authorheretic <heretic@yandex-team.ru>2022-02-10 16:45:43 +0300
committerDaniil Cherednik <dcherednik@yandex-team.ru>2022-02-10 16:45:43 +0300
commit397cbe258b9e064f49c4ca575279f02f39fef76e (patch)
treea0b0eb3cca6a14e4e8ea715393637672fa651284 /contrib/libs/openssl/crypto/x509
parent43f5a35593ebc9f6bcea619bb170394ea7ae468e (diff)
Restoring authorship annotation for <heretic@yandex-team.ru>. Commit 1 of 2.
Diffstat (limited to 'contrib/libs/openssl/crypto/x509')
-rw-r--r--contrib/libs/openssl/crypto/x509/t_x509.c6
-rw-r--r--contrib/libs/openssl/crypto/x509/x509_att.c4
-rw-r--r--contrib/libs/openssl/crypto/x509/x509_cmp.c34
-rw-r--r--contrib/libs/openssl/crypto/x509/x509_err.c4
-rw-r--r--contrib/libs/openssl/crypto/x509/x509_local.h6
-rw-r--r--contrib/libs/openssl/crypto/x509/x509_req.c26
-rw-r--r--contrib/libs/openssl/crypto/x509/x509_txt.c6
-rw-r--r--contrib/libs/openssl/crypto/x509/x509_vfy.c316
-rw-r--r--contrib/libs/openssl/crypto/x509/x509_vpm.c6
-rw-r--r--contrib/libs/openssl/crypto/x509/x_all.c4
-rw-r--r--contrib/libs/openssl/crypto/x509/x_attrib.c8
-rw-r--r--contrib/libs/openssl/crypto/x509/x_pubkey.c12
12 files changed, 216 insertions, 216 deletions
diff --git a/contrib/libs/openssl/crypto/x509/t_x509.c b/contrib/libs/openssl/crypto/x509/t_x509.c
index ece987a6bd..9f872c7d13 100644
--- a/contrib/libs/openssl/crypto/x509/t_x509.c
+++ b/contrib/libs/openssl/crypto/x509/t_x509.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -365,9 +365,9 @@ int X509_aux_print(BIO *out, X509 *x, int indent)
BIO_puts(out, "\n");
} else
BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
- alias = X509_alias_get0(x, &i);
+ alias = X509_alias_get0(x, &i);
if (alias)
- BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias);
+ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias);
keyid = X509_keyid_get0(x, &keyidlen);
if (keyid) {
BIO_printf(out, "%*sKey Id: ", indent, "");
diff --git a/contrib/libs/openssl/crypto/x509/x509_att.c b/contrib/libs/openssl/crypto/x509/x509_att.c
index cc9f9d1909..998a5b3c44 100644
--- a/contrib/libs/openssl/crypto/x509/x509_att.c
+++ b/contrib/libs/openssl/crypto/x509/x509_att.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -149,7 +149,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE)
return ret;
}
-void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
+void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
const ASN1_OBJECT *obj, int lastpos, int type)
{
int i;
diff --git a/contrib/libs/openssl/crypto/x509/x509_cmp.c b/contrib/libs/openssl/crypto/x509/x509_cmp.c
index 1d8d2d7b28..7c00c644fc 100644
--- a/contrib/libs/openssl/crypto/x509/x509_cmp.c
+++ b/contrib/libs/openssl/crypto/x509/x509_cmp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -39,8 +39,8 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
if (ctx == NULL)
goto err;
f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
- if (f == NULL)
- goto err;
+ if (f == NULL)
+ goto err;
if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
goto err;
if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))
@@ -135,21 +135,21 @@ unsigned long X509_subject_name_hash_old(X509 *x)
*/
int X509_cmp(const X509 *a, const X509 *b)
{
- int rv = 0;
-
- if (a == b) /* for efficiency */
- return 0;
-
- /* try to make sure hash is valid */
- (void)X509_check_purpose((X509 *)a, -1, 0);
- (void)X509_check_purpose((X509 *)b, -1, 0);
-
- if ((a->ex_flags & EXFLAG_NO_FINGERPRINT) == 0
- && (b->ex_flags & EXFLAG_NO_FINGERPRINT) == 0)
- rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
- if (rv != 0)
+ int rv = 0;
+
+ if (a == b) /* for efficiency */
+ return 0;
+
+ /* try to make sure hash is valid */
+ (void)X509_check_purpose((X509 *)a, -1, 0);
+ (void)X509_check_purpose((X509 *)b, -1, 0);
+
+ if ((a->ex_flags & EXFLAG_NO_FINGERPRINT) == 0
+ && (b->ex_flags & EXFLAG_NO_FINGERPRINT) == 0)
+ rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+ if (rv != 0)
return rv;
-
+
/* Check for match against stored encoding too */
if (!a->cert_info.enc.modified && !b->cert_info.enc.modified) {
if (a->cert_info.enc.len < b->cert_info.enc.len)
diff --git a/contrib/libs/openssl/crypto/x509/x509_err.c b/contrib/libs/openssl/crypto/x509/x509_err.c
index bdd1e67cd3..d5384a6206 100644
--- a/contrib/libs/openssl/crypto/x509/x509_err.c
+++ b/contrib/libs/openssl/crypto/x509/x509_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -79,7 +79,7 @@ static const ERR_STRING_DATA X509_str_functs[] = {
{ERR_PACK(ERR_LIB_X509, X509_F_X509_PRINT_EX_FP, 0), "X509_print_ex_fp"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_DECODE, 0),
"x509_pubkey_decode"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_GET, 0), "X509_PUBKEY_get"},
+ {ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_GET, 0), "X509_PUBKEY_get"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_GET0, 0), "X509_PUBKEY_get0"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_SET, 0), "X509_PUBKEY_set"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_REQ_CHECK_PRIVATE_KEY, 0),
diff --git a/contrib/libs/openssl/crypto/x509/x509_local.h b/contrib/libs/openssl/crypto/x509/x509_local.h
index 10807e1def..23987859a5 100644
--- a/contrib/libs/openssl/crypto/x509/x509_local.h
+++ b/contrib/libs/openssl/crypto/x509/x509_local.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -145,5 +145,5 @@ DEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
void x509_set_signature_info(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
const ASN1_STRING *sig);
-int x509_likely_issued(X509 *issuer, X509 *subject);
-int x509_signing_allowed(const X509 *issuer, const X509 *subject);
+int x509_likely_issued(X509 *issuer, X509 *subject);
+int x509_signing_allowed(const X509 *issuer, const X509 *subject);
diff --git a/contrib/libs/openssl/crypto/x509/x509_req.c b/contrib/libs/openssl/crypto/x509/x509_req.c
index dd674926dd..1a70be5cfd 100644
--- a/contrib/libs/openssl/crypto/x509/x509_req.c
+++ b/contrib/libs/openssl/crypto/x509/x509_req.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -286,18 +286,18 @@ void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
*palg = &req->sig_alg;
}
-void X509_REQ_set0_signature(X509_REQ *req, ASN1_BIT_STRING *psig)
-{
- if (req->signature)
- ASN1_BIT_STRING_free(req->signature);
- req->signature = psig;
-}
-
-int X509_REQ_set1_signature_algo(X509_REQ *req, X509_ALGOR *palg)
-{
- return X509_ALGOR_copy(&req->sig_alg, palg);
-}
-
+void X509_REQ_set0_signature(X509_REQ *req, ASN1_BIT_STRING *psig)
+{
+ if (req->signature)
+ ASN1_BIT_STRING_free(req->signature);
+ req->signature = psig;
+}
+
+int X509_REQ_set1_signature_algo(X509_REQ *req, X509_ALGOR *palg)
+{
+ return X509_ALGOR_copy(&req->sig_alg, palg);
+}
+
int X509_REQ_get_signature_nid(const X509_REQ *req)
{
return OBJ_obj2nid(req->sig_alg.algorithm);
diff --git a/contrib/libs/openssl/crypto/x509/x509_txt.c b/contrib/libs/openssl/crypto/x509/x509_txt.c
index 02bde640d8..8b15e957b7 100644
--- a/contrib/libs/openssl/crypto/x509/x509_txt.c
+++ b/contrib/libs/openssl/crypto/x509/x509_txt.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -174,8 +174,8 @@ const char *X509_verify_cert_error_string(long n)
return "OCSP verification failed";
case X509_V_ERR_OCSP_CERT_UNKNOWN:
return "OCSP unknown cert";
- case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS:
- return "Certificate public key has explicit ECC parameters";
+ case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS:
+ return "Certificate public key has explicit ECC parameters";
default:
/* Printing an error number into a static buffer is not thread-safe */
diff --git a/contrib/libs/openssl/crypto/x509/x509_vfy.c b/contrib/libs/openssl/crypto/x509/x509_vfy.c
index 20a36e763c..bb787e8dda 100644
--- a/contrib/libs/openssl/crypto/x509/x509_vfy.c
+++ b/contrib/libs/openssl/crypto/x509/x509_vfy.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -80,7 +80,7 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);
static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert);
-static int check_curve(X509 *cert);
+static int check_curve(X509 *cert);
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
unsigned int *preasons, X509_CRL *crl, X509 *x);
@@ -105,12 +105,12 @@ static int null_callback(int ok, X509_STORE_CTX *e)
return ok;
}
-/*
- * Return 1 if given cert is considered self-signed, 0 if not or on error.
- * This does not verify self-signedness but relies on x509v3_cache_extensions()
- * matching issuer and subject names (i.e., the cert being self-issued) and any
- * present authority key identifier matching the subject key identifier, etc.
- */
+/*
+ * Return 1 if given cert is considered self-signed, 0 if not or on error.
+ * This does not verify self-signedness but relies on x509v3_cache_extensions()
+ * matching issuer and subject names (i.e., the cert being self-issued) and any
+ * present authority key identifier matching the subject key identifier, etc.
+ */
static int cert_self_signed(X509 *x)
{
if (X509_check_purpose(x, -1, 0) != 1)
@@ -137,9 +137,9 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
xtmp = sk_X509_value(certs, i);
if (!X509_cmp(xtmp, x))
break;
- xtmp = NULL;
+ xtmp = NULL;
}
- if (xtmp != NULL && !X509_up_ref(xtmp))
+ if (xtmp != NULL && !X509_up_ref(xtmp))
xtmp = NULL;
sk_X509_pop_free(certs, X509_free);
return xtmp;
@@ -272,24 +272,24 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
return -1;
}
- if (!X509_up_ref(ctx->cert)) {
- X509err(X509_F_X509_VERIFY_CERT, ERR_R_INTERNAL_ERROR);
- ctx->error = X509_V_ERR_UNSPECIFIED;
- return -1;
- }
-
+ if (!X509_up_ref(ctx->cert)) {
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_INTERNAL_ERROR);
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return -1;
+ }
+
/*
* first we make sure the chain we are going to build is present and that
* the first entry is in place
*/
- if ((ctx->chain = sk_X509_new_null()) == NULL
- || !sk_X509_push(ctx->chain, ctx->cert)) {
- X509_free(ctx->cert);
+ if ((ctx->chain = sk_X509_new_null()) == NULL
+ || !sk_X509_push(ctx->chain, ctx->cert)) {
+ X509_free(ctx->cert);
X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return -1;
}
-
+
ctx->num_untrusted = 1;
/* If the peer's public key is too weak, we can stop early. */
@@ -312,21 +312,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
return ret;
}
-static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)
-{
- int i, n = sk_X509_num(sk);
-
- for (i = 0; i < n; i++)
- if (X509_cmp(sk_X509_value(sk, i), cert) == 0)
- return 1;
- return 0;
-}
-
+static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)
+{
+ int i, n = sk_X509_num(sk);
+
+ for (i = 0; i < n; i++)
+ if (X509_cmp(sk_X509_value(sk, i), cert) == 0)
+ return 1;
+ return 0;
+}
+
/*
- * Find in given STACK_OF(X509) sk an issuer cert of given cert x.
- * The issuer must not yet be in ctx->chain, where the exceptional case
- * that x is self-issued and ctx->chain has just one element is allowed.
- * Prefer the first one that is not expired, else take the last expired one.
+ * Find in given STACK_OF(X509) sk an issuer cert of given cert x.
+ * The issuer must not yet be in ctx->chain, where the exceptional case
+ * that x is self-issued and ctx->chain has just one element is allowed.
+ * Prefer the first one that is not expired, else take the last expired one.
*/
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
@@ -335,9 +335,9 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
for (i = 0; i < sk_X509_num(sk); i++) {
issuer = sk_X509_value(sk, i);
- if (ctx->check_issued(ctx, x, issuer)
- && (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
- || !sk_X509_contains(ctx->chain, issuer))) {
+ if (ctx->check_issued(ctx, x, issuer)
+ && (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
+ || !sk_X509_contains(ctx->chain, issuer))) {
rv = issuer;
if (x509_check_cert_time(ctx, rv, -1))
break;
@@ -346,25 +346,25 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
return rv;
}
-/* Check that the given certificate 'x' is issued by the certificate 'issuer' */
+/* Check that the given certificate 'x' is issued by the certificate 'issuer' */
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
- return x509_likely_issued(issuer, x) == X509_V_OK;
+ return x509_likely_issued(issuer, x) == X509_V_OK;
}
/* Alternative lookup method: look from a STACK stored in other_ctx */
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->other_ctx, x);
-
- if (*issuer == NULL || !X509_up_ref(*issuer))
- goto err;
-
- return 1;
-
- err:
- *issuer = NULL;
- return 0;
+
+ if (*issuer == NULL || !X509_up_ref(*issuer))
+ goto err;
+
+ return 1;
+
+ err:
+ *issuer = NULL;
+ return 0;
}
static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm)
@@ -376,16 +376,16 @@ static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm)
for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) {
x = sk_X509_value(ctx->other_ctx, i);
if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {
- if (!X509_up_ref(x)) {
- sk_X509_pop_free(sk, X509_free);
- X509err(X509_F_LOOKUP_CERTS_SK, ERR_R_INTERNAL_ERROR);
- ctx->error = X509_V_ERR_UNSPECIFIED;
- return NULL;
- }
+ if (!X509_up_ref(x)) {
+ sk_X509_pop_free(sk, X509_free);
+ X509err(X509_F_LOOKUP_CERTS_SK, ERR_R_INTERNAL_ERROR);
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return NULL;
+ }
if (sk == NULL)
sk = sk_X509_new_null();
- if (sk == NULL || !sk_X509_push(sk, x)) {
- X509_free(x);
+ if (sk == NULL || !sk_X509_push(sk, x)) {
+ X509_free(x);
sk_X509_pop_free(sk, X509_free);
X509err(X509_F_LOOKUP_CERTS_SK, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
@@ -524,19 +524,19 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ret = 1;
break;
}
- if (ret > 0
- && (ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
- /* Check for presence of explicit elliptic curve parameters */
- ret = check_curve(x);
- if (ret < 0) {
- ctx->error = X509_V_ERR_UNSPECIFIED;
- ret = 0;
- } else if (ret == 0) {
- ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
- }
- }
- if (ret > 0
- && (x->ex_flags & EXFLAG_CA) == 0
+ if (ret > 0
+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
+ /* Check for presence of explicit elliptic curve parameters */
+ ret = check_curve(x);
+ if (ret < 0) {
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ ret = 0;
+ } else if (ret == 0) {
+ ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
+ }
+ }
+ if (ret > 0
+ && (x->ex_flags & EXFLAG_CA) == 0
&& x->ex_pathlen != -1
&& (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
ctx->error = X509_V_ERR_INVALID_EXTENSION;
@@ -1727,7 +1727,7 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
return 1;
}
-/* verify the issuer signatures and cert times of ctx->chain */
+/* verify the issuer signatures and cert times of ctx->chain */
static int internal_verify(X509_STORE_CTX *ctx)
{
int n = sk_X509_num(ctx->chain) - 1;
@@ -1742,25 +1742,25 @@ static int internal_verify(X509_STORE_CTX *ctx)
if (ctx->bare_ta_signed) {
xs = xi;
xi = NULL;
- goto check_cert_time;
+ goto check_cert_time;
}
if (ctx->check_issued(ctx, xi, xi))
- xs = xi; /* the typical case: last cert in the chain is self-issued */
+ xs = xi; /* the typical case: last cert in the chain is self-issued */
else {
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
xs = xi;
- goto check_cert_time;
- }
- if (n <= 0) {
- if (!verify_cb_cert(ctx, xi, 0,
- X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
- return 0;
-
- xs = xi;
- goto check_cert_time;
+ goto check_cert_time;
}
-
+ if (n <= 0) {
+ if (!verify_cb_cert(ctx, xi, 0,
+ X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
+ return 0;
+
+ xs = xi;
+ goto check_cert_time;
+ }
+
n--;
ctx->error_depth = n;
xs = sk_X509_value(ctx->chain, n);
@@ -1772,54 +1772,54 @@ static int internal_verify(X509_STORE_CTX *ctx)
*/
while (n >= 0) {
/*
- * For each iteration of this loop:
- * n is the subject depth
- * xs is the subject cert, for which the signature is to be checked
- * xi is the supposed issuer cert containing the public key to use
- * Initially xs == xi if the last cert in the chain is self-issued.
- *
- * Skip signature check for self-signed certificates unless explicitly
- * asked for because it does not add any security and just wastes time.
+ * For each iteration of this loop:
+ * n is the subject depth
+ * xs is the subject cert, for which the signature is to be checked
+ * xi is the supposed issuer cert containing the public key to use
+ * Initially xs == xi if the last cert in the chain is self-issued.
+ *
+ * Skip signature check for self-signed certificates unless explicitly
+ * asked for because it does not add any security and just wastes time.
*/
- if (xs != xi || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)
- && (xi->ex_flags & EXFLAG_SS) != 0)) {
- EVP_PKEY *pkey;
- /*
- * If the issuer's public key is not available or its key usage
- * does not support issuing the subject cert, report the issuer
- * cert and its depth (rather than n, the depth of the subject).
- */
- int issuer_depth = n + (xs == xi ? 0 : 1);
- /*
- * According to https://tools.ietf.org/html/rfc5280#section-6.1.4
- * step (n) we must check any given key usage extension in a CA cert
- * when preparing the verification of a certificate issued by it.
- * According to https://tools.ietf.org/html/rfc5280#section-4.2.1.3
- * we must not verify a certifiate signature if the key usage of the
- * CA certificate that issued the certificate prohibits signing.
- * In case the 'issuing' certificate is the last in the chain and is
- * not a CA certificate but a 'self-issued' end-entity cert (i.e.,
- * xs == xi && !(xi->ex_flags & EXFLAG_CA)) RFC 5280 does not apply
- * (see https://tools.ietf.org/html/rfc6818#section-2) and thus
- * we are free to ignore any key usage restrictions on such certs.
- */
- int ret = xs == xi && (xi->ex_flags & EXFLAG_CA) == 0
- ? X509_V_OK : x509_signing_allowed(xi, xs);
-
- if (ret != X509_V_OK && !verify_cb_cert(ctx, xi, issuer_depth, ret))
- return 0;
+ if (xs != xi || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)
+ && (xi->ex_flags & EXFLAG_SS) != 0)) {
+ EVP_PKEY *pkey;
+ /*
+ * If the issuer's public key is not available or its key usage
+ * does not support issuing the subject cert, report the issuer
+ * cert and its depth (rather than n, the depth of the subject).
+ */
+ int issuer_depth = n + (xs == xi ? 0 : 1);
+ /*
+ * According to https://tools.ietf.org/html/rfc5280#section-6.1.4
+ * step (n) we must check any given key usage extension in a CA cert
+ * when preparing the verification of a certificate issued by it.
+ * According to https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+ * we must not verify a certifiate signature if the key usage of the
+ * CA certificate that issued the certificate prohibits signing.
+ * In case the 'issuing' certificate is the last in the chain and is
+ * not a CA certificate but a 'self-issued' end-entity cert (i.e.,
+ * xs == xi && !(xi->ex_flags & EXFLAG_CA)) RFC 5280 does not apply
+ * (see https://tools.ietf.org/html/rfc6818#section-2) and thus
+ * we are free to ignore any key usage restrictions on such certs.
+ */
+ int ret = xs == xi && (xi->ex_flags & EXFLAG_CA) == 0
+ ? X509_V_OK : x509_signing_allowed(xi, xs);
+
+ if (ret != X509_V_OK && !verify_cb_cert(ctx, xi, issuer_depth, ret))
+ return 0;
if ((pkey = X509_get0_pubkey(xi)) == NULL) {
- ret = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
- if (!verify_cb_cert(ctx, xi, issuer_depth, ret))
+ ret = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+ if (!verify_cb_cert(ctx, xi, issuer_depth, ret))
return 0;
} else if (X509_verify(xs, pkey) <= 0) {
- ret = X509_V_ERR_CERT_SIGNATURE_FAILURE;
- if (!verify_cb_cert(ctx, xs, n, ret))
+ ret = X509_V_ERR_CERT_SIGNATURE_FAILURE;
+ if (!verify_cb_cert(ctx, xs, n, ret))
return 0;
}
}
- check_cert_time: /* in addition to RFC 5280, do also for trusted (root) cert */
+ check_cert_time: /* in addition to RFC 5280, do also for trusted (root) cert */
/* Calls verify callback as needed */
if (!x509_check_cert_time(ctx, xs, n))
return 0;
@@ -3221,16 +3221,16 @@ static int build_chain(X509_STORE_CTX *ctx)
/* Drop this issuer from future consideration */
(void) sk_X509_delete_ptr(sktmp, xtmp);
- if (!X509_up_ref(xtmp)) {
- X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR);
- trust = X509_TRUST_REJECTED;
- ctx->error = X509_V_ERR_UNSPECIFIED;
- search = 0;
- continue;
- }
-
+ if (!X509_up_ref(xtmp)) {
+ X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR);
+ trust = X509_TRUST_REJECTED;
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ search = 0;
+ continue;
+ }
+
if (!sk_X509_push(ctx->chain, xtmp)) {
- X509_free(xtmp);
+ X509_free(xtmp);
X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
trust = X509_TRUST_REJECTED;
ctx->error = X509_V_ERR_OUT_OF_MEM;
@@ -3238,7 +3238,7 @@ static int build_chain(X509_STORE_CTX *ctx)
continue;
}
- x = xtmp;
+ x = xtmp;
++ctx->num_untrusted;
ss = cert_self_signed(xtmp);
@@ -3330,32 +3330,32 @@ static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
}
/*
- * Check whether the public key of ``cert`` does not use explicit params
- * for an elliptic curve.
- *
- * Returns 1 on success, 0 if check fails, -1 for other errors.
- */
-static int check_curve(X509 *cert)
-{
-#ifndef OPENSSL_NO_EC
- EVP_PKEY *pkey = X509_get0_pubkey(cert);
-
- /* Unsupported or malformed key */
- if (pkey == NULL)
- return -1;
-
- if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
- int ret;
-
- ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
- return ret < 0 ? ret : !ret;
- }
-#endif
-
- return 1;
-}
-
-/*
+ * Check whether the public key of ``cert`` does not use explicit params
+ * for an elliptic curve.
+ *
+ * Returns 1 on success, 0 if check fails, -1 for other errors.
+ */
+static int check_curve(X509 *cert)
+{
+#ifndef OPENSSL_NO_EC
+ EVP_PKEY *pkey = X509_get0_pubkey(cert);
+
+ /* Unsupported or malformed key */
+ if (pkey == NULL)
+ return -1;
+
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
+ int ret;
+
+ ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
+ return ret < 0 ? ret : !ret;
+ }
+#endif
+
+ return 1;
+}
+
+/*
* Check whether the signature digest algorithm of ``cert`` meets the security
* level of ``ctx``. Should not be checked for trust anchors (whether
* self-signed or otherwise).
diff --git a/contrib/libs/openssl/crypto/x509/x509_vpm.c b/contrib/libs/openssl/crypto/x509/x509_vpm.c
index 535f169a29..75b3600d01 100644
--- a/contrib/libs/openssl/crypto/x509/x509_vpm.c
+++ b/contrib/libs/openssl/crypto/x509/x509_vpm.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -199,8 +199,8 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
return 0;
}
- x509_verify_param_copy(hostflags, 0);
-
+ x509_verify_param_copy(hostflags, 0);
+
if (test_x509_verify_param_copy(hosts, NULL)) {
sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
dest->hosts = NULL;
diff --git a/contrib/libs/openssl/crypto/x509/x_all.c b/contrib/libs/openssl/crypto/x509/x_all.c
index a4e9cdaee8..a45f90e6f3 100644
--- a/contrib/libs/openssl/crypto/x509/x_all.c
+++ b/contrib/libs/openssl/crypto/x509/x_all.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -363,7 +363,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
unsigned int *len)
{
if (type == EVP_sha1() && (data->ex_flags & EXFLAG_SET) != 0
- && (data->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) {
+ && (data->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) {
/* Asking for SHA1 and we already computed it. */
if (len != NULL)
*len = sizeof(data->sha1_hash);
diff --git a/contrib/libs/openssl/crypto/x509/x_attrib.c b/contrib/libs/openssl/crypto/x509/x_attrib.c
index 7342c4f6bc..8823fa5382 100644
--- a/contrib/libs/openssl/crypto/x509/x_attrib.c
+++ b/contrib/libs/openssl/crypto/x509/x_attrib.c
@@ -37,13 +37,13 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value)
{
X509_ATTRIBUTE *ret = NULL;
ASN1_TYPE *val = NULL;
- ASN1_OBJECT *oid;
+ ASN1_OBJECT *oid;
- if ((oid = OBJ_nid2obj(nid)) == NULL)
- return NULL;
+ if ((oid = OBJ_nid2obj(nid)) == NULL)
+ return NULL;
if ((ret = X509_ATTRIBUTE_new()) == NULL)
return NULL;
- ret->object = oid;
+ ret->object = oid;
if ((val = ASN1_TYPE_new()) == NULL)
goto err;
if (!sk_ASN1_TYPE_push(ret->set, val))
diff --git a/contrib/libs/openssl/crypto/x509/x_pubkey.c b/contrib/libs/openssl/crypto/x509/x_pubkey.c
index 9be7e92865..aa86785d44 100644
--- a/contrib/libs/openssl/crypto/x509/x_pubkey.c
+++ b/contrib/libs/openssl/crypto/x509/x_pubkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -169,11 +169,11 @@ EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key)
EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
{
EVP_PKEY *ret = X509_PUBKEY_get0(key);
-
- if (ret != NULL && !EVP_PKEY_up_ref(ret)) {
- X509err(X509_F_X509_PUBKEY_GET, ERR_R_INTERNAL_ERROR);
- ret = NULL;
- }
+
+ if (ret != NULL && !EVP_PKEY_up_ref(ret)) {
+ X509err(X509_F_X509_PUBKEY_GET, ERR_R_INTERNAL_ERROR);
+ ret = NULL;
+ }
return ret;
}