[openssl-commits] [openssl] master update

yang.yang at baishancloud.com yang.yang at baishancloud.com
Sat Oct 27 04:13:42 UTC 2018


The branch master has been updated
       via  c23e497da7815bf6ef84461f92339442d3702eda (commit)
      from  a83dc59afa2e0207180d7218efed19b20d48de95 (commit)


- Log -----------------------------------------------------------------
commit c23e497da7815bf6ef84461f92339442d3702eda
Author: Fraser Tweedale <ftweedal at redhat.com>
Date:   Sat Oct 27 12:11:41 2018 +0800

    Support GeneralSubtrees with minimum = 0
    
    The Name Constraints extension contains GeneralSubtree values
    indicating included or excluded subtrees.  It is defined as:
    
      GeneralSubtree ::= SEQUENCE {
        base                    GeneralName,
        minimum         [0]     BaseDistance DEFAULT 0,
        maximum         [1]     BaseDistance OPTIONAL }
    
    RFC 5280 further specifies:
    
      Within this profile, the minimum and maximum fields are not used with
      any name forms, thus, the minimum MUST be zero, and maximum MUST be
      absent.
    
    Because the minimum fields has DEFAULT 0, and certificates should be
    encoded using DER, the situation where minimum = 0 occurs in a
    certificate should not arise.  Nevertheless, it does arise.  For
    example, I have seen certificates issued by Microsoft programs that
    contain GeneralSubtree values encoded thus.
    
    Enhance the Name Constraints matching routine to handle the case
    where minimum is specified.  If present, it must be zero.  The
    maximum field remains prohibited.
    
    Reviewed-by: Paul Yang <yang.yang at baishancloud.com>
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/7039)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509v3/v3_ncons.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 9a2cd5a..8465818 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -14,6 +14,7 @@
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
+#include <openssl/bn.h>
 
 #include "internal/x509_int.h"
 #include "ext_dat.h"
@@ -435,6 +436,27 @@ int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
     return X509_V_OK;
 }
 
+/*
+ * Return nonzero if the GeneralSubtree has valid 'minimum' field
+ * (must be absent or 0) and valid 'maximum' field (must be absent).
+ */
+static int nc_minmax_valid(GENERAL_SUBTREE *sub) {
+    BIGNUM *bn = NULL;
+    int ok = 1;
+
+    if (sub->maximum)
+        ok = 0;
+
+    if (sub->minimum) {
+        bn = ASN1_INTEGER_to_BN(sub->minimum, NULL);
+        if (bn == NULL || !BN_is_zero(bn))
+            ok = 0;
+        BN_free(bn);
+    }
+
+    return ok;
+}
+
 static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
 {
     GENERAL_SUBTREE *sub;
@@ -449,7 +471,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
         sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
         if (gen->type != sub->base->type)
             continue;
-        if (sub->minimum || sub->maximum)
+        if (!nc_minmax_valid(sub))
             return X509_V_ERR_SUBTREE_MINMAX;
         /* If we already have a match don't bother trying any more */
         if (match == 2)
@@ -472,7 +494,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
         sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
         if (gen->type != sub->base->type)
             continue;
-        if (sub->minimum || sub->maximum)
+        if (!nc_minmax_valid(sub))
             return X509_V_ERR_SUBTREE_MINMAX;
 
         r = nc_match_single(gen, sub->base);


More information about the openssl-commits mailing list