[openssl] master update
dev at ddvo.net
dev at ddvo.net
Tue Aug 4 07:19:44 UTC 2020
The branch master has been updated
via aff8c0a411824f29687a54a3aa82f7e770faff48 (commit)
via 57c05c57c3aab2755ec6eeae5d1800ac9cbd2f6d (commit)
via 02ae130e3dd1e4b4252692f65cb1f975bfe47935 (commit)
via 1ac658ac9d40711d0a9610e932ddfa7b90fdc537 (commit)
via c90c469376e28e87caf02e96bf6568131f1c5d1b (commit)
via b516a4b1399328ed2177e6bc5f717416a7d03806 (commit)
via 8f7e897995ae49546ab94a6969e85d797ac6c486 (commit)
from b5b6669fb63702233124c8fd5504e8477e559d07 (commit)
- Log -----------------------------------------------------------------
commit aff8c0a411824f29687a54a3aa82f7e770faff48
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Sat Jun 27 10:29:55 2020 +0200
Fix error message on setting cert validity period in apps/cmp.c
Fixes #12268
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12296)
commit 57c05c57c3aab2755ec6eeae5d1800ac9cbd2f6d
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Sat Jun 27 10:28:45 2020 +0200
apps: Correct and extend diagnostics of parse_name()
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12296)
commit 02ae130e3dd1e4b4252692f65cb1f975bfe47935
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Jun 26 20:40:19 2020 +0200
Add 'section=...' info in error output of X509V3_EXT_nconf() as far as appropriate
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12296)
commit 1ac658ac9d40711d0a9610e932ddfa7b90fdc537
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Jun 26 20:13:47 2020 +0200
Rename misleading X509V3_R_INVALID_NULL_NAME to X509V3_R_INVALID_EMPTY_NAME
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12296)
commit c90c469376e28e87caf02e96bf6568131f1c5d1b
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Jun 26 16:16:00 2020 +0200
Correct confusing X509V3 conf error output by removing needless 'section:<NULL>' etc.
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12296)
commit b516a4b1399328ed2177e6bc5f717416a7d03806
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Jun 26 16:16:56 2020 +0200
Correct misleading diagnostics of OBJ_txt2obj on unknown object name
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12296)
commit 8f7e897995ae49546ab94a6969e85d797ac6c486
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Jun 26 12:37:12 2020 +0200
apps/cmp.c: Defer diagnostic output on server+proxy to be contacted
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12296)
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 2 +-
apps/cmp.c | 12 ++++++------
apps/include/apps.h | 3 ++-
apps/lib/apps.c | 38 ++++++++++++++++++++++----------------
apps/req.c | 2 +-
apps/storeutl.c | 12 ++++--------
apps/x509.c | 3 ++-
crypto/err/openssl.txt | 3 ++-
crypto/objects/obj_dat.c | 4 ++++
crypto/objects/obj_err.c | 4 +++-
crypto/x509/v3_addr.c | 19 ++++++++++---------
crypto/x509/v3_asid.c | 9 +++++----
crypto/x509/v3_bcons.c | 4 +++-
crypto/x509/v3_bitst.c | 2 +-
crypto/x509/v3_conf.c | 43 +++++++++++++++++++++++++++++++------------
crypto/x509/v3_cpols.c | 20 +++++++++++---------
crypto/x509/v3_crld.c | 5 +++--
crypto/x509/v3_extku.c | 2 +-
crypto/x509/v3_pci.c | 1 +
crypto/x509/v3_pcons.c | 2 +-
crypto/x509/v3_pmaps.c | 4 ++--
crypto/x509/v3_tlsf.c | 3 ++-
crypto/x509/v3_utl.c | 11 ++++++-----
crypto/x509/v3err.c | 4 ++--
crypto/x509/x509_local.h | 3 +++
include/openssl/objectserr.h | 5 +++--
include/openssl/x509v3err.h | 2 +-
27 files changed, 133 insertions(+), 89 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index e001a34190..fef0b82c39 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1463,7 +1463,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
row[i] = NULL;
if (subj) {
- X509_NAME *n = parse_name(subj, chtype, multirdn);
+ X509_NAME *n = parse_name(subj, chtype, multirdn, "subject");
if (!n) {
ERR_print_errors(bio_err);
diff --git a/apps/cmp.c b/apps/cmp.c
index e5f72cbea7..01c5394344 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1109,12 +1109,10 @@ static int set_name(const char *str,
OSSL_CMP_CTX *ctx, const char *desc)
{
if (str != NULL) {
- X509_NAME *n = parse_name(str, MBSTRING_ASC, 0);
+ X509_NAME *n = parse_name(str, MBSTRING_ASC, 0, desc);
- if (n == NULL) {
- CMP_err2("cannot parse %s DN '%s'", desc, str);
+ if (n == NULL)
return 0;
- }
if (!(*set_fn) (ctx, n)) {
X509_NAME_free(n);
CMP_err("out of memory");
@@ -1869,7 +1867,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_days > 0
&& !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_VALIDITY_DAYS,
opt_days)) {
- CMP_err("could to set requested cert validity period");
+ CMP_err("could not set requested cert validity period");
goto err;
}
@@ -2095,7 +2093,6 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_proxy != NULL)
(void)BIO_snprintf(proxy_buf, sizeof(proxy_buf), " via %s", opt_proxy);
- CMP_info2("will contact %s%s", server_buf, proxy_buf);
if (!transform_opts())
goto err;
@@ -2217,6 +2214,9 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_geninfo != NULL && !handle_opt_geninfo(ctx))
goto err;
+ /* not printing earlier, to minimize confusion in case setup fails before */
+ CMP_info2("will contact %s%s", server_buf, proxy_buf);
+
ret = 1;
err:
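Review bot: The comment above the moved `CMP_info2` line reads awkwardly; `/* Printed only once all setup has succeeded, so a failure above is not preceded by a misleading "will contact" line */` says the same thing more clearly. The moved line also now depends on `proxy_buf` holding a valid string when `opt_proxy` is NULL, since the earlier hunk only writes it in the non-NULL case; that presumably comes from its declaration outside this hunk and is worth confirming. setup_client_ctx continues past the hunk.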
diff --git a/apps/include/apps.h b/apps/include/apps.h
index e91cdcdb8f..554d33e1c9 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -201,7 +201,8 @@ void free_index(CA_DB *db);
int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
int parse_yesno(const char *str, int def);
-X509_NAME *parse_name(const char *str, long chtype, int multirdn);
+X509_NAME *parse_name(const char *str, int chtype, int multirdn,
+ const char *desc);
void policies_print(X509_STORE_CTX *ctx);
int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
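Review bot: The prototype now takes `int chtype`, matching the `int type` parameter of X509_NAME_add_entry_by_NID that apps/lib/apps.c forwards it to, but `build_subject` in the apps/req.c hunk still declares `unsigned long chtype` and passes it straight through, and the `chtype` forwarded in the apps/ca.c and apps/x509.c hunks has a type outside the hunks; the implicit narrowing is harmless for MBSTRING_* values but trips -Wconversion and leaves the call chain inconsistent, so `static int build_subject(X509_REQ *req, const char *subject, int chtype, int multirdn)` (and the same alignment at the other two callers) would be cleaner. The new `desc` parameter is also undocumented at its public declaration; a line such as `/* desc: short role of the name, e.g. "subject", used only in diagnostics; must not be NULL */` above the prototype would help callers.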
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index cf99ca0ebf..e8592c4880 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -1670,7 +1670,8 @@ int parse_yesno(const char *str, int def)
* name is expected to be in the format /type0=value0/type1=value1/type2=...
* where characters may be escaped by \
*/
-X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
+X509_NAME *parse_name(const char *cp, int chtype, int canmulti,
+ const char *desc)
{
int nextismulti = 0;
char *work;
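Review bot: The comment block above parse_name describes the string format but not the new `desc` parameter nor the ownership of the result, which the function's diagnostics now depend on; extend it with `* desc names the role of the name (e.g. "subject") and is used only in the diagnostic messages printed to bio_err; the returned X509_NAME is owned by the caller` — the apps/cmp.c hunk's `X509_NAME_free(n)` on the set_fn failure path shows the caller frees it. Stating that the function prints its own diagnostics and returns NULL on any failure would also justify why the apps/cmp.c and apps/storeutl.c hunks drop their own error messages. parse_name's body continues in the following hunks.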
@@ -1678,19 +1679,22 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
if (*cp++ != '/') {
BIO_printf(bio_err,
- "name is expected to be in the format "
+ "%s: %s name is expected to be in the format "
"/type0=value0/type1=value1/type2=... where characters may "
"be escaped by \\. This name is not in that format: '%s'\n",
- --cp);
+ opt_getprog(), desc, --cp);
return NULL;
}
n = X509_NAME_new();
- if (n == NULL)
+ if (n == NULL) {
+ BIO_printf(bio_err, "%s: Out of memory\n", opt_getprog());
return NULL;
+ }
work = OPENSSL_strdup(cp);
if (work == NULL) {
- BIO_printf(bio_err, "%s: Error copying name input\n", opt_getprog());
+ BIO_printf(bio_err, "%s: Error copying %s name input\n",
+ opt_getprog(), desc);
goto err;
}
@@ -1705,13 +1709,13 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
/* Collect the type */
while (*cp != '\0' && *cp != '=')
*bp++ = *cp++;
+ *bp++ = '\0';
if (*cp == '\0') {
BIO_printf(bio_err,
- "%s: Hit end of string before finding the '='\n",
- opt_getprog());
+ "%s: Missing '=' after RDN type string '%s' in %s name string\n",
+ opt_getprog(), typestr, desc);
goto err;
}
- *bp++ = '\0';
++cp;
/* Collect the value. */
@@ -1723,8 +1727,8 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
}
if (*cp == '\\' && *++cp == '\0') {
BIO_printf(bio_err,
- "%s: Escape character at end of string\n",
- opt_getprog());
+ "%s: Escape character at end of %s name string\n",
+ opt_getprog(), desc);
goto err;
}
}
@@ -1737,22 +1741,24 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
/* Parse */
nid = OBJ_txt2nid(typestr);
if (nid == NID_undef) {
- BIO_printf(bio_err, "%s: Skipping unknown attribute \"%s\"\n",
- opt_getprog(), typestr);
+ BIO_printf(bio_err,
+ "%s: Skipping unknown %s name attribute \"%s\"\n",
+ opt_getprog(), desc, typestr);
continue;
}
if (*valstr == '\0') {
BIO_printf(bio_err,
- "%s: No value provided for Subject Attribute %s, skipped\n",
- opt_getprog(), typestr);
+ "%s: No value provided for %s name attribute \"%s\", skipped\n",
+ opt_getprog(), desc, typestr);
continue;
}
if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
valstr, strlen((char *)valstr),
-1, ismulti ? -1 : 0)) {
ERR_print_errors(bio_err);
- BIO_printf(bio_err, "%s: Error adding name attribute \"/%s=%s\"\n",
- opt_getprog(), typestr ,valstr);
+ BIO_printf(bio_err,
+ "%s: Error adding %s name attribute \"/%s=%s\"\n",
+ opt_getprog(), desc, typestr ,valstr);
goto err;
}
}
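Review bot: The rewritten argument list for the add-entry error keeps the stray space before the comma, `opt_getprog(), desc, typestr ,valstr);`, which this hunk otherwise normalises; `opt_getprog(), desc, typestr, valstr);`. Since the "Skipping unknown ... attribute" and "No value provided ... skipped" paths now name the attribute but still `continue` and return a name without it, the parse_name header comment should say that such attributes are dropped with only a warning on bio_err, so callers building a certificate subject know a typo is not a hard error. The enclosing loop and function end outside this hunk.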
diff --git a/apps/req.c b/apps/req.c
index 8931e9829f..46739554bd 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1078,7 +1078,7 @@ static int build_subject(X509_REQ *req, const char *subject, unsigned long chtyp
{
X509_NAME *n;
- if ((n = parse_name(subject, chtype, multirdn)) == NULL)
+ if ((n = parse_name(subject, chtype, multirdn, "subject")) == NULL)
return 0;
if (!X509_REQ_set_subject_name(req, n)) {
diff --git a/apps/storeutl.c b/apps/storeutl.c
index 95af277260..66fd423ab0 100644
--- a/apps/storeutl.c
+++ b/apps/storeutl.c
@@ -157,11 +157,9 @@ int storeutl_main(int argc, char *argv[])
prog);
goto end;
}
- if ((subject = parse_name(opt_arg(), MBSTRING_UTF8, 1)) == NULL) {
- BIO_printf(bio_err, "%s: can't parse subject argument.\n",
- prog);
+ subject = parse_name(opt_arg(), MBSTRING_UTF8, 1, "subject");
+ if (subject == NULL)
goto end;
- }
break;
case OPT_CRITERION_ISSUER:
if (criterion != 0
@@ -177,11 +175,9 @@ int storeutl_main(int argc, char *argv[])
prog);
goto end;
}
- if ((issuer = parse_name(opt_arg(), MBSTRING_UTF8, 1)) == NULL) {
- BIO_printf(bio_err, "%s: can't parse issuer argument.\n",
- prog);
+ issuer = parse_name(opt_arg(), MBSTRING_UTF8, 1, "issuer");
+ if (issuer == NULL)
goto end;
- }
break;
case OPT_CRITERION_SERIAL:
if (criterion != 0
diff --git a/apps/x509.c b/apps/x509.c
index d8f69c08eb..fbe4b8cefe 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -536,7 +536,8 @@ int x509_main(int argc, char **argv)
"The -new option requires a subject to be set using -subj\n");
goto end;
}
- if (subj != NULL && (fsubj = parse_name(subj, chtype, multirdn)) == NULL)
+ if (subj != NULL
+ && (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL)
goto end;
if (CAkeyfile == NULL && CA_flag && CAformat == FORMAT_PEM) {
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 1b4fca9b97..53becb8ed4 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2668,6 +2668,7 @@ KDF_R_VALUE_MISSING:102:value missing
KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size
OBJ_R_OID_EXISTS:102:oid exists
OBJ_R_UNKNOWN_NID:101:unknown nid
+OBJ_R_UNKNOWN_OBJECT_NAME:103:unknown object name
OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
OCSP_R_DIGEST_ERR:102:digest err
OCSP_R_ERROR_IN_NEXTUPDATE_FIELD:122:error in nextupdate field
@@ -3470,7 +3471,7 @@ X509V3_R_INVALID_IPADDRESS:166:invalid ipaddress
X509V3_R_INVALID_MULTIPLE_RDNS:161:invalid multiple rdns
X509V3_R_INVALID_NAME:106:invalid name
X509V3_R_INVALID_NULL_ARGUMENT:107:invalid null argument
-X509V3_R_INVALID_NULL_NAME:108:invalid null name
+X509V3_R_INVALID_EMPTY_NAME:108:invalid empty name
X509V3_R_INVALID_NULL_VALUE:109:invalid null value
X509V3_R_INVALID_NUMBER:140:invalid number
X509V3_R_INVALID_NUMBERS:141:invalid numbers
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 0c4ec985cb..b2fd4a0226 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -372,6 +372,10 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
if (((nid = OBJ_sn2nid(s)) != NID_undef) ||
((nid = OBJ_ln2nid(s)) != NID_undef))
return OBJ_nid2obj(nid);
+ if (!ossl_isdigit(*s)) {
+ OBJerr(OBJ_F_OBJ_TXT2OBJ, OBJ_R_UNKNOWN_OBJECT_NAME);
+ return NULL;
+ }
}
/* Work out size of content octets */
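Review bot: The new guard inspects only the first character, so an unknown name that happens to start with a digit still falls through to the numeric OID parser below and fails with a different reason than OBJ_R_UNKNOWN_OBJECT_NAME; that split deserves a comment so the next reader does not tighten or loosen it by accident, e.g. `/* Not a known short or long name; only a dotted numeric OID can still be accepted below */` above the `if`. The enclosing `if` and the rest of OBJ_txt2obj lie outside this hunk, so whether `s` can be empty or NULL at this point is not visible here; `*s == '\0'` at least takes the new error path.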
diff --git a/crypto/objects/obj_err.c b/crypto/objects/obj_err.c
index b32e9f6f55..c55e8ef2d0 100644
--- a/crypto/objects/obj_err.c
+++ b/crypto/objects/obj_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -16,6 +16,8 @@
static const ERR_STRING_DATA OBJ_str_reasons[] = {
{ERR_PACK(ERR_LIB_OBJ, 0, OBJ_R_OID_EXISTS), "oid exists"},
{ERR_PACK(ERR_LIB_OBJ, 0, OBJ_R_UNKNOWN_NID), "unknown nid"},
+ {ERR_PACK(ERR_LIB_OBJ, 0, OBJ_R_UNKNOWN_OBJECT_NAME),
+ "unknown object name"},
{0, NULL}
};
diff --git a/crypto/x509/v3_addr.c b/crypto/x509/v3_addr.c
index 9e2b9d48a9..d965d74553 100644
--- a/crypto/x509/v3_addr.c
+++ b/crypto/x509/v3_addr.c
@@ -22,6 +22,7 @@
#include <openssl/x509v3.h>
#include "crypto/x509.h"
#include "ext_dat.h"
+#include "x509_local.h"
#ifndef OPENSSL_NO_RFC3779
@@ -925,7 +926,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
} else {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
X509V3_R_EXTENSION_NAME_ERROR);
- X509V3_conf_err(val);
+ ERR_add_error_data(1, val->name);
goto err;
}
@@ -949,7 +950,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
t += strspn(t, " \t");
if (*safi > 0xFF || *t++ != ':') {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
t += strspn(t, " \t");
@@ -970,7 +971,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
if (!X509v3_addr_add_inherit(addr, afi, safi)) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
X509V3_R_INVALID_INHERITANCE);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
OPENSSL_free(s);
@@ -985,7 +986,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
if (a2i_ipadd(min, s) != length) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
@@ -995,7 +996,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
if (t == s + i2 || *t != '\0') {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
X509V3_R_EXTENSION_VALUE_ERROR);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
@@ -1009,19 +1010,19 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
if (i1 == i2 || s[i2] != '\0') {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
X509V3_R_EXTENSION_VALUE_ERROR);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
if (a2i_ipadd(max, s + i1) != length) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
X509V3_R_INVALID_IPADDRESS);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
if (memcmp(min, max, length_from_afi(afi)) > 0) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
X509V3_R_EXTENSION_VALUE_ERROR);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
@@ -1038,7 +1039,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
default:
X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
X509V3_R_EXTENSION_VALUE_ERROR);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
diff --git a/crypto/x509/v3_asid.c b/crypto/x509/v3_asid.c
index 0ff37073cf..0fc7641386 100644
--- a/crypto/x509/v3_asid.c
+++ b/crypto/x509/v3_asid.c
@@ -23,6 +23,7 @@
#include "crypto/x509.h"
#include <openssl/bn.h>
#include "ext_dat.h"
+#include "x509_local.h"
#ifndef OPENSSL_NO_RFC3779
@@ -545,7 +546,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
} else {
X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
X509V3_R_EXTENSION_NAME_ERROR);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
@@ -557,7 +558,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
continue;
X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
X509V3_R_INVALID_INHERITANCE);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
@@ -573,7 +574,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
if (val->value[i2] != '-') {
X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
X509V3_R_INVALID_ASNUMBER);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
i2++;
@@ -582,7 +583,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
if (val->value[i3] != '\0') {
X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
X509V3_R_INVALID_ASRANGE);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
}
diff --git a/crypto/x509/v3_bcons.c b/crypto/x509/v3_bcons.c
index 6ab4aaf687..01d38473a3 100644
--- a/crypto/x509/v3_bcons.c
+++ b/crypto/x509/v3_bcons.c
@@ -14,6 +14,7 @@
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#include "ext_dat.h"
+#include "x509_local.h"
DEFINE_STACK_OF(CONF_VALUE)
@@ -73,9 +74,10 @@ static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
} else if (strcmp(val->name, "pathlen") == 0) {
if (!X509V3_get_value_int(val, &bcons->pathlen))
goto err;
+ /* TODO add sanity check on int value - at least, must be >= 0 */
} else {
X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, X509V3_R_INVALID_NAME);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
}
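Review bot: The added `/* TODO add sanity check on int value - at least, must be >= 0 */` leaves the check itself for later, yet the check is small enough to land now: pathLenConstraint is INTEGER (0..MAX) in RFC 5280, and a negative value written into a basicConstraints extension is an encoding error that downstream validators reject. The helper macro this hunk already uses gives a consistent error report; `X509V3_R_INVALID_NUMBER` appears in this commit's reason list and fits. The check reads the sign of the ASN1_INTEGER via ASN1_STRING_type() rather than ASN1_INTEGER_get(), whose -1 result is ambiguous between "negative" and "does not fit in a long"; confirm that accessor is the preferred one in this tree. The enclosing loop and function continue outside the hunk.
```c
            if (!X509V3_get_value_int(val, &bcons->pathlen))
                goto err;
            /* RFC 5280: pathLenConstraint is INTEGER (0..MAX) */
            if (ASN1_STRING_type(bcons->pathlen) == V_ASN1_NEG_INTEGER) {
                X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, X509V3_R_INVALID_NUMBER);
                X509V3_conf_add_error_name_value(val);
                goto err;
            }
            /* … unchanged: invalid-name branch … */
```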
diff --git a/crypto/x509/v3_bitst.c b/crypto/x509/v3_bitst.c
index ec8fdc55a1..02d40863a6 100644
--- a/crypto/x509/v3_bitst.c
+++ b/crypto/x509/v3_bitst.c
@@ -86,7 +86,7 @@ ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
if (!bnam->lname) {
X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
- X509V3_conf_err(val);
+ ERR_add_error_data(1, val->name);
ASN1_BIT_STRING_free(bs);
return NULL;
}
diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c
index bbe67dc3d3..88e29f9cc4 100644
--- a/crypto/x509/v3_conf.c
+++ b/crypto/x509/v3_conf.c
@@ -33,33 +33,42 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
int ext_nid, int crit, void *ext_struc);
static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
long *ext_len);
-/* CONF *conf: Config file */
-/* char *name: Name */
-/* char *value: Value */
-X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
- const char *value)
+
+static X509_EXTENSION *X509V3_EXT_nconf_int(CONF *conf, X509V3_CTX *ctx,
+ const char *section,
+ const char *name, const char *value)
{
int crit;
int ext_type;
X509_EXTENSION *ret;
+
crit = v3_check_critical(&value);
if ((ext_type = v3_check_generic(&value)))
return v3_generic_extension(name, value, crit, ext_type, ctx);
ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
if (!ret) {
- X509V3err(X509V3_F_X509V3_EXT_NCONF, X509V3_R_ERROR_IN_EXTENSION);
- ERR_add_error_data(4, "name=", name, ", value=", value);
+ X509V3err(0, X509V3_R_ERROR_IN_EXTENSION);
+ if (section != NULL)
+ ERR_add_error_data(6, "section=", section,
+ ", name=", name, ", value=", value);
+ else
+ ERR_add_error_data(4, "name=", name, ", value=", value);
}
return ret;
}
-/* CONF *conf: Config file */
-/* char *value: Value */
+X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
+ const char *value)
+{
+ return X509V3_EXT_nconf_int(conf, ctx, NULL, name, value);
+}
+
X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
const char *value)
{
int crit;
int ext_type;
+
crit = v3_check_critical(&value);
if ((ext_type = v3_check_generic(&value)))
return v3_generic_extension(OBJ_nid2sn(ext_nid),
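Review bot: The new static helper is named `X509V3_EXT_nconf_int`, the public-API prefix, while every other static in this file visible in the diff (`do_ext_nconf`, `do_ext_i2d`, `v3_check_critical`, `v3_check_generic`, `generic_asn1`, `delete_ext`) is lowercase; a name such as `do_ext_nconf_section` would mark it internal and avoid it being mistaken for an exported symbol. It also has no comment, and its one difference from X509V3_EXT_nconf is worth stating: `/* As X509V3_EXT_nconf(), but also records section (may be NULL) in the error data when the extension cannot be built */`. The `X509V3err(0, ...)` presumably reflects function codes being phased out; if so, a word in the commit message would save the next reader from reading 0 as a mistake.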
@@ -138,6 +147,7 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
int ext_len;
ASN1_OCTET_STRING *ext_oct = NULL;
X509_EXTENSION *ext;
+
/* Convert internal representation to DER */
if (method->it) {
ext_der = NULL;
@@ -192,6 +202,7 @@ X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
static int v3_check_critical(const char **value)
{
const char *p = *value;
+
if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
return 0;
p += 9;
@@ -206,6 +217,7 @@ static int v3_check_generic(const char **value)
{
int gen_type = 0;
const char *p = *value;
+
if ((strlen(p) >= 4) && strncmp(p, "DER:", 4) == 0) {
p += 4;
gen_type = 1;
@@ -275,6 +287,7 @@ static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
{
ASN1_TYPE *typ;
unsigned char *ext_der = NULL;
+
typ = ASN1_generate_v3(value, ctx);
if (typ == NULL)
return NULL;
@@ -287,9 +300,11 @@ static void delete_ext(STACK_OF(X509_EXTENSION) *sk, X509_EXTENSION *dext)
{
int idx;
ASN1_OBJECT *obj;
+
obj = X509_EXTENSION_get_object(dext);
while ((idx = X509v3_get_ext_by_OBJ(sk, obj, -1)) >= 0) {
X509_EXTENSION *tmpext = X509v3_get_ext(sk, idx);
+
X509v3_delete_ext(sk, idx);
X509_EXTENSION_free(tmpext);
}
@@ -312,7 +327,8 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
return 0;
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
val = sk_CONF_VALUE_value(nval, i);
- if ((ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)) == NULL)
+ if ((ext = X509V3_EXT_nconf_int(conf, ctx, val->section,
+ val->name, val->value)) == NULL)
return 0;
if (ctx->flags == X509V3_CTX_REPLACE)
delete_ext(*sk, ext);
@@ -358,6 +374,7 @@ int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
{
STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
int i;
+
if (req)
sk = &extlist;
i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
@@ -448,12 +465,11 @@ X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
const char *name, const char *value)
{
CONF ctmp;
+
CONF_set_nconf(&ctmp, conf);
return X509V3_EXT_nconf(&ctmp, ctx, name, value);
}
-/* LHASH *conf: Config file */
-/* char *value: Value */
X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
X509V3_CTX *ctx, int ext_nid, const char *value)
{
@@ -489,6 +505,7 @@ int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
const char *section, X509 *cert)
{
CONF ctmp;
+
CONF_set_nconf(&ctmp, conf);
return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
}
@@ -499,6 +516,7 @@ int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
const char *section, X509_CRL *crl)
{
CONF ctmp;
+
CONF_set_nconf(&ctmp, conf);
return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
}
@@ -509,6 +527,7 @@ int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
const char *section, X509_REQ *req)
{
CONF ctmp;
+
CONF_set_nconf(&ctmp, conf);
return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
}
diff --git a/crypto/x509/v3_cpols.c b/crypto/x509/v3_cpols.c
index abbf5fbe60..6b507f40d7 100644
--- a/crypto/x509/v3_cpols.c
+++ b/crypto/x509/v3_cpols.c
@@ -14,6 +14,7 @@
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
+#include "x509_local.h"
#include "pcy_local.h"
#include "ext_dat.h"
@@ -116,11 +117,10 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
ia5org = 0;
for (i = 0; i < num; i++) {
cnf = sk_CONF_VALUE_value(vals, i);
-
- if (cnf->value || !cnf->name) {
+ if (cnf->value != NULL || cnf->name == NULL) {
X509V3err(X509V3_F_R2I_CERTPOL,
X509V3_R_INVALID_POLICY_IDENTIFIER);
- X509V3_conf_err(cnf);
+ X509V3_conf_add_error_name_value(cnf);
goto err;
}
pstr = cnf->name;
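Review bot: After this series the only remaining `X509V3_conf_err(cnf)` in this file is the one left as context in the `X509V3_R_INVALID_OPTION` branch of policy_section (the hunk that only drops a blank line), so that one error keeps reporting in the older macro's layout while every other site in r2i_certpol and notice_section now uses `X509V3_conf_add_error_name_value`. Switching it too, `X509V3_conf_add_error_name_value(cnf);`, keeps the file's diagnostics uniform, assuming the public X509V3_conf_err macro still emits its previous `section:...,name:...,value:...` format. The r2i_certpol loop continues past this hunk.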
@@ -133,8 +133,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
polsect = X509V3_get_section(ctx, pstr + 1);
if (polsect == NULL) {
X509V3err(X509V3_F_R2I_CERTPOL, X509V3_R_INVALID_SECTION);
-
- X509V3_conf_err(cnf);
+ ERR_add_error_data(1, cnf->name);
goto err;
}
pol = policy_section(ctx, polsect, ia5org);
@@ -145,7 +144,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
if ((pobj = OBJ_txt2obj(cnf->name, 0)) == NULL) {
X509V3err(X509V3_F_R2I_CERTPOL,
X509V3_R_INVALID_OBJECT_IDENTIFIER);
- X509V3_conf_err(cnf);
+ ERR_add_error_data(1, cnf->name);
goto err;
}
pol = POLICYINFO_new();
@@ -184,6 +183,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
cnf = sk_CONF_VALUE_value(polstrs, i);
if (strcmp(cnf->name, "policyIdentifier") == 0) {
ASN1_OBJECT *pobj;
+
if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
X509V3err(X509V3_F_POLICY_SECTION,
X509V3_R_INVALID_OBJECT_IDENTIFIER);
@@ -233,7 +233,6 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
goto merr;
} else {
X509V3err(X509V3_F_POLICY_SECTION, X509V3_R_INVALID_OPTION);
-
X509V3_conf_err(cnf);
goto err;
}
@@ -307,6 +306,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
qual->d.usernotice = not;
for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
cnf = sk_CONF_VALUE_value(unot, i);
+
value = cnf->value;
if (strcmp(cnf->name, "explicitText") == 0) {
tag = displaytext_str2tag(value, &tag_len);
@@ -319,6 +319,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
goto merr;
} else if (strcmp(cnf->name, "organization") == 0) {
NOTICEREF *nref;
+
if (!not->noticeref) {
if ((nref = NOTICEREF_new()) == NULL)
goto merr;
@@ -334,6 +335,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
goto merr;
} else if (strcmp(cnf->name, "noticeNumbers") == 0) {
NOTICEREF *nref;
+
STACK_OF(CONF_VALUE) *nos;
if (!not->noticeref) {
if ((nref = NOTICEREF_new()) == NULL)
@@ -344,7 +346,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
nos = X509V3_parse_list(cnf->value);
if (!nos || !sk_CONF_VALUE_num(nos)) {
X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_NUMBERS);
- X509V3_conf_err(cnf);
+ X509V3_conf_add_error_name_value(cnf);
sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
goto err;
}
@@ -354,7 +356,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
goto err;
} else {
X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_OPTION);
- X509V3_conf_err(cnf);
+ X509V3_conf_add_error_name_value(cnf);
goto err;
}
}
diff --git a/crypto/x509/v3_crld.c b/crypto/x509/v3_crld.c
index 21a1bfcd7d..b54346d036 100644
--- a/crypto/x509/v3_crld.c
+++ b/crypto/x509/v3_crld.c
@@ -16,6 +16,7 @@
#include "crypto/x509.h"
#include "ext_dat.h"
+#include "x509_local.h"
DEFINE_STACK_OF(CONF_VALUE)
DEFINE_STACK_OF(GENERAL_NAME)
@@ -256,7 +257,7 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
DIST_POINT *point;
cnf = sk_CONF_VALUE_value(nval, i);
- if (!cnf->value) {
+ if (cnf->value == NULL) {
STACK_OF(CONF_VALUE) *dpsect;
dpsect = X509V3_get_section(ctx, cnf->name);
if (!dpsect)
@@ -398,7 +399,7 @@ static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
goto err;
} else {
X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
- X509V3_conf_err(cnf);
+ X509V3_conf_add_error_name_value(cnf);
goto err;
}
}
diff --git a/crypto/x509/v3_extku.c b/crypto/x509/v3_extku.c
index ed51b60f0c..7769bc9931 100644
--- a/crypto/x509/v3_extku.c
+++ b/crypto/x509/v3_extku.c
@@ -97,7 +97,7 @@ static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,
X509V3_R_INVALID_OBJECT_IDENTIFIER);
- X509V3_conf_err(val);
+ ERR_add_error_data(1, extval);
return NULL;
}
sk_ASN1_OBJECT_push(extku, objtmp); /* no failure as it was reserved */
diff --git a/crypto/x509/v3_pci.c b/crypto/x509/v3_pci.c
index 30711149ce..714733684b 100644
--- a/crypto/x509/v3_pci.c
+++ b/crypto/x509/v3_pci.c
@@ -255,6 +255,7 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
vals = X509V3_parse_list(value);
for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
+
if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
X509V3err(X509V3_F_R2I_PCI,
X509V3_R_INVALID_PROXY_POLICY_SETTING);
diff --git a/crypto/x509/v3_pcons.c b/crypto/x509/v3_pcons.c
index e7bb7e9546..88a9497504 100644
--- a/crypto/x509/v3_pcons.c
+++ b/crypto/x509/v3_pcons.c
@@ -76,7 +76,7 @@ static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
goto err;
} else {
X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, X509V3_R_INVALID_NAME);
- X509V3_conf_err(val);
+ ERR_add_error_data(1, val->name);
goto err;
}
}
diff --git a/crypto/x509/v3_pmaps.c b/crypto/x509/v3_pmaps.c
index d54384dac2..23aefb196c 100644
--- a/crypto/x509/v3_pmaps.c
+++ b/crypto/x509/v3_pmaps.c
@@ -85,7 +85,7 @@ static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
if (!val->value || !val->name) {
X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
X509V3_R_INVALID_OBJECT_IDENTIFIER);
- X509V3_conf_err(val);
+ ERR_add_error_data(1, val->name);
goto err;
}
obj1 = OBJ_txt2obj(val->name, 0);
@@ -93,7 +93,7 @@ static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
if (!obj1 || !obj2) {
X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
X509V3_R_INVALID_OBJECT_IDENTIFIER);
- X509V3_conf_err(val);
+ ERR_add_error_data(1, val->name);
goto err;
}
pmap = POLICY_MAPPING_new();
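Review bot: The second hunk reports only `val->name` when `!obj1 || !obj2`, but if `obj2` is parsed from `val->value` (as the line after `obj1 = OBJ_txt2obj(val->name, 0)` presumably does), a failure there points the user at the wrong half of the mapping; the first hunk has the same asymmetry when `val->value` is the NULL side. Reporting both, `ERR_add_error_data(4, "name=", val->name, ", value=", val->value);`, matches what the other converted extensions do, and avoids including the private header this file does not add. v2i_POLICY_MAPPINGS continues outside the hunk.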
diff --git a/crypto/x509/v3_tlsf.c b/crypto/x509/v3_tlsf.c
index e494e4e8d1..81ce333a34 100644
--- a/crypto/x509/v3_tlsf.c
+++ b/crypto/x509/v3_tlsf.c
@@ -14,6 +14,7 @@
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#include "ext_dat.h"
+#include "x509_local.h"
DEFINE_STACK_OF(ASN1_INTEGER)
DEFINE_STACK_OF(CONF_VALUE)
@@ -119,7 +120,7 @@ static TLS_FEATURE *v2i_TLS_FEATURE(const X509V3_EXT_METHOD *method,
if (((*endptr) != '\0') || (extval == endptr) || (tlsextid < 0) ||
(tlsextid > 65535)) {
X509V3err(X509V3_F_V2I_TLS_FEATURE, X509V3_R_INVALID_SYNTAX);
- X509V3_conf_err(val);
+ X509V3_conf_add_error_name_value(val);
goto err;
}
}
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index aefb589743..acb0e35a42 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -19,6 +19,7 @@
#include "crypto/x509.h"
#include <openssl/bn.h>
#include "ext_dat.h"
+#include "x509_local.h"
DEFINE_STACK_OF(CONF_VALUE)
DEFINE_STACK_OF(GENERAL_NAME)
@@ -271,7 +272,7 @@ int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
err:
X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,
X509V3_R_INVALID_BOOLEAN_STRING);
- X509V3_conf_err(value);
+ X509V3_conf_add_error_name_value(value);
return 0;
}
@@ -280,7 +281,7 @@ int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
ASN1_INTEGER *itmp;
if ((itmp = s2i_ASN1_INTEGER(NULL, value->value)) == NULL) {
- X509V3_conf_err(value);
+ X509V3_conf_add_error_name_value(value);
return 0;
}
*aint = itmp;
@@ -322,7 +323,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
ntmp = strip_spaces(q);
if (!ntmp) {
X509V3err(X509V3_F_X509V3_PARSE_LIST,
- X509V3_R_INVALID_NULL_NAME);
+ X509V3_R_INVALID_EMPTY_NAME);
goto err;
}
q = p + 1;
@@ -332,7 +333,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
q = p + 1;
if (!ntmp) {
X509V3err(X509V3_F_X509V3_PARSE_LIST,
- X509V3_R_INVALID_NULL_NAME);
+ X509V3_R_INVALID_EMPTY_NAME);
goto err;
}
X509V3_add_value(ntmp, NULL, &values);
@@ -368,7 +369,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
} else {
ntmp = strip_spaces(q);
if (!ntmp) {
- X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
+ X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_EMPTY_NAME);
goto err;
}
X509V3_add_value(ntmp, NULL, &values);
diff --git a/crypto/x509/v3err.c b/crypto/x509/v3err.c
index cbda3f2cf8..91fe0d075a 100644
--- a/crypto/x509/v3err.c
+++ b/crypto/x509/v3err.c
@@ -62,8 +62,8 @@ static const ERR_STRING_DATA X509V3_str_reasons[] = {
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NAME), "invalid name"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_ARGUMENT),
"invalid null argument"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_NAME),
- "invalid null name"},
+ {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_EMPTY_NAME),
+ "invalid empty name"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_VALUE),
"invalid null value"},
{ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NUMBER), "invalid number"},
diff --git a/crypto/x509/x509_local.h b/crypto/x509/x509_local.h
index e944d16afe..6a2137129c 100644
--- a/crypto/x509/x509_local.h
+++ b/crypto/x509/x509_local.h
@@ -9,6 +9,9 @@
#include "internal/refcount.h"
+#define X509V3_conf_add_error_name_value(val) \
+ ERR_add_error_data(4, "name=", (val)->name, ", value=", (val)->value)
+
/*
* This structure holds all parameters associated with a verify operation by
* including an X509_VERIFY_PARAM structure in related structures the
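Review bot: The new macro is added without a comment and takes an untyped argument, so a caller passing anything with `name`/`value` members compiles; a short header comment makes its contract explicit: `/* Append "name=<name>, value=<value>" of a CONF_VALUE to the most recently raised error; a NULL member is rendered as "<NULL>" by ERR_add_error_data(). */` (the `<NULL>` rendering is what the "section:<NULL>" commit in this series removed). A `static ossl_inline` function taking `const CONF_VALUE *` would type-check the argument instead, if this header's includes allow it. The macro also relies on each including file having `<openssl/err.h>` in scope for ERR_add_error_data, which this header does not appear to include itself; worth confirming.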
diff --git a/include/openssl/objectserr.h b/include/openssl/objectserr.h
index 3cac9a7327..f1de77945b 100644
--- a/include/openssl/objectserr.h
+++ b/include/openssl/objectserr.h
@@ -8,8 +8,8 @@
* https://www.openssl.org/source/license.html
*/
-#ifndef OPENSSL_OBJECTSERR_H
-# define OPENSSL_OBJECTSERR_H
+#ifndef OPENSSL_OBJERR_H
+# define OPENSSL_OBJERR_H
# pragma once
# include <openssl/opensslconf.h>
@@ -41,5 +41,6 @@ int ERR_load_OBJ_strings(void);
*/
# define OBJ_R_OID_EXISTS 102
# define OBJ_R_UNKNOWN_NID 101
+# define OBJ_R_UNKNOWN_OBJECT_NAME 103
#endif
diff --git a/include/openssl/x509v3err.h b/include/openssl/x509v3err.h
index eb3593fa20..d7aa5da6ac 100644
--- a/include/openssl/x509v3err.h
+++ b/include/openssl/x509v3err.h
@@ -127,7 +127,7 @@ int ERR_load_X509V3_strings(void);
# define X509V3_R_INVALID_MULTIPLE_RDNS 161
# define X509V3_R_INVALID_NAME 106
# define X509V3_R_INVALID_NULL_ARGUMENT 107
-# define X509V3_R_INVALID_NULL_NAME 108
+# define X509V3_R_INVALID_EMPTY_NAME 108
# define X509V3_R_INVALID_NULL_VALUE 109
# define X509V3_R_INVALID_NUMBER 140
# define X509V3_R_INVALID_NUMBERS 141
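Review bot: `X509V3_R_INVALID_NULL_NAME` disappears from a public header with no compatibility alias, so any application that references the old name stops compiling; the value 108 is kept, so only source compatibility is affected. Because this header is evidently regenerated from crypto/err/openssl.txt (that hunk changes the same entry), an alias such as `# define X509V3_R_INVALID_NULL_NAME X509V3_R_INVALID_EMPTY_NAME` would have to live in a hand-maintained header, or the rename should at least be recorded in CHANGES.md as an intentional API change for the next major release.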