Name constraits needs to be evaluated in block as they appear in the
certificates, they can not be joined to one list. One example of this is: * cert is cn=foo,dc=bar,dc=baz * subca is dc=foo,dc=baz with name restriction dc=kaka,dc=baz * ca is dc=baz with name restriction dc=baz If the name restrictions are merged to a list, the certificate will pass this test. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16757 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
116
lib/hx509/cert.c
116
lib/hx509/cert.c
@@ -61,11 +61,8 @@ struct hx509_cert_data {
|
|||||||
};
|
};
|
||||||
|
|
||||||
typedef struct hx509_name_constraints {
|
typedef struct hx509_name_constraints {
|
||||||
/* NameConstraints nc; */
|
NameConstraints *val;
|
||||||
struct {
|
size_t len;
|
||||||
GeneralSubtrees *permittedSubtrees;
|
|
||||||
GeneralSubtrees *excludedSubtrees;
|
|
||||||
} nc;
|
|
||||||
} hx509_name_constraints;
|
} hx509_name_constraints;
|
||||||
|
|
||||||
#define GeneralSubtrees_SET(g,var) \
|
#define GeneralSubtrees_SET(g,var) \
|
||||||
@@ -816,44 +813,6 @@ static int
|
|||||||
init_name_constraints(hx509_name_constraints *nc)
|
init_name_constraints(hx509_name_constraints *nc)
|
||||||
{
|
{
|
||||||
memset(nc, 0, sizeof(*nc));
|
memset(nc, 0, sizeof(*nc));
|
||||||
|
|
||||||
nc->nc.permittedSubtrees = calloc(1, sizeof(*nc->nc.permittedSubtrees));
|
|
||||||
if (nc->nc.permittedSubtrees == NULL)
|
|
||||||
return ENOMEM;
|
|
||||||
nc->nc.excludedSubtrees = calloc(1, sizeof(*nc->nc.excludedSubtrees));
|
|
||||||
if (nc->nc.excludedSubtrees == NULL) {
|
|
||||||
free(nc->nc.permittedSubtrees);
|
|
||||||
nc->nc.permittedSubtrees = NULL;
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
append_tree(const GeneralSubtrees *add, GeneralSubtrees *merge)
|
|
||||||
{
|
|
||||||
unsigned int num, i;
|
|
||||||
GeneralSubtree *st;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
num = merge->len + add->len;
|
|
||||||
if (num < merge->len)
|
|
||||||
return HX509_RANGE;
|
|
||||||
if (num > UINT_MAX/sizeof(merge->val[0]))
|
|
||||||
return HX509_RANGE;
|
|
||||||
st = realloc(merge->val, sizeof(*st) * num);
|
|
||||||
if (st == NULL)
|
|
||||||
return ENOMEM;
|
|
||||||
merge->val = st;
|
|
||||||
memset(&st[merge->len], 0, sizeof(add->val[0]) * add->len);
|
|
||||||
for (i = 0; i < add->len; i++) {
|
|
||||||
ret = copy_GeneralSubtree(&add->val[i],
|
|
||||||
&merge->val[merge->len + i]);
|
|
||||||
if (ret)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
merge->len = num;
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -872,16 +831,19 @@ add_name_constraints(const Certificate *c, int not_ca,
|
|||||||
else if (not_ca) {
|
else if (not_ca) {
|
||||||
ret = HX509_VERIFY_CONSTRAINTS;
|
ret = HX509_VERIFY_CONSTRAINTS;
|
||||||
} else {
|
} else {
|
||||||
GeneralSubtrees gs;
|
NameConstraints *val;
|
||||||
if (tnc.permittedSubtrees) {
|
val = realloc(nc->val, sizeof(nc->val[0]) * (nc->len + 1));
|
||||||
GeneralSubtrees_SET(&gs, tnc.permittedSubtrees);
|
if (val == NULL) {
|
||||||
ret = append_tree(&gs, nc->nc.permittedSubtrees);
|
ret = ENOMEM;
|
||||||
}
|
goto out;
|
||||||
if (ret == 0 && tnc.excludedSubtrees) {
|
|
||||||
GeneralSubtrees_SET(&gs, tnc.excludedSubtrees);
|
|
||||||
ret = append_tree(&gs, nc->nc.excludedSubtrees);
|
|
||||||
}
|
}
|
||||||
|
nc->val = val;
|
||||||
|
ret = copy_NameConstraints(&tnc, &nc->val[nc->len]);
|
||||||
|
if (ret)
|
||||||
|
goto out;
|
||||||
|
nc->len += 1;
|
||||||
}
|
}
|
||||||
|
out:
|
||||||
free_NameConstraints(&tnc);
|
free_NameConstraints(&tnc);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@@ -1079,26 +1041,28 @@ static int
|
|||||||
check_name_constraints(const hx509_name_constraints *nc,
|
check_name_constraints(const hx509_name_constraints *nc,
|
||||||
const Certificate *c)
|
const Certificate *c)
|
||||||
{
|
{
|
||||||
GeneralSubtrees gs;
|
|
||||||
int match, ret;
|
int match, ret;
|
||||||
|
int i;
|
||||||
|
|
||||||
if (nc->nc.permittedSubtrees->len > 0) {
|
for (i = 0 ; i < nc->len; i++) {
|
||||||
GeneralSubtrees_SET(&gs, nc->nc.permittedSubtrees);
|
GeneralSubtrees gs;
|
||||||
|
|
||||||
ret = match_tree(&gs, c, &match);
|
if (nc->val[i].permittedSubtrees) {
|
||||||
if (ret)
|
GeneralSubtrees_SET(&gs, nc->val[i].permittedSubtrees);
|
||||||
return ret;
|
ret = match_tree(&gs, c, &match);
|
||||||
if (match == 0)
|
if (ret)
|
||||||
return HX509_VERIFY_CONSTRAINTS;
|
return ret;
|
||||||
}
|
if (match == 0)
|
||||||
if (nc->nc.excludedSubtrees->len > 0) {
|
return HX509_VERIFY_CONSTRAINTS;
|
||||||
GeneralSubtrees_SET(&gs, nc->nc.excludedSubtrees);
|
}
|
||||||
|
if (nc->val[i].excludedSubtrees) {
|
||||||
ret = match_tree(&gs, c, &match);
|
GeneralSubtrees_SET(&gs, nc->val[i].excludedSubtrees);
|
||||||
if (ret)
|
ret = match_tree(&gs, c, &match);
|
||||||
return ret;
|
if (ret)
|
||||||
if (match)
|
return ret;
|
||||||
return HX509_VERIFY_CONSTRAINTS;
|
if (match)
|
||||||
|
return HX509_VERIFY_CONSTRAINTS;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@@ -1106,17 +1070,11 @@ check_name_constraints(const hx509_name_constraints *nc,
|
|||||||
static void
|
static void
|
||||||
free_name_constraints(hx509_name_constraints *nc)
|
free_name_constraints(hx509_name_constraints *nc)
|
||||||
{
|
{
|
||||||
/* free_NameConstraints(&nc->nc); */
|
int i;
|
||||||
if (nc->nc.permittedSubtrees) {
|
|
||||||
free_GeneralSubtrees(nc->nc.permittedSubtrees);
|
for (i = 0 ; i < nc->len; i++)
|
||||||
free(nc->nc.permittedSubtrees);
|
free_NameConstraints(&nc->val[i]);
|
||||||
nc->nc.permittedSubtrees = NULL;
|
free(nc->val);
|
||||||
}
|
|
||||||
if (nc->nc.excludedSubtrees) {
|
|
||||||
free_GeneralSubtrees(nc->nc.excludedSubtrees);
|
|
||||||
free(nc->nc.excludedSubtrees);
|
|
||||||
nc->nc.excludedSubtrees = NULL;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
|
|||||||
Reference in New Issue
Block a user