v3_ncons.c 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702
  1. /*
  2. * Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "internal/cryptlib.h"
  10. #include "internal/numbers.h"
  11. #include <stdio.h>
  12. #include "crypto/asn1.h"
  13. #include <openssl/asn1t.h>
  14. #include <openssl/conf.h>
  15. #include <openssl/x509v3.h>
  16. #include "crypto/x509.h"
  17. #include "ext_dat.h"
  18. static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
  19. X509V3_CTX *ctx,
  20. STACK_OF(CONF_VALUE) *nval);
  21. static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
  22. BIO *bp, int ind);
  23. static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
  24. STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp,
  25. int ind, const char *name);
  26. static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
  27. static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
  28. static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
  29. static int nc_dn(X509_NAME *sub, X509_NAME *nm);
  30. static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
  31. static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
  32. static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
  33. static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base);
  34. const X509V3_EXT_METHOD v3_name_constraints = {
  35. NID_name_constraints, 0,
  36. ASN1_ITEM_ref(NAME_CONSTRAINTS),
  37. 0, 0, 0, 0,
  38. 0, 0,
  39. 0, v2i_NAME_CONSTRAINTS,
  40. i2r_NAME_CONSTRAINTS, 0,
  41. NULL
  42. };
  43. ASN1_SEQUENCE(GENERAL_SUBTREE) = {
  44. ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
  45. ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
  46. ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
  47. } ASN1_SEQUENCE_END(GENERAL_SUBTREE)
  48. ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
  49. ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
  50. GENERAL_SUBTREE, 0),
  51. ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
  52. GENERAL_SUBTREE, 1),
  53. } ASN1_SEQUENCE_END(NAME_CONSTRAINTS)
  54. IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
  55. IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
  56. #define IA5_OFFSET_LEN(ia5base, offset) \
  57. ((ia5base)->length - ((unsigned char *)(offset) - (ia5base)->data))
  58. /* Like memchr but for ASN1_IA5STRING. Additionally you can specify the
  59. * starting point to search from
  60. */
  61. # define ia5memchr(str, start, c) memchr(start, c, IA5_OFFSET_LEN(str, start))
  62. /* Like memrrchr but for ASN1_IA5STRING */
  63. static char *ia5memrchr(ASN1_IA5STRING *str, int c)
  64. {
  65. int i;
  66. for (i = str->length; i > 0 && str->data[i - 1] != c; i--);
  67. if (i == 0)
  68. return NULL;
  69. return (char *)&str->data[i - 1];
  70. }
  71. /*
  72. * We cannot use strncasecmp here because that applies locale specific rules. It
  73. * also doesn't work with ASN1_STRINGs that may have embedded NUL characters.
  74. * For example in Turkish 'I' is not the uppercase character for 'i'. We need to
  75. * do a simple ASCII case comparison ignoring the locale (that is why we use
  76. * numeric constants below).
  77. */
  78. static int ia5ncasecmp(const char *s1, const char *s2, size_t n)
  79. {
  80. for (; n > 0; n--, s1++, s2++) {
  81. if (*s1 != *s2) {
  82. unsigned char c1 = (unsigned char)*s1, c2 = (unsigned char)*s2;
  83. /* Convert to lower case */
  84. if (c1 >= 0x41 /* A */ && c1 <= 0x5A /* Z */)
  85. c1 += 0x20;
  86. if (c2 >= 0x41 /* A */ && c2 <= 0x5A /* Z */)
  87. c2 += 0x20;
  88. if (c1 == c2)
  89. continue;
  90. if (c1 < c2)
  91. return -1;
  92. /* c1 > c2 */
  93. return 1;
  94. }
  95. }
  96. return 0;
  97. }
  98. static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
  99. X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
  100. {
  101. int i;
  102. CONF_VALUE tval, *val;
  103. STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
  104. NAME_CONSTRAINTS *ncons = NULL;
  105. GENERAL_SUBTREE *sub = NULL;
  106. ncons = NAME_CONSTRAINTS_new();
  107. if (ncons == NULL)
  108. goto memerr;
  109. for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
  110. val = sk_CONF_VALUE_value(nval, i);
  111. if (strncmp(val->name, "permitted", 9) == 0 && val->name[9]) {
  112. ptree = &ncons->permittedSubtrees;
  113. tval.name = val->name + 10;
  114. } else if (strncmp(val->name, "excluded", 8) == 0 && val->name[8]) {
  115. ptree = &ncons->excludedSubtrees;
  116. tval.name = val->name + 9;
  117. } else {
  118. X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
  119. goto err;
  120. }
  121. tval.value = val->value;
  122. sub = GENERAL_SUBTREE_new();
  123. if (sub == NULL)
  124. goto memerr;
  125. if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
  126. goto err;
  127. if (*ptree == NULL)
  128. *ptree = sk_GENERAL_SUBTREE_new_null();
  129. if (*ptree == NULL || !sk_GENERAL_SUBTREE_push(*ptree, sub))
  130. goto memerr;
  131. sub = NULL;
  132. }
  133. return ncons;
  134. memerr:
  135. X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
  136. err:
  137. NAME_CONSTRAINTS_free(ncons);
  138. GENERAL_SUBTREE_free(sub);
  139. return NULL;
  140. }
  141. static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
  142. BIO *bp, int ind)
  143. {
  144. NAME_CONSTRAINTS *ncons = a;
  145. do_i2r_name_constraints(method, ncons->permittedSubtrees,
  146. bp, ind, "Permitted");
  147. do_i2r_name_constraints(method, ncons->excludedSubtrees,
  148. bp, ind, "Excluded");
  149. return 1;
  150. }
  151. static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
  152. STACK_OF(GENERAL_SUBTREE) *trees,
  153. BIO *bp, int ind, const char *name)
  154. {
  155. GENERAL_SUBTREE *tree;
  156. int i;
  157. if (sk_GENERAL_SUBTREE_num(trees) > 0)
  158. BIO_printf(bp, "%*s%s:\n", ind, "", name);
  159. for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
  160. tree = sk_GENERAL_SUBTREE_value(trees, i);
  161. BIO_printf(bp, "%*s", ind + 2, "");
  162. if (tree->base->type == GEN_IPADD)
  163. print_nc_ipadd(bp, tree->base->d.ip);
  164. else
  165. GENERAL_NAME_print(bp, tree->base);
  166. BIO_puts(bp, "\n");
  167. }
  168. return 1;
  169. }
  170. static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
  171. {
  172. int i, len;
  173. unsigned char *p;
  174. p = ip->data;
  175. len = ip->length;
  176. BIO_puts(bp, "IP:");
  177. if (len == 8) {
  178. BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
  179. p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
  180. } else if (len == 32) {
  181. for (i = 0; i < 16; i++) {
  182. BIO_printf(bp, "%X", p[0] << 8 | p[1]);
  183. p += 2;
  184. if (i == 7)
  185. BIO_puts(bp, "/");
  186. else if (i != 15)
  187. BIO_puts(bp, ":");
  188. }
  189. } else
  190. BIO_printf(bp, "IP Address:<invalid>");
  191. return 1;
  192. }
  193. #define NAME_CHECK_MAX (1 << 20)
  194. static int add_lengths(int *out, int a, int b)
  195. {
  196. /* sk_FOO_num(NULL) returns -1 but is effectively 0 when iterating. */
  197. if (a < 0)
  198. a = 0;
  199. if (b < 0)
  200. b = 0;
  201. if (a > INT_MAX - b)
  202. return 0;
  203. *out = a + b;
  204. return 1;
  205. }
  206. /*-
  207. * Check a certificate conforms to a specified set of constraints.
  208. * Return values:
  209. * X509_V_OK: All constraints obeyed.
  210. * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
  211. * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
  212. * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
  213. * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
  214. * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
  215. * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
  216. */
  217. int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
  218. {
  219. int r, i, name_count, constraint_count;
  220. X509_NAME *nm;
  221. nm = X509_get_subject_name(x);
  222. /*
  223. * Guard against certificates with an excessive number of names or
  224. * constraints causing a computationally expensive name constraints check.
  225. */
  226. if (!add_lengths(&name_count, X509_NAME_entry_count(nm),
  227. sk_GENERAL_NAME_num(x->altname))
  228. || !add_lengths(&constraint_count,
  229. sk_GENERAL_SUBTREE_num(nc->permittedSubtrees),
  230. sk_GENERAL_SUBTREE_num(nc->excludedSubtrees))
  231. || (name_count > 0 && constraint_count > NAME_CHECK_MAX / name_count))
  232. return X509_V_ERR_UNSPECIFIED;
  233. if (X509_NAME_entry_count(nm) > 0) {
  234. GENERAL_NAME gntmp;
  235. gntmp.type = GEN_DIRNAME;
  236. gntmp.d.directoryName = nm;
  237. r = nc_match(&gntmp, nc);
  238. if (r != X509_V_OK)
  239. return r;
  240. gntmp.type = GEN_EMAIL;
  241. /* Process any email address attributes in subject name */
  242. for (i = -1;;) {
  243. const X509_NAME_ENTRY *ne;
  244. i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i);
  245. if (i == -1)
  246. break;
  247. ne = X509_NAME_get_entry(nm, i);
  248. gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
  249. if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
  250. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  251. r = nc_match(&gntmp, nc);
  252. if (r != X509_V_OK)
  253. return r;
  254. }
  255. }
  256. for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) {
  257. GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
  258. r = nc_match(gen, nc);
  259. if (r != X509_V_OK)
  260. return r;
  261. }
  262. return X509_V_OK;
  263. }
  264. static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
  265. {
  266. int utf8_length;
  267. unsigned char *utf8_value;
  268. int i;
  269. int isdnsname = 0;
  270. /* Don't leave outputs uninitialized */
  271. *dnsid = NULL;
  272. *idlen = 0;
  273. /*-
  274. * Per RFC 6125, DNS-IDs representing internationalized domain names appear
  275. * in certificates in A-label encoded form:
  276. *
  277. * https://tools.ietf.org/html/rfc6125#section-6.4.2
  278. *
  279. * The same applies to CNs which are intended to represent DNS names.
  280. * However, while in the SAN DNS-IDs are IA5Strings, as CNs they may be
  281. * needlessly encoded in 16-bit Unicode. We perform a conversion to UTF-8
  282. * to ensure that we get an ASCII representation of any CNs that are
  283. * representable as ASCII, but just not encoded as ASCII. The UTF-8 form
  284. * may contain some non-ASCII octets, and that's fine, such CNs are not
  285. * valid legacy DNS names.
  286. *
  287. * Note, 'int' is the return type of ASN1_STRING_to_UTF8() so that's what
  288. * we must use for 'utf8_length'.
  289. */
  290. if ((utf8_length = ASN1_STRING_to_UTF8(&utf8_value, cn)) < 0)
  291. return X509_V_ERR_OUT_OF_MEM;
  292. /*
  293. * Some certificates have had names that include a *trailing* NUL byte.
  294. * Remove these harmless NUL characters. They would otherwise yield false
  295. * alarms with the following embedded NUL check.
  296. */
  297. while (utf8_length > 0 && utf8_value[utf8_length - 1] == '\0')
  298. --utf8_length;
  299. /* Reject *embedded* NULs */
  300. if (memchr(utf8_value, 0, utf8_length) != NULL) {
  301. OPENSSL_free(utf8_value);
  302. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  303. }
  304. /*
  305. * XXX: Deviation from strict DNS name syntax, also check names with '_'
  306. * Check DNS name syntax, any '-' or '.' must be internal,
  307. * and on either side of each '.' we can't have a '-' or '.'.
  308. *
  309. * If the name has just one label, we don't consider it a DNS name. This
  310. * means that "CN=sometld" cannot be precluded by DNS name constraints, but
  311. * that is not a problem.
  312. */
  313. for (i = 0; i < utf8_length; ++i) {
  314. unsigned char c = utf8_value[i];
  315. if ((c >= 'a' && c <= 'z')
  316. || (c >= 'A' && c <= 'Z')
  317. || (c >= '0' && c <= '9')
  318. || c == '_')
  319. continue;
  320. /* Dot and hyphen cannot be first or last. */
  321. if (i > 0 && i < utf8_length - 1) {
  322. if (c == '-')
  323. continue;
  324. /*
  325. * Next to a dot the preceding and following characters must not be
  326. * another dot or a hyphen. Otherwise, record that the name is
  327. * plausible, since it has two or more labels.
  328. */
  329. if (c == '.'
  330. && utf8_value[i + 1] != '.'
  331. && utf8_value[i - 1] != '-'
  332. && utf8_value[i + 1] != '-') {
  333. isdnsname = 1;
  334. continue;
  335. }
  336. }
  337. isdnsname = 0;
  338. break;
  339. }
  340. if (isdnsname) {
  341. *dnsid = utf8_value;
  342. *idlen = (size_t)utf8_length;
  343. return X509_V_OK;
  344. }
  345. OPENSSL_free(utf8_value);
  346. return X509_V_OK;
  347. }
  348. /*
  349. * Check CN against DNS-ID name constraints.
  350. */
  351. int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
  352. {
  353. int r, i;
  354. X509_NAME *nm = X509_get_subject_name(x);
  355. ASN1_STRING stmp;
  356. GENERAL_NAME gntmp;
  357. stmp.flags = 0;
  358. stmp.type = V_ASN1_IA5STRING;
  359. gntmp.type = GEN_DNS;
  360. gntmp.d.dNSName = &stmp;
  361. /* Process any commonName attributes in subject name */
  362. for (i = -1;;) {
  363. X509_NAME_ENTRY *ne;
  364. ASN1_STRING *cn;
  365. unsigned char *idval;
  366. size_t idlen;
  367. i = X509_NAME_get_index_by_NID(nm, NID_commonName, i);
  368. if (i == -1)
  369. break;
  370. ne = X509_NAME_get_entry(nm, i);
  371. cn = X509_NAME_ENTRY_get_data(ne);
  372. /* Only process attributes that look like host names */
  373. if ((r = cn2dnsid(cn, &idval, &idlen)) != X509_V_OK)
  374. return r;
  375. if (idlen == 0)
  376. continue;
  377. stmp.length = idlen;
  378. stmp.data = idval;
  379. r = nc_match(&gntmp, nc);
  380. OPENSSL_free(idval);
  381. if (r != X509_V_OK)
  382. return r;
  383. }
  384. return X509_V_OK;
  385. }
  386. static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
  387. {
  388. GENERAL_SUBTREE *sub;
  389. int i, r, match = 0;
  390. /*
  391. * Permitted subtrees: if any subtrees exist of matching the type at
  392. * least one subtree must match.
  393. */
  394. for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
  395. sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
  396. if (gen->type != sub->base->type)
  397. continue;
  398. if (sub->minimum || sub->maximum)
  399. return X509_V_ERR_SUBTREE_MINMAX;
  400. /* If we already have a match don't bother trying any more */
  401. if (match == 2)
  402. continue;
  403. if (match == 0)
  404. match = 1;
  405. r = nc_match_single(gen, sub->base);
  406. if (r == X509_V_OK)
  407. match = 2;
  408. else if (r != X509_V_ERR_PERMITTED_VIOLATION)
  409. return r;
  410. }
  411. if (match == 1)
  412. return X509_V_ERR_PERMITTED_VIOLATION;
  413. /* Excluded subtrees: must not match any of these */
  414. for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
  415. sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
  416. if (gen->type != sub->base->type)
  417. continue;
  418. if (sub->minimum || sub->maximum)
  419. return X509_V_ERR_SUBTREE_MINMAX;
  420. r = nc_match_single(gen, sub->base);
  421. if (r == X509_V_OK)
  422. return X509_V_ERR_EXCLUDED_VIOLATION;
  423. else if (r != X509_V_ERR_PERMITTED_VIOLATION)
  424. return r;
  425. }
  426. return X509_V_OK;
  427. }
  428. static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
  429. {
  430. switch (base->type) {
  431. case GEN_DIRNAME:
  432. return nc_dn(gen->d.directoryName, base->d.directoryName);
  433. case GEN_DNS:
  434. return nc_dns(gen->d.dNSName, base->d.dNSName);
  435. case GEN_EMAIL:
  436. return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
  437. case GEN_URI:
  438. return nc_uri(gen->d.uniformResourceIdentifier,
  439. base->d.uniformResourceIdentifier);
  440. case GEN_IPADD:
  441. return nc_ip(gen->d.iPAddress, base->d.iPAddress);
  442. default:
  443. return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
  444. }
  445. }
  446. /*
  447. * directoryName name constraint matching. The canonical encoding of
  448. * X509_NAME makes this comparison easy. It is matched if the subtree is a
  449. * subset of the name.
  450. */
  451. static int nc_dn(X509_NAME *nm, X509_NAME *base)
  452. {
  453. /* Ensure canonical encodings are up to date. */
  454. if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
  455. return X509_V_ERR_OUT_OF_MEM;
  456. if (base->modified && i2d_X509_NAME(base, NULL) < 0)
  457. return X509_V_ERR_OUT_OF_MEM;
  458. if (base->canon_enclen > nm->canon_enclen)
  459. return X509_V_ERR_PERMITTED_VIOLATION;
  460. if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
  461. return X509_V_ERR_PERMITTED_VIOLATION;
  462. return X509_V_OK;
  463. }
  464. static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
  465. {
  466. char *baseptr = (char *)base->data;
  467. char *dnsptr = (char *)dns->data;
  468. /* Empty matches everything */
  469. if (base->length == 0)
  470. return X509_V_OK;
  471. if (dns->length < base->length)
  472. return X509_V_ERR_PERMITTED_VIOLATION;
  473. /*
  474. * Otherwise can add zero or more components on the left so compare RHS
  475. * and if dns is longer and expect '.' as preceding character.
  476. */
  477. if (dns->length > base->length) {
  478. dnsptr += dns->length - base->length;
  479. if (*baseptr != '.' && dnsptr[-1] != '.')
  480. return X509_V_ERR_PERMITTED_VIOLATION;
  481. }
  482. if (ia5ncasecmp(baseptr, dnsptr, base->length))
  483. return X509_V_ERR_PERMITTED_VIOLATION;
  484. return X509_V_OK;
  485. }
  486. static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
  487. {
  488. const char *baseptr = (char *)base->data;
  489. const char *emlptr = (char *)eml->data;
  490. const char *baseat = ia5memrchr(base, '@');
  491. const char *emlat = ia5memrchr(eml, '@');
  492. size_t basehostlen, emlhostlen;
  493. if (!emlat)
  494. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  495. /* Special case: initial '.' is RHS match */
  496. if (!baseat && base->length > 0 && (*baseptr == '.')) {
  497. if (eml->length > base->length) {
  498. emlptr += eml->length - base->length;
  499. if (ia5ncasecmp(baseptr, emlptr, base->length) == 0)
  500. return X509_V_OK;
  501. }
  502. return X509_V_ERR_PERMITTED_VIOLATION;
  503. }
  504. /* If we have anything before '@' match local part */
  505. if (baseat) {
  506. if (baseat != baseptr) {
  507. if ((baseat - baseptr) != (emlat - emlptr))
  508. return X509_V_ERR_PERMITTED_VIOLATION;
  509. /* Case sensitive match of local part */
  510. if (strncmp(baseptr, emlptr, emlat - emlptr))
  511. return X509_V_ERR_PERMITTED_VIOLATION;
  512. }
  513. /* Position base after '@' */
  514. baseptr = baseat + 1;
  515. }
  516. emlptr = emlat + 1;
  517. basehostlen = IA5_OFFSET_LEN(base, baseptr);
  518. emlhostlen = IA5_OFFSET_LEN(eml, emlptr);
  519. /* Just have hostname left to match: case insensitive */
  520. if (basehostlen != emlhostlen || ia5ncasecmp(baseptr, emlptr, emlhostlen))
  521. return X509_V_ERR_PERMITTED_VIOLATION;
  522. return X509_V_OK;
  523. }
  524. static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
  525. {
  526. const char *baseptr = (char *)base->data;
  527. const char *hostptr = (char *)uri->data;
  528. const char *p = ia5memchr(uri, (char *)uri->data, ':');
  529. int hostlen;
  530. /* Check for foo:// and skip past it */
  531. if (p == NULL
  532. || IA5_OFFSET_LEN(uri, p) < 3
  533. || p[1] != '/'
  534. || p[2] != '/')
  535. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  536. hostptr = p + 3;
  537. /* Determine length of hostname part of URI */
  538. /* Look for a port indicator as end of hostname first */
  539. p = ia5memchr(uri, hostptr, ':');
  540. /* Otherwise look for trailing slash */
  541. if (p == NULL)
  542. p = ia5memchr(uri, hostptr, '/');
  543. if (p == NULL)
  544. hostlen = IA5_OFFSET_LEN(uri, hostptr);
  545. else
  546. hostlen = p - hostptr;
  547. if (hostlen == 0)
  548. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  549. /* Special case: initial '.' is RHS match */
  550. if (base->length > 0 && *baseptr == '.') {
  551. if (hostlen > base->length) {
  552. p = hostptr + hostlen - base->length;
  553. if (ia5ncasecmp(p, baseptr, base->length) == 0)
  554. return X509_V_OK;
  555. }
  556. return X509_V_ERR_PERMITTED_VIOLATION;
  557. }
  558. if ((base->length != (int)hostlen)
  559. || ia5ncasecmp(hostptr, baseptr, hostlen))
  560. return X509_V_ERR_PERMITTED_VIOLATION;
  561. return X509_V_OK;
  562. }
  563. static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base)
  564. {
  565. int hostlen, baselen, i;
  566. unsigned char *hostptr, *baseptr, *maskptr;
  567. hostptr = ip->data;
  568. hostlen = ip->length;
  569. baseptr = base->data;
  570. baselen = base->length;
  571. /* Invalid if not IPv4 or IPv6 */
  572. if (!((hostlen == 4) || (hostlen == 16)))
  573. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  574. if (!((baselen == 8) || (baselen == 32)))
  575. return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  576. /* Do not match IPv4 with IPv6 */
  577. if (hostlen * 2 != baselen)
  578. return X509_V_ERR_PERMITTED_VIOLATION;
  579. maskptr = base->data + hostlen;
  580. /* Considering possible not aligned base ipAddress */
  581. /* Not checking for wrong mask definition: i.e.: 255.0.255.0 */
  582. for (i = 0; i < hostlen; i++)
  583. if ((hostptr[i] & maskptr[i]) != (baseptr[i] & maskptr[i]))
  584. return X509_V_ERR_PERMITTED_VIOLATION;
  585. return X509_V_OK;
  586. }