void *X509V3_EXT_d2i(X509_EXTENSION *ext)
{
const X509V3_EXT_METHOD *method;
const unsigned char *p;
ASN1_STRING *extvalue;
int extlen;
if ((method = X509V3_EXT_get(ext)) == NULL)
return NULL;
extvalue = X509_EXTENSION_get_data(ext);
p = ASN1_STRING_get0_data(extvalue);
extlen = ASN1_STRING_length(extvalue);
if (method->it)
return ASN1_item_d2i(NULL, &p, extlen, ASN1_ITEM_ptr(method->it));
return method->d2i(NULL, &p, extlen);
}
/* char *value: Value */
static X509_EXTENSION *
do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value)
{
const X509V3_EXT_METHOD *method;
X509_EXTENSION *ext;
STACK_OF(CONF_VALUE) *nval;
void *ext_struc;
if (ext_nid == NID_undef) {
X509V3err(X509V3_F_DO_EXT_NCONF,
X509V3_R_UNKNOWN_EXTENSION_NAME);
return NULL;
}
if (!(method = X509V3_EXT_get_nid(ext_nid))) {
X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION);
return NULL;
}
/* Now get internal extension representation based on type */
if (method->v2i) {
if (*value == '@')
nval = NCONF_get_section(conf, value + 1);
else
nval = X509V3_parse_list(value);
if (sk_CONF_VALUE_num(nval) <= 0) {
X509V3err(X509V3_F_DO_EXT_NCONF,
X509V3_R_INVALID_EXTENSION_STRING);
ERR_asprintf_error_data("name=%s,section=%s",
OBJ_nid2sn(ext_nid), value);
return NULL;
}
ext_struc = method->v2i(method, ctx, nval);
if (*value != '@')
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
if (!ext_struc)
return NULL;
} else if (method->s2i) {
if (!(ext_struc = method->s2i(method, ctx, value)))
return NULL;
} else if (method->r2i) {
if (!ctx->db || !ctx->db_meth) {
X509V3err(X509V3_F_DO_EXT_NCONF,
X509V3_R_NO_CONFIG_DATABASE);
return NULL;
}
if (!(ext_struc = method->r2i(method, ctx, value)))
return NULL;
} else {
X509V3err(X509V3_F_DO_EXT_NCONF,
X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
ERR_asprintf_error_data("name=%s", OBJ_nid2sn(ext_nid));
return NULL;
}
ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
if (method->it)
ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
else
method->ext_free(ext_struc);
return ext;
}
static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
{
/* If ADB or STACK just NULL the field */
if (tt->flags & (ASN1_TFLG_ADB_MASK|ASN1_TFLG_SK_MASK))
*pval = NULL;
else
asn1_item_clear(pval, ASN1_ITEM_ptr(tt->item));
}
EXPORT_C void *X509V3_EXT_d2i(X509_EXTENSION *ext)
{
X509V3_EXT_METHOD *method;
const unsigned char *p;
if(!(method = X509V3_EXT_get(ext))) return NULL;
p = ext->value->data;
if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
return method->d2i(NULL, &p, ext->value->length);
}
int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
int n;
for (n = 0; item_type[n] != NULL; ++n) {
const uint8_t *b = buf;
const ASN1_ITEM *i = ASN1_ITEM_ptr(item_type[n]);
ASN1_VALUE *o = ASN1_item_d2i(NULL, &b, len, i);
ASN1_item_free(o, i);
}
return 0;
}
int protocol_checkcert(void *peer, X509 * cert)
{
struct in_network net;
int i, j;
const unsigned char *p;
void *ext_str = NULL;
const STACK_OF(X509_EXTENSION) * exts = cert->cert_info->extensions;
X509_EXTENSION *ext;
X509V3_EXT_METHOD *method;
STACK_OF(GENERAL_SUBTREE) * trees;
GENERAL_SUBTREE *tree;
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++)
{
ext = sk_X509_EXTENSION_value(exts, i);
if ((method = X509V3_EXT_get(ext))
&& method->ext_nid == NID_name_constraints)
{
p = ext->value->data;
if (method->it)
ext_str = ASN1_item_d2i(NULL, &p, ext->value->length,
ASN1_ITEM_ptr(method->it));
else
ext_str = method->d2i(NULL, &p, ext->value->length);
trees = ((NAME_CONSTRAINTS *) ext_str)->permittedSubtrees;
for (j = 0; j < sk_GENERAL_SUBTREE_num(trees); j++)
{
tree = sk_GENERAL_SUBTREE_value(trees, j);
if (tree->base->type == GEN_IPADD)
p = tree->base->d.ip->data;
if (tree->base->d.ip->length == 8)
{
net.addr.s_addr = *((uint32_t *) p);
net.netmask.s_addr = *((uint32_t *) & p[4]);
printf("%s/", inet_ntoa(net.addr));
printf("%s\n", inet_ntoa(net.netmask));
}
//else if(len == 32) //IPv6
// See openssl/crypto/x509v3/v3_ncons.c:static int print_nc_ipadd()
//else //DNS
// GENERAL_NAME_print(bp, tree->base);
}
}
}
return 0;
}
static int asn1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
{
const ASN1_ITEM *it = ASN1_ITEM_ptr(tt->item);
int embed = tt->flags & ASN1_TFLG_EMBED;
ASN1_VALUE *tval;
int ret;
if (embed) {
tval = (ASN1_VALUE *)pval;
pval = &tval;
}
if (tt->flags & ASN1_TFLG_OPTIONAL) {
asn1_template_clear(pval, tt);
return 1;
}
/* If ANY DEFINED BY nothing to do */
if (tt->flags & ASN1_TFLG_ADB_MASK) {
*pval = NULL;
return 1;
}
#ifdef CRYPTO_MDEBUG
if (tt->field_name)
CRYPTO_push_info(tt->field_name);
#endif
/* If SET OF or SEQUENCE OF, its a STACK */
if (tt->flags & ASN1_TFLG_SK_MASK) {
STACK_OF(ASN1_VALUE) *skval;
skval = sk_ASN1_VALUE_new_null();
if (!skval) {
ASN1err(ASN1_F_ASN1_TEMPLATE_NEW, ERR_R_MALLOC_FAILURE);
ret = 0;
goto done;
}
*pval = (ASN1_VALUE *)skval;
ret = 1;
goto done;
}
/* Otherwise pass it back to the item routine */
ret = asn1_item_embed_new(pval, it, embed);
done:
#ifdef CRYPTO_MDEBUG
if (it->sname)
CRYPTO_pop_info();
#endif
return ret;
}
static int do_print_item(const TEST_PACKAGE *package)
{
#define DATA_BUF_SIZE 256
const ASN1_ITEM *i = ASN1_ITEM_ptr(package->asn1_type);
ASN1_VALUE *o;
int ret;
OPENSSL_assert(package->encode_expectations_elem_size <= DATA_BUF_SIZE);
if ((o = OPENSSL_malloc(DATA_BUF_SIZE)) == NULL)
return 0;
(void)RAND_bytes((unsigned char*)o,
(int)package->encode_expectations_elem_size);
ret = ASN1_item_print(bio_err, o, 0, i, NULL);
OPENSSL_free(o);
return ret;
}
int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
{
const ASN1_ITEM *it = ASN1_ITEM_ptr(tt->item);
int ret;
if (tt->flags & ASN1_TFLG_OPTIONAL)
{
asn1_template_clear(pval, tt);
return 1;
}
/* If ANY DEFINED BY nothing to do */
if (tt->flags & ASN1_TFLG_ADB_MASK)
{
*pval = NULL;
return 1;
}
#ifdef CRYPTO_MDEBUG
if (tt->field_name)
CRYPTO_push_info(tt->field_name);
#endif
/* If SET OF or SEQUENCE OF, its a STACK */
if (tt->flags & ASN1_TFLG_SK_MASK)
{
STACK_OF(ASN1_VALUE) *skval;
skval = sk_ASN1_VALUE_new_null();
if (!skval)
{
OPENSSL_PUT_ERROR(ASN1, ASN1_template_new, ERR_R_MALLOC_FAILURE);
ret = 0;
goto done;
}
*pval = (ASN1_VALUE *)skval;
ret = 1;
goto done;
}
/* Otherwise pass it back to the item routine */
ret = asn1_item_ex_combine_new(pval, it, tt->flags & ASN1_TFLG_COMBINE);
done:
#ifdef CRYPTO_MDEBUG
if (it->sname)
CRYPTO_pop_info();
#endif
return ret;
}
static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
int ext_nid, int crit, void *ext_struc)
{
unsigned char *ext_der = NULL;
int ext_len;
ASN1_OCTET_STRING *ext_oct = NULL;
X509_EXTENSION *ext;
/* Convert internal representation to DER */
if (method->it) {
ext_der = NULL;
ext_len =
ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
if (ext_len < 0)
goto merr;
} else {
unsigned char *p;
ext_len = method->i2d(ext_struc, NULL);
if ((ext_der = OPENSSL_malloc(ext_len)) == NULL)
goto merr;
p = ext_der;
method->i2d(ext_struc, &p);
}
if ((ext_oct = ASN1_OCTET_STRING_new()) == NULL)
goto merr;
ext_oct->data = ext_der;
ext_der = NULL;
ext_oct->length = ext_len;
ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
if (!ext)
goto merr;
ASN1_OCTET_STRING_free(ext_oct);
return ext;
merr:
X509V3err(X509V3_F_DO_EXT_I2D, ERR_R_MALLOC_FAILURE);
OPENSSL_free(ext_der);
ASN1_OCTET_STRING_free(ext_oct);
return NULL;
}
int X509V3_EXT_free(int nid, void *ext_data)
{
const X509V3_EXT_METHOD *ext_method = X509V3_EXT_get_nid(nid);
if (ext_method == NULL) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_CANNOT_FIND_FREE_FUNCTION);
return 0;
}
if (ext_method->it != NULL)
ASN1_item_free(ext_data, ASN1_ITEM_ptr(ext_method->it));
else if (ext_method->ext_free != NULL)
ext_method->ext_free(ext_data);
else {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_CANNOT_FIND_FREE_FUNCTION);
return 0;
}
return 1;
}
/* Match a hostname against the contents of a dNSName field of the
subjectAltName extension, if present. This is the preferred place for a
certificate to store its domain name, as opposed to in the commonName field.
It has the advantage that multiple names can be stored, so that one
certificate can match both "example.com" and "www.example.com".
If num_checked is not NULL, the number of dNSName fields that were checked
before returning will be stored in it. This is so you can distinguish between
the check failing because there were names but none matched, or because there
were no names to match. */
static int cert_match_dnsname(X509 *cert, const char *hostname,
unsigned int *num_checked)
{
X509_EXTENSION *ext;
STACK_OF(GENERAL_NAME) *gen_names;
const X509V3_EXT_METHOD *method;
unsigned char *data;
int i;
if (num_checked != NULL)
*num_checked = 0;
i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
if (i < 0)
return 0;
/* If there's more than one subjectAltName extension, forget it. */
if (X509_get_ext_by_NID(cert, NID_subject_alt_name, i) >= 0)
return 0;
ext = X509_get_ext(cert, i);
/* See the function X509V3_EXT_print in the OpenSSL source for this method
of getting a string value from an extension. */
method = X509V3_EXT_get(ext);
if (method == NULL)
return 0;
/* We must copy this address into a temporary variable because ASN1_item_d2i
increments it. We don't want it to corrupt ext->value->data. */
data = ext->value->data;
/* Here we rely on the fact that the internal representation (the "i" in
"i2d") for NID_subject_alt_name is STACK_OF(GENERAL_NAME). Converting it
to a stack of CONF_VALUE with a i2v method is not satisfactory, because a
CONF_VALUE doesn't contain the length of the value so you can't know the
presence of null bytes. */
#if (OPENSSL_VERSION_NUMBER > 0x00907000L)
if (method->it != NULL) {
gen_names = (STACK_OF(GENERAL_NAME) *) ASN1_item_d2i(NULL,
(const unsigned char **) &data,
ext->value->length, ASN1_ITEM_ptr(method->it));
} else {
long ipfix_ssl_post_connection_check(SSL *ssl, char *host)
{
X509 *cert;
X509_NAME *subj;
char data[256];
int extcount;
int ok = 0;
/* Checking the return from SSL_get_peer_certificate here is not strictly
* necessary.
*/
if (!(cert = SSL_get_peer_certificate(ssl)) || !host)
goto err_occured;
if ((extcount = X509_get_ext_count(cert)) > 0)
{
int i;
for (i = 0; i < extcount; i++)
{
char *extstr;
X509_EXTENSION *ext;
ext = X509_get_ext(cert, i);
extstr = (char*) OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
if (!strcmp(extstr, "subjectAltName"))
{
int j;
const unsigned char *data;
STACK_OF(CONF_VALUE) *val;
CONF_VALUE *nval;
X509V3_EXT_METHOD *meth;
void *ext_str = NULL;
if (!(meth = X509V3_EXT_get(ext)))
break;
data = ext->value->data;
#if (OPENSSL_VERSION_NUMBER > 0x00907000L)
if (meth->it)
ext_str = ASN1_item_d2i(NULL, &data, ext->value->length,
ASN1_ITEM_ptr(meth->it));
else
ext_str = meth->d2i(NULL, &data, ext->value->length);
#else
ext_str = meth->d2i(NULL, &data, ext->value->length);
#endif
val = meth->i2v(meth, ext_str, NULL);
for (j = 0; j < sk_CONF_VALUE_num(val); j++)
{
nval = sk_CONF_VALUE_value(val, j);
if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
{
ok = 1;
break;
}
}
}
if (ok)
break;
}
}
if (!ok && (subj = X509_get_subject_name(cert)) &&
X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256) > 0)
{
data[255] = 0;
if (strcasecmp(data, host) != 0)
goto err_occured;
}
X509_free(cert);
return SSL_get_verify_result(ssl);
err_occured:
if (cert)
X509_free(cert);
return X509_V_ERR_APPLICATION_VERIFICATION;
}
/**
Search for a hostname match in the SubjectAlternativeNames.
*/
uint32_t
check_san (SSL *ssl, const char *hostname)
{
X509 *cert;
int extcount, ok = 0;
/* What an OpenSSL mess ... */
if (NULL == (cert = SSL_get_peer_certificate(ssl)))
{
die ("Getting certificate failed");
}
if ((extcount = X509_get_ext_count(cert)) > 0)
{
int i;
for (i = 0; i < extcount; ++i)
{
const char *extstr;
X509_EXTENSION *ext;
ext = X509_get_ext(cert, i);
extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
if (!strcmp(extstr, "subjectAltName"))
{
int j;
void *extvalstr;
const unsigned char *tmp;
STACK_OF(CONF_VALUE) *val;
CONF_VALUE *nval;
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
const
#endif
X509V3_EXT_METHOD *method;
if (!(method = X509V3_EXT_get(ext)))
{
break;
}
tmp = ext->value->data;
if (method->it)
{
extvalstr = ASN1_item_d2i(NULL, &tmp, ext->value->length,
ASN1_ITEM_ptr(method->it));
} else {
extvalstr = method->d2i(NULL, &tmp, ext->value->length);
}
if (!extvalstr)
{
break;
}
if (method->i2v)
{
val = method->i2v(method, extvalstr, NULL);
for (j = 0; j < sk_CONF_VALUE_num(val); ++j)
{
nval = sk_CONF_VALUE_value(val, j);
if ((!strcasecmp(nval->name, "DNS") &&
!strcasecmp(nval->value, hostname) ) ||
(!strcasecmp(nval->name, "iPAddress") &&
!strcasecmp(nval->value, hostname)))
{
verb ("V: subjectAltName matched: %s, type: %s", nval->value, nval->name); // We matched this; so it's safe to print
ok = 1;
break;
}
// Attempt to match subjectAltName DNS names
if (!strcasecmp(nval->name, "DNS"))
{
ok = check_wildcard_match_rfc2595(hostname, nval->value);
if (ok)
{
break;
}
}
verb_debug ("V: subjectAltName found but not matched: %s, type: %s",
nval->value, sanitize_string(nval->name));
}
}
} else {
verb_debug ("V: found non subjectAltName extension");
}
if (ok)
{
break;
}
}
} else {
verb_debug ("V: no X509_EXTENSION field(s) found");
}
X509_free(cert);
return ok;
}
static int asn1_template_noexp_d2i(ASN1_VALUE **val,
const unsigned char **in, long len,
const ASN1_TEMPLATE *tt, char opt,
ASN1_TLC *ctx)
{
int flags, aclass;
int ret;
const unsigned char *p, *q;
if (!val)
return 0;
flags = tt->flags;
aclass = flags & ASN1_TFLG_TAG_CLASS;
p = *in;
q = p;
if (flags & ASN1_TFLG_SK_MASK)
{
/* SET OF, SEQUENCE OF */
int sktag, skaclass;
char sk_eoc;
/* First work out expected inner tag value */
if (flags & ASN1_TFLG_IMPTAG)
{
sktag = tt->tag;
skaclass = aclass;
}
else
{
skaclass = V_ASN1_UNIVERSAL;
if (flags & ASN1_TFLG_SET_OF)
sktag = V_ASN1_SET;
else
sktag = V_ASN1_SEQUENCE;
}
/* Get the tag */
ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL,
&p, len, sktag, skaclass, opt, ctx);
if (!ret)
{
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
ERR_R_NESTED_ASN1_ERROR);
return 0;
}
else if (ret == -1)
return -1;
if (!*val)
*val = (ASN1_VALUE *)sk_new_null();
else
{
/* We've got a valid STACK: free up any items present */
STACK *sktmp = (STACK *)*val;
ASN1_VALUE *vtmp;
while(sk_num(sktmp) > 0)
{
vtmp = (ASN1_VALUE *)sk_pop(sktmp);
ASN1_item_ex_free(&vtmp,
ASN1_ITEM_ptr(tt->item));
}
}
if (!*val)
{
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
ERR_R_MALLOC_FAILURE);
goto err;
}
/* Read as many items as we can */
while(len > 0)
{
ASN1_VALUE *skfield;
q = p;
/* See if EOC found */
if (asn1_check_eoc(&p, len))
{
if (!sk_eoc)
{
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
ASN1_R_UNEXPECTED_EOC);
goto err;
}
len -= p - q;
sk_eoc = 0;
break;
}
skfield = NULL;
if (!ASN1_item_ex_d2i(&skfield, &p, len,
ASN1_ITEM_ptr(tt->item),
-1, 0, 0, ctx))
{
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
ERR_R_NESTED_ASN1_ERROR);
goto err;
}
len -= p - q;
if (!sk_push((STACK *)*val, (char *)skfield))
{
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
ERR_R_MALLOC_FAILURE);
goto err;
}
}
if (sk_eoc)
{
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_MISSING_EOC);
goto err;
}
}
else if (flags & ASN1_TFLG_IMPTAG)
{
/* IMPLICIT tagging */
ret = ASN1_item_ex_d2i(val, &p, len,
ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx);
if (!ret)
{
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
ERR_R_NESTED_ASN1_ERROR);
goto err;
}
else if (ret == -1)
return -1;
}
else
{
/* Nothing special */
ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-1, 0, opt, ctx);
if (!ret)
{
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
ERR_R_NESTED_ASN1_ERROR);
goto err;
}
else if (ret == -1)
return -1;
}
*in = p;
return 1;
err:
ASN1_template_free(val, tt);
return 0;
}
/*
* Usage: d2i_test <type> <file>, e.g.
* d2i_test generalname bad_generalname.der
*/
int main(int argc, char **argv)
{
int result = 0;
const char *test_type_name;
const char *expected_error_string;
const char *p = getenv("OPENSSL_DEBUG_MEMORY");
size_t i;
static ASN1_ITEM_EXP *items[] = {
ASN1_ITEM_ref(ASN1_ANY),
ASN1_ITEM_ref(X509),
ASN1_ITEM_ref(GENERAL_NAME),
ASN1_ITEM_ref(ASN1_INTEGER),
#ifndef OPENSSL_NO_CMS
ASN1_ITEM_ref(CMS_ContentInfo)
#endif
};
static error_enum expected_errors[] = {
{"OK", ASN1_OK},
{"BIO", ASN1_BIO},
{"decode", ASN1_DECODE},
{"encode", ASN1_ENCODE},
{"compare", ASN1_COMPARE}
};
if (p != NULL && strcmp(p, "on") == 0)
CRYPTO_set_mem_debug(1);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
if (argc != 4) {
fprintf(stderr,
"Usage: d2i_test item_name expected_error file.der\n");
return 1;
}
test_type_name = argv[1];
expected_error_string = argv[2];
test_file = argv[3];
for (i = 0; i < OSSL_NELEM(items); i++) {
const ASN1_ITEM *it = ASN1_ITEM_ptr(items[i]);
if (strcmp(test_type_name, it->sname) == 0) {
item_type = it;
break;
}
}
if (item_type == NULL) {
fprintf(stderr, "Unknown type %s\n", test_type_name);
fprintf(stderr, "Supported types:\n");
for (i = 0; i < OSSL_NELEM(items); i++) {
const ASN1_ITEM *it = ASN1_ITEM_ptr(items[i]);
fprintf(stderr, "\t%s\n", it->sname);
}
return 1;
}
for (i = 0; i < OSSL_NELEM(expected_errors); i++) {
if (strcmp(expected_errors[i].str, expected_error_string) == 0) {
expected_error = expected_errors[i].code;
break;
}
}
if (expected_error == ASN1_UNKNOWN) {
fprintf(stderr, "Unknown expected error %s\n", expected_error_string);
return 1;
}
ADD_TEST(test_bad_asn1);
result = run_tests(argv[0]);
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
if (CRYPTO_mem_leaks_fp(stderr) <= 0)
result = 1;
#endif
return result;
}
static X509_EXTENSION* openssl_new_xextension(lua_State*L, int idx, int v3)
{
int nid;
int critical = 0;
ASN1_OCTET_STRING* value = NULL;
X509_EXTENSION* y = NULL;
lua_getfield(L, idx, "object");
nid = openssl_get_nid(L, -1);
lua_pop(L, 1);
lua_getfield(L, idx, "critical");
critical = lua_isnil(L, -1) ? 0 : lua_toboolean(L, -1);
lua_pop(L, 1);
if (nid == NID_undef)
{
lua_pushfstring(L, "%s is not valid object id", lua_tostring(L, -1));
luaL_argerror(L, idx, lua_tostring(L, -1));
}
lua_getfield(L, idx, "value");
luaL_argcheck(L, lua_isstring(L, -1) || auxiliar_isgroup(L, "openssl.asn1group", -1),
1, "field value must be string or openssl.asn1group object");
if (lua_isstring(L, -1))
{
size_t size;
const char* data = lua_tolstring(L, -1, &size);
if (v3)
{
const X509V3_EXT_METHOD *method = X509V3_EXT_get_nid(nid);
if (method)
{
void *ext_struc = NULL;
STACK_OF(CONF_VALUE) *nval = X509V3_parse_list(data);
/* Now get internal extension representation based on type */
if (method->v2i && nval)
{
if (sk_CONF_VALUE_num(nval) > 0)
{
ext_struc = method->v2i(method, NULL, nval);
}
}
else if (method->s2i)
{
ext_struc = method->s2i(method, NULL, data);
}
if (nval)
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
if (ext_struc)
{
unsigned char *ext_der = NULL;
int ext_len;
/* Convert internal representation to DER */
if (method->it)
{
ext_der = NULL;
ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
if (ext_len < 0)
{
ext_der = NULL;
}
}
else
{
ext_len = method->i2d(ext_struc, NULL);
ext_der = OPENSSL_malloc(ext_len);
if (ext_der)
{
unsigned char* p = ext_der;
method->i2d(ext_struc, &p);
}
}
if (ext_der)
{
value = ASN1_STRING_type_new(V_ASN1_OCTET_STRING);
ASN1_STRING_set(value, ext_der, ext_len);
}
else
value = NULL;
if (method->it) ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
else method->ext_free(ext_struc);
}
}
}
else
{
value = ASN1_STRING_type_new(V_ASN1_OCTET_STRING);
ASN1_STRING_set(value, data, size);
}
if (value)
{
y = X509_EXTENSION_create_by_NID(NULL, nid, critical, value);
ASN1_STRING_free(value);
return y;
}
else
{
luaL_error(L, "don't support object(%s) with value (%s)", OBJ_nid2ln(nid), data);
return NULL;
}
}
else
{
value = CHECK_GROUP(-1, ASN1_STRING, "openssl.asn1group");
y = X509_EXTENSION_create_by_NID(NULL, nid, critical, value);
lua_pop(L, 1);
return y;
}
}
static PyObject *
_get_peer_alt_names (X509 *certificate) {
/* this code follows the procedure outlined in
OpenSSL's crypto/x509v3/v3_prn.c:X509v3_EXT_print()
function to extract the STACK_OF(GENERAL_NAME),
then iterates through the stack to add the
names. */
int i, j;
PyObject *peer_alt_names = Py_None;
PyObject *v, *t;
X509_EXTENSION *ext = NULL;
GENERAL_NAMES *names = NULL;
GENERAL_NAME *name;
X509V3_EXT_METHOD *method;
BIO *biobuf = NULL;
char buf[2048];
char *vptr;
int len;
const unsigned char *p;
if (certificate == NULL)
return peer_alt_names;
/* get a memory buffer */
biobuf = BIO_new(BIO_s_mem());
i = 0;
while ((i = X509_get_ext_by_NID(
certificate, NID_subject_alt_name, i)) >= 0) {
if (peer_alt_names == Py_None) {
peer_alt_names = PyList_New(0);
if (peer_alt_names == NULL)
goto fail;
}
/* now decode the altName */
ext = X509_get_ext(certificate, i);
if(!(method = X509V3_EXT_get(ext))) {
PyErr_SetString
(PySSLErrorObject,
ERRSTR("No method for internalizing subjectAltName!"));
goto fail;
}
p = ext->value->data;
if (method->it)
names = (GENERAL_NAMES*)
(ASN1_item_d2i(NULL,
&p,
ext->value->length,
ASN1_ITEM_ptr(method->it)));
else
names = (GENERAL_NAMES*)
(method->d2i(NULL,
&p,
ext->value->length));
for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
/* get a rendering of each name in the set of names */
name = sk_GENERAL_NAME_value(names, j);
if (name->type == GEN_DIRNAME) {
/* we special-case DirName as a tuple of
tuples of attributes */
t = PyTuple_New(2);
if (t == NULL) {
goto fail;
}
v = PyUnicode_FromString("DirName");
if (v == NULL) {
Py_DECREF(t);
goto fail;
}
PyTuple_SET_ITEM(t, 0, v);
v = _create_tuple_for_X509_NAME (name->d.dirn);
if (v == NULL) {
Py_DECREF(t);
goto fail;
}
PyTuple_SET_ITEM(t, 1, v);
} else {
/* for everything else, we use the OpenSSL print form */
(void) BIO_reset(biobuf);
GENERAL_NAME_print(biobuf, name);
len = BIO_gets(biobuf, buf, sizeof(buf)-1);
if (len < 0) {
_setSSLError(NULL, 0, __FILE__, __LINE__);
goto fail;
}
vptr = strchr(buf, ':');
if (vptr == NULL)
goto fail;
t = PyTuple_New(2);
if (t == NULL)
goto fail;
v = PyUnicode_FromStringAndSize(buf, (vptr - buf));
if (v == NULL) {
Py_DECREF(t);
goto fail;
}
PyTuple_SET_ITEM(t, 0, v);
v = PyUnicode_FromStringAndSize((vptr + 1),
(len - (vptr - buf + 1)));
if (v == NULL) {
Py_DECREF(t);
goto fail;
}
PyTuple_SET_ITEM(t, 1, v);
}
/* and add that rendering to the list */
if (PyList_Append(peer_alt_names, t) < 0) {
Py_DECREF(t);
goto fail;
}
Py_DECREF(t);
}
}
BIO_free(biobuf);
if (peer_alt_names != Py_None) {
v = PyList_AsTuple(peer_alt_names);
Py_DECREF(peer_alt_names);
return v;
} else {
return peer_alt_names;
}
fail:
if (biobuf != NULL)
BIO_free(biobuf);
if (peer_alt_names != Py_None) {
Py_XDECREF(peer_alt_names);
}
return NULL;
}
int protocol_checknameconstraints(const struct peer_s *peer)
{
struct in_network ncnet, *shnet;
int i, j, r, ret = 0, valid = 0;
const unsigned char *p;
void *ext_str = NULL;
X509 *cert;
STACK_OF(X509_EXTENSION) * exts;
X509_EXTENSION *ext;
const X509V3_EXT_METHOD *method;
STACK_OF(GENERAL_SUBTREE) * trees;
GENERAL_SUBTREE *tree;
pthread_mutex_lock(&peer->udpsrvsession->dtls_mutex);
cert = SSL_get_peer_certificate(peer->udpsrvsession->dtls);
exts = cert->cert_info->extensions;
for (r = 0; r < peer->shared_networks_len; r++)
{
shnet = &peer->shared_networks[r];
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++)
{
ext = sk_X509_EXTENSION_value(exts, i);
if ((method = X509V3_EXT_get(ext))
&& method->ext_nid == NID_name_constraints)
{
p = ext->value->data;
if (method->it)
ext_str = ASN1_item_d2i(NULL, &p, ext->value->length,
ASN1_ITEM_ptr(method->it));
else
ext_str = method->d2i(NULL, &p, ext->value->length);
trees = ((NAME_CONSTRAINTS *) ext_str)->permittedSubtrees;
for (j = 0; j < sk_GENERAL_SUBTREE_num(trees); j++)
{
tree = sk_GENERAL_SUBTREE_value(trees, j);
if (tree->base->type == GEN_IPADD)
{
if (tree->base->d.ip->length == 8)
{
ncnet.addr.s_addr =
*((uint32_t *) tree->base->d.ip->data);
ncnet.netmask.s_addr =
*((uint32_t *) & tree->base->d.ip->data[4]);
if (shnet->netmask.s_addr >= ncnet.netmask.s_addr
&& (ncnet.addr.s_addr & ncnet.netmask.s_addr)
== (shnet->addr.s_addr &
shnet->netmask.s_addr))
valid++;
}
//else if(tree->base->d.ip->length == 32) //IPv6
// See openssl/crypto/x509v3/v3_ncons.c:static int print_nc_ipadd()
//} else { //DNS
// GENERAL_NAME_print(bp, tree->base);
}
}
}
}
if (valid == 0){
ret = -1;
break;
}
ret += valid;
valid = 0;
}
pthread_mutex_unlock(&peer->udpsrvsession->dtls_mutex);
return ret;
}
