author | Richard Levitte <levitte@openssl.org> | 2005-04-09 16:07:12 +0000 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2005-04-09 16:07:12 +0000 |
commit | d9bfe4f97cd4244beb0598cc348d68b04dac7068 (patch) | |
tree | 1577815b1c870c4541cb56ce12c7713e12889791 /crypto | |
parent | dc0ed30cfeb37d64fc2bd26887b19e0898a96bde (diff) |
Added restrictions on the use of proxy certificates, as they may pose
a security threat to unsuspecting applications. Document and test.
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/x509/x509_txt.c | 2 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 15 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.h | 19 | ||||
-rw-r--r-- | crypto/x509v3/v3_purp.c | 4 |
4 files changed, 31 insertions, 9 deletions
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 247e7e178a..7dd2b761d9 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -128,6 +128,8 @@ const char *X509_verify_cert_error_string(long n)
 return ("path length constraint exceeded");
 case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
 return("proxy path length constraint exceeded");
+ case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+ return("proxy cerificates not allowed, please set the appropriate flag");
 case X509_V_ERR_INVALID_PURPOSE:
 return ("unsupported certificate purpose");
 case X509_V_ERR_CERT_UNTRUSTED:
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 431a620618..3da2490fea 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -391,6 +391,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 int (*cb)(int ok,X509_STORE_CTX *ctx);
 int proxy_path_length = 0;
 cb=ctx->verify_cb;
+ int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
 /* must_be_ca can have 1 of 3 values: -1: we accept both CA and non-CA certificates, to allow direct
@@ -401,6 +402,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 all certificates in the chain except the leaf certificate. */
 must_be_ca = -1;
+
+ /* A hack to keep people who don't want to modify their software
+ happy */
+ if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ allow_proxy_certs = 1;
+
 /* Check all untrusted certificates */
 for (i = 0; i < ctx->last_untrusted; i++) {
@@ -415,6 +422,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 ok=cb(0,ctx);
 if (!ok) goto end;
 }
+ if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
+ {
+ ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ ok=cb(0,ctx);
+ if (!ok) goto end;
+ }
 ret = X509_check_ca(x);
 switch(must_be_ca) {
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 33ace72671..85bd6406bb 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
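Review bot: The new error string on the added `return` line in x509_txt.c misspells its key word, `cerificates`. This text is what `X509_verify_cert_error_string` hands back to applications and ends up in their logs, so it should read `return("proxy certificates not allowed, please set the appropriate flag");`. `X509_verify_cert_error_string` continues outside the hunk.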
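Review bot: In the `@@ -391` hunk of x509_vfy.c the added `int allow_proxy_certs = ...;` is a declaration placed after the statement `cb=ctx->verify_cb;`, which is a C99 mixed declaration. If this tree is still meant to build with C89 compilers, move it up with the other declarations so that `int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);` precedes `cb=ctx->verify_cb;`. The rest of `check_chain_extensions` lies outside the hunk.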
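Review bot: In the `@@ -401` hunk of x509_vfy.c the `getenv("OPENSSL_ALLOW_PROXY_CERTS")` override lets the process environment silently re-enable a restriction that the application left disabled on purpose, which matters most for set-uid or otherwise privileged processes whose environment is not under their own control. At minimum the override should be skipped in that situation; if this tree's `OPENSSL_issetugid()` is available, `if (!OPENSSL_issetugid() && getenv("OPENSSL_ALLOW_PROXY_CERTS"))` does that. The comment should also say what the variable does rather than call it a hack, e.g. `/* OPENSSL_ALLOW_PROXY_CERTS in the environment enables proxy certificates for applications that cannot set X509_V_FLAG_ALLOW_PROXY_CERTS themselves */`, and the variable name and its effect belong in the documentation the commit message promises.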
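Review bot: In the `@@ -415` hunk of x509_vfy.c the new block reads `x->ex_flags & EXFLAG_PROXY` before `ret = X509_check_ca(x);` runs on the following line; if the extension cache behind `ex_flags` is only populated by that call and not already during chain building, a proxy certificate could pass this check on a cold cache, which is worth confirming against the caching code and, if it holds, recording with `/* ex_flags is already cached during chain construction */`. As a point of style, this is another copy of the `ctx->error` / `ctx->error_depth` / `ctx->current_cert` / `cb(0,ctx)` sequence within the same loop; a small static helper taking the error code would make each check one line and the intent clearer. `check_chain_extensions` continues outside the hunk.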
@@ -292,7 +292,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
 #define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
 #define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
-#define X509_V_ERR_CERT_NOT_YET_VALID 9
+#define X509_V_ERR_CERT_NOT_YET_VALID 9
 #define X509_V_ERR_CERT_HAS_EXPIRED 10
 #define X509_V_ERR_CRL_NOT_YET_VALID 11
 #define X509_V_ERR_CRL_HAS_EXPIRED 12
@@ -325,10 +325,11 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_ERR_INVALID_NON_CA 37
 #define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
 #define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
+#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
-#define X509_V_ERR_INVALID_EXTENSION 40
-#define X509_V_ERR_INVALID_POLICY_EXTENSION 41
-#define X509_V_ERR_NO_EXPLICIT_POLICY 42
+#define X509_V_ERR_INVALID_EXTENSION 41
+#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
+#define X509_V_ERR_NO_EXPLICIT_POLICY 43
 /* The application is not happy */
@@ -348,14 +349,16 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_IGNORE_CRITICAL 0x10
 /* Disable workarounds for broken certificates */
 #define X509_V_FLAG_X509_STRICT 0x20
+/* Enable proxy certificate validation */
+#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
 /* Enable policy checking */
-#define X509_V_FLAG_POLICY_CHECK 0x40
+#define X509_V_FLAG_POLICY_CHECK 0x80
 /* Policy variable require-explicit-policy */
-#define X509_V_FLAG_EXPLICIT_POLICY 0x80
+#define X509_V_FLAG_EXPLICIT_POLICY 0x100
 /* Policy variable inhibit-any-policy */
-#define X509_V_FLAG_INHIBIT_ANY 0x100
+#define X509_V_FLAG_INHIBIT_ANY 0x200
 /* Policy variable inhibit-policy-mapping */
-#define X509_V_FLAG_INHIBIT_MAP 0x200
+#define X509_V_FLAG_INHIBIT_MAP 0x400
 /* Notify callback that policy is OK */
 #define X509_V_FLAG_NOTIFY_POLICY 0x800
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 9f992c9087..1222c3ce5b 100644
--- a/crypto/x509v3/v3_purp.c
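Review bot: In the `@@ -325` hunk, inserting `X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40` and shifting `X509_V_ERR_INVALID_EXTENSION`, `X509_V_ERR_INVALID_POLICY_EXTENSION` and `X509_V_ERR_NO_EXPLICIT_POLICY` up by one changes the values of already-published error codes, so a binary built against the previous header will misreport those errors; the `@@ -348` hunk does the same to `X509_V_FLAG_POLICY_CHECK`, `X509_V_FLAG_EXPLICIT_POLICY`, `X509_V_FLAG_INHIBIT_ANY` and `X509_V_FLAG_INHIBIT_MAP`, which is worse because an old binary setting `0x40` to enable policy checking would now be enabling proxy certificates instead. Unless these constants are still unreleased, append rather than renumber: `#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 43` and `#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x400`, the bit left unused between `0x200` and `0x800`. The comment `/* Enable proxy certificate validation */` also understates the effect; `/* Allow proxy certificates in the chain (rejected by default) */` matches what check_chain_extensions does with the flag.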
+++ b/crypto/x509v3/v3_purp.c
@@ -338,7 +338,9 @@ static void x509v3_cache_extensions(X509 *x)
 }
 /* Handle proxy certificates */
 if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
- if (x->ex_flags & EXFLAG_CA) {
+ if (x->ex_flags & EXFLAG_CA
+ || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
+ || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
 x->ex_flags |= EXFLAG_INVALID;
 }
 if (pci->pcPathLengthConstraint) { |
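Review bot: The extended condition on the added `if (x->ex_flags & EXFLAG_CA` lines mixes `&` and `||` without parentheses; it is correct by precedence, but `(x->ex_flags & EXFLAG_CA)` would spare the reader the lookup. Nothing in the hunk says why a proxy certificate carrying a subjectAltName or issuerAltName is marked `EXFLAG_INVALID`, so a one-line comment above the `if`, such as `/* A proxy certificate must not carry subject or issuer alternative names (RFC 3820) */`, would make the check reviewable without consulting the profile. `x509v3_cache_extensions` continues outside the hunk.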