From 3c0d1258ceae61a00f7fb2a8ac220399cb0cbe84 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Mon, 9 Dec 2019 18:09:58 -0600 Subject: [PATCH] hx509: Fix unauthorized feature accounting --- lib/hx509/req.c | 59 ++++++++++--------------------------------------- 1 file changed, 12 insertions(+), 47 deletions(-) diff --git a/lib/hx509/req.c b/lib/hx509/req.c index b4fc5d71f..768dfdaf1 100644 --- a/lib/hx509/req.c +++ b/lib/hx509/req.c @@ -48,7 +48,6 @@ struct hx509_request_data { struct abitstring_s authorized_EKUs; struct abitstring_s authorized_SANs; uint32_t nunsupported; /* Count of unsupported features requested */ - uint32_t nrequested; /* Count of supported features requested */ uint32_t nauthorized; /* Count of supported features authorized */ uint32_t ku_are_authorized:1; }; @@ -202,18 +201,11 @@ hx509_request_get_SubjectPublicKeyInfo(hx509_context context, HX509_LIB_FUNCTION int HX509_LIB_CALL hx509_request_set_ku(hx509_context context, hx509_request req, KeyUsage ku) { - KeyUsage oldku = req->ku; uint64_t n = KeyUsage2int(ku); - if ((KeyUsage2int(req->ku) & n) != n) { + if ((KeyUsage2int(req->ku) & n) != n) req->ku_are_authorized = 0; - } req->ku = ku; - - if (KeyUsage2int(oldku) == 0 && n != 0) - req->nrequested++; - if (KeyUsage2int(oldku) && KeyUsage2int(req->ku) == 0) - req->nrequested--; return 0; } @@ -286,12 +278,7 @@ hx509_request_add_GeneralName(hx509_context context, hx509_request req, const GeneralName *gn) { - int ret; - - ret = add_GeneralNames(&req->san, gn); - if (ret == 0) - req->nrequested++; - return ret; + return add_GeneralNames(&req->san, gn); } static int @@ -340,13 +327,8 @@ hx509_request_add_xmpp_name(hx509_context context, hx509_request req, const char *jid) { - int ret; - - ret = add_utf8_other_san(context, &req->san, &asn1_oid_id_pkix_on_xmppAddr, - jid); - if (ret == 0) - req->nrequested++; - return ret; + return add_utf8_other_san(context, &req->san, + &asn1_oid_id_pkix_on_xmppAddr, jid); } /** @@ -365,13 +347,8 @@ hx509_request_add_ms_upn_name(hx509_context context, hx509_request req, const char *upn) { - int ret; - - ret = add_utf8_other_san(context, &req->san, &asn1_oid_id_pkinit_ms_san, - upn); - if (ret == 0) - req->nrequested++; - return ret; + return add_utf8_other_san(context, &req->san, &asn1_oid_id_pkinit_ms_san, + upn); } /** @@ -391,17 +368,13 @@ hx509_request_add_dns_name(hx509_context context, const char *hostname) { GeneralName name; - int ret; memset(&name, 0, sizeof(name)); name.element = choice_GeneralName_dNSName; name.u.dNSName.data = rk_UNCONST(hostname); name.u.dNSName.length = strlen(hostname); - ret = add_GeneralNames(&req->san, &name); - if (ret == 0) - req->nrequested++; - return ret; + return add_GeneralNames(&req->san, &name); } /** @@ -421,17 +394,13 @@ hx509_request_add_email(hx509_context context, const char *email) { GeneralName name; - int ret; memset(&name, 0, sizeof(name)); name.element = choice_GeneralName_rfc822Name; name.u.rfc822Name.data = rk_UNCONST(email); name.u.rfc822Name.length = strlen(email); - ret = add_GeneralNames(&req->san, &name); - if (ret == 0) - req->nrequested++; - return ret; + return add_GeneralNames(&req->san, &name); } /** @@ -460,8 +429,6 @@ hx509_request_add_registered(hx509_context context, return ret; ret = add_GeneralNames(&req->san, &name); free_GeneralName(&name); - if (ret == 0) - req->nrequested++; return ret; } @@ -498,8 +465,6 @@ hx509_request_add_pkinit(hx509_context context, if (ret == 0) ret = add_GeneralNames(&req->san, &gn); free_GeneralName(&gn); - if (ret == 0) - req->nrequested++; return ret; } @@ -854,7 +819,6 @@ hx509_request_parse_der(hx509_context context, */ if (KeyUsage2int((*req)->ku) & ~KeyUsage2int(int2KeyUsage(~0))) (*req)->nunsupported++; - (*req)->nrequested++; } else if (der_heim_oid_cmp(&e->extnID, &asn1_oid_id_x509_ce_extKeyUsage) == 0) { ret = decode_ExtKeyUsage(e->extnValue.data, e->extnValue.length, @@ -865,7 +829,6 @@ hx509_request_parse_der(hx509_context context, * Count each EKU as a separate requested extension to be * authorized. */ - (*req)->nrequested += (*req)->eku.len; } else if (der_heim_oid_cmp(&e->extnID, &asn1_oid_id_x509_ce_subjectAltName) == 0) { ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length, @@ -876,7 +839,6 @@ hx509_request_parse_der(hx509_context context, * Count each SAN as a separate requested extension to be * authorized. */ - (*req)->nrequested += (*req)->san.len; } else { char *oidstr = NULL; @@ -1218,7 +1180,10 @@ hx509_request_count_unsupported(hx509_request req) HX509_LIB_FUNCTION size_t HX509_LIB_CALL hx509_request_count_unauthorized(hx509_request req) { - return req->nrequested - (req->nauthorized + req->ku_are_authorized); + size_t nrequested = req->eku.len + req->san.len + + (KeyUsage2int(req->ku) ? 1 : 0) + req->nunsupported; + + return nrequested - (req->nauthorized + req->ku_are_authorized); } static hx509_san_type -- 2.34.1