| author | jsing <> | 2014-04-20 16:10:10 +0000 |
|---|---|---|
| committer | jsing <> | 2014-04-20 16:10:10 +0000 |
| commit | 8aa5cc9e2555b404cda4a86d2d7eb2b208430f46 (patch) | |
| tree | 0f2bd825121fc0e3357fbeb2dd62261b82250398 /src/lib/libcrypto/x509/x509_trs.c | |
| parent | 837f29e8dc024eb12e6553a87d298bfcf9d08daf (diff) | |
KNF.
Diffstat (limited to 'src/lib/libcrypto/x509/x509_trs.c')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_trs.c | 167 |
1 files changed, 101 insertions, 66 deletions
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c index bdda53ec6b..90fd128591 100644 --- a/src/lib/libcrypto/x509/x509_trs.c +++ b/src/lib/libcrypto/x509/x509_trs.c | |||
| @@ -10,7 +10,7 @@ | |||
| 10 | * are met: | 10 | * are met: |
| 11 | * | 11 | * |
| 12 | * 1. Redistributions of source code must retain the above copyright | 12 | * 1. Redistributions of source code must retain the above copyright |
| 13 | * notice, this list of conditions and the following disclaimer. | 13 | * notice, this list of conditions and the following disclaimer. |
| 14 | * | 14 | * |
| 15 | * 2. Redistributions in binary form must reproduce the above copyright | 15 | * 2. Redistributions in binary form must reproduce the above copyright |
| 16 | * notice, this list of conditions and the following disclaimer in | 16 | * notice, this list of conditions and the following disclaimer in |
| @@ -61,8 +61,7 @@ | |||
| 61 | #include <openssl/x509v3.h> | 61 | #include <openssl/x509v3.h> |
| 62 | 62 | ||
| 63 | 63 | ||
| 64 | static int tr_cmp(const X509_TRUST * const *a, | 64 | static int tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b); |
| 65 | const X509_TRUST * const *b); | ||
| 66 | static void trtable_free(X509_TRUST *p); | 65 | static void trtable_free(X509_TRUST *p); |
| 67 | 66 | ||
| 68 | static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags); | 67 | static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags); |
| @@ -78,14 +77,14 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust; | |||
| 78 | */ | 77 | */ |
| 79 | 78 | ||
| 80 | static X509_TRUST trstandard[] = { | 79 | static X509_TRUST trstandard[] = { |
| 81 | {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL}, | 80 | {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL}, |
| 82 | {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, | 81 | {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, |
| 83 | {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL}, | 82 | {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL}, |
| 84 | {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, | 83 | {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, |
| 85 | {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL}, | 84 | {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL}, |
| 86 | {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL}, | 85 | {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL}, |
| 87 | {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}, | 86 | {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}, |
| 88 | {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL} | 87 | {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL} |
| 89 | }; | 88 | }; |
| 90 | 89 | ||
| 91 | #define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST)) | 90 | #define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST)) |
| @@ -94,61 +93,76 @@ IMPLEMENT_STACK_OF(X509_TRUST) | |||
| 94 | 93 | ||
| 95 | static STACK_OF(X509_TRUST) *trtable = NULL; | 94 | static STACK_OF(X509_TRUST) *trtable = NULL; |
| 96 | 95 | ||
| 97 | static int tr_cmp(const X509_TRUST * const *a, | 96 | static int |
| 98 | const X509_TRUST * const *b) | 97 | tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b) |
| 99 | { | 98 | { |
| 100 | return (*a)->trust - (*b)->trust; | 99 | return (*a)->trust - (*b)->trust; |
| 101 | } | 100 | } |
| 102 | 101 | ||
| 103 | int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int) | 102 | int |
| 103 | (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int) | ||
| 104 | { | 104 | { |
| 105 | int (*oldtrust)(int , X509 *, int); | 105 | int (*oldtrust)(int , X509 *, int); |
| 106 | |||
| 106 | oldtrust = default_trust; | 107 | oldtrust = default_trust; |
| 107 | default_trust = trust; | 108 | default_trust = trust; |
| 108 | return oldtrust; | 109 | return oldtrust; |
| 109 | } | 110 | } |
| 110 | 111 | ||
| 111 | 112 | int | |
| 112 | int X509_check_trust(X509 *x, int id, int flags) | 113 | X509_check_trust(X509 *x, int id, int flags) |
| 113 | { | 114 | { |
| 114 | X509_TRUST *pt; | 115 | X509_TRUST *pt; |
| 115 | int idx; | 116 | int idx; |
| 116 | if(id == -1) return 1; | 117 | |
| 118 | if (id == -1) | ||
| 119 | return 1; | ||
| 117 | idx = X509_TRUST_get_by_id(id); | 120 | idx = X509_TRUST_get_by_id(id); |
| 118 | if(idx == -1) return default_trust(id, x, flags); | 121 | if (idx == -1) |
| 122 | return default_trust(id, x, flags); | ||
| 119 | pt = X509_TRUST_get0(idx); | 123 | pt = X509_TRUST_get0(idx); |
| 120 | return pt->check_trust(pt, x, flags); | 124 | return pt->check_trust(pt, x, flags); |
| 121 | } | 125 | } |
| 122 | 126 | ||
| 123 | int X509_TRUST_get_count(void) | 127 | int |
| 128 | X509_TRUST_get_count(void) | ||
| 124 | { | 129 | { |
| 125 | if(!trtable) return X509_TRUST_COUNT; | 130 | if (!trtable) |
| 131 | return X509_TRUST_COUNT; | ||
| 126 | return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT; | 132 | return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT; |
| 127 | } | 133 | } |
| 128 | 134 | ||
| 129 | X509_TRUST * X509_TRUST_get0(int idx) | 135 | X509_TRUST * |
| 136 | X509_TRUST_get0(int idx) | ||
| 130 | { | 137 | { |
| 131 | if(idx < 0) return NULL; | 138 | if (idx < 0) |
| 132 | if(idx < (int)X509_TRUST_COUNT) return trstandard + idx; | 139 | return NULL; |
| 140 | if (idx < (int)X509_TRUST_COUNT) | ||
| 141 | return trstandard + idx; | ||
| 133 | return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT); | 142 | return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT); |
| 134 | } | 143 | } |
| 135 | 144 | ||
| 136 | int X509_TRUST_get_by_id(int id) | 145 | int |
| 146 | X509_TRUST_get_by_id(int id) | ||
| 137 | { | 147 | { |
| 138 | X509_TRUST tmp; | 148 | X509_TRUST tmp; |
| 139 | int idx; | 149 | int idx; |
| 140 | if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX)) | 150 | |
| 141 | return id - X509_TRUST_MIN; | 151 | if ((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX)) |
| 152 | return id - X509_TRUST_MIN; | ||
| 142 | tmp.trust = id; | 153 | tmp.trust = id; |
| 143 | if(!trtable) return -1; | 154 | if (!trtable) |
| 155 | return -1; | ||
| 144 | idx = sk_X509_TRUST_find(trtable, &tmp); | 156 | idx = sk_X509_TRUST_find(trtable, &tmp); |
| 145 | if(idx == -1) return -1; | 157 | if (idx == -1) |
| 158 | return -1; | ||
| 146 | return idx + X509_TRUST_COUNT; | 159 | return idx + X509_TRUST_COUNT; |
| 147 | } | 160 | } |
| 148 | 161 | ||
| 149 | int X509_TRUST_set(int *t, int trust) | 162 | int |
| 163 | X509_TRUST_set(int *t, int trust) | ||
| 150 | { | 164 | { |
| 151 | if(X509_TRUST_get_by_id(trust) == -1) { | 165 | if (X509_TRUST_get_by_id(trust) == -1) { |
| 152 | X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST); | 166 | X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST); |
| 153 | return 0; | 167 | return 0; |
| 154 | } | 168 | } |
| @@ -156,11 +170,13 @@ int X509_TRUST_set(int *t, int trust) | |||
| 156 | return 1; | 170 | return 1; |
| 157 | } | 171 | } |
| 158 | 172 | ||
| 159 | int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), | 173 | int |
| 160 | char *name, int arg1, void *arg2) | 174 | X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), |
| 175 | char *name, int arg1, void *arg2) | ||
| 161 | { | 176 | { |
| 162 | int idx; | 177 | int idx; |
| 163 | X509_TRUST *trtmp; | 178 | X509_TRUST *trtmp; |
| 179 | |||
| 164 | /* This is set according to what we change: application can't set it */ | 180 | /* This is set according to what we change: application can't set it */ |
| 165 | flags &= ~X509_TRUST_DYNAMIC; | 181 | flags &= ~X509_TRUST_DYNAMIC; |
| 166 | /* This will always be set for application modified trust entries */ | 182 | /* This will always be set for application modified trust entries */ |
| @@ -168,9 +184,9 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), | |||
| 168 | /* Get existing entry if any */ | 184 | /* Get existing entry if any */ |
| 169 | idx = X509_TRUST_get_by_id(id); | 185 | idx = X509_TRUST_get_by_id(id); |
| 170 | /* Need a new entry */ | 186 | /* Need a new entry */ |
| 171 | if(idx == -1) { | 187 | if (idx == -1) { |
| 172 | if(!(trtmp = malloc(sizeof(X509_TRUST)))) { | 188 | if (!(trtmp = malloc(sizeof(X509_TRUST)))) { |
| 173 | X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); | 189 | X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); |
| 174 | return 0; | 190 | return 0; |
| 175 | } | 191 | } |
| 176 | trtmp->flags = X509_TRUST_DYNAMIC; | 192 | trtmp->flags = X509_TRUST_DYNAMIC; |
| @@ -178,10 +194,11 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), | |||
| 178 | trtmp = X509_TRUST_get0(idx); | 194 | trtmp = X509_TRUST_get0(idx); |
| 179 | 195 | ||
| 180 | /* free existing name if dynamic */ | 196 | /* free existing name if dynamic */ |
| 181 | if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name); | 197 | if (trtmp->flags & X509_TRUST_DYNAMIC_NAME) |
| 198 | free(trtmp->name); | ||
| 182 | /* dup supplied name */ | 199 | /* dup supplied name */ |
| 183 | if(!(trtmp->name = BUF_strdup(name))) { | 200 | if (!(trtmp->name = BUF_strdup(name))) { |
| 184 | X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); | 201 | X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); |
| 185 | return 0; | 202 | return 0; |
| 186 | } | 203 | } |
| 187 | /* Keep the dynamic flag of existing entry */ | 204 | /* Keep the dynamic flag of existing entry */ |
| @@ -195,22 +212,24 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), | |||
| 195 | trtmp->arg2 = arg2; | 212 | trtmp->arg2 = arg2; |
| 196 | 213 | ||
| 197 | /* If its a new entry manage the dynamic table */ | 214 | /* If its a new entry manage the dynamic table */ |
| 198 | if(idx == -1) { | 215 | if (idx == -1) { |
| 199 | if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { | 216 | if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { |
| 200 | X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); | 217 | X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); |
| 201 | return 0; | 218 | return 0; |
| 202 | } | 219 | } |
| 203 | if (!sk_X509_TRUST_push(trtable, trtmp)) { | 220 | if (!sk_X509_TRUST_push(trtable, trtmp)) { |
| 204 | X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); | 221 | X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); |
| 205 | return 0; | 222 | return 0; |
| 206 | } | 223 | } |
| 207 | } | 224 | } |
| 208 | return 1; | 225 | return 1; |
| 209 | } | 226 | } |
| 210 | 227 | ||
| 211 | static void trtable_free(X509_TRUST *p) | 228 | static void |
| 229 | trtable_free(X509_TRUST *p) | ||
| 212 | { | 230 | { |
| 213 | if(!p) return; | 231 | if (!p) |
| 232 | return; | ||
| 214 | if (p->flags & X509_TRUST_DYNAMIC) { | 233 | if (p->flags & X509_TRUST_DYNAMIC) { |
| 215 | if (p->flags & X509_TRUST_DYNAMIC_NAME) | 234 | if (p->flags & X509_TRUST_DYNAMIC_NAME) |
| 216 | free(p->name); | 235 | free(p->name); |
| @@ -218,32 +237,39 @@ static void trtable_free(X509_TRUST *p) | |||
| 218 | } | 237 | } |
| 219 | } | 238 | } |
| 220 | 239 | ||
| 221 | void X509_TRUST_cleanup(void) | 240 | void |
| 241 | X509_TRUST_cleanup(void) | ||
| 222 | { | 242 | { |
| 223 | unsigned int i; | 243 | unsigned int i; |
| 224 | for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i); | 244 | |
| 245 | for(i = 0; i < X509_TRUST_COUNT; i++) | ||
| 246 | trtable_free(trstandard + i); | ||
| 225 | sk_X509_TRUST_pop_free(trtable, trtable_free); | 247 | sk_X509_TRUST_pop_free(trtable, trtable_free); |
| 226 | trtable = NULL; | 248 | trtable = NULL; |
| 227 | } | 249 | } |
| 228 | 250 | ||
| 229 | int X509_TRUST_get_flags(X509_TRUST *xp) | 251 | int |
| 252 | X509_TRUST_get_flags(X509_TRUST *xp) | ||
| 230 | { | 253 | { |
| 231 | return xp->flags; | 254 | return xp->flags; |
| 232 | } | 255 | } |
| 233 | 256 | ||
| 234 | char *X509_TRUST_get0_name(X509_TRUST *xp) | 257 | char * |
| 258 | X509_TRUST_get0_name(X509_TRUST *xp) | ||
| 235 | { | 259 | { |
| 236 | return xp->name; | 260 | return xp->name; |
| 237 | } | 261 | } |
| 238 | 262 | ||
| 239 | int X509_TRUST_get_trust(X509_TRUST *xp) | 263 | int |
| 264 | X509_TRUST_get_trust(X509_TRUST *xp) | ||
| 240 | { | 265 | { |
| 241 | return xp->trust; | 266 | return xp->trust; |
| 242 | } | 267 | } |
| 243 | 268 | ||
| 244 | static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) | 269 | static int |
| 270 | trust_1oidany(X509_TRUST *trust, X509 *x, int flags) | ||
| 245 | { | 271 | { |
| 246 | if(x->aux && (x->aux->trust || x->aux->reject)) | 272 | if (x->aux && (x->aux->trust || x->aux->reject)) |
| 247 | return obj_trust(trust->arg1, x, flags); | 273 | return obj_trust(trust->arg1, x, flags); |
| 248 | /* we don't have any trust settings: for compatibility | 274 | /* we don't have any trust settings: for compatibility |
| 249 | * we return trusted if it is self signed | 275 | * we return trusted if it is self signed |
| @@ -251,38 +277,47 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) | |||
| 251 | return trust_compat(trust, x, flags); | 277 | return trust_compat(trust, x, flags); |
| 252 | } | 278 | } |
| 253 | 279 | ||
| 254 | static int trust_1oid(X509_TRUST *trust, X509 *x, int flags) | 280 | static int |
| 281 | trust_1oid(X509_TRUST *trust, X509 *x, int flags) | ||
| 255 | { | 282 | { |
| 256 | if(x->aux) return obj_trust(trust->arg1, x, flags); | 283 | if (x->aux) |
| 284 | return obj_trust(trust->arg1, x, flags); | ||
| 257 | return X509_TRUST_UNTRUSTED; | 285 | return X509_TRUST_UNTRUSTED; |
| 258 | } | 286 | } |
| 259 | 287 | ||
| 260 | static int trust_compat(X509_TRUST *trust, X509 *x, int flags) | 288 | static int |
| 289 | trust_compat(X509_TRUST *trust, X509 *x, int flags) | ||
| 261 | { | 290 | { |
| 262 | X509_check_purpose(x, -1, 0); | 291 | X509_check_purpose(x, -1, 0); |
| 263 | if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED; | 292 | if (x->ex_flags & EXFLAG_SS) |
| 264 | else return X509_TRUST_UNTRUSTED; | 293 | return X509_TRUST_TRUSTED; |
| 294 | else | ||
| 295 | return X509_TRUST_UNTRUSTED; | ||
| 265 | } | 296 | } |
| 266 | 297 | ||
| 267 | static int obj_trust(int id, X509 *x, int flags) | 298 | static int |
| 299 | obj_trust(int id, X509 *x, int flags) | ||
| 268 | { | 300 | { |
| 269 | ASN1_OBJECT *obj; | 301 | ASN1_OBJECT *obj; |
| 270 | int i; | 302 | int i; |
| 271 | X509_CERT_AUX *ax; | 303 | X509_CERT_AUX *ax; |
| 304 | |||
| 272 | ax = x->aux; | 305 | ax = x->aux; |
| 273 | if(!ax) return X509_TRUST_UNTRUSTED; | 306 | if (!ax) |
| 274 | if(ax->reject) { | 307 | return X509_TRUST_UNTRUSTED; |
| 275 | for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { | 308 | if (ax->reject) { |
| 309 | for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { | ||
| 276 | obj = sk_ASN1_OBJECT_value(ax->reject, i); | 310 | obj = sk_ASN1_OBJECT_value(ax->reject, i); |
| 277 | if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED; | 311 | if (OBJ_obj2nid(obj) == id) |
| 312 | return X509_TRUST_REJECTED; | ||
| 278 | } | 313 | } |
| 279 | } | 314 | } |
| 280 | if(ax->trust) { | 315 | if (ax->trust) { |
| 281 | for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { | 316 | for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { |
| 282 | obj = sk_ASN1_OBJECT_value(ax->trust, i); | 317 | obj = sk_ASN1_OBJECT_value(ax->trust, i); |
| 283 | if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED; | 318 | if (OBJ_obj2nid(obj) == id) |
| 319 | return X509_TRUST_TRUSTED; | ||
| 284 | } | 320 | } |
| 285 | } | 321 | } |
| 286 | return X509_TRUST_UNTRUSTED; | 322 | return X509_TRUST_UNTRUSTED; |
| 287 | } | 323 | } |
| 288 | |||
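Review bot: X509_TRUST_add leaks on its error paths for a new entry: `trtmp` is malloc'd when `idx == -1` (new line 188) but is not released on any of the three `return 0` that follow — after `BUF_strdup` fails (new lines 200–202) and after `sk_X509_TRUST_new` or `sk_X509_TRUST_push` fails (new lines 216–222). The commit is a pure KNF reformat and leaves this untouched, so the defect is pre-existing, but it is cheap to close: put `if (idx == -1) free(trtmp);` before the `return 0` in the strdup branch (the failed assignment has already left `trtmp->name` NULL, so nothing else needs freeing there), and `free(trtmp->name); free(trtmp);` before each `return 0` inside the `if (idx == -1)` table-management block. X509_TRUST_add spans several hunks here, so the `} else` joining the new-entry and existing-entry paths is not visible in this view. Separately, the KNF pass missed `for(i = 0; i < X509_TRUST_COUNT; i++)` in X509_TRUST_cleanup (new line 245), which should read `for (i = 0; i < X509_TRUST_COUNT; i++)` to match every other control statement the commit reformats.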
