summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libcrypto/x509/x509_set.c90
-rw-r--r--src/lib/libcrypto/x509/x509_trs.c167
-rw-r--r--src/lib/libcrypto/x509/x509_txt.c30
-rw-r--r--src/lib/libcrypto/x509/x509_v3.c235
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c972
-rw-r--r--src/lib/libcrypto/x509/x509_vpm.c171
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_set.c90
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_trs.c167
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_txt.c30
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_v3.c235
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_vfy.c972
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_vpm.c171
12 files changed, 1902 insertions, 1428 deletions
diff --git a/src/lib/libcrypto/x509/x509_set.c b/src/lib/libcrypto/x509/x509_set.c
index dfe9eb68ff..6fd2f85761 100644
--- a/src/lib/libcrypto/x509/x509_set.c
+++ b/src/lib/libcrypto/x509/x509_set.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -63,78 +63,92 @@
63#include <openssl/evp.h> 63#include <openssl/evp.h>
64#include <openssl/x509.h> 64#include <openssl/x509.h>
65 65
66int X509_set_version(X509 *x, long version) 66int
67X509_set_version(X509 *x, long version)
67{ 68{
68 if (x == NULL) return(0); 69 if (x == NULL)
70 return (0);
69 if (x->cert_info->version == NULL) { 71 if (x->cert_info->version == NULL) {
70 if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL) 72 if ((x->cert_info->version = M_ASN1_INTEGER_new()) == NULL)
71 return(0); 73 return (0);
72 } 74 }
73 return(ASN1_INTEGER_set(x->cert_info->version,version)); 75 return (ASN1_INTEGER_set(x->cert_info->version, version));
74} 76}
75 77
76int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) 78int
79X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
77{ 80{
78 ASN1_INTEGER *in; 81 ASN1_INTEGER *in;
79 82
80 if (x == NULL) return(0); 83 if (x == NULL)
81 in=x->cert_info->serialNumber; 84 return (0);
85 in = x->cert_info->serialNumber;
82 if (in != serial) { 86 if (in != serial) {
83 in=M_ASN1_INTEGER_dup(serial); 87 in = M_ASN1_INTEGER_dup(serial);
84 if (in != NULL) { 88 if (in != NULL) {
85 M_ASN1_INTEGER_free(x->cert_info->serialNumber); 89 M_ASN1_INTEGER_free(x->cert_info->serialNumber);
86 x->cert_info->serialNumber=in; 90 x->cert_info->serialNumber = in;
87 } 91 }
88 } 92 }
89 return(in != NULL); 93 return (in != NULL);
90} 94}
91 95
92int X509_set_issuer_name(X509 *x, X509_NAME *name) 96int
97X509_set_issuer_name(X509 *x, X509_NAME *name)
93{ 98{
94 if ((x == NULL) || (x->cert_info == NULL)) return(0); 99 if ((x == NULL) || (x->cert_info == NULL))
95 return(X509_NAME_set(&x->cert_info->issuer,name)); 100 return (0);
101 return (X509_NAME_set(&x->cert_info->issuer, name));
96} 102}
97 103
98int X509_set_subject_name(X509 *x, X509_NAME *name) 104int
105X509_set_subject_name(X509 *x, X509_NAME *name)
99{ 106{
100 if ((x == NULL) || (x->cert_info == NULL)) return(0); 107 if ((x == NULL) || (x->cert_info == NULL))
101 return(X509_NAME_set(&x->cert_info->subject,name)); 108 return (0);
109 return (X509_NAME_set(&x->cert_info->subject, name));
102} 110}
103 111
104int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) 112int
113X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
105{ 114{
106 ASN1_TIME *in; 115 ASN1_TIME *in;
107 116
108 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); 117 if ((x == NULL) || (x->cert_info->validity == NULL))
109 in=x->cert_info->validity->notBefore; 118 return (0);
119 in = x->cert_info->validity->notBefore;
110 if (in != tm) { 120 if (in != tm) {
111 in=M_ASN1_TIME_dup(tm); 121 in = M_ASN1_TIME_dup(tm);
112 if (in != NULL) { 122 if (in != NULL) {
113 M_ASN1_TIME_free(x->cert_info->validity->notBefore); 123 M_ASN1_TIME_free(x->cert_info->validity->notBefore);
114 x->cert_info->validity->notBefore=in; 124 x->cert_info->validity->notBefore = in;
115 } 125 }
116 } 126 }
117 return(in != NULL); 127 return (in != NULL);
118} 128}
119 129
120int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) 130int
131X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
121{ 132{
122 ASN1_TIME *in; 133 ASN1_TIME *in;
123 134
124 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); 135 if ((x == NULL) || (x->cert_info->validity == NULL))
125 in=x->cert_info->validity->notAfter; 136 return (0);
137 in = x->cert_info->validity->notAfter;
126 if (in != tm) { 138 if (in != tm) {
127 in=M_ASN1_TIME_dup(tm); 139 in = M_ASN1_TIME_dup(tm);
128 if (in != NULL) { 140 if (in != NULL) {
129 M_ASN1_TIME_free(x->cert_info->validity->notAfter); 141 M_ASN1_TIME_free(x->cert_info->validity->notAfter);
130 x->cert_info->validity->notAfter=in; 142 x->cert_info->validity->notAfter = in;
131 } 143 }
132 } 144 }
133 return(in != NULL); 145 return (in != NULL);
134} 146}
135 147
136int X509_set_pubkey(X509 *x, EVP_PKEY *pkey) 148int
149X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
137{ 150{
138 if ((x == NULL) || (x->cert_info == NULL)) return(0); 151 if ((x == NULL) || (x->cert_info == NULL))
139 return(X509_PUBKEY_set(&(x->cert_info->key),pkey)); 152 return (0);
153 return (X509_PUBKEY_set(&(x->cert_info->key), pkey));
140} 154}
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index bdda53ec6b..90fd128591 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -61,8 +61,7 @@
61#include <openssl/x509v3.h> 61#include <openssl/x509v3.h>
62 62
63 63
64static int tr_cmp(const X509_TRUST * const *a, 64static int tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b);
65 const X509_TRUST * const *b);
66static void trtable_free(X509_TRUST *p); 65static void trtable_free(X509_TRUST *p);
67 66
68static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags); 67static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
@@ -78,14 +77,14 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
78 */ 77 */
79 78
80static X509_TRUST trstandard[] = { 79static X509_TRUST trstandard[] = {
81{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL}, 80 {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
82{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, 81 {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
83{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL}, 82 {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
84{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, 83 {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
85{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL}, 84 {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
86{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL}, 85 {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
87{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}, 86 {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
88{X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL} 87 {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
89}; 88};
90 89
91#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST)) 90#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST))
@@ -94,61 +93,76 @@ IMPLEMENT_STACK_OF(X509_TRUST)
94 93
95static STACK_OF(X509_TRUST) *trtable = NULL; 94static STACK_OF(X509_TRUST) *trtable = NULL;
96 95
97static int tr_cmp(const X509_TRUST * const *a, 96static int
98 const X509_TRUST * const *b) 97tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b)
99{ 98{
100 return (*a)->trust - (*b)->trust; 99 return (*a)->trust - (*b)->trust;
101} 100}
102 101
103int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int) 102int
103(*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
104{ 104{
105 int (*oldtrust)(int , X509 *, int); 105 int (*oldtrust)(int , X509 *, int);
106
106 oldtrust = default_trust; 107 oldtrust = default_trust;
107 default_trust = trust; 108 default_trust = trust;
108 return oldtrust; 109 return oldtrust;
109} 110}
110 111
111 112int
112int X509_check_trust(X509 *x, int id, int flags) 113X509_check_trust(X509 *x, int id, int flags)
113{ 114{
114 X509_TRUST *pt; 115 X509_TRUST *pt;
115 int idx; 116 int idx;
116 if(id == -1) return 1; 117
118 if (id == -1)
119 return 1;
117 idx = X509_TRUST_get_by_id(id); 120 idx = X509_TRUST_get_by_id(id);
118 if(idx == -1) return default_trust(id, x, flags); 121 if (idx == -1)
122 return default_trust(id, x, flags);
119 pt = X509_TRUST_get0(idx); 123 pt = X509_TRUST_get0(idx);
120 return pt->check_trust(pt, x, flags); 124 return pt->check_trust(pt, x, flags);
121} 125}
122 126
123int X509_TRUST_get_count(void) 127int
128X509_TRUST_get_count(void)
124{ 129{
125 if(!trtable) return X509_TRUST_COUNT; 130 if (!trtable)
131 return X509_TRUST_COUNT;
126 return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT; 132 return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
127} 133}
128 134
129X509_TRUST * X509_TRUST_get0(int idx) 135X509_TRUST *
136X509_TRUST_get0(int idx)
130{ 137{
131 if(idx < 0) return NULL; 138 if (idx < 0)
132 if(idx < (int)X509_TRUST_COUNT) return trstandard + idx; 139 return NULL;
140 if (idx < (int)X509_TRUST_COUNT)
141 return trstandard + idx;
133 return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT); 142 return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
134} 143}
135 144
136int X509_TRUST_get_by_id(int id) 145int
146X509_TRUST_get_by_id(int id)
137{ 147{
138 X509_TRUST tmp; 148 X509_TRUST tmp;
139 int idx; 149 int idx;
140 if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX)) 150
141 return id - X509_TRUST_MIN; 151 if ((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
152 return id - X509_TRUST_MIN;
142 tmp.trust = id; 153 tmp.trust = id;
143 if(!trtable) return -1; 154 if (!trtable)
155 return -1;
144 idx = sk_X509_TRUST_find(trtable, &tmp); 156 idx = sk_X509_TRUST_find(trtable, &tmp);
145 if(idx == -1) return -1; 157 if (idx == -1)
158 return -1;
146 return idx + X509_TRUST_COUNT; 159 return idx + X509_TRUST_COUNT;
147} 160}
148 161
149int X509_TRUST_set(int *t, int trust) 162int
163X509_TRUST_set(int *t, int trust)
150{ 164{
151 if(X509_TRUST_get_by_id(trust) == -1) { 165 if (X509_TRUST_get_by_id(trust) == -1) {
152 X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST); 166 X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
153 return 0; 167 return 0;
154 } 168 }
@@ -156,11 +170,13 @@ int X509_TRUST_set(int *t, int trust)
156 return 1; 170 return 1;
157} 171}
158 172
159int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), 173int
160 char *name, int arg1, void *arg2) 174X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
175 char *name, int arg1, void *arg2)
161{ 176{
162 int idx; 177 int idx;
163 X509_TRUST *trtmp; 178 X509_TRUST *trtmp;
179
164 /* This is set according to what we change: application can't set it */ 180 /* This is set according to what we change: application can't set it */
165 flags &= ~X509_TRUST_DYNAMIC; 181 flags &= ~X509_TRUST_DYNAMIC;
166 /* This will always be set for application modified trust entries */ 182 /* This will always be set for application modified trust entries */
@@ -168,9 +184,9 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
168 /* Get existing entry if any */ 184 /* Get existing entry if any */
169 idx = X509_TRUST_get_by_id(id); 185 idx = X509_TRUST_get_by_id(id);
170 /* Need a new entry */ 186 /* Need a new entry */
171 if(idx == -1) { 187 if (idx == -1) {
172 if(!(trtmp = malloc(sizeof(X509_TRUST)))) { 188 if (!(trtmp = malloc(sizeof(X509_TRUST)))) {
173 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); 189 X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
174 return 0; 190 return 0;
175 } 191 }
176 trtmp->flags = X509_TRUST_DYNAMIC; 192 trtmp->flags = X509_TRUST_DYNAMIC;
@@ -178,10 +194,11 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
178 trtmp = X509_TRUST_get0(idx); 194 trtmp = X509_TRUST_get0(idx);
179 195
180 /* free existing name if dynamic */ 196 /* free existing name if dynamic */
181 if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name); 197 if (trtmp->flags & X509_TRUST_DYNAMIC_NAME)
198 free(trtmp->name);
182 /* dup supplied name */ 199 /* dup supplied name */
183 if(!(trtmp->name = BUF_strdup(name))) { 200 if (!(trtmp->name = BUF_strdup(name))) {
184 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); 201 X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
185 return 0; 202 return 0;
186 } 203 }
187 /* Keep the dynamic flag of existing entry */ 204 /* Keep the dynamic flag of existing entry */
@@ -195,22 +212,24 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
195 trtmp->arg2 = arg2; 212 trtmp->arg2 = arg2;
196 213
197 /* If its a new entry manage the dynamic table */ 214 /* If its a new entry manage the dynamic table */
198 if(idx == -1) { 215 if (idx == -1) {
199 if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { 216 if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
200 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); 217 X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
201 return 0; 218 return 0;
202 } 219 }
203 if (!sk_X509_TRUST_push(trtable, trtmp)) { 220 if (!sk_X509_TRUST_push(trtable, trtmp)) {
204 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); 221 X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
205 return 0; 222 return 0;
206 } 223 }
207 } 224 }
208 return 1; 225 return 1;
209} 226}
210 227
211static void trtable_free(X509_TRUST *p) 228static void
229trtable_free(X509_TRUST *p)
212{ 230{
213 if(!p) return; 231 if (!p)
232 return;
214 if (p->flags & X509_TRUST_DYNAMIC) { 233 if (p->flags & X509_TRUST_DYNAMIC) {
215 if (p->flags & X509_TRUST_DYNAMIC_NAME) 234 if (p->flags & X509_TRUST_DYNAMIC_NAME)
216 free(p->name); 235 free(p->name);
@@ -218,32 +237,39 @@ static void trtable_free(X509_TRUST *p)
218 } 237 }
219} 238}
220 239
221void X509_TRUST_cleanup(void) 240void
241X509_TRUST_cleanup(void)
222{ 242{
223 unsigned int i; 243 unsigned int i;
224 for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i); 244
245 for(i = 0; i < X509_TRUST_COUNT; i++)
246 trtable_free(trstandard + i);
225 sk_X509_TRUST_pop_free(trtable, trtable_free); 247 sk_X509_TRUST_pop_free(trtable, trtable_free);
226 trtable = NULL; 248 trtable = NULL;
227} 249}
228 250
229int X509_TRUST_get_flags(X509_TRUST *xp) 251int
252X509_TRUST_get_flags(X509_TRUST *xp)
230{ 253{
231 return xp->flags; 254 return xp->flags;
232} 255}
233 256
234char *X509_TRUST_get0_name(X509_TRUST *xp) 257char *
258X509_TRUST_get0_name(X509_TRUST *xp)
235{ 259{
236 return xp->name; 260 return xp->name;
237} 261}
238 262
239int X509_TRUST_get_trust(X509_TRUST *xp) 263int
264X509_TRUST_get_trust(X509_TRUST *xp)
240{ 265{
241 return xp->trust; 266 return xp->trust;
242} 267}
243 268
244static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) 269static int
270trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
245{ 271{
246 if(x->aux && (x->aux->trust || x->aux->reject)) 272 if (x->aux && (x->aux->trust || x->aux->reject))
247 return obj_trust(trust->arg1, x, flags); 273 return obj_trust(trust->arg1, x, flags);
248 /* we don't have any trust settings: for compatibility 274 /* we don't have any trust settings: for compatibility
249 * we return trusted if it is self signed 275 * we return trusted if it is self signed
@@ -251,38 +277,47 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
251 return trust_compat(trust, x, flags); 277 return trust_compat(trust, x, flags);
252} 278}
253 279
254static int trust_1oid(X509_TRUST *trust, X509 *x, int flags) 280static int
281trust_1oid(X509_TRUST *trust, X509 *x, int flags)
255{ 282{
256 if(x->aux) return obj_trust(trust->arg1, x, flags); 283 if (x->aux)
284 return obj_trust(trust->arg1, x, flags);
257 return X509_TRUST_UNTRUSTED; 285 return X509_TRUST_UNTRUSTED;
258} 286}
259 287
260static int trust_compat(X509_TRUST *trust, X509 *x, int flags) 288static int
289trust_compat(X509_TRUST *trust, X509 *x, int flags)
261{ 290{
262 X509_check_purpose(x, -1, 0); 291 X509_check_purpose(x, -1, 0);
263 if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED; 292 if (x->ex_flags & EXFLAG_SS)
264 else return X509_TRUST_UNTRUSTED; 293 return X509_TRUST_TRUSTED;
294 else
295 return X509_TRUST_UNTRUSTED;
265} 296}
266 297
267static int obj_trust(int id, X509 *x, int flags) 298static int
299obj_trust(int id, X509 *x, int flags)
268{ 300{
269 ASN1_OBJECT *obj; 301 ASN1_OBJECT *obj;
270 int i; 302 int i;
271 X509_CERT_AUX *ax; 303 X509_CERT_AUX *ax;
304
272 ax = x->aux; 305 ax = x->aux;
273 if(!ax) return X509_TRUST_UNTRUSTED; 306 if (!ax)
274 if(ax->reject) { 307 return X509_TRUST_UNTRUSTED;
275 for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { 308 if (ax->reject) {
309 for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
276 obj = sk_ASN1_OBJECT_value(ax->reject, i); 310 obj = sk_ASN1_OBJECT_value(ax->reject, i);
277 if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED; 311 if (OBJ_obj2nid(obj) == id)
312 return X509_TRUST_REJECTED;
278 } 313 }
279 } 314 }
280 if(ax->trust) { 315 if (ax->trust) {
281 for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { 316 for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
282 obj = sk_ASN1_OBJECT_value(ax->trust, i); 317 obj = sk_ASN1_OBJECT_value(ax->trust, i);
283 if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED; 318 if (OBJ_obj2nid(obj) == id)
319 return X509_TRUST_TRUSTED;
284 } 320 }
285 } 321 }
286 return X509_TRUST_UNTRUSTED; 322 return X509_TRUST_UNTRUSTED;
287} 323}
288
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
index 8caf18a955..31a909a12c 100644
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -68,7 +68,8 @@
68#include <openssl/x509.h> 68#include <openssl/x509.h>
69#include <openssl/objects.h> 69#include <openssl/objects.h>
70 70
71const char *X509_verify_cert_error_string(long n) 71const char *
72X509_verify_cert_error_string(long n)
72{ 73{
73 static char buf[100]; 74 static char buf[100];
74 75
@@ -162,12 +163,11 @@ const char *X509_verify_cert_error_string(long n)
162 case X509_V_ERR_NO_EXPLICIT_POLICY: 163 case X509_V_ERR_NO_EXPLICIT_POLICY:
163 return("no explicit policy"); 164 return("no explicit policy");
164 case X509_V_ERR_DIFFERENT_CRL_SCOPE: 165 case X509_V_ERR_DIFFERENT_CRL_SCOPE:
165 return("Different CRL scope"); 166 return("Different CRL scope");
166 case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: 167 case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
167 return("Unsupported extension feature"); 168 return("Unsupported extension feature");
168 case X509_V_ERR_UNNESTED_RESOURCE: 169 case X509_V_ERR_UNNESTED_RESOURCE:
169 return("RFC 3779 resource not subset of parent's resources"); 170 return("RFC 3779 resource not subset of parent's resources");
170
171 case X509_V_ERR_PERMITTED_VIOLATION: 171 case X509_V_ERR_PERMITTED_VIOLATION:
172 return("permitted subtree violation"); 172 return("permitted subtree violation");
173 case X509_V_ERR_EXCLUDED_VIOLATION: 173 case X509_V_ERR_EXCLUDED_VIOLATION:
@@ -184,9 +184,7 @@ const char *X509_verify_cert_error_string(long n)
184 return("CRL path validation error"); 184 return("CRL path validation error");
185 185
186 default: 186 default:
187 snprintf(buf,sizeof buf,"error number %ld",n); 187 snprintf(buf, sizeof buf, "error number %ld", n);
188 return(buf); 188 return (buf);
189 } 189 }
190} 190}
191
192
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
index f41fab3367..cabace584b 100644
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ b/src/lib/libcrypto/x509/x509_v3.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -65,202 +65,235 @@
65#include <openssl/x509.h> 65#include <openssl/x509.h>
66#include <openssl/x509v3.h> 66#include <openssl/x509v3.h>
67 67
68int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) 68int
69X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
69{ 70{
70 if (x == NULL) return(0); 71 if (x == NULL)
71 return(sk_X509_EXTENSION_num(x)); 72 return (0);
73 return (sk_X509_EXTENSION_num(x));
72} 74}
73 75
74int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, 76int
75 int lastpos) 77X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos)
76{ 78{
77 ASN1_OBJECT *obj; 79 ASN1_OBJECT *obj;
78 80
79 obj=OBJ_nid2obj(nid); 81 obj = OBJ_nid2obj(nid);
80 if (obj == NULL) return(-2); 82 if (obj == NULL)
81 return(X509v3_get_ext_by_OBJ(x,obj,lastpos)); 83 return (-2);
84 return (X509v3_get_ext_by_OBJ(x, obj, lastpos));
82} 85}
83 86
84int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, 87int
85 int lastpos) 88X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
89 int lastpos)
86{ 90{
87 int n; 91 int n;
88 X509_EXTENSION *ex; 92 X509_EXTENSION *ex;
89 93
90 if (sk == NULL) return(-1); 94 if (sk == NULL)
95 return (-1);
91 lastpos++; 96 lastpos++;
92 if (lastpos < 0) 97 if (lastpos < 0)
93 lastpos=0; 98 lastpos = 0;
94 n=sk_X509_EXTENSION_num(sk); 99 n = sk_X509_EXTENSION_num(sk);
95 for ( ; lastpos < n; lastpos++) { 100 for (; lastpos < n; lastpos++) {
96 ex=sk_X509_EXTENSION_value(sk,lastpos); 101 ex = sk_X509_EXTENSION_value(sk, lastpos);
97 if (OBJ_cmp(ex->object,obj) == 0) 102 if (OBJ_cmp(ex->object, obj) == 0)
98 return(lastpos); 103 return (lastpos);
99 } 104 }
100 return(-1); 105 return (-1);
101} 106}
102 107
103int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, 108int
104 int lastpos) 109X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
110 int lastpos)
105{ 111{
106 int n; 112 int n;
107 X509_EXTENSION *ex; 113 X509_EXTENSION *ex;
108 114
109 if (sk == NULL) return(-1); 115 if (sk == NULL)
116 return (-1);
110 lastpos++; 117 lastpos++;
111 if (lastpos < 0) 118 if (lastpos < 0)
112 lastpos=0; 119 lastpos = 0;
113 n=sk_X509_EXTENSION_num(sk); 120 n = sk_X509_EXTENSION_num(sk);
114 for ( ; lastpos < n; lastpos++) { 121 for (; lastpos < n; lastpos++) {
115 ex=sk_X509_EXTENSION_value(sk,lastpos); 122 ex = sk_X509_EXTENSION_value(sk, lastpos);
116 if ( ((ex->critical > 0) && crit) || 123 if (((ex->critical > 0) && crit) ||
117 ((ex->critical <= 0) && !crit)) 124 ((ex->critical <= 0) && !crit))
118 return(lastpos); 125 return (lastpos);
119 } 126 }
120 return(-1); 127 return (-1);
121} 128}
122 129
123X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) 130X509_EXTENSION *
131X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
124{ 132{
125 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) 133 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
126 return NULL; 134 return NULL;
127 else 135 else
128 return sk_X509_EXTENSION_value(x,loc); 136 return sk_X509_EXTENSION_value(x, loc);
129} 137}
130 138
131X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) 139X509_EXTENSION *
140X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
132{ 141{
133 X509_EXTENSION *ret; 142 X509_EXTENSION *ret;
134 143
135 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) 144 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
136 return(NULL); 145 return (NULL);
137 ret=sk_X509_EXTENSION_delete(x,loc); 146 ret = sk_X509_EXTENSION_delete(x, loc);
138 return(ret); 147 return (ret);
139} 148}
140 149
141STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, 150STACK_OF(X509_EXTENSION) *
142 X509_EXTENSION *ex, int loc) 151X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc)
143{ 152{
144 X509_EXTENSION *new_ex=NULL; 153 X509_EXTENSION *new_ex = NULL;
145 int n; 154 int n;
146 STACK_OF(X509_EXTENSION) *sk=NULL; 155 STACK_OF(X509_EXTENSION) *sk = NULL;
147 156
148 if (x == NULL) { 157 if (x == NULL) {
149 X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER); 158 X509err(X509_F_X509V3_ADD_EXT, ERR_R_PASSED_NULL_PARAMETER);
150 goto err2; 159 goto err2;
151 } 160 }
152 161
153 if (*x == NULL) { 162 if (*x == NULL) {
154 if ((sk=sk_X509_EXTENSION_new_null()) == NULL) 163 if ((sk = sk_X509_EXTENSION_new_null()) == NULL)
155 goto err; 164 goto err;
156 } else 165 } else
157 sk= *x; 166 sk= *x;
158 167
159 n=sk_X509_EXTENSION_num(sk); 168 n = sk_X509_EXTENSION_num(sk);
160 if (loc > n) loc=n; 169 if (loc > n)
161 else if (loc < 0) loc=n; 170 loc = n;
171 else if (loc < 0)
172 loc = n;
162 173
163 if ((new_ex=X509_EXTENSION_dup(ex)) == NULL) 174 if ((new_ex = X509_EXTENSION_dup(ex)) == NULL)
164 goto err2; 175 goto err2;
165 if (!sk_X509_EXTENSION_insert(sk,new_ex,loc)) 176 if (!sk_X509_EXTENSION_insert(sk, new_ex, loc))
166 goto err; 177 goto err;
167 if (*x == NULL) 178 if (*x == NULL)
168 *x=sk; 179 *x = sk;
169 return(sk); 180 return (sk);
181
170err: 182err:
171 X509err(X509_F_X509V3_ADD_EXT,ERR_R_MALLOC_FAILURE); 183 X509err(X509_F_X509V3_ADD_EXT, ERR_R_MALLOC_FAILURE);
172err2: 184err2:
173 if (new_ex != NULL) X509_EXTENSION_free(new_ex); 185 if (new_ex != NULL)
174 if (sk != NULL) sk_X509_EXTENSION_free(sk); 186 X509_EXTENSION_free(new_ex);
175 return(NULL); 187 if (sk != NULL)
188 sk_X509_EXTENSION_free(sk);
189 return (NULL);
176} 190}
177 191
178X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, 192X509_EXTENSION *
179 int crit, ASN1_OCTET_STRING *data) 193X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit,
194 ASN1_OCTET_STRING *data)
180{ 195{
181 ASN1_OBJECT *obj; 196 ASN1_OBJECT *obj;
182 X509_EXTENSION *ret; 197 X509_EXTENSION *ret;
183 198
184 obj=OBJ_nid2obj(nid); 199 obj = OBJ_nid2obj(nid);
185 if (obj == NULL) { 200 if (obj == NULL) {
186 X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID); 201 X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,
187 return(NULL); 202 X509_R_UNKNOWN_NID);
203 return (NULL);
188 } 204 }
189 ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data); 205 ret = X509_EXTENSION_create_by_OBJ(ex, obj, crit, data);
190 if (ret == NULL) ASN1_OBJECT_free(obj); 206 if (ret == NULL)
191 return(ret); 207 ASN1_OBJECT_free(obj);
208 return (ret);
192} 209}
193 210
194X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, 211X509_EXTENSION *
195 ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data) 212X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, ASN1_OBJECT *obj, int crit,
213 ASN1_OCTET_STRING *data)
196{ 214{
197 X509_EXTENSION *ret; 215 X509_EXTENSION *ret;
198 216
199 if ((ex == NULL) || (*ex == NULL)) { 217 if ((ex == NULL) || (*ex == NULL)) {
200 if ((ret=X509_EXTENSION_new()) == NULL) 218 if ((ret = X509_EXTENSION_new()) == NULL) {
201 { 219 X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,
202 X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); 220 ERR_R_MALLOC_FAILURE);
203 return(NULL); 221 return (NULL);
204 } 222 }
205 } else 223 } else
206 ret= *ex; 224 ret= *ex;
207 225
208 if (!X509_EXTENSION_set_object(ret,obj)) 226 if (!X509_EXTENSION_set_object(ret, obj))
209 goto err; 227 goto err;
210 if (!X509_EXTENSION_set_critical(ret,crit)) 228 if (!X509_EXTENSION_set_critical(ret, crit))
211 goto err; 229 goto err;
212 if (!X509_EXTENSION_set_data(ret,data)) 230 if (!X509_EXTENSION_set_data(ret, data))
213 goto err; 231 goto err;
214 232
215 if ((ex != NULL) && (*ex == NULL)) *ex=ret; 233 if ((ex != NULL) && (*ex == NULL))
216 return(ret); 234 *ex = ret;
235 return (ret);
236
217err: 237err:
218 if ((ex == NULL) || (ret != *ex)) 238 if ((ex == NULL) || (ret != *ex))
219 X509_EXTENSION_free(ret); 239 X509_EXTENSION_free(ret);
220 return(NULL); 240 return (NULL);
221} 241}
222 242
223int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) 243int
244X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
224{ 245{
225 if ((ex == NULL) || (obj == NULL)) 246 if ((ex == NULL) || (obj == NULL))
226 return(0); 247 return (0);
227 ASN1_OBJECT_free(ex->object); 248 ASN1_OBJECT_free(ex->object);
228 ex->object=OBJ_dup(obj); 249 ex->object = OBJ_dup(obj);
229 return(1); 250 return (1);
230} 251}
231 252
232int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) 253int
254X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
233{ 255{
234 if (ex == NULL) return(0); 256 if (ex == NULL)
235 ex->critical=(crit)?0xFF:-1; 257 return (0);
236 return(1); 258 ex->critical = (crit) ? 0xFF : -1;
259 return (1);
237} 260}
238 261
239int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) 262int
263X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
240{ 264{
241 int i; 265 int i;
242 266
243 if (ex == NULL) return(0); 267 if (ex == NULL)
244 i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length); 268 return (0);
245 if (!i) return(0); 269 i = M_ASN1_OCTET_STRING_set(ex->value, data->data, data->length);
246 return(1); 270 if (!i)
271 return (0);
272 return (1);
247} 273}
248 274
249ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex) 275ASN1_OBJECT *
276X509_EXTENSION_get_object(X509_EXTENSION *ex)
250{ 277{
251 if (ex == NULL) return(NULL); 278 if (ex == NULL)
252 return(ex->object); 279 return (NULL);
280 return (ex->object);
253} 281}
254 282
255ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex) 283ASN1_OCTET_STRING *
284X509_EXTENSION_get_data(X509_EXTENSION *ex)
256{ 285{
257 if (ex == NULL) return(NULL); 286 if (ex == NULL)
258 return(ex->value); 287 return (NULL);
288 return (ex->value);
259} 289}
260 290
261int X509_EXTENSION_get_critical(X509_EXTENSION *ex) 291int
292X509_EXTENSION_get_critical(X509_EXTENSION *ex)
262{ 293{
263 if (ex == NULL) return(0); 294 if (ex == NULL)
264 if(ex->critical > 0) return 1; 295 return (0);
296 if (ex->critical > 0)
297 return 1;
265 return 0; 298 return 0;
266} 299}
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 6e9dd7cc6a..0024904c20 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -108,7 +108,7 @@
108 108
109#define CRL_SCORE_TIME_DELTA 0x002 109#define CRL_SCORE_TIME_DELTA 0x002
110 110
111static int null_callback(int ok,X509_STORE_CTX *e); 111static int null_callback(int ok, X509_STORE_CTX *e);
112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); 112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); 113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
114static int check_chain_extensions(X509_STORE_CTX *ctx); 114static int check_chain_extensions(X509_STORE_CTX *ctx);
@@ -119,100 +119,106 @@ static int check_cert(X509_STORE_CTX *ctx);
119static int check_policy(X509_STORE_CTX *ctx); 119static int check_policy(X509_STORE_CTX *ctx);
120 120
121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
122 unsigned int *preasons, 122 unsigned int *preasons, X509_CRL *crl, X509 *x);
123 X509_CRL *crl, X509 *x);
124static int get_crl_delta(X509_STORE_CTX *ctx, 123static int get_crl_delta(X509_STORE_CTX *ctx,
125 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); 124 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
126static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, 125static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
127 X509_CRL *base, STACK_OF(X509_CRL) *crls); 126 X509_CRL *base, STACK_OF(X509_CRL) *crls);
128static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, 127static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
129 X509 **pissuer, int *pcrl_score); 128 int *pcrl_score);
130static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 129static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
131 unsigned int *preasons); 130 unsigned int *preasons);
132static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); 131static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
133static int check_crl_chain(X509_STORE_CTX *ctx, 132static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
134 STACK_OF(X509) *cert_path, 133 STACK_OF(X509) *crl_path);
135 STACK_OF(X509) *crl_path);
136 134
137static int internal_verify(X509_STORE_CTX *ctx); 135static int internal_verify(X509_STORE_CTX *ctx);
138const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; 136const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139 137
140 138
141static int null_callback(int ok, X509_STORE_CTX *e) 139static int
140null_callback(int ok, X509_STORE_CTX *e)
142{ 141{
143 return ok; 142 return ok;
144} 143}
145 144
146#if 0 145#if 0
147static int x509_subject_cmp(X509 **a, X509 **b) 146static int
147x509_subject_cmp(X509 **a, X509 **b)
148{ 148{
149 return X509_subject_name_cmp(*a,*b); 149 return X509_subject_name_cmp(*a, *b);
150} 150}
151#endif 151#endif
152 152
153int X509_verify_cert(X509_STORE_CTX *ctx) 153int
154X509_verify_cert(X509_STORE_CTX *ctx)
154{ 155{
155 X509 *x,*xtmp,*chain_ss=NULL; 156 X509 *x, *xtmp, *chain_ss = NULL;
156 int bad_chain = 0; 157 int bad_chain = 0;
157 X509_VERIFY_PARAM *param = ctx->param; 158 X509_VERIFY_PARAM *param = ctx->param;
158 int depth,i,ok=0; 159 int depth, i, ok = 0;
159 int num; 160 int num;
160 int (*cb)(int xok,X509_STORE_CTX *xctx); 161 int (*cb)(int xok, X509_STORE_CTX *xctx);
161 STACK_OF(X509) *sktmp=NULL; 162 STACK_OF(X509) *sktmp = NULL;
163
162 if (ctx->cert == NULL) { 164 if (ctx->cert == NULL) {
163 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); 165 X509err(X509_F_X509_VERIFY_CERT,
166 X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
164 return -1; 167 return -1;
165 } 168 }
166 169
167 cb=ctx->verify_cb; 170 cb = ctx->verify_cb;
168 171
169 /* first we make sure the chain we are going to build is 172 /* first we make sure the chain we are going to build is
170 * present and that the first entry is in place */ 173 * present and that the first entry is in place */
171 if (ctx->chain == NULL) { 174 if (ctx->chain == NULL) {
172 if ( ((ctx->chain=sk_X509_new_null()) == NULL) || 175 if (((ctx->chain = sk_X509_new_null()) == NULL) ||
173 (!sk_X509_push(ctx->chain,ctx->cert))) { 176 (!sk_X509_push(ctx->chain, ctx->cert))) {
174 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 177 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
175 goto end; 178 goto end;
176 } 179 }
177 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); 180 CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
178 ctx->last_untrusted=1; 181 ctx->last_untrusted = 1;
179 } 182 }
180 183
181 /* We use a temporary STACK so we can chop and hack at it */ 184 /* We use a temporary STACK so we can chop and hack at it */
182 if (ctx->untrusted != NULL 185 if (ctx->untrusted != NULL &&
183 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) { 186 (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
184 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 187 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
185 goto end; 188 goto end;
186 } 189 }
187 190
188 num=sk_X509_num(ctx->chain); 191 num = sk_X509_num(ctx->chain);
189 x=sk_X509_value(ctx->chain,num-1); 192 x = sk_X509_value(ctx->chain, num - 1);
190 depth=param->depth; 193 depth = param->depth;
191
192 194
193 for (;;) { 195 for (;;) {
194 /* If we have enough, we break */ 196 /* If we have enough, we break */
195 if (depth < num) break; /* FIXME: If this happens, we should take 197 if (depth < num)
196 * note of it and, if appropriate, use the 198 break; /* FIXME: If this happens, we should take
197 * X509_V_ERR_CERT_CHAIN_TOO_LONG error 199 * note of it and, if appropriate, use the
198 * code later. 200 * X509_V_ERR_CERT_CHAIN_TOO_LONG error
199 */ 201 * code later.
202 */
200 203
201 /* If we are self signed, we break */ 204 /* If we are self signed, we break */
202 if (ctx->check_issued(ctx, x,x)) break; 205 if (ctx->check_issued(ctx, x, x))
206 break;
203 207
204 /* If we were passed a cert chain, use it first */ 208 /* If we were passed a cert chain, use it first */
205 if (ctx->untrusted != NULL) { 209 if (ctx->untrusted != NULL) {
206 xtmp=find_issuer(ctx, sktmp,x); 210 xtmp = find_issuer(ctx, sktmp, x);
207 if (xtmp != NULL) { 211 if (xtmp != NULL) {
208 if (!sk_X509_push(ctx->chain,xtmp)) { 212 if (!sk_X509_push(ctx->chain, xtmp)) {
209 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 213 X509err(X509_F_X509_VERIFY_CERT,
214 ERR_R_MALLOC_FAILURE);
210 goto end; 215 goto end;
211 } 216 }
212 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); 217 CRYPTO_add(&xtmp->references, 1,
213 (void)sk_X509_delete_ptr(sktmp,xtmp); 218 CRYPTO_LOCK_X509);
219 (void)sk_X509_delete_ptr(sktmp, xtmp);
214 ctx->last_untrusted++; 220 ctx->last_untrusted++;
215 x=xtmp; 221 x = xtmp;
216 num++; 222 num++;
217 /* reparse the full chain for 223 /* reparse the full chain for
218 * the next one */ 224 * the next one */
@@ -230,8 +236,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
230 * is self signed. 236 * is self signed.
231 */ 237 */
232 238
233 i=sk_X509_num(ctx->chain); 239 i = sk_X509_num(ctx->chain);
234 x=sk_X509_value(ctx->chain,i-1); 240 x = sk_X509_value(ctx->chain, i - 1);
235 if (ctx->check_issued(ctx, x, x)) { 241 if (ctx->check_issued(ctx, x, x)) {
236 /* we have a self signed certificate */ 242 /* we have a self signed certificate */
237 if (sk_X509_num(ctx->chain) == 1) { 243 if (sk_X509_num(ctx->chain) == 1) {
@@ -241,13 +247,16 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
241 */ 247 */
242 ok = ctx->get_issuer(&xtmp, ctx, x); 248 ok = ctx->get_issuer(&xtmp, ctx, x);
243 if ((ok <= 0) || X509_cmp(x, xtmp)) { 249 if ((ok <= 0) || X509_cmp(x, xtmp)) {
244 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; 250 ctx->error =
245 ctx->current_cert=x; 251 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
246 ctx->error_depth=i-1; 252 ctx->current_cert = x;
247 if (ok == 1) X509_free(xtmp); 253 ctx->error_depth = i - 1;
254 if (ok == 1)
255 X509_free(xtmp);
248 bad_chain = 1; 256 bad_chain = 1;
249 ok=cb(0,ctx); 257 ok = cb(0, ctx);
250 if (!ok) goto end; 258 if (!ok)
259 goto end;
251 } else { 260 } else {
252 /* We have a match: replace certificate with store version 261 /* We have a match: replace certificate with store version
253 * so we get any trust settings. 262 * so we get any trust settings.
@@ -255,34 +264,37 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
255 X509_free(x); 264 X509_free(x);
256 x = xtmp; 265 x = xtmp;
257 (void)sk_X509_set(ctx->chain, i - 1, x); 266 (void)sk_X509_set(ctx->chain, i - 1, x);
258 ctx->last_untrusted=0; 267 ctx->last_untrusted = 0;
259 } 268 }
260 } else { 269 } else {
261 /* extract and save self signed certificate for later use */ 270 /* extract and save self signed certificate for later use */
262 chain_ss=sk_X509_pop(ctx->chain); 271 chain_ss = sk_X509_pop(ctx->chain);
263 ctx->last_untrusted--; 272 ctx->last_untrusted--;
264 num--; 273 num--;
265 x=sk_X509_value(ctx->chain,num-1); 274 x = sk_X509_value(ctx->chain, num - 1);
266 } 275 }
267 } 276 }
268 277
269 /* We now lookup certs from the certificate store */ 278 /* We now lookup certs from the certificate store */
270 for (;;) { 279 for (;;) {
271 /* If we have enough, we break */ 280 /* If we have enough, we break */
272 if (depth < num) break; 281 if (depth < num)
282 break;
273 283
274 /* If we are self signed, we break */ 284 /* If we are self signed, we break */
275 if (ctx->check_issued(ctx,x,x)) break; 285 if (ctx->check_issued(ctx, x, x))
286 break;
276 287
277 ok = ctx->get_issuer(&xtmp, ctx, x); 288 ok = ctx->get_issuer(&xtmp, ctx, x);
278 289 if (ok < 0)
279 if (ok < 0) return ok; 290 return ok;
280 if (ok == 0) break; 291 if (ok == 0)
292 break;
281 293
282 x = xtmp; 294 x = xtmp;
283 if (!sk_X509_push(ctx->chain,x)) { 295 if (!sk_X509_push(ctx->chain, x)) {
284 X509_free(xtmp); 296 X509_free(xtmp);
285 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 297 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
286 return 0; 298 return 0;
287 } 299 }
288 num++; 300 num++;
@@ -291,81 +303,94 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
291 /* we now have our chain, lets check it... */ 303 /* we now have our chain, lets check it... */
292 304
293 /* Is last certificate looked up self signed? */ 305 /* Is last certificate looked up self signed? */
294 if (!ctx->check_issued(ctx,x,x)) { 306 if (!ctx->check_issued(ctx, x, x)) {
295 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { 307 if ((chain_ss == NULL) ||
308 !ctx->check_issued(ctx, x, chain_ss)) {
296 if (ctx->last_untrusted >= num) 309 if (ctx->last_untrusted >= num)
297 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 310 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
298 else 311 else
299 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; 312 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
300 ctx->current_cert=x; 313 ctx->current_cert = x;
301 } else { 314 } else {
302 315
303 sk_X509_push(ctx->chain,chain_ss); 316 sk_X509_push(ctx->chain, chain_ss);
304 num++; 317 num++;
305 ctx->last_untrusted=num; 318 ctx->last_untrusted = num;
306 ctx->current_cert=chain_ss; 319 ctx->current_cert = chain_ss;
307 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 320 ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
308 chain_ss=NULL; 321 chain_ss = NULL;
309 } 322 }
310 323
311 ctx->error_depth=num-1; 324 ctx->error_depth = num - 1;
312 bad_chain = 1; 325 bad_chain = 1;
313 ok=cb(0,ctx); 326 ok = cb(0, ctx);
314 if (!ok) goto end; 327 if (!ok)
328 goto end;
315 } 329 }
316 330
317 /* We have the chain complete: now we need to check its purpose */ 331 /* We have the chain complete: now we need to check its purpose */
318 ok = check_chain_extensions(ctx); 332 ok = check_chain_extensions(ctx);
319 333
320 if (!ok) goto end; 334 if (!ok)
335 goto end;
321 336
322 /* Check name constraints */ 337 /* Check name constraints */
323 338
324 ok = check_name_constraints(ctx); 339 ok = check_name_constraints(ctx);
325 340
326 if (!ok) goto end; 341 if (!ok)
342 goto end;
327 343
328 /* The chain extensions are OK: check trust */ 344 /* The chain extensions are OK: check trust */
329 345
330 if (param->trust > 0) ok = check_trust(ctx); 346 if (param->trust > 0)
347 ok = check_trust(ctx);
331 348
332 if (!ok) goto end; 349 if (!ok)
350 goto end;
333 351
334 /* We may as well copy down any DSA parameters that are required */ 352 /* We may as well copy down any DSA parameters that are required */
335 X509_get_pubkey_parameters(NULL,ctx->chain); 353 X509_get_pubkey_parameters(NULL, ctx->chain);
336 354
337 /* Check revocation status: we do this after copying parameters 355 /* Check revocation status: we do this after copying parameters
338 * because they may be needed for CRL signature verification. 356 * because they may be needed for CRL signature verification.
339 */ 357 */
340 358
341 ok = ctx->check_revocation(ctx); 359 ok = ctx->check_revocation(ctx);
342 if(!ok) goto end; 360 if (!ok)
361 goto end;
343 362
344 /* At this point, we have a chain and need to verify it */ 363 /* At this point, we have a chain and need to verify it */
345 if (ctx->verify != NULL) 364 if (ctx->verify != NULL)
346 ok=ctx->verify(ctx); 365 ok = ctx->verify(ctx);
347 else 366 else
348 ok=internal_verify(ctx); 367 ok = internal_verify(ctx);
349 if(!ok) goto end; 368 if (!ok)
369 goto end;
350 370
351#ifndef OPENSSL_NO_RFC3779 371#ifndef OPENSSL_NO_RFC3779
352 /* RFC 3779 path validation, now that CRL check has been done */ 372 /* RFC 3779 path validation, now that CRL check has been done */
353 ok = v3_asid_validate_path(ctx); 373 ok = v3_asid_validate_path(ctx);
354 if (!ok) goto end; 374 if (!ok)
375 goto end;
355 ok = v3_addr_validate_path(ctx); 376 ok = v3_addr_validate_path(ctx);
356 if (!ok) goto end; 377 if (!ok)
378 goto end;
357#endif 379#endif
358 380
359 /* If we get this far evaluate policies */ 381 /* If we get this far evaluate policies */
360 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) 382 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
361 ok = ctx->check_policy(ctx); 383 ok = ctx->check_policy(ctx);
362 if(!ok) goto end; 384 if (!ok)
385 goto end;
363 if (0) { 386 if (0) {
364end: 387end:
365 X509_get_pubkey_parameters(NULL,ctx->chain); 388 X509_get_pubkey_parameters(NULL, ctx->chain);
366 } 389 }
367 if (sktmp != NULL) sk_X509_free(sktmp); 390 if (sktmp != NULL)
368 if (chain_ss != NULL) X509_free(chain_ss); 391 sk_X509_free(sktmp);
392 if (chain_ss != NULL)
393 X509_free(chain_ss);
369 return ok; 394 return ok;
370} 395}
371 396
@@ -373,10 +398,12 @@ end:
373/* Given a STACK_OF(X509) find the issuer of cert (if any) 398/* Given a STACK_OF(X509) find the issuer of cert (if any)
374 */ 399 */
375 400
376static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) 401static X509 *
402find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
377{ 403{
378 int i; 404 int i;
379 X509 *issuer; 405 X509 *issuer;
406
380 for (i = 0; i < sk_X509_num(sk); i++) { 407 for (i = 0; i < sk_X509_num(sk); i++) {
381 issuer = sk_X509_value(sk, i); 408 issuer = sk_X509_value(sk, i);
382 if (ctx->check_issued(ctx, x, issuer)) 409 if (ctx->check_issued(ctx, x, issuer))
@@ -387,9 +414,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
387 414
388/* Given a possible certificate and issuer check them */ 415/* Given a possible certificate and issuer check them */
389 416
390static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) 417static int
418check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
391{ 419{
392 int ret; 420 int ret;
421
393 ret = X509_check_issued(issuer, x); 422 ret = X509_check_issued(issuer, x);
394 if (ret == X509_V_OK) 423 if (ret == X509_V_OK)
395 return 1; 424 return 1;
@@ -405,33 +434,35 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
405 434
406/* Alternative lookup method: look from a STACK stored in other_ctx */ 435/* Alternative lookup method: look from a STACK stored in other_ctx */
407 436
408static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 437static int
438get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
409{ 439{
410 *issuer = find_issuer(ctx, ctx->other_ctx, x); 440 *issuer = find_issuer(ctx, ctx->other_ctx, x);
411 if (*issuer) { 441 if (*issuer) {
412 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); 442 CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
413 return 1; 443 return 1;
414 } else 444 } else
415 return 0; 445 return 0;
416} 446}
417
418 447
419/* Check a certificate chains extensions for consistency 448/* Check a certificate chains extensions for consistency
420 * with the supplied purpose 449 * with the supplied purpose
421 */ 450 */
422 451
423static int check_chain_extensions(X509_STORE_CTX *ctx) 452static int
453check_chain_extensions(X509_STORE_CTX *ctx)
424{ 454{
425#ifdef OPENSSL_NO_CHAIN_VERIFY 455#ifdef OPENSSL_NO_CHAIN_VERIFY
426 return 1; 456 return 1;
427#else 457#else
428 int i, ok=0, must_be_ca, plen = 0; 458 int i, ok = 0, must_be_ca, plen = 0;
429 X509 *x; 459 X509 *x;
430 int (*cb)(int xok,X509_STORE_CTX *xctx); 460 int (*cb)(int xok, X509_STORE_CTX *xctx);
431 int proxy_path_length = 0; 461 int proxy_path_length = 0;
432 int purpose; 462 int purpose;
433 int allow_proxy_certs; 463 int allow_proxy_certs;
434 cb=ctx->verify_cb; 464
465 cb = ctx->verify_cb;
435 466
436 /* must_be_ca can have 1 of 3 values: 467 /* must_be_ca can have 1 of 3 values:
437 -1: we accept both CA and non-CA certificates, to allow direct 468 -1: we accept both CA and non-CA certificates, to allow direct
@@ -449,7 +480,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
449 purpose = X509_PURPOSE_CRL_SIGN; 480 purpose = X509_PURPOSE_CRL_SIGN;
450 } else { 481 } else {
451 allow_proxy_certs = 482 allow_proxy_certs =
452 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); 483 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
453 /* A hack to keep people who don't want to modify their 484 /* A hack to keep people who don't want to modify their
454 software happy */ 485 software happy */
455 if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) 486 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
@@ -461,26 +492,28 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
461 for (i = 0; i < ctx->last_untrusted; i++) { 492 for (i = 0; i < ctx->last_untrusted; i++) {
462 int ret; 493 int ret;
463 x = sk_X509_value(ctx->chain, i); 494 x = sk_X509_value(ctx->chain, i);
464 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 495 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
465 && (x->ex_flags & EXFLAG_CRITICAL)) { 496 (x->ex_flags & EXFLAG_CRITICAL)) {
466 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 497 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
467 ctx->error_depth = i; 498 ctx->error_depth = i;
468 ctx->current_cert = x; 499 ctx->current_cert = x;
469 ok=cb(0,ctx); 500 ok = cb(0, ctx);
470 if (!ok) goto end; 501 if (!ok)
502 goto end;
471 } 503 }
472 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { 504 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
473 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; 505 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
474 ctx->error_depth = i; 506 ctx->error_depth = i;
475 ctx->current_cert = x; 507 ctx->current_cert = x;
476 ok=cb(0,ctx); 508 ok = cb(0, ctx);
477 if (!ok) goto end; 509 if (!ok)
510 goto end;
478 } 511 }
479 ret = X509_check_ca(x); 512 ret = X509_check_ca(x);
480 switch(must_be_ca) { 513 switch (must_be_ca) {
481 case -1: 514 case -1:
482 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 515 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
483 && (ret != 1) && (ret != 0)) { 516 (ret != 1) && (ret != 0)) {
484 ret = 0; 517 ret = 0;
485 ctx->error = X509_V_ERR_INVALID_CA; 518 ctx->error = X509_V_ERR_INVALID_CA;
486 } else 519 } else
@@ -494,9 +527,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
494 ret = 1; 527 ret = 1;
495 break; 528 break;
496 default: 529 default:
497 if ((ret == 0) 530 if ((ret == 0) ||
498 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 531 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
499 && (ret != 1))) { 532 (ret != 1))) {
500 ret = 0; 533 ret = 0;
501 ctx->error = X509_V_ERR_INVALID_CA; 534 ctx->error = X509_V_ERR_INVALID_CA;
502 } else 535 } else
@@ -506,30 +539,33 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
506 if (ret == 0) { 539 if (ret == 0) {
507 ctx->error_depth = i; 540 ctx->error_depth = i;
508 ctx->current_cert = x; 541 ctx->current_cert = x;
509 ok=cb(0,ctx); 542 ok = cb(0, ctx);
510 if (!ok) goto end; 543 if (!ok)
544 goto end;
511 } 545 }
512 if (ctx->param->purpose > 0) { 546 if (ctx->param->purpose > 0) {
513 ret = X509_check_purpose(x, purpose, must_be_ca > 0); 547 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
514 if ((ret == 0) 548 if ((ret == 0) ||
515 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 549 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
516 && (ret != 1))) { 550 (ret != 1))) {
517 ctx->error = X509_V_ERR_INVALID_PURPOSE; 551 ctx->error = X509_V_ERR_INVALID_PURPOSE;
518 ctx->error_depth = i; 552 ctx->error_depth = i;
519 ctx->current_cert = x; 553 ctx->current_cert = x;
520 ok=cb(0,ctx); 554 ok = cb(0, ctx);
521 if (!ok) goto end; 555 if (!ok)
556 goto end;
522 } 557 }
523 } 558 }
524 /* Check pathlen if not self issued */ 559 /* Check pathlen if not self issued */
525 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) 560 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) &&
526 && (x->ex_pathlen != -1) 561 (x->ex_pathlen != -1) &&
527 && (plen > (x->ex_pathlen + proxy_path_length + 1))) { 562 (plen > (x->ex_pathlen + proxy_path_length + 1))) {
528 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 563 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
529 ctx->error_depth = i; 564 ctx->error_depth = i;
530 ctx->current_cert = x; 565 ctx->current_cert = x;
531 ok=cb(0,ctx); 566 ok = cb(0, ctx);
532 if (!ok) goto end; 567 if (!ok)
568 goto end;
533 } 569 }
534 /* Increment path length if not self issued */ 570 /* Increment path length if not self issued */
535 if (!(x->ex_flags & EXFLAG_SI)) 571 if (!(x->ex_flags & EXFLAG_SI))
@@ -541,11 +577,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
541 if (x->ex_flags & EXFLAG_PROXY) { 577 if (x->ex_flags & EXFLAG_PROXY) {
542 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { 578 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
543 ctx->error = 579 ctx->error =
544 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; 580 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
545 ctx->error_depth = i; 581 ctx->error_depth = i;
546 ctx->current_cert = x; 582 ctx->current_cert = x;
547 ok=cb(0,ctx); 583 ok = cb(0, ctx);
548 if (!ok) goto end; 584 if (!ok)
585 goto end;
549 } 586 }
550 proxy_path_length++; 587 proxy_path_length++;
551 must_be_ca = 0; 588 must_be_ca = 0;
@@ -553,15 +590,18 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
553 must_be_ca = 1; 590 must_be_ca = 1;
554 } 591 }
555 ok = 1; 592 ok = 1;
556 end: 593
594end:
557 return ok; 595 return ok;
558#endif 596#endif
559} 597}
560 598
561static int check_name_constraints(X509_STORE_CTX *ctx) 599static int
600check_name_constraints(X509_STORE_CTX *ctx)
562{ 601{
563 X509 *x; 602 X509 *x;
564 int i, j, rv; 603 int i, j, rv;
604
565 /* Check name constraints for all certificates */ 605 /* Check name constraints for all certificates */
566 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { 606 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
567 x = sk_X509_value(ctx->chain, i); 607 x = sk_X509_value(ctx->chain, i);
@@ -581,7 +621,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
581 ctx->error = rv; 621 ctx->error = rv;
582 ctx->error_depth = i; 622 ctx->error_depth = i;
583 ctx->current_cert = x; 623 ctx->current_cert = x;
584 if (!ctx->verify_cb(0,ctx)) 624 if (!ctx->verify_cb(0, ctx))
585 return 0; 625 return 0;
586 } 626 }
587 } 627 }
@@ -590,16 +630,18 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
590 return 1; 630 return 1;
591} 631}
592 632
593static int check_trust(X509_STORE_CTX *ctx) 633static int
634check_trust(X509_STORE_CTX *ctx)
594{ 635{
595#ifdef OPENSSL_NO_CHAIN_VERIFY 636#ifdef OPENSSL_NO_CHAIN_VERIFY
596 return 1; 637 return 1;
597#else 638#else
598 int i, ok; 639 int i, ok;
599 X509 *x; 640 X509 *x;
600 int (*cb)(int xok,X509_STORE_CTX *xctx); 641 int (*cb)(int xok, X509_STORE_CTX *xctx);
601 cb=ctx->verify_cb; 642
602/* For now just check the last certificate in the chain */ 643 cb = ctx->verify_cb;
644 /* For now just check the last certificate in the chain */
603 i = sk_X509_num(ctx->chain) - 1; 645 i = sk_X509_num(ctx->chain) - 1;
604 x = sk_X509_value(ctx->chain, i); 646 x = sk_X509_value(ctx->chain, i);
605 ok = X509_check_trust(x, ctx->param->trust, 0); 647 ok = X509_check_trust(x, ctx->param->trust, 0);
@@ -616,9 +658,11 @@ static int check_trust(X509_STORE_CTX *ctx)
616#endif 658#endif
617} 659}
618 660
619static int check_revocation(X509_STORE_CTX *ctx) 661static int
662check_revocation(X509_STORE_CTX *ctx)
620{ 663{
621 int i, last, ok; 664 int i, last, ok;
665
622 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) 666 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
623 return 1; 667 return 1;
624 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) 668 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
@@ -629,19 +673,23 @@ static int check_revocation(X509_STORE_CTX *ctx)
629 return 1; 673 return 1;
630 last = 0; 674 last = 0;
631 } 675 }
632 for(i = 0; i <= last; i++) { 676 for (i = 0; i <= last; i++) {
633 ctx->error_depth = i; 677 ctx->error_depth = i;
634 ok = check_cert(ctx); 678 ok = check_cert(ctx);
635 if (!ok) return ok; 679 if (!ok)
680 return ok;
636 } 681 }
637 return 1; 682 return 1;
638} 683}
639 684
640static int check_cert(X509_STORE_CTX *ctx) { 685static int
686check_cert(X509_STORE_CTX *ctx)
687{
641 X509_CRL *crl = NULL, *dcrl = NULL; 688 X509_CRL *crl = NULL, *dcrl = NULL;
642 X509 *x; 689 X509 *x;
643 int ok, cnum; 690 int ok, cnum;
644 unsigned int last_reasons; 691 unsigned int last_reasons;
692
645 cnum = ctx->error_depth; 693 cnum = ctx->error_depth;
646 x = sk_X509_value(ctx->chain, cnum); 694 x = sk_X509_value(ctx->chain, cnum);
647 ctx->current_cert = x; 695 ctx->current_cert = x;
@@ -658,7 +706,7 @@ static int check_cert(X509_STORE_CTX *ctx) {
658 /* If error looking up CRL, nothing we can do except 706 /* If error looking up CRL, nothing we can do except
659 * notify callback 707 * notify callback
660 */ 708 */
661 if(!ok) { 709 if (!ok) {
662 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 710 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
663 ok = ctx->verify_cb(0, ctx); 711 ok = ctx->verify_cb(0, ctx);
664 goto err; 712 goto err;
@@ -698,21 +746,23 @@ static int check_cert(X509_STORE_CTX *ctx) {
698 goto err; 746 goto err;
699 } 747 }
700 } 748 }
749
701err: 750err:
702 X509_CRL_free(crl); 751 X509_CRL_free(crl);
703 X509_CRL_free(dcrl); 752 X509_CRL_free(dcrl);
704 753
705 ctx->current_crl = NULL; 754 ctx->current_crl = NULL;
706 return ok; 755 return ok;
707
708} 756}
709 757
710/* Check CRL times against values in X509_STORE_CTX */ 758/* Check CRL times against values in X509_STORE_CTX */
711 759
712static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) 760static int
761check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
713{ 762{
714 time_t *ptime; 763 time_t *ptime;
715 int i; 764 int i;
765
716 if (notify) 766 if (notify)
717 ctx->current_crl = crl; 767 ctx->current_crl = crl;
718 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) 768 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
@@ -720,11 +770,11 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
720 else 770 else
721 ptime = NULL; 771 ptime = NULL;
722 772
723 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); 773 i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
724 if (i == 0) { 774 if (i == 0) {
725 if (!notify) 775 if (!notify)
726 return 0; 776 return 0;
727 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; 777 ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
728 if (!ctx->verify_cb(0, ctx)) 778 if (!ctx->verify_cb(0, ctx))
729 return 0; 779 return 0;
730 } 780 }
@@ -732,26 +782,27 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
732 if (i > 0) { 782 if (i > 0) {
733 if (!notify) 783 if (!notify)
734 return 0; 784 return 0;
735 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; 785 ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
736 if (!ctx->verify_cb(0, ctx)) 786 if (!ctx->verify_cb(0, ctx))
737 return 0; 787 return 0;
738 } 788 }
739 789
740 if(X509_CRL_get_nextUpdate(crl)) { 790 if (X509_CRL_get_nextUpdate(crl)) {
741 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); 791 i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
742 792
743 if (i == 0) { 793 if (i == 0) {
744 if (!notify) 794 if (!notify)
745 return 0; 795 return 0;
746 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; 796 ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
747 if (!ctx->verify_cb(0, ctx)) 797 if (!ctx->verify_cb(0, ctx))
748 return 0; 798 return 0;
749 } 799 }
750 /* Ignore expiry of base CRL is delta is valid */ 800 /* Ignore expiry of base CRL is delta is valid */
751 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { 801 if ((i < 0) &&
802 !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
752 if (!notify) 803 if (!notify)
753 return 0; 804 return 0;
754 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; 805 ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
755 if (!ctx->verify_cb(0, ctx)) 806 if (!ctx->verify_cb(0, ctx))
756 return 0; 807 return 0;
757 } 808 }
@@ -763,9 +814,10 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
763 return 1; 814 return 1;
764} 815}
765 816
766static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, 817static int
767 X509 **pissuer, int *pscore, unsigned int *preasons, 818get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
768 STACK_OF(X509_CRL) *crls) 819 X509 **pissuer, int *pscore, unsigned int *preasons,
820 STACK_OF(X509_CRL) *crls)
769{ 821{
770 int i, crl_score, best_score = *pscore; 822 int i, crl_score, best_score = *pscore;
771 unsigned int reasons, best_reasons = 0; 823 unsigned int reasons, best_reasons = 0;
@@ -811,10 +863,12 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
811 * both present or both absent. If both present all fields must be identical. 863 * both present or both absent. If both present all fields must be identical.
812 */ 864 */
813 865
814static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) 866static int
867crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
815{ 868{
816 ASN1_OCTET_STRING *exta, *extb; 869 ASN1_OCTET_STRING *exta, *extb;
817 int i; 870 int i;
871
818 i = X509_CRL_get_ext_by_NID(a, nid, -1); 872 i = X509_CRL_get_ext_by_NID(a, nid, -1);
819 if (i >= 0) { 873 if (i >= 0) {
820 /* Can't have multiple occurrences */ 874 /* Can't have multiple occurrences */
@@ -827,7 +881,6 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
827 i = X509_CRL_get_ext_by_NID(b, nid, -1); 881 i = X509_CRL_get_ext_by_NID(b, nid, -1);
828 882
829 if (i >= 0) { 883 if (i >= 0) {
830
831 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) 884 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
832 return 0; 885 return 0;
833 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); 886 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
@@ -840,7 +893,6 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
840 if (!exta || !extb) 893 if (!exta || !extb)
841 return 0; 894 return 0;
842 895
843
844 if (ASN1_OCTET_STRING_cmp(exta, extb)) 896 if (ASN1_OCTET_STRING_cmp(exta, extb))
845 return 0; 897 return 0;
846 898
@@ -849,29 +901,30 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
849 901
850/* See if a base and delta are compatible */ 902/* See if a base and delta are compatible */
851 903
852static int check_delta_base(X509_CRL *delta, X509_CRL *base) 904static int
905check_delta_base(X509_CRL *delta, X509_CRL *base)
853{ 906{
854 /* Delta CRL must be a delta */ 907 /* Delta CRL must be a delta */
855 if (!delta->base_crl_number) 908 if (!delta->base_crl_number)
856 return 0; 909 return 0;
857 /* Base must have a CRL number */ 910 /* Base must have a CRL number */
858 if (!base->crl_number) 911 if (!base->crl_number)
859 return 0; 912 return 0;
860 /* Issuer names must match */ 913 /* Issuer names must match */
861 if (X509_NAME_cmp(X509_CRL_get_issuer(base), 914 if (X509_NAME_cmp(X509_CRL_get_issuer(base),
862 X509_CRL_get_issuer(delta))) 915 X509_CRL_get_issuer(delta)))
863 return 0; 916 return 0;
864 /* AKID and IDP must match */ 917 /* AKID and IDP must match */
865 if (!crl_extension_match(delta, base, NID_authority_key_identifier)) 918 if (!crl_extension_match(delta, base, NID_authority_key_identifier))
866 return 0; 919 return 0;
867 if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) 920 if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
868 return 0; 921 return 0;
869 /* Delta CRL base number must not exceed Full CRL number. */ 922 /* Delta CRL base number must not exceed Full CRL number. */
870 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) 923 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
871 return 0; 924 return 0;
872 /* Delta CRL number must exceed full CRL number */ 925 /* Delta CRL number must exceed full CRL number */
873 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) 926 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
874 return 1; 927 return 1;
875 return 0; 928 return 0;
876} 929}
877 930
@@ -879,11 +932,13 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
879 * or retrieve a chain of deltas... 932 * or retrieve a chain of deltas...
880 */ 933 */
881 934
882static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, 935static void
883 X509_CRL *base, STACK_OF(X509_CRL) *crls) 936get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base,
937 STACK_OF(X509_CRL) *crls)
884{ 938{
885 X509_CRL *delta; 939 X509_CRL *delta;
886 int i; 940 int i;
941
887 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) 942 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
888 return; 943 return;
889 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) 944 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
@@ -908,11 +963,10 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
908 * no new reasons the CRL is rejected, otherwise reasons is updated. 963 * no new reasons the CRL is rejected, otherwise reasons is updated.
909 */ 964 */
910 965
911static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 966static int
912 unsigned int *preasons, 967get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons,
913 X509_CRL *crl, X509 *x) 968 X509_CRL *crl, X509 *x)
914{ 969{
915
916 int crl_score = 0; 970 int crl_score = 0;
917 unsigned int tmp_reasons = *preasons, crl_reasons; 971 unsigned int tmp_reasons = *preasons, crl_reasons;
918 972
@@ -968,11 +1022,11 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
968 *preasons = tmp_reasons; 1022 *preasons = tmp_reasons;
969 1023
970 return crl_score; 1024 return crl_score;
971
972} 1025}
973 1026
974static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, 1027static void
975 X509 **pissuer, int *pcrl_score) 1028crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
1029 int *pcrl_score)
976{ 1030{
977 X509 *crl_issuer = NULL; 1031 X509 *crl_issuer = NULL;
978 X509_NAME *cnm = X509_CRL_get_issuer(crl); 1032 X509_NAME *cnm = X509_CRL_get_issuer(crl);
@@ -1026,14 +1080,16 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1026/* Check the path of a CRL issuer certificate. This creates a new 1080/* Check the path of a CRL issuer certificate. This creates a new
1027 * X509_STORE_CTX and populates it with most of the parameters from the 1081 * X509_STORE_CTX and populates it with most of the parameters from the
1028 * parent. This could be optimised somewhat since a lot of path checking 1082 * parent. This could be optimised somewhat since a lot of path checking
1029 * will be duplicated by the parent, but this will rarely be used in 1083 * will be duplicated by the parent, but this will rarely be used in
1030 * practice. 1084 * practice.
1031 */ 1085 */
1032 1086
1033static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) 1087static int
1088check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1034{ 1089{
1035 X509_STORE_CTX crl_ctx; 1090 X509_STORE_CTX crl_ctx;
1036 int ret; 1091 int ret;
1092
1037 /* Don't allow recursive CRL path validation */ 1093 /* Don't allow recursive CRL path validation */
1038 if (ctx->parent) 1094 if (ctx->parent)
1039 return 0; 1095 return 0;
@@ -1054,9 +1110,9 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1054 goto err; 1110 goto err;
1055 1111
1056 /* Check chain is acceptable */ 1112 /* Check chain is acceptable */
1057
1058 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); 1113 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1059 err: 1114
1115err:
1060 X509_STORE_CTX_cleanup(&crl_ctx); 1116 X509_STORE_CTX_cleanup(&crl_ctx);
1061 return ret; 1117 return ret;
1062} 1118}
@@ -1069,11 +1125,12 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1069 * until this is resolved we use the RFC5280 version 1125 * until this is resolved we use the RFC5280 version
1070 */ 1126 */
1071 1127
1072static int check_crl_chain(X509_STORE_CTX *ctx, 1128static int
1073 STACK_OF(X509) *cert_path, 1129check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
1074 STACK_OF(X509) *crl_path) 1130 STACK_OF(X509) *crl_path)
1075{ 1131{
1076 X509 *cert_ta, *crl_ta; 1132 X509 *cert_ta, *crl_ta;
1133
1077 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); 1134 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1078 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); 1135 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1079 if (!X509_cmp(cert_ta, crl_ta)) 1136 if (!X509_cmp(cert_ta, crl_ta))
@@ -1088,13 +1145,14 @@ static int check_crl_chain(X509_STORE_CTX *ctx,
1088 * 4. One is NULL: automatic match. 1145 * 4. One is NULL: automatic match.
1089 */ 1146 */
1090 1147
1091 1148static int
1092static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) 1149idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1093{ 1150{
1094 X509_NAME *nm = NULL; 1151 X509_NAME *nm = NULL;
1095 GENERAL_NAMES *gens = NULL; 1152 GENERAL_NAMES *gens = NULL;
1096 GENERAL_NAME *gena, *genb; 1153 GENERAL_NAME *gena, *genb;
1097 int i, j; 1154 int i, j;
1155
1098 if (!a || !b) 1156 if (!a || !b)
1099 return 1; 1157 return 1;
1100 if (a->type == 1) { 1158 if (a->type == 1) {
@@ -1123,7 +1181,7 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1123 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ 1181 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1124 if (nm) { 1182 if (nm) {
1125 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { 1183 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1126 gena = sk_GENERAL_NAME_value(gens, i); 1184 gena = sk_GENERAL_NAME_value(gens, i);
1127 if (gena->type != GEN_DIRNAME) 1185 if (gena->type != GEN_DIRNAME)
1128 continue; 1186 continue;
1129 if (!X509_NAME_cmp(nm, gena->d.directoryName)) 1187 if (!X509_NAME_cmp(nm, gena->d.directoryName))
@@ -1144,13 +1202,14 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1144 } 1202 }
1145 1203
1146 return 0; 1204 return 0;
1147
1148} 1205}
1149 1206
1150static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) 1207static int
1208crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1151{ 1209{
1152 int i; 1210 int i;
1153 X509_NAME *nm = X509_CRL_get_issuer(crl); 1211 X509_NAME *nm = X509_CRL_get_issuer(crl);
1212
1154 /* If no CRLissuer return is successful iff don't need a match */ 1213 /* If no CRLissuer return is successful iff don't need a match */
1155 if (!dp->CRLissuer) 1214 if (!dp->CRLissuer)
1156 return !!(crl_score & CRL_SCORE_ISSUER_NAME); 1215 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
@@ -1166,10 +1225,11 @@ static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1166 1225
1167/* Check CRLDP and IDP */ 1226/* Check CRLDP and IDP */
1168 1227
1169static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 1228static int
1170 unsigned int *preasons) 1229crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons)
1171{ 1230{
1172 int i; 1231 int i;
1232
1173 if (crl->idp_flags & IDP_ONLYATTR) 1233 if (crl->idp_flags & IDP_ONLYATTR)
1174 return 0; 1234 return 0;
1175 if (x->ex_flags & EXFLAG_CA) { 1235 if (x->ex_flags & EXFLAG_CA) {
@@ -1184,13 +1244,14 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1184 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); 1244 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1185 if (crldp_check_crlissuer(dp, crl, crl_score)) { 1245 if (crldp_check_crlissuer(dp, crl, crl_score)) {
1186 if (!crl->idp || 1246 if (!crl->idp ||
1187 idp_check_dp(dp->distpoint, crl->idp->distpoint)) { 1247 idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1188 *preasons &= dp->dp_reasons; 1248 *preasons &= dp->dp_reasons;
1189 return 1; 1249 return 1;
1190 } 1250 }
1191 } 1251 }
1192 } 1252 }
1193 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) 1253 if ((!crl->idp || !crl->idp->distpoint) &&
1254 (crl_score & CRL_SCORE_ISSUER_NAME))
1194 return 1; 1255 return 1;
1195 return 0; 1256 return 0;
1196} 1257}
@@ -1198,9 +1259,9 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1198/* Retrieve CRL corresponding to current certificate. 1259/* Retrieve CRL corresponding to current certificate.
1199 * If deltas enabled try to find a delta CRL too 1260 * If deltas enabled try to find a delta CRL too
1200 */ 1261 */
1201 1262
1202static int get_crl_delta(X509_STORE_CTX *ctx, 1263static int
1203 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) 1264get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1204{ 1265{
1205 int ok; 1266 int ok;
1206 X509 *issuer = NULL; 1267 X509 *issuer = NULL;
@@ -1209,15 +1270,14 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1209 X509_CRL *crl = NULL, *dcrl = NULL; 1270 X509_CRL *crl = NULL, *dcrl = NULL;
1210 STACK_OF(X509_CRL) *skcrl; 1271 STACK_OF(X509_CRL) *skcrl;
1211 X509_NAME *nm = X509_get_issuer_name(x); 1272 X509_NAME *nm = X509_get_issuer_name(x);
1212 reasons = ctx->current_reasons;
1213 ok = get_crl_sk(ctx, &crl, &dcrl,
1214 &issuer, &crl_score, &reasons, ctx->crls);
1215 1273
1274 reasons = ctx->current_reasons;
1275 ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons,
1276 ctx->crls);
1216 if (ok) 1277 if (ok)
1217 goto done; 1278 goto done;
1218 1279
1219 /* Lookup CRLs from store */ 1280 /* Lookup CRLs from store */
1220
1221 skcrl = ctx->lookup_crls(ctx, nm); 1281 skcrl = ctx->lookup_crls(ctx, nm);
1222 1282
1223 /* If no CRLs found and a near match from get_crl_sk use that */ 1283 /* If no CRLs found and a near match from get_crl_sk use that */
@@ -1228,7 +1288,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1228 1288
1229 sk_X509_CRL_pop_free(skcrl, X509_CRL_free); 1289 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1230 1290
1231 done: 1291done:
1232 1292
1233 /* If we got any kind of CRL use it and return success */ 1293 /* If we got any kind of CRL use it and return success */
1234 if (crl) { 1294 if (crl) {
@@ -1244,11 +1304,13 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1244} 1304}
1245 1305
1246/* Check CRL validity */ 1306/* Check CRL validity */
1247static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) 1307static int
1308check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1248{ 1309{
1249 X509 *issuer = NULL; 1310 X509 *issuer = NULL;
1250 EVP_PKEY *ikey = NULL; 1311 EVP_PKEY *ikey = NULL;
1251 int ok = 0, chnum, cnum; 1312 int ok = 0, chnum, cnum;
1313
1252 cnum = ctx->error_depth; 1314 cnum = ctx->error_depth;
1253 chnum = sk_X509_num(ctx->chain) - 1; 1315 chnum = sk_X509_num(ctx->chain) - 1;
1254 /* if we have an alternative CRL issuer cert use that */ 1316 /* if we have an alternative CRL issuer cert use that */
@@ -1262,44 +1324,50 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1262 } else { 1324 } else {
1263 issuer = sk_X509_value(ctx->chain, chnum); 1325 issuer = sk_X509_value(ctx->chain, chnum);
1264 /* If not self signed, can't check signature */ 1326 /* If not self signed, can't check signature */
1265 if(!ctx->check_issued(ctx, issuer, issuer)) { 1327 if (!ctx->check_issued(ctx, issuer, issuer)) {
1266 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; 1328 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1267 ok = ctx->verify_cb(0, ctx); 1329 ok = ctx->verify_cb(0, ctx);
1268 if(!ok) goto err; 1330 if (!ok)
1331 goto err;
1269 } 1332 }
1270 } 1333 }
1271 1334
1272 if(issuer) { 1335 if (issuer) {
1273 /* Skip most tests for deltas because they have already 1336 /* Skip most tests for deltas because they have already
1274 * been done 1337 * been done
1275 */ 1338 */
1276 if (!crl->base_crl_number) { 1339 if (!crl->base_crl_number) {
1277 /* Check for cRLSign bit if keyUsage present */ 1340 /* Check for cRLSign bit if keyUsage present */
1278 if ((issuer->ex_flags & EXFLAG_KUSAGE) && 1341 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1279 !(issuer->ex_kusage & KU_CRL_SIGN)) { 1342 !(issuer->ex_kusage & KU_CRL_SIGN)) {
1280 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; 1343 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1281 ok = ctx->verify_cb(0, ctx); 1344 ok = ctx->verify_cb(0, ctx);
1282 if(!ok) goto err; 1345 if (!ok)
1346 goto err;
1283 } 1347 }
1284 1348
1285 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { 1349 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1286 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; 1350 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1287 ok = ctx->verify_cb(0, ctx); 1351 ok = ctx->verify_cb(0, ctx);
1288 if(!ok) goto err; 1352 if (!ok)
1353 goto err;
1289 } 1354 }
1290 1355
1291 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { 1356 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1292 if (check_crl_path(ctx, ctx->current_issuer) <= 0) { 1357 if (check_crl_path(ctx,
1358 ctx->current_issuer) <= 0) {
1293 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; 1359 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1294 ok = ctx->verify_cb(0, ctx); 1360 ok = ctx->verify_cb(0, ctx);
1295 if(!ok) goto err; 1361 if (!ok)
1362 goto err;
1296 } 1363 }
1297 } 1364 }
1298 1365
1299 if (crl->idp_flags & IDP_INVALID) { 1366 if (crl->idp_flags & IDP_INVALID) {
1300 ctx->error = X509_V_ERR_INVALID_EXTENSION; 1367 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1301 ok = ctx->verify_cb(0, ctx); 1368 ok = ctx->verify_cb(0, ctx);
1302 if(!ok) goto err; 1369 if (!ok)
1370 goto err;
1303 } 1371 }
1304 1372
1305 1373
@@ -1314,16 +1382,18 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1314 /* Attempt to get issuer certificate public key */ 1382 /* Attempt to get issuer certificate public key */
1315 ikey = X509_get_pubkey(issuer); 1383 ikey = X509_get_pubkey(issuer);
1316 1384
1317 if(!ikey) { 1385 if (!ikey) {
1318 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1386 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1319 ok = ctx->verify_cb(0, ctx); 1387 ok = ctx->verify_cb(0, ctx);
1320 if (!ok) goto err; 1388 if (!ok)
1389 goto err;
1321 } else { 1390 } else {
1322 /* Verify CRL signature */ 1391 /* Verify CRL signature */
1323 if(X509_CRL_verify(crl, ikey) <= 0) { 1392 if (X509_CRL_verify(crl, ikey) <= 0) {
1324 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; 1393 ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1325 ok = ctx->verify_cb(0, ctx); 1394 ok = ctx->verify_cb(0, ctx);
1326 if (!ok) goto err; 1395 if (!ok)
1396 goto err;
1327 } 1397 }
1328 } 1398 }
1329 } 1399 }
@@ -1336,20 +1406,22 @@ err:
1336} 1406}
1337 1407
1338/* Check certificate against CRL */ 1408/* Check certificate against CRL */
1339static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) 1409static int
1410cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1340{ 1411{
1341 int ok; 1412 int ok;
1342 X509_REVOKED *rev; 1413 X509_REVOKED *rev;
1414
1343 /* The rules changed for this... previously if a CRL contained 1415 /* The rules changed for this... previously if a CRL contained
1344 * unhandled critical extensions it could still be used to indicate 1416 * unhandled critical extensions it could still be used to indicate
1345 * a certificate was revoked. This has since been changed since 1417 * a certificate was revoked. This has since been changed since
1346 * critical extension can change the meaning of CRL entries. 1418 * critical extension can change the meaning of CRL entries.
1347 */ 1419 */
1348 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 1420 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
1349 && (crl->flags & EXFLAG_CRITICAL)) { 1421 (crl->flags & EXFLAG_CRITICAL)) {
1350 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; 1422 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1351 ok = ctx->verify_cb(0, ctx); 1423 ok = ctx->verify_cb(0, ctx);
1352 if(!ok) 1424 if (!ok)
1353 return 0; 1425 return 0;
1354 } 1426 }
1355 /* Look for serial number of certificate in CRL 1427 /* Look for serial number of certificate in CRL
@@ -1367,15 +1439,17 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1367 return 1; 1439 return 1;
1368} 1440}
1369 1441
1370static int check_policy(X509_STORE_CTX *ctx) 1442static int
1443check_policy(X509_STORE_CTX *ctx)
1371{ 1444{
1372 int ret; 1445 int ret;
1446
1373 if (ctx->parent) 1447 if (ctx->parent)
1374 return 1; 1448 return 1;
1375 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, 1449 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1376 ctx->param->policies, ctx->param->flags); 1450 ctx->param->policies, ctx->param->flags);
1377 if (ret == 0) { 1451 if (ret == 0) {
1378 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); 1452 X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
1379 return 0; 1453 return 0;
1380 } 1454 }
1381 /* Invalid or inconsistent extensions */ 1455 /* Invalid or inconsistent extensions */
@@ -1391,7 +1465,7 @@ static int check_policy(X509_STORE_CTX *ctx)
1391 continue; 1465 continue;
1392 ctx->current_cert = x; 1466 ctx->current_cert = x;
1393 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; 1467 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1394 if(!ctx->verify_cb(0, ctx)) 1468 if (!ctx->verify_cb(0, ctx))
1395 return 0; 1469 return 0;
1396 } 1470 }
1397 return 1; 1471 return 1;
@@ -1412,7 +1486,8 @@ static int check_policy(X509_STORE_CTX *ctx)
1412 return 1; 1486 return 1;
1413} 1487}
1414 1488
1415static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) 1489static int
1490check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1416{ 1491{
1417 time_t *ptime; 1492 time_t *ptime;
1418 int i; 1493 int i;
@@ -1422,32 +1497,32 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1422 else 1497 else
1423 ptime = NULL; 1498 ptime = NULL;
1424 1499
1425 i=X509_cmp_time(X509_get_notBefore(x), ptime); 1500 i = X509_cmp_time(X509_get_notBefore(x), ptime);
1426 if (i == 0) { 1501 if (i == 0) {
1427 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 1502 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1428 ctx->current_cert=x; 1503 ctx->current_cert = x;
1429 if (!ctx->verify_cb(0, ctx)) 1504 if (!ctx->verify_cb(0, ctx))
1430 return 0; 1505 return 0;
1431 } 1506 }
1432 1507
1433 if (i > 0) { 1508 if (i > 0) {
1434 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; 1509 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1435 ctx->current_cert=x; 1510 ctx->current_cert = x;
1436 if (!ctx->verify_cb(0, ctx)) 1511 if (!ctx->verify_cb(0, ctx))
1437 return 0; 1512 return 0;
1438 } 1513 }
1439 1514
1440 i=X509_cmp_time(X509_get_notAfter(x), ptime); 1515 i = X509_cmp_time(X509_get_notAfter(x), ptime);
1441 if (i == 0) { 1516 if (i == 0) {
1442 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; 1517 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1443 ctx->current_cert=x; 1518 ctx->current_cert = x;
1444 if (!ctx->verify_cb(0, ctx)) 1519 if (!ctx->verify_cb(0, ctx))
1445 return 0; 1520 return 0;
1446 } 1521 }
1447 1522
1448 if (i < 0) { 1523 if (i < 0) {
1449 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; 1524 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1450 ctx->current_cert=x; 1525 ctx->current_cert = x;
1451 if (!ctx->verify_cb(0, ctx)) 1526 if (!ctx->verify_cb(0, ctx))
1452 return 0; 1527 return 0;
1453 } 1528 }
@@ -1455,60 +1530,63 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1455 return 1; 1530 return 1;
1456} 1531}
1457 1532
1458static int internal_verify(X509_STORE_CTX *ctx) 1533static int
1534internal_verify(X509_STORE_CTX *ctx)
1459{ 1535{
1460 int ok=0,n; 1536 int ok = 0, n;
1461 X509 *xs,*xi; 1537 X509 *xs, *xi;
1462 EVP_PKEY *pkey=NULL; 1538 EVP_PKEY *pkey = NULL;
1463 int (*cb)(int xok,X509_STORE_CTX *xctx); 1539 int (*cb)(int xok, X509_STORE_CTX *xctx);
1464 1540
1465 cb=ctx->verify_cb; 1541 cb = ctx->verify_cb;
1466 1542
1467 n=sk_X509_num(ctx->chain); 1543 n = sk_X509_num(ctx->chain);
1468 ctx->error_depth=n-1; 1544 ctx->error_depth = n - 1;
1469 n--; 1545 n--;
1470 xi=sk_X509_value(ctx->chain,n); 1546 xi = sk_X509_value(ctx->chain, n);
1471 1547
1472 if (ctx->check_issued(ctx, xi, xi)) 1548 if (ctx->check_issued(ctx, xi, xi))
1473 xs=xi; 1549 xs = xi;
1474 else { 1550 else {
1475 if (n <= 0) { 1551 if (n <= 0) {
1476 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; 1552 ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1477 ctx->current_cert=xi; 1553 ctx->current_cert = xi;
1478 ok=cb(0,ctx); 1554 ok = cb(0, ctx);
1479 goto end; 1555 goto end;
1480 } else { 1556 } else {
1481 n--; 1557 n--;
1482 ctx->error_depth=n; 1558 ctx->error_depth = n;
1483 xs=sk_X509_value(ctx->chain,n); 1559 xs = sk_X509_value(ctx->chain, n);
1484 } 1560 }
1485 } 1561 }
1486 1562
1487/* ctx->error=0; not needed */ 1563/* ctx->error=0; not needed */
1488 while (n >= 0) { 1564 while (n >= 0) {
1489 ctx->error_depth=n; 1565 ctx->error_depth = n;
1490 1566
1491 /* Skip signature check for self signed certificates unless 1567 /* Skip signature check for self signed certificates unless
1492 * explicitly asked for. It doesn't add any security and 1568 * explicitly asked for. It doesn't add any security and
1493 * just wastes time. 1569 * just wastes time.
1494 */ 1570 */
1495 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { 1571 if (!xs->valid && (xs != xi ||
1496 if ((pkey=X509_get_pubkey(xi)) == NULL) { 1572 (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
1497 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1573 if ((pkey = X509_get_pubkey(xi)) == NULL) {
1498 ctx->current_cert=xi; 1574 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1499 ok=(*cb)(0,ctx); 1575 ctx->current_cert = xi;
1500 if (!ok) goto end; 1576 ok = (*cb)(0, ctx);
1501 } else if (X509_verify(xs,pkey) <= 0) { 1577 if (!ok)
1502 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; 1578 goto end;
1503 ctx->current_cert=xs; 1579 } else if (X509_verify(xs, pkey) <= 0) {
1504 ok=(*cb)(0,ctx); 1580 ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
1581 ctx->current_cert = xs;
1582 ok = (*cb)(0, ctx);
1505 if (!ok) { 1583 if (!ok) {
1506 EVP_PKEY_free(pkey); 1584 EVP_PKEY_free(pkey);
1507 goto end; 1585 goto end;
1508 } 1586 }
1509 } 1587 }
1510 EVP_PKEY_free(pkey); 1588 EVP_PKEY_free(pkey);
1511 pkey=NULL; 1589 pkey = NULL;
1512 } 1590 }
1513 1591
1514 xs->valid = 1; 1592 xs->valid = 1;
@@ -1518,200 +1596,225 @@ static int internal_verify(X509_STORE_CTX *ctx)
1518 goto end; 1596 goto end;
1519 1597
1520 /* The last error (if any) is still in the error value */ 1598 /* The last error (if any) is still in the error value */
1521 ctx->current_issuer=xi; 1599 ctx->current_issuer = xi;
1522 ctx->current_cert=xs; 1600 ctx->current_cert = xs;
1523 ok=(*cb)(1,ctx); 1601 ok = (*cb)(1, ctx);
1524 if (!ok) goto end; 1602 if (!ok)
1603 goto end;
1525 1604
1526 n--; 1605 n--;
1527 if (n >= 0) { 1606 if (n >= 0) {
1528 xi=xs; 1607 xi = xs;
1529 xs=sk_X509_value(ctx->chain,n); 1608 xs = sk_X509_value(ctx->chain, n);
1530 } 1609 }
1531 } 1610 }
1532 ok=1; 1611 ok = 1;
1612
1533end: 1613end:
1534 return ok; 1614 return ok;
1535} 1615}
1536 1616
1537int X509_cmp_current_time(const ASN1_TIME *ctm) 1617int
1618X509_cmp_current_time(const ASN1_TIME *ctm)
1538{ 1619{
1539 return X509_cmp_time(ctm, NULL); 1620 return X509_cmp_time(ctm, NULL);
1540} 1621}
1541 1622
1542int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) 1623int
1624X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1543{ 1625{
1544 char *str; 1626 char *str;
1545 ASN1_TIME atm; 1627 ASN1_TIME atm;
1546 long offset; 1628 long offset;
1547 char buff1[24],buff2[24],*p; 1629 char buff1[24], buff2[24], *p;
1548 int i,j; 1630 int i, j;
1549 1631
1550 p=buff1; 1632 p = buff1;
1551 i=ctm->length; 1633 i = ctm->length;
1552 str=(char *)ctm->data; 1634 str = (char *)ctm->data;
1553 if (ctm->type == V_ASN1_UTCTIME) { 1635 if (ctm->type == V_ASN1_UTCTIME) {
1554 if ((i < 11) || (i > 17)) return 0; 1636 if ((i < 11) || (i > 17))
1555 memcpy(p,str,10); 1637 return 0;
1556 p+=10; 1638 memcpy(p, str, 10);
1557 str+=10; 1639 p += 10;
1640 str += 10;
1558 } else { 1641 } else {
1559 if (i < 13) return 0; 1642 if (i < 13)
1560 memcpy(p,str,12); 1643 return 0;
1561 p+=12; 1644 memcpy(p, str, 12);
1562 str+=12; 1645 p += 12;
1646 str += 12;
1563 } 1647 }
1564 1648
1565 if ((*str == 'Z') || (*str == '-') || (*str == '+')) { 1649 if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
1566 *(p++)='0'; 1650 *(p++) = '0';
1567 *(p++)='0'; 1651 *(p++) = '0';
1568 } else { 1652 } else {
1569 *(p++)= *(str++); 1653 *(p++) = *(str++);
1570 *(p++)= *(str++); 1654 *(p++) = *(str++);
1571 /* Skip any fractional seconds... */ 1655 /* Skip any fractional seconds... */
1572 if (*str == '.') { 1656 if (*str == '.') {
1573 str++; 1657 str++;
1574 while ((*str >= '0') && (*str <= '9')) str++; 1658 while ((*str >= '0') && (*str <= '9'))
1659 str++;
1575 } 1660 }
1576
1577 } 1661 }
1578 *(p++)='Z'; 1662 *(p++) = 'Z';
1579 *(p++)='\0'; 1663 *(p++) = '\0';
1580 1664
1581 if (*str == 'Z') 1665 if (*str == 'Z')
1582 offset=0; 1666 offset = 0;
1583 else { 1667 else {
1584 if ((*str != '+') && (*str != '-')) 1668 if ((*str != '+') && (*str != '-'))
1585 return 0; 1669 return 0;
1586 offset=((str[1]-'0')*10+(str[2]-'0'))*60; 1670 offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
1587 offset+=(str[3]-'0')*10+(str[4]-'0'); 1671 offset += (str[3] - '0') * 10 + (str[4] - '0');
1588 if (*str == '-') 1672 if (*str == '-')
1589 offset= -offset; 1673 offset = -offset;
1590 } 1674 }
1591 atm.type=ctm->type; 1675 atm.type = ctm->type;
1592 atm.flags = 0; 1676 atm.flags = 0;
1593 atm.length=sizeof(buff2); 1677 atm.length = sizeof(buff2);
1594 atm.data=(unsigned char *)buff2; 1678 atm.data = (unsigned char *)buff2;
1595 1679
1596 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) 1680 if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL)
1597 return 0; 1681 return 0;
1598 1682
1599 if (ctm->type == V_ASN1_UTCTIME) { 1683 if (ctm->type == V_ASN1_UTCTIME) {
1600 i=(buff1[0]-'0')*10+(buff1[1]-'0'); 1684 i = (buff1[0] - '0') * 10 + (buff1[1] - '0');
1601 if (i < 50) i+=100; /* cf. RFC 2459 */ 1685 if (i < 50)
1602 j=(buff2[0]-'0')*10+(buff2[1]-'0'); 1686 i += 100; /* cf. RFC 2459 */
1603 if (j < 50) j+=100; 1687 j = (buff2[0] - '0') * 10 + (buff2[1] - '0');
1604 1688 if (j < 50)
1605 if (i < j) return -1; 1689 j += 100;
1606 if (i > j) return 1; 1690 if (i < j)
1691 return -1;
1692 if (i > j)
1693 return 1;
1607 } 1694 }
1608 i=strcmp(buff1,buff2); 1695 i = strcmp(buff1, buff2);
1609 if (i == 0) /* wait a second then return younger :-) */ 1696 if (i == 0) /* wait a second then return younger :-) */
1610 return -1; 1697 return -1;
1611 else 1698 else
1612 return i; 1699 return i;
1613} 1700}
1614 1701
1615ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) 1702ASN1_TIME *
1703X509_gmtime_adj(ASN1_TIME *s, long adj)
1616{ 1704{
1617 return X509_time_adj(s, adj, NULL); 1705 return X509_time_adj(s, adj, NULL);
1618} 1706}
1619 1707
1620ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) 1708ASN1_TIME *
1709X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1621{ 1710{
1622 return X509_time_adj_ex(s, 0, offset_sec, in_tm); 1711 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1623} 1712}
1624 1713
1625ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, 1714ASN1_TIME *
1626 int offset_day, long offset_sec, time_t *in_tm) 1715X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm)
1627{ 1716{
1628 time_t t; 1717 time_t t;
1629 1718
1630 if (in_tm) t = *in_tm; 1719 if (in_tm)
1631 else time(&t); 1720 t = *in_tm;
1721 else
1722 time(&t);
1632 1723
1633 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) { 1724 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
1634 if (s->type == V_ASN1_UTCTIME) 1725 if (s->type == V_ASN1_UTCTIME)
1635 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); 1726 return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);
1636 if (s->type == V_ASN1_GENERALIZEDTIME) 1727 if (s->type == V_ASN1_GENERALIZEDTIME)
1637 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, 1728 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1638 offset_sec); 1729 offset_sec);
1639 } 1730 }
1640 return ASN1_TIME_adj(s, t, offset_day, offset_sec); 1731 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1641} 1732}
1642 1733
1643int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) 1734int
1735X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1644{ 1736{
1645 EVP_PKEY *ktmp=NULL,*ktmp2; 1737 EVP_PKEY *ktmp = NULL, *ktmp2;
1646 int i,j; 1738 int i, j;
1647 1739
1648 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; 1740 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))
1741 return 1;
1649 1742
1650 for (i=0; i<sk_X509_num(chain); i++) { 1743 for (i = 0; i < sk_X509_num(chain); i++) {
1651 ktmp=X509_get_pubkey(sk_X509_value(chain,i)); 1744 ktmp = X509_get_pubkey(sk_X509_value(chain, i));
1652 if (ktmp == NULL) { 1745 if (ktmp == NULL) {
1653 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); 1746 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
1747 X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1654 return 0; 1748 return 0;
1655 } 1749 }
1656 if (!EVP_PKEY_missing_parameters(ktmp)) 1750 if (!EVP_PKEY_missing_parameters(ktmp))
1657 break; 1751 break;
1658 else { 1752 else {
1659 EVP_PKEY_free(ktmp); 1753 EVP_PKEY_free(ktmp);
1660 ktmp=NULL; 1754 ktmp = NULL;
1661 } 1755 }
1662 } 1756 }
1663 if (ktmp == NULL) { 1757 if (ktmp == NULL) {
1664 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); 1758 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
1759 X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1665 return 0; 1760 return 0;
1666 } 1761 }
1667 1762
1668 /* first, populate the other certs */ 1763 /* first, populate the other certs */
1669 for (j=i-1; j >= 0; j--) { 1764 for (j = i - 1; j >= 0; j--) {
1670 ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); 1765 ktmp2 = X509_get_pubkey(sk_X509_value(chain, j));
1671 EVP_PKEY_copy_parameters(ktmp2,ktmp); 1766 EVP_PKEY_copy_parameters(ktmp2, ktmp);
1672 EVP_PKEY_free(ktmp2); 1767 EVP_PKEY_free(ktmp2);
1673 } 1768 }
1674 1769
1675 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); 1770 if (pkey != NULL)
1771 EVP_PKEY_copy_parameters(pkey, ktmp);
1676 EVP_PKEY_free(ktmp); 1772 EVP_PKEY_free(ktmp);
1677 return 1; 1773 return 1;
1678} 1774}
1679 1775
1680int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1776int
1681 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 1777X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1778 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1682{ 1779{
1683 /* This function is (usually) called only once, by 1780 /* This function is (usually) called only once, by
1684 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ 1781 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1685 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, 1782 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX,
1686 new_func, dup_func, free_func); 1783 argl, argp, new_func, dup_func, free_func);
1687} 1784}
1688 1785
1689int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) 1786int
1787X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1690{ 1788{
1691 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); 1789 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
1692} 1790}
1693 1791
1694void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) 1792void *
1793X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1695{ 1794{
1696 return CRYPTO_get_ex_data(&ctx->ex_data,idx); 1795 return CRYPTO_get_ex_data(&ctx->ex_data, idx);
1697} 1796}
1698 1797
1699int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) 1798int
1799X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1700{ 1800{
1701 return ctx->error; 1801 return ctx->error;
1702} 1802}
1703 1803
1704void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) 1804void
1805X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1705{ 1806{
1706 ctx->error=err; 1807 ctx->error = err;
1707} 1808}
1708 1809
1709int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) 1810int
1811X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1710{ 1812{
1711 return ctx->error_depth; 1813 return ctx->error_depth;
1712} 1814}
1713 1815
1714X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) 1816X509 *
1817X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1715{ 1818{
1716 return ctx->current_cert; 1819 return ctx->current_cert;
1717} 1820}
@@ -1726,7 +1829,9 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1726 int i; 1829 int i;
1727 X509 *x; 1830 X509 *x;
1728 STACK_OF(X509) *chain; 1831 STACK_OF(X509) *chain;
1729 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; 1832
1833 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain)))
1834 return NULL;
1730 for (i = 0; i < sk_X509_num(chain); i++) { 1835 for (i = 0; i < sk_X509_num(chain); i++) {
1731 x = sk_X509_value(chain, i); 1836 x = sk_X509_value(chain, i);
1732 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1837 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
@@ -1734,42 +1839,50 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1734 return chain; 1839 return chain;
1735} 1840}
1736 1841
1737X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) 1842X509 *
1843X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1738{ 1844{
1739 return ctx->current_issuer; 1845 return ctx->current_issuer;
1740} 1846}
1741 1847
1742X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) 1848X509_CRL *
1849X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1743{ 1850{
1744 return ctx->current_crl; 1851 return ctx->current_crl;
1745} 1852}
1746 1853
1747X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) 1854X509_STORE_CTX *
1855X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1748{ 1856{
1749 return ctx->parent; 1857 return ctx->parent;
1750} 1858}
1751 1859
1752void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) 1860void
1861X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1753{ 1862{
1754 ctx->cert=x; 1863 ctx->cert = x;
1755} 1864}
1756 1865
1757void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 1866void
1867X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1758{ 1868{
1759 ctx->untrusted=sk; 1869 ctx->untrusted = sk;
1760} 1870}
1761 1871
1762void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) 1872void
1873X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1763{ 1874{
1764 ctx->crls=sk; 1875 ctx->crls = sk;
1765} 1876}
1766 1877
1767int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) 1878int
1879X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1768{ 1880{
1769 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); 1881 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1770} 1882}
1771 1883
1772int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) 1884int
1885X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1773{ 1886{
1774 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); 1887 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1775} 1888}
@@ -1784,19 +1897,22 @@ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1784 * aren't set then we use the default of SSL client/server. 1897 * aren't set then we use the default of SSL client/server.
1785 */ 1898 */
1786 1899
1787int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, 1900int
1788 int purpose, int trust) 1901X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1902 int purpose, int trust)
1789{ 1903{
1790 int idx; 1904 int idx;
1905
1791 /* If purpose not set use default */ 1906 /* If purpose not set use default */
1792 if (!purpose) purpose = def_purpose; 1907 if (!purpose)
1908 purpose = def_purpose;
1793 /* If we have a purpose then check it is valid */ 1909 /* If we have a purpose then check it is valid */
1794 if (purpose) { 1910 if (purpose) {
1795 X509_PURPOSE *ptmp; 1911 X509_PURPOSE *ptmp;
1796 idx = X509_PURPOSE_get_by_id(purpose); 1912 idx = X509_PURPOSE_get_by_id(purpose);
1797 if (idx == -1) { 1913 if (idx == -1) {
1798 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1914 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1799 X509_R_UNKNOWN_PURPOSE_ID); 1915 X509_R_UNKNOWN_PURPOSE_ID);
1800 return 0; 1916 return 0;
1801 } 1917 }
1802 ptmp = X509_PURPOSE_get0(idx); 1918 ptmp = X509_PURPOSE_get0(idx);
@@ -1804,74 +1920,82 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1804 idx = X509_PURPOSE_get_by_id(def_purpose); 1920 idx = X509_PURPOSE_get_by_id(def_purpose);
1805 if (idx == -1) { 1921 if (idx == -1) {
1806 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1922 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1807 X509_R_UNKNOWN_PURPOSE_ID); 1923 X509_R_UNKNOWN_PURPOSE_ID);
1808 return 0; 1924 return 0;
1809 } 1925 }
1810 ptmp = X509_PURPOSE_get0(idx); 1926 ptmp = X509_PURPOSE_get0(idx);
1811 } 1927 }
1812 /* If trust not set then get from purpose default */ 1928 /* If trust not set then get from purpose default */
1813 if (!trust) trust = ptmp->trust; 1929 if (!trust)
1930 trust = ptmp->trust;
1814 } 1931 }
1815 if (trust) { 1932 if (trust) {
1816 idx = X509_TRUST_get_by_id(trust); 1933 idx = X509_TRUST_get_by_id(trust);
1817 if (idx == -1) { 1934 if (idx == -1) {
1818 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1935 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1819 X509_R_UNKNOWN_TRUST_ID); 1936 X509_R_UNKNOWN_TRUST_ID);
1820 return 0; 1937 return 0;
1821 } 1938 }
1822 } 1939 }
1823 1940
1824 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; 1941 if (purpose && !ctx->param->purpose)
1825 if (trust && !ctx->param->trust) ctx->param->trust = trust; 1942 ctx->param->purpose = purpose;
1943 if (trust && !ctx->param->trust)
1944 ctx->param->trust = trust;
1826 return 1; 1945 return 1;
1827} 1946}
1828 1947
1829X509_STORE_CTX *X509_STORE_CTX_new(void) 1948X509_STORE_CTX *
1949X509_STORE_CTX_new(void)
1830{ 1950{
1831 X509_STORE_CTX *ctx; 1951 X509_STORE_CTX *ctx;
1952
1832 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX)); 1953 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX));
1833 if (!ctx) { 1954 if (!ctx) {
1834 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); 1955 X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE);
1835 return NULL; 1956 return NULL;
1836 } 1957 }
1837 memset(ctx, 0, sizeof(X509_STORE_CTX)); 1958 memset(ctx, 0, sizeof(X509_STORE_CTX));
1838 return ctx; 1959 return ctx;
1839} 1960}
1840 1961
1841void X509_STORE_CTX_free(X509_STORE_CTX *ctx) 1962void
1963X509_STORE_CTX_free(X509_STORE_CTX *ctx)
1842{ 1964{
1843 X509_STORE_CTX_cleanup(ctx); 1965 X509_STORE_CTX_cleanup(ctx);
1844 free(ctx); 1966 free(ctx);
1845} 1967}
1846 1968
1847int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, 1969int
1848 STACK_OF(X509) *chain) 1970X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1971 STACK_OF(X509) *chain)
1849{ 1972{
1850 int ret = 1; 1973 int ret = 1;
1851 ctx->ctx=store; 1974
1852 ctx->current_method=0; 1975 ctx->ctx = store;
1853 ctx->cert=x509; 1976 ctx->current_method = 0;
1854 ctx->untrusted=chain; 1977 ctx->cert = x509;
1978 ctx->untrusted = chain;
1855 ctx->crls = NULL; 1979 ctx->crls = NULL;
1856 ctx->last_untrusted=0; 1980 ctx->last_untrusted = 0;
1857 ctx->other_ctx=NULL; 1981 ctx->other_ctx = NULL;
1858 ctx->valid=0; 1982 ctx->valid = 0;
1859 ctx->chain=NULL; 1983 ctx->chain = NULL;
1860 ctx->error=0; 1984 ctx->error = 0;
1861 ctx->explicit_policy=0; 1985 ctx->explicit_policy = 0;
1862 ctx->error_depth=0; 1986 ctx->error_depth = 0;
1863 ctx->current_cert=NULL; 1987 ctx->current_cert = NULL;
1864 ctx->current_issuer=NULL; 1988 ctx->current_issuer = NULL;
1865 ctx->current_crl=NULL; 1989 ctx->current_crl = NULL;
1866 ctx->current_crl_score=0; 1990 ctx->current_crl_score = 0;
1867 ctx->current_reasons=0; 1991 ctx->current_reasons = 0;
1868 ctx->tree = NULL; 1992 ctx->tree = NULL;
1869 ctx->parent = NULL; 1993 ctx->parent = NULL;
1870 1994
1871 ctx->param = X509_VERIFY_PARAM_new(); 1995 ctx->param = X509_VERIFY_PARAM_new();
1872 1996
1873 if (!ctx->param) { 1997 if (!ctx->param) {
1874 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1998 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
1875 return 0; 1999 return 0;
1876 } 2000 }
1877 2001
@@ -1879,7 +2003,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1879 * use defaults. 2003 * use defaults.
1880 */ 2004 */
1881 2005
1882
1883 if (store) 2006 if (store)
1884 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); 2007 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
1885 else 2008 else
@@ -1893,10 +2016,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1893 2016
1894 if (ret) 2017 if (ret)
1895 ret = X509_VERIFY_PARAM_inherit(ctx->param, 2018 ret = X509_VERIFY_PARAM_inherit(ctx->param,
1896 X509_VERIFY_PARAM_lookup("default")); 2019 X509_VERIFY_PARAM_lookup("default"));
1897 2020
1898 if (ret == 0) { 2021 if (ret == 0) {
1899 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 2022 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
1900 return 0; 2023 return 0;
1901 } 2024 }
1902 2025
@@ -1957,10 +2080,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1957 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a 2080 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
1958 * corresponding "new" here and remove this bogus initialisation. */ 2081 * corresponding "new" here and remove this bogus initialisation. */
1959 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ 2082 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
1960 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, 2083 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
1961 &(ctx->ex_data))) { 2084 &(ctx->ex_data))) {
1962 free(ctx); 2085 free(ctx);
1963 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 2086 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
1964 return 0; 2087 return 0;
1965 } 2088 }
1966 return 1; 2089 return 1;
@@ -1970,64 +2093,75 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1970 * This avoids X509_STORE nastiness where it isn't needed. 2093 * This avoids X509_STORE nastiness where it isn't needed.
1971 */ 2094 */
1972 2095
1973void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2096void
2097X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1974{ 2098{
1975 ctx->other_ctx = sk; 2099 ctx->other_ctx = sk;
1976 ctx->get_issuer = get_issuer_sk; 2100 ctx->get_issuer = get_issuer_sk;
1977} 2101}
1978 2102
1979void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) 2103void
2104X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
1980{ 2105{
1981 if (ctx->cleanup) ctx->cleanup(ctx); 2106 if (ctx->cleanup)
2107 ctx->cleanup(ctx);
1982 if (ctx->param != NULL) { 2108 if (ctx->param != NULL) {
1983 if (ctx->parent == NULL) 2109 if (ctx->parent == NULL)
1984 X509_VERIFY_PARAM_free(ctx->param); 2110 X509_VERIFY_PARAM_free(ctx->param);
1985 ctx->param=NULL; 2111 ctx->param = NULL;
1986 } 2112 }
1987 if (ctx->tree != NULL) { 2113 if (ctx->tree != NULL) {
1988 X509_policy_tree_free(ctx->tree); 2114 X509_policy_tree_free(ctx->tree);
1989 ctx->tree=NULL; 2115 ctx->tree = NULL;
1990 } 2116 }
1991 if (ctx->chain != NULL) { 2117 if (ctx->chain != NULL) {
1992 sk_X509_pop_free(ctx->chain,X509_free); 2118 sk_X509_pop_free(ctx->chain, X509_free);
1993 ctx->chain=NULL; 2119 ctx->chain = NULL;
1994 } 2120 }
1995 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); 2121 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX,
1996 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); 2122 ctx, &(ctx->ex_data));
2123 memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
1997} 2124}
1998 2125
1999void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) 2126void
2127X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2000{ 2128{
2001 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 2129 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2002} 2130}
2003 2131
2004void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) 2132void
2133X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2005{ 2134{
2006 X509_VERIFY_PARAM_set_flags(ctx->param, flags); 2135 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2007} 2136}
2008 2137
2009void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) 2138void
2139X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2010{ 2140{
2011 X509_VERIFY_PARAM_set_time(ctx->param, t); 2141 X509_VERIFY_PARAM_set_time(ctx->param, t);
2012} 2142}
2013 2143
2014void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 2144void
2015 int (*verify_cb)(int, X509_STORE_CTX *)) 2145X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2146 int (*verify_cb)(int, X509_STORE_CTX *))
2016{ 2147{
2017 ctx->verify_cb=verify_cb; 2148 ctx->verify_cb = verify_cb;
2018} 2149}
2019 2150
2020X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) 2151X509_POLICY_TREE *
2152X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2021{ 2153{
2022 return ctx->tree; 2154 return ctx->tree;
2023} 2155}
2024 2156
2025int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) 2157int
2158X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2026{ 2159{
2027 return ctx->explicit_policy; 2160 return ctx->explicit_policy;
2028} 2161}
2029 2162
2030int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) 2163int
2164X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2031{ 2165{
2032 const X509_VERIFY_PARAM *param; 2166 const X509_VERIFY_PARAM *param;
2033 param = X509_VERIFY_PARAM_lookup(name); 2167 param = X509_VERIFY_PARAM_lookup(name);
@@ -2036,12 +2170,14 @@ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2036 return X509_VERIFY_PARAM_inherit(ctx->param, param); 2170 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2037} 2171}
2038 2172
2039X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) 2173X509_VERIFY_PARAM *
2174X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2040{ 2175{
2041 return ctx->param; 2176 return ctx->param;
2042} 2177}
2043 2178
2044void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) 2179void
2180X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2045{ 2181{
2046 if (ctx->param) 2182 if (ctx->param)
2047 X509_VERIFY_PARAM_free(ctx->param); 2183 X509_VERIFY_PARAM_free(ctx->param);
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 7f0824f75e..f0d2a0902e 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -67,7 +67,8 @@
67 67
68/* X509_VERIFY_PARAM functions */ 68/* X509_VERIFY_PARAM functions */
69 69
70static void x509_verify_param_zero(X509_VERIFY_PARAM *param) 70static void
71x509_verify_param_zero(X509_VERIFY_PARAM *param)
71{ 72{
72 if (!param) 73 if (!param)
73 return; 74 return;
@@ -84,16 +85,19 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
84 } 85 }
85} 86}
86 87
87X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) 88X509_VERIFY_PARAM *
89X509_VERIFY_PARAM_new(void)
88{ 90{
89 X509_VERIFY_PARAM *param; 91 X509_VERIFY_PARAM *param;
92
90 param = malloc(sizeof(X509_VERIFY_PARAM)); 93 param = malloc(sizeof(X509_VERIFY_PARAM));
91 memset(param, 0, sizeof(X509_VERIFY_PARAM)); 94 memset(param, 0, sizeof(X509_VERIFY_PARAM));
92 x509_verify_param_zero(param); 95 x509_verify_param_zero(param);
93 return param; 96 return param;
94} 97}
95 98
96void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) 99void
100X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
97{ 101{
98 x509_verify_param_zero(param); 102 x509_verify_param_zero(param);
99 free(param); 103 free(param);
@@ -109,7 +113,7 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
109 * for SSL servers or clients but only if the application has not set new 113 * for SSL servers or clients but only if the application has not set new
110 * ones. 114 * ones.
111 * 115 *
112 * The "inh_flags" field determines how this function behaves. 116 * The "inh_flags" field determines how this function behaves.
113 * 117 *
114 * Normally any values which are set in the default are not copied from the 118 * Normally any values which are set in the default are not copied from the
115 * destination and verify flags are ORed together. 119 * destination and verify flags are ORed together.
@@ -141,13 +145,14 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
141#define x509_verify_param_copy(field, def) \ 145#define x509_verify_param_copy(field, def) \
142 if (test_x509_verify_param_copy(field, def)) \ 146 if (test_x509_verify_param_copy(field, def)) \
143 dest->field = src->field 147 dest->field = src->field
144
145 148
146int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, 149
147 const X509_VERIFY_PARAM *src) 150int
151X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src)
148{ 152{
149 unsigned long inh_flags; 153 unsigned long inh_flags;
150 int to_default, to_overwrite; 154 int to_default, to_overwrite;
155
151 if (!src) 156 if (!src)
152 return 1; 157 return 1;
153 inh_flags = dest->inh_flags | src->inh_flags; 158 inh_flags = dest->inh_flags | src->inh_flags;
@@ -193,18 +198,20 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
193 return 1; 198 return 1;
194} 199}
195 200
196int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, 201int
197 const X509_VERIFY_PARAM *from) 202X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from)
198{ 203{
199 unsigned long save_flags = to->inh_flags; 204 unsigned long save_flags = to->inh_flags;
200 int ret; 205 int ret;
206
201 to->inh_flags |= X509_VP_FLAG_DEFAULT; 207 to->inh_flags |= X509_VP_FLAG_DEFAULT;
202 ret = X509_VERIFY_PARAM_inherit(to, from); 208 ret = X509_VERIFY_PARAM_inherit(to, from);
203 to->inh_flags = save_flags; 209 to->inh_flags = save_flags;
204 return ret; 210 return ret;
205} 211}
206 212
207int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) 213int
214X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
208{ 215{
209 if (param->name) 216 if (param->name)
210 free(param->name); 217 free(param->name);
@@ -214,7 +221,8 @@ int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
214 return 0; 221 return 0;
215} 222}
216 223
217int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) 224int
225X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
218{ 226{
219 param->flags |= flags; 227 param->flags |= flags;
220 if (flags & X509_V_FLAG_POLICY_MASK) 228 if (flags & X509_V_FLAG_POLICY_MASK)
@@ -222,39 +230,46 @@ int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
222 return 1; 230 return 1;
223} 231}
224 232
225int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) 233int
234X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
226{ 235{
227 param->flags &= ~flags; 236 param->flags &= ~flags;
228 return 1; 237 return 1;
229} 238}
230 239
231unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) 240unsigned long
241X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
232{ 242{
233 return param->flags; 243 return param->flags;
234} 244}
235 245
236int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) 246int
247X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
237{ 248{
238 return X509_PURPOSE_set(&param->purpose, purpose); 249 return X509_PURPOSE_set(&param->purpose, purpose);
239} 250}
240 251
241int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) 252int
253X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
242{ 254{
243 return X509_TRUST_set(&param->trust, trust); 255 return X509_TRUST_set(&param->trust, trust);
244} 256}
245 257
246void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) 258void
259X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
247{ 260{
248 param->depth = depth; 261 param->depth = depth;
249} 262}
250 263
251void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) 264void
265X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
252{ 266{
253 param->check_time = t; 267 param->check_time = t;
254 param->flags |= X509_V_FLAG_USE_CHECK_TIME; 268 param->flags |= X509_V_FLAG_USE_CHECK_TIME;
255} 269}
256 270
257int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) 271int
272X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
258{ 273{
259 if (!param->policies) { 274 if (!param->policies) {
260 param->policies = sk_ASN1_OBJECT_new_null(); 275 param->policies = sk_ASN1_OBJECT_new_null();
@@ -266,11 +281,13 @@ int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
266 return 1; 281 return 1;
267} 282}
268 283
269int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 284int
270 STACK_OF(ASN1_OBJECT) *policies) 285X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
286 STACK_OF(ASN1_OBJECT) *policies)
271{ 287{
272 int i; 288 int i;
273 ASN1_OBJECT *oid, *doid; 289 ASN1_OBJECT *oid, *doid;
290
274 if (!param) 291 if (!param)
275 return 0; 292 return 0;
276 if (param->policies) 293 if (param->policies)
@@ -299,7 +316,8 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
299 return 1; 316 return 1;
300} 317}
301 318
302int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) 319int
320X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
303{ 321{
304 return param->depth; 322 return param->depth;
305} 323}
@@ -312,80 +330,81 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
312 330
313static const X509_VERIFY_PARAM default_table[] = { 331static const X509_VERIFY_PARAM default_table[] = {
314 { 332 {
315 "default", /* X509 default parameters */ 333 "default", /* X509 default parameters */
316 0, /* Check time */ 334 0, /* Check time */
317 0, /* internal flags */ 335 0, /* internal flags */
318 0, /* flags */ 336 0, /* flags */
319 0, /* purpose */ 337 0, /* purpose */
320 0, /* trust */ 338 0, /* trust */
321 100, /* depth */ 339 100, /* depth */
322 NULL /* policies */ 340 NULL /* policies */
323 }, 341 },
324 { 342 {
325 "pkcs7", /* S/MIME sign parameters */ 343 "pkcs7", /* S/MIME sign parameters */
326 0, /* Check time */ 344 0, /* Check time */
327 0, /* internal flags */ 345 0, /* internal flags */
328 0, /* flags */ 346 0, /* flags */
329 X509_PURPOSE_SMIME_SIGN, /* purpose */ 347 X509_PURPOSE_SMIME_SIGN, /* purpose */
330 X509_TRUST_EMAIL, /* trust */ 348 X509_TRUST_EMAIL, /* trust */
331 -1, /* depth */ 349 -1, /* depth */
332 NULL /* policies */ 350 NULL /* policies */
333 }, 351 },
334 { 352 {
335 "smime_sign", /* S/MIME sign parameters */ 353 "smime_sign", /* S/MIME sign parameters */
336 0, /* Check time */ 354 0, /* Check time */
337 0, /* internal flags */ 355 0, /* internal flags */
338 0, /* flags */ 356 0, /* flags */
339 X509_PURPOSE_SMIME_SIGN, /* purpose */ 357 X509_PURPOSE_SMIME_SIGN, /* purpose */
340 X509_TRUST_EMAIL, /* trust */ 358 X509_TRUST_EMAIL, /* trust */
341 -1, /* depth */ 359 -1, /* depth */
342 NULL /* policies */ 360 NULL /* policies */
343 }, 361 },
344 { 362 {
345 "ssl_client", /* SSL/TLS client parameters */ 363 "ssl_client", /* SSL/TLS client parameters */
346 0, /* Check time */ 364 0, /* Check time */
347 0, /* internal flags */ 365 0, /* internal flags */
348 0, /* flags */ 366 0, /* flags */
349 X509_PURPOSE_SSL_CLIENT, /* purpose */ 367 X509_PURPOSE_SSL_CLIENT, /* purpose */
350 X509_TRUST_SSL_CLIENT, /* trust */ 368 X509_TRUST_SSL_CLIENT, /* trust */
351 -1, /* depth */ 369 -1, /* depth */
352 NULL /* policies */ 370 NULL /* policies */
353 }, 371 },
354 { 372 {
355 "ssl_server", /* SSL/TLS server parameters */ 373 "ssl_server", /* SSL/TLS server parameters */
356 0, /* Check time */ 374 0, /* Check time */
357 0, /* internal flags */ 375 0, /* internal flags */
358 0, /* flags */ 376 0, /* flags */
359 X509_PURPOSE_SSL_SERVER, /* purpose */ 377 X509_PURPOSE_SSL_SERVER, /* purpose */
360 X509_TRUST_SSL_SERVER, /* trust */ 378 X509_TRUST_SSL_SERVER, /* trust */
361 -1, /* depth */ 379 -1, /* depth */
362 NULL /* policies */ 380 NULL /* policies */
363 } 381 }
364}; 382};
365 383
366static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL; 384static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
367 385
368static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) 386static int
369 387table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
370{ 388{
371 return strcmp(a->name, b->name); 389 return strcmp(a->name, b->name);
372} 390}
373 391
374DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, 392DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
375 table); 393IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
376IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
377 table);
378 394
379static int param_cmp(const X509_VERIFY_PARAM * const *a, 395static int
380 const X509_VERIFY_PARAM * const *b) 396param_cmp(const X509_VERIFY_PARAM * const *a,
397 const X509_VERIFY_PARAM * const *b)
381{ 398{
382 return strcmp((*a)->name, (*b)->name); 399 return strcmp((*a)->name, (*b)->name);
383} 400}
384 401
385int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) 402int
403X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
386{ 404{
387 int idx; 405 int idx;
388 X509_VERIFY_PARAM *ptmp; 406 X509_VERIFY_PARAM *ptmp;
407
389 if (!param_table) { 408 if (!param_table) {
390 param_table = sk_X509_VERIFY_PARAM_new(param_cmp); 409 param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
391 if (!param_table) 410 if (!param_table)
@@ -403,7 +422,8 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
403 return 1; 422 return 1;
404} 423}
405 424
406const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) 425const X509_VERIFY_PARAM *
426X509_VERIFY_PARAM_lookup(const char *name)
407{ 427{
408 int idx; 428 int idx;
409 X509_VERIFY_PARAM pm; 429 X509_VERIFY_PARAM pm;
@@ -415,13 +435,14 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
415 return sk_X509_VERIFY_PARAM_value(param_table, idx); 435 return sk_X509_VERIFY_PARAM_value(param_table, idx);
416 } 436 }
417 return OBJ_bsearch_table(&pm, default_table, 437 return OBJ_bsearch_table(&pm, default_table,
418 sizeof(default_table)/sizeof(X509_VERIFY_PARAM)); 438 sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
419} 439}
420 440
421void X509_VERIFY_PARAM_table_cleanup(void) 441void
442X509_VERIFY_PARAM_table_cleanup(void)
422{ 443{
423 if (param_table) 444 if (param_table)
424 sk_X509_VERIFY_PARAM_pop_free(param_table, 445 sk_X509_VERIFY_PARAM_pop_free(param_table,
425 X509_VERIFY_PARAM_free); 446 X509_VERIFY_PARAM_free);
426 param_table = NULL; 447 param_table = NULL;
427} 448}
diff --git a/src/lib/libssl/src/crypto/x509/x509_set.c b/src/lib/libssl/src/crypto/x509/x509_set.c
index dfe9eb68ff..6fd2f85761 100644
--- a/src/lib/libssl/src/crypto/x509/x509_set.c
+++ b/src/lib/libssl/src/crypto/x509/x509_set.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -63,78 +63,92 @@
63#include <openssl/evp.h> 63#include <openssl/evp.h>
64#include <openssl/x509.h> 64#include <openssl/x509.h>
65 65
66int X509_set_version(X509 *x, long version) 66int
67X509_set_version(X509 *x, long version)
67{ 68{
68 if (x == NULL) return(0); 69 if (x == NULL)
70 return (0);
69 if (x->cert_info->version == NULL) { 71 if (x->cert_info->version == NULL) {
70 if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL) 72 if ((x->cert_info->version = M_ASN1_INTEGER_new()) == NULL)
71 return(0); 73 return (0);
72 } 74 }
73 return(ASN1_INTEGER_set(x->cert_info->version,version)); 75 return (ASN1_INTEGER_set(x->cert_info->version, version));
74} 76}
75 77
76int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) 78int
79X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
77{ 80{
78 ASN1_INTEGER *in; 81 ASN1_INTEGER *in;
79 82
80 if (x == NULL) return(0); 83 if (x == NULL)
81 in=x->cert_info->serialNumber; 84 return (0);
85 in = x->cert_info->serialNumber;
82 if (in != serial) { 86 if (in != serial) {
83 in=M_ASN1_INTEGER_dup(serial); 87 in = M_ASN1_INTEGER_dup(serial);
84 if (in != NULL) { 88 if (in != NULL) {
85 M_ASN1_INTEGER_free(x->cert_info->serialNumber); 89 M_ASN1_INTEGER_free(x->cert_info->serialNumber);
86 x->cert_info->serialNumber=in; 90 x->cert_info->serialNumber = in;
87 } 91 }
88 } 92 }
89 return(in != NULL); 93 return (in != NULL);
90} 94}
91 95
92int X509_set_issuer_name(X509 *x, X509_NAME *name) 96int
97X509_set_issuer_name(X509 *x, X509_NAME *name)
93{ 98{
94 if ((x == NULL) || (x->cert_info == NULL)) return(0); 99 if ((x == NULL) || (x->cert_info == NULL))
95 return(X509_NAME_set(&x->cert_info->issuer,name)); 100 return (0);
101 return (X509_NAME_set(&x->cert_info->issuer, name));
96} 102}
97 103
98int X509_set_subject_name(X509 *x, X509_NAME *name) 104int
105X509_set_subject_name(X509 *x, X509_NAME *name)
99{ 106{
100 if ((x == NULL) || (x->cert_info == NULL)) return(0); 107 if ((x == NULL) || (x->cert_info == NULL))
101 return(X509_NAME_set(&x->cert_info->subject,name)); 108 return (0);
109 return (X509_NAME_set(&x->cert_info->subject, name));
102} 110}
103 111
104int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) 112int
113X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
105{ 114{
106 ASN1_TIME *in; 115 ASN1_TIME *in;
107 116
108 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); 117 if ((x == NULL) || (x->cert_info->validity == NULL))
109 in=x->cert_info->validity->notBefore; 118 return (0);
119 in = x->cert_info->validity->notBefore;
110 if (in != tm) { 120 if (in != tm) {
111 in=M_ASN1_TIME_dup(tm); 121 in = M_ASN1_TIME_dup(tm);
112 if (in != NULL) { 122 if (in != NULL) {
113 M_ASN1_TIME_free(x->cert_info->validity->notBefore); 123 M_ASN1_TIME_free(x->cert_info->validity->notBefore);
114 x->cert_info->validity->notBefore=in; 124 x->cert_info->validity->notBefore = in;
115 } 125 }
116 } 126 }
117 return(in != NULL); 127 return (in != NULL);
118} 128}
119 129
120int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) 130int
131X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
121{ 132{
122 ASN1_TIME *in; 133 ASN1_TIME *in;
123 134
124 if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); 135 if ((x == NULL) || (x->cert_info->validity == NULL))
125 in=x->cert_info->validity->notAfter; 136 return (0);
137 in = x->cert_info->validity->notAfter;
126 if (in != tm) { 138 if (in != tm) {
127 in=M_ASN1_TIME_dup(tm); 139 in = M_ASN1_TIME_dup(tm);
128 if (in != NULL) { 140 if (in != NULL) {
129 M_ASN1_TIME_free(x->cert_info->validity->notAfter); 141 M_ASN1_TIME_free(x->cert_info->validity->notAfter);
130 x->cert_info->validity->notAfter=in; 142 x->cert_info->validity->notAfter = in;
131 } 143 }
132 } 144 }
133 return(in != NULL); 145 return (in != NULL);
134} 146}
135 147
136int X509_set_pubkey(X509 *x, EVP_PKEY *pkey) 148int
149X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
137{ 150{
138 if ((x == NULL) || (x->cert_info == NULL)) return(0); 151 if ((x == NULL) || (x->cert_info == NULL))
139 return(X509_PUBKEY_set(&(x->cert_info->key),pkey)); 152 return (0);
153 return (X509_PUBKEY_set(&(x->cert_info->key), pkey));
140} 154}
diff --git a/src/lib/libssl/src/crypto/x509/x509_trs.c b/src/lib/libssl/src/crypto/x509/x509_trs.c
index bdda53ec6b..90fd128591 100644
--- a/src/lib/libssl/src/crypto/x509/x509_trs.c
+++ b/src/lib/libssl/src/crypto/x509/x509_trs.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -61,8 +61,7 @@
61#include <openssl/x509v3.h> 61#include <openssl/x509v3.h>
62 62
63 63
64static int tr_cmp(const X509_TRUST * const *a, 64static int tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b);
65 const X509_TRUST * const *b);
66static void trtable_free(X509_TRUST *p); 65static void trtable_free(X509_TRUST *p);
67 66
68static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags); 67static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
@@ -78,14 +77,14 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
78 */ 77 */
79 78
80static X509_TRUST trstandard[] = { 79static X509_TRUST trstandard[] = {
81{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL}, 80 {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
82{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, 81 {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
83{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL}, 82 {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
84{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, 83 {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
85{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL}, 84 {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
86{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL}, 85 {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
87{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}, 86 {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
88{X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL} 87 {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
89}; 88};
90 89
91#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST)) 90#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST))
@@ -94,61 +93,76 @@ IMPLEMENT_STACK_OF(X509_TRUST)
94 93
95static STACK_OF(X509_TRUST) *trtable = NULL; 94static STACK_OF(X509_TRUST) *trtable = NULL;
96 95
97static int tr_cmp(const X509_TRUST * const *a, 96static int
98 const X509_TRUST * const *b) 97tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b)
99{ 98{
100 return (*a)->trust - (*b)->trust; 99 return (*a)->trust - (*b)->trust;
101} 100}
102 101
103int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int) 102int
103(*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
104{ 104{
105 int (*oldtrust)(int , X509 *, int); 105 int (*oldtrust)(int , X509 *, int);
106
106 oldtrust = default_trust; 107 oldtrust = default_trust;
107 default_trust = trust; 108 default_trust = trust;
108 return oldtrust; 109 return oldtrust;
109} 110}
110 111
111 112int
112int X509_check_trust(X509 *x, int id, int flags) 113X509_check_trust(X509 *x, int id, int flags)
113{ 114{
114 X509_TRUST *pt; 115 X509_TRUST *pt;
115 int idx; 116 int idx;
116 if(id == -1) return 1; 117
118 if (id == -1)
119 return 1;
117 idx = X509_TRUST_get_by_id(id); 120 idx = X509_TRUST_get_by_id(id);
118 if(idx == -1) return default_trust(id, x, flags); 121 if (idx == -1)
122 return default_trust(id, x, flags);
119 pt = X509_TRUST_get0(idx); 123 pt = X509_TRUST_get0(idx);
120 return pt->check_trust(pt, x, flags); 124 return pt->check_trust(pt, x, flags);
121} 125}
122 126
123int X509_TRUST_get_count(void) 127int
128X509_TRUST_get_count(void)
124{ 129{
125 if(!trtable) return X509_TRUST_COUNT; 130 if (!trtable)
131 return X509_TRUST_COUNT;
126 return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT; 132 return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
127} 133}
128 134
129X509_TRUST * X509_TRUST_get0(int idx) 135X509_TRUST *
136X509_TRUST_get0(int idx)
130{ 137{
131 if(idx < 0) return NULL; 138 if (idx < 0)
132 if(idx < (int)X509_TRUST_COUNT) return trstandard + idx; 139 return NULL;
140 if (idx < (int)X509_TRUST_COUNT)
141 return trstandard + idx;
133 return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT); 142 return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
134} 143}
135 144
136int X509_TRUST_get_by_id(int id) 145int
146X509_TRUST_get_by_id(int id)
137{ 147{
138 X509_TRUST tmp; 148 X509_TRUST tmp;
139 int idx; 149 int idx;
140 if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX)) 150
141 return id - X509_TRUST_MIN; 151 if ((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
152 return id - X509_TRUST_MIN;
142 tmp.trust = id; 153 tmp.trust = id;
143 if(!trtable) return -1; 154 if (!trtable)
155 return -1;
144 idx = sk_X509_TRUST_find(trtable, &tmp); 156 idx = sk_X509_TRUST_find(trtable, &tmp);
145 if(idx == -1) return -1; 157 if (idx == -1)
158 return -1;
146 return idx + X509_TRUST_COUNT; 159 return idx + X509_TRUST_COUNT;
147} 160}
148 161
149int X509_TRUST_set(int *t, int trust) 162int
163X509_TRUST_set(int *t, int trust)
150{ 164{
151 if(X509_TRUST_get_by_id(trust) == -1) { 165 if (X509_TRUST_get_by_id(trust) == -1) {
152 X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST); 166 X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
153 return 0; 167 return 0;
154 } 168 }
@@ -156,11 +170,13 @@ int X509_TRUST_set(int *t, int trust)
156 return 1; 170 return 1;
157} 171}
158 172
159int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), 173int
160 char *name, int arg1, void *arg2) 174X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
175 char *name, int arg1, void *arg2)
161{ 176{
162 int idx; 177 int idx;
163 X509_TRUST *trtmp; 178 X509_TRUST *trtmp;
179
164 /* This is set according to what we change: application can't set it */ 180 /* This is set according to what we change: application can't set it */
165 flags &= ~X509_TRUST_DYNAMIC; 181 flags &= ~X509_TRUST_DYNAMIC;
166 /* This will always be set for application modified trust entries */ 182 /* This will always be set for application modified trust entries */
@@ -168,9 +184,9 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
168 /* Get existing entry if any */ 184 /* Get existing entry if any */
169 idx = X509_TRUST_get_by_id(id); 185 idx = X509_TRUST_get_by_id(id);
170 /* Need a new entry */ 186 /* Need a new entry */
171 if(idx == -1) { 187 if (idx == -1) {
172 if(!(trtmp = malloc(sizeof(X509_TRUST)))) { 188 if (!(trtmp = malloc(sizeof(X509_TRUST)))) {
173 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); 189 X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
174 return 0; 190 return 0;
175 } 191 }
176 trtmp->flags = X509_TRUST_DYNAMIC; 192 trtmp->flags = X509_TRUST_DYNAMIC;
@@ -178,10 +194,11 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
178 trtmp = X509_TRUST_get0(idx); 194 trtmp = X509_TRUST_get0(idx);
179 195
180 /* free existing name if dynamic */ 196 /* free existing name if dynamic */
181 if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name); 197 if (trtmp->flags & X509_TRUST_DYNAMIC_NAME)
198 free(trtmp->name);
182 /* dup supplied name */ 199 /* dup supplied name */
183 if(!(trtmp->name = BUF_strdup(name))) { 200 if (!(trtmp->name = BUF_strdup(name))) {
184 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); 201 X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
185 return 0; 202 return 0;
186 } 203 }
187 /* Keep the dynamic flag of existing entry */ 204 /* Keep the dynamic flag of existing entry */
@@ -195,22 +212,24 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
195 trtmp->arg2 = arg2; 212 trtmp->arg2 = arg2;
196 213
197 /* If its a new entry manage the dynamic table */ 214 /* If its a new entry manage the dynamic table */
198 if(idx == -1) { 215 if (idx == -1) {
199 if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { 216 if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
200 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); 217 X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
201 return 0; 218 return 0;
202 } 219 }
203 if (!sk_X509_TRUST_push(trtable, trtmp)) { 220 if (!sk_X509_TRUST_push(trtable, trtmp)) {
204 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); 221 X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
205 return 0; 222 return 0;
206 } 223 }
207 } 224 }
208 return 1; 225 return 1;
209} 226}
210 227
211static void trtable_free(X509_TRUST *p) 228static void
229trtable_free(X509_TRUST *p)
212{ 230{
213 if(!p) return; 231 if (!p)
232 return;
214 if (p->flags & X509_TRUST_DYNAMIC) { 233 if (p->flags & X509_TRUST_DYNAMIC) {
215 if (p->flags & X509_TRUST_DYNAMIC_NAME) 234 if (p->flags & X509_TRUST_DYNAMIC_NAME)
216 free(p->name); 235 free(p->name);
@@ -218,32 +237,39 @@ static void trtable_free(X509_TRUST *p)
218 } 237 }
219} 238}
220 239
221void X509_TRUST_cleanup(void) 240void
241X509_TRUST_cleanup(void)
222{ 242{
223 unsigned int i; 243 unsigned int i;
224 for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i); 244
245 for(i = 0; i < X509_TRUST_COUNT; i++)
246 trtable_free(trstandard + i);
225 sk_X509_TRUST_pop_free(trtable, trtable_free); 247 sk_X509_TRUST_pop_free(trtable, trtable_free);
226 trtable = NULL; 248 trtable = NULL;
227} 249}
228 250
229int X509_TRUST_get_flags(X509_TRUST *xp) 251int
252X509_TRUST_get_flags(X509_TRUST *xp)
230{ 253{
231 return xp->flags; 254 return xp->flags;
232} 255}
233 256
234char *X509_TRUST_get0_name(X509_TRUST *xp) 257char *
258X509_TRUST_get0_name(X509_TRUST *xp)
235{ 259{
236 return xp->name; 260 return xp->name;
237} 261}
238 262
239int X509_TRUST_get_trust(X509_TRUST *xp) 263int
264X509_TRUST_get_trust(X509_TRUST *xp)
240{ 265{
241 return xp->trust; 266 return xp->trust;
242} 267}
243 268
244static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) 269static int
270trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
245{ 271{
246 if(x->aux && (x->aux->trust || x->aux->reject)) 272 if (x->aux && (x->aux->trust || x->aux->reject))
247 return obj_trust(trust->arg1, x, flags); 273 return obj_trust(trust->arg1, x, flags);
248 /* we don't have any trust settings: for compatibility 274 /* we don't have any trust settings: for compatibility
249 * we return trusted if it is self signed 275 * we return trusted if it is self signed
@@ -251,38 +277,47 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
251 return trust_compat(trust, x, flags); 277 return trust_compat(trust, x, flags);
252} 278}
253 279
254static int trust_1oid(X509_TRUST *trust, X509 *x, int flags) 280static int
281trust_1oid(X509_TRUST *trust, X509 *x, int flags)
255{ 282{
256 if(x->aux) return obj_trust(trust->arg1, x, flags); 283 if (x->aux)
284 return obj_trust(trust->arg1, x, flags);
257 return X509_TRUST_UNTRUSTED; 285 return X509_TRUST_UNTRUSTED;
258} 286}
259 287
260static int trust_compat(X509_TRUST *trust, X509 *x, int flags) 288static int
289trust_compat(X509_TRUST *trust, X509 *x, int flags)
261{ 290{
262 X509_check_purpose(x, -1, 0); 291 X509_check_purpose(x, -1, 0);
263 if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED; 292 if (x->ex_flags & EXFLAG_SS)
264 else return X509_TRUST_UNTRUSTED; 293 return X509_TRUST_TRUSTED;
294 else
295 return X509_TRUST_UNTRUSTED;
265} 296}
266 297
267static int obj_trust(int id, X509 *x, int flags) 298static int
299obj_trust(int id, X509 *x, int flags)
268{ 300{
269 ASN1_OBJECT *obj; 301 ASN1_OBJECT *obj;
270 int i; 302 int i;
271 X509_CERT_AUX *ax; 303 X509_CERT_AUX *ax;
304
272 ax = x->aux; 305 ax = x->aux;
273 if(!ax) return X509_TRUST_UNTRUSTED; 306 if (!ax)
274 if(ax->reject) { 307 return X509_TRUST_UNTRUSTED;
275 for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { 308 if (ax->reject) {
309 for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
276 obj = sk_ASN1_OBJECT_value(ax->reject, i); 310 obj = sk_ASN1_OBJECT_value(ax->reject, i);
277 if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED; 311 if (OBJ_obj2nid(obj) == id)
312 return X509_TRUST_REJECTED;
278 } 313 }
279 } 314 }
280 if(ax->trust) { 315 if (ax->trust) {
281 for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { 316 for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
282 obj = sk_ASN1_OBJECT_value(ax->trust, i); 317 obj = sk_ASN1_OBJECT_value(ax->trust, i);
283 if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED; 318 if (OBJ_obj2nid(obj) == id)
319 return X509_TRUST_TRUSTED;
284 } 320 }
285 } 321 }
286 return X509_TRUST_UNTRUSTED; 322 return X509_TRUST_UNTRUSTED;
287} 323}
288
diff --git a/src/lib/libssl/src/crypto/x509/x509_txt.c b/src/lib/libssl/src/crypto/x509/x509_txt.c
index 8caf18a955..31a909a12c 100644
--- a/src/lib/libssl/src/crypto/x509/x509_txt.c
+++ b/src/lib/libssl/src/crypto/x509/x509_txt.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -68,7 +68,8 @@
68#include <openssl/x509.h> 68#include <openssl/x509.h>
69#include <openssl/objects.h> 69#include <openssl/objects.h>
70 70
71const char *X509_verify_cert_error_string(long n) 71const char *
72X509_verify_cert_error_string(long n)
72{ 73{
73 static char buf[100]; 74 static char buf[100];
74 75
@@ -162,12 +163,11 @@ const char *X509_verify_cert_error_string(long n)
162 case X509_V_ERR_NO_EXPLICIT_POLICY: 163 case X509_V_ERR_NO_EXPLICIT_POLICY:
163 return("no explicit policy"); 164 return("no explicit policy");
164 case X509_V_ERR_DIFFERENT_CRL_SCOPE: 165 case X509_V_ERR_DIFFERENT_CRL_SCOPE:
165 return("Different CRL scope"); 166 return("Different CRL scope");
166 case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: 167 case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
167 return("Unsupported extension feature"); 168 return("Unsupported extension feature");
168 case X509_V_ERR_UNNESTED_RESOURCE: 169 case X509_V_ERR_UNNESTED_RESOURCE:
169 return("RFC 3779 resource not subset of parent's resources"); 170 return("RFC 3779 resource not subset of parent's resources");
170
171 case X509_V_ERR_PERMITTED_VIOLATION: 171 case X509_V_ERR_PERMITTED_VIOLATION:
172 return("permitted subtree violation"); 172 return("permitted subtree violation");
173 case X509_V_ERR_EXCLUDED_VIOLATION: 173 case X509_V_ERR_EXCLUDED_VIOLATION:
@@ -184,9 +184,7 @@ const char *X509_verify_cert_error_string(long n)
184 return("CRL path validation error"); 184 return("CRL path validation error");
185 185
186 default: 186 default:
187 snprintf(buf,sizeof buf,"error number %ld",n); 187 snprintf(buf, sizeof buf, "error number %ld", n);
188 return(buf); 188 return (buf);
189 } 189 }
190} 190}
191
192
diff --git a/src/lib/libssl/src/crypto/x509/x509_v3.c b/src/lib/libssl/src/crypto/x509/x509_v3.c
index f41fab3367..cabace584b 100644
--- a/src/lib/libssl/src/crypto/x509/x509_v3.c
+++ b/src/lib/libssl/src/crypto/x509/x509_v3.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -65,202 +65,235 @@
65#include <openssl/x509.h> 65#include <openssl/x509.h>
66#include <openssl/x509v3.h> 66#include <openssl/x509v3.h>
67 67
68int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) 68int
69X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
69{ 70{
70 if (x == NULL) return(0); 71 if (x == NULL)
71 return(sk_X509_EXTENSION_num(x)); 72 return (0);
73 return (sk_X509_EXTENSION_num(x));
72} 74}
73 75
74int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, 76int
75 int lastpos) 77X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos)
76{ 78{
77 ASN1_OBJECT *obj; 79 ASN1_OBJECT *obj;
78 80
79 obj=OBJ_nid2obj(nid); 81 obj = OBJ_nid2obj(nid);
80 if (obj == NULL) return(-2); 82 if (obj == NULL)
81 return(X509v3_get_ext_by_OBJ(x,obj,lastpos)); 83 return (-2);
84 return (X509v3_get_ext_by_OBJ(x, obj, lastpos));
82} 85}
83 86
84int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, 87int
85 int lastpos) 88X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
89 int lastpos)
86{ 90{
87 int n; 91 int n;
88 X509_EXTENSION *ex; 92 X509_EXTENSION *ex;
89 93
90 if (sk == NULL) return(-1); 94 if (sk == NULL)
95 return (-1);
91 lastpos++; 96 lastpos++;
92 if (lastpos < 0) 97 if (lastpos < 0)
93 lastpos=0; 98 lastpos = 0;
94 n=sk_X509_EXTENSION_num(sk); 99 n = sk_X509_EXTENSION_num(sk);
95 for ( ; lastpos < n; lastpos++) { 100 for (; lastpos < n; lastpos++) {
96 ex=sk_X509_EXTENSION_value(sk,lastpos); 101 ex = sk_X509_EXTENSION_value(sk, lastpos);
97 if (OBJ_cmp(ex->object,obj) == 0) 102 if (OBJ_cmp(ex->object, obj) == 0)
98 return(lastpos); 103 return (lastpos);
99 } 104 }
100 return(-1); 105 return (-1);
101} 106}
102 107
103int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, 108int
104 int lastpos) 109X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
110 int lastpos)
105{ 111{
106 int n; 112 int n;
107 X509_EXTENSION *ex; 113 X509_EXTENSION *ex;
108 114
109 if (sk == NULL) return(-1); 115 if (sk == NULL)
116 return (-1);
110 lastpos++; 117 lastpos++;
111 if (lastpos < 0) 118 if (lastpos < 0)
112 lastpos=0; 119 lastpos = 0;
113 n=sk_X509_EXTENSION_num(sk); 120 n = sk_X509_EXTENSION_num(sk);
114 for ( ; lastpos < n; lastpos++) { 121 for (; lastpos < n; lastpos++) {
115 ex=sk_X509_EXTENSION_value(sk,lastpos); 122 ex = sk_X509_EXTENSION_value(sk, lastpos);
116 if ( ((ex->critical > 0) && crit) || 123 if (((ex->critical > 0) && crit) ||
117 ((ex->critical <= 0) && !crit)) 124 ((ex->critical <= 0) && !crit))
118 return(lastpos); 125 return (lastpos);
119 } 126 }
120 return(-1); 127 return (-1);
121} 128}
122 129
123X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) 130X509_EXTENSION *
131X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
124{ 132{
125 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) 133 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
126 return NULL; 134 return NULL;
127 else 135 else
128 return sk_X509_EXTENSION_value(x,loc); 136 return sk_X509_EXTENSION_value(x, loc);
129} 137}
130 138
131X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) 139X509_EXTENSION *
140X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
132{ 141{
133 X509_EXTENSION *ret; 142 X509_EXTENSION *ret;
134 143
135 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) 144 if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
136 return(NULL); 145 return (NULL);
137 ret=sk_X509_EXTENSION_delete(x,loc); 146 ret = sk_X509_EXTENSION_delete(x, loc);
138 return(ret); 147 return (ret);
139} 148}
140 149
141STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, 150STACK_OF(X509_EXTENSION) *
142 X509_EXTENSION *ex, int loc) 151X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc)
143{ 152{
144 X509_EXTENSION *new_ex=NULL; 153 X509_EXTENSION *new_ex = NULL;
145 int n; 154 int n;
146 STACK_OF(X509_EXTENSION) *sk=NULL; 155 STACK_OF(X509_EXTENSION) *sk = NULL;
147 156
148 if (x == NULL) { 157 if (x == NULL) {
149 X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER); 158 X509err(X509_F_X509V3_ADD_EXT, ERR_R_PASSED_NULL_PARAMETER);
150 goto err2; 159 goto err2;
151 } 160 }
152 161
153 if (*x == NULL) { 162 if (*x == NULL) {
154 if ((sk=sk_X509_EXTENSION_new_null()) == NULL) 163 if ((sk = sk_X509_EXTENSION_new_null()) == NULL)
155 goto err; 164 goto err;
156 } else 165 } else
157 sk= *x; 166 sk= *x;
158 167
159 n=sk_X509_EXTENSION_num(sk); 168 n = sk_X509_EXTENSION_num(sk);
160 if (loc > n) loc=n; 169 if (loc > n)
161 else if (loc < 0) loc=n; 170 loc = n;
171 else if (loc < 0)
172 loc = n;
162 173
163 if ((new_ex=X509_EXTENSION_dup(ex)) == NULL) 174 if ((new_ex = X509_EXTENSION_dup(ex)) == NULL)
164 goto err2; 175 goto err2;
165 if (!sk_X509_EXTENSION_insert(sk,new_ex,loc)) 176 if (!sk_X509_EXTENSION_insert(sk, new_ex, loc))
166 goto err; 177 goto err;
167 if (*x == NULL) 178 if (*x == NULL)
168 *x=sk; 179 *x = sk;
169 return(sk); 180 return (sk);
181
170err: 182err:
171 X509err(X509_F_X509V3_ADD_EXT,ERR_R_MALLOC_FAILURE); 183 X509err(X509_F_X509V3_ADD_EXT, ERR_R_MALLOC_FAILURE);
172err2: 184err2:
173 if (new_ex != NULL) X509_EXTENSION_free(new_ex); 185 if (new_ex != NULL)
174 if (sk != NULL) sk_X509_EXTENSION_free(sk); 186 X509_EXTENSION_free(new_ex);
175 return(NULL); 187 if (sk != NULL)
188 sk_X509_EXTENSION_free(sk);
189 return (NULL);
176} 190}
177 191
178X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, 192X509_EXTENSION *
179 int crit, ASN1_OCTET_STRING *data) 193X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit,
194 ASN1_OCTET_STRING *data)
180{ 195{
181 ASN1_OBJECT *obj; 196 ASN1_OBJECT *obj;
182 X509_EXTENSION *ret; 197 X509_EXTENSION *ret;
183 198
184 obj=OBJ_nid2obj(nid); 199 obj = OBJ_nid2obj(nid);
185 if (obj == NULL) { 200 if (obj == NULL) {
186 X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID); 201 X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,
187 return(NULL); 202 X509_R_UNKNOWN_NID);
203 return (NULL);
188 } 204 }
189 ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data); 205 ret = X509_EXTENSION_create_by_OBJ(ex, obj, crit, data);
190 if (ret == NULL) ASN1_OBJECT_free(obj); 206 if (ret == NULL)
191 return(ret); 207 ASN1_OBJECT_free(obj);
208 return (ret);
192} 209}
193 210
194X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, 211X509_EXTENSION *
195 ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data) 212X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, ASN1_OBJECT *obj, int crit,
213 ASN1_OCTET_STRING *data)
196{ 214{
197 X509_EXTENSION *ret; 215 X509_EXTENSION *ret;
198 216
199 if ((ex == NULL) || (*ex == NULL)) { 217 if ((ex == NULL) || (*ex == NULL)) {
200 if ((ret=X509_EXTENSION_new()) == NULL) 218 if ((ret = X509_EXTENSION_new()) == NULL) {
201 { 219 X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,
202 X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); 220 ERR_R_MALLOC_FAILURE);
203 return(NULL); 221 return (NULL);
204 } 222 }
205 } else 223 } else
206 ret= *ex; 224 ret= *ex;
207 225
208 if (!X509_EXTENSION_set_object(ret,obj)) 226 if (!X509_EXTENSION_set_object(ret, obj))
209 goto err; 227 goto err;
210 if (!X509_EXTENSION_set_critical(ret,crit)) 228 if (!X509_EXTENSION_set_critical(ret, crit))
211 goto err; 229 goto err;
212 if (!X509_EXTENSION_set_data(ret,data)) 230 if (!X509_EXTENSION_set_data(ret, data))
213 goto err; 231 goto err;
214 232
215 if ((ex != NULL) && (*ex == NULL)) *ex=ret; 233 if ((ex != NULL) && (*ex == NULL))
216 return(ret); 234 *ex = ret;
235 return (ret);
236
217err: 237err:
218 if ((ex == NULL) || (ret != *ex)) 238 if ((ex == NULL) || (ret != *ex))
219 X509_EXTENSION_free(ret); 239 X509_EXTENSION_free(ret);
220 return(NULL); 240 return (NULL);
221} 241}
222 242
223int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) 243int
244X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
224{ 245{
225 if ((ex == NULL) || (obj == NULL)) 246 if ((ex == NULL) || (obj == NULL))
226 return(0); 247 return (0);
227 ASN1_OBJECT_free(ex->object); 248 ASN1_OBJECT_free(ex->object);
228 ex->object=OBJ_dup(obj); 249 ex->object = OBJ_dup(obj);
229 return(1); 250 return (1);
230} 251}
231 252
232int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) 253int
254X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
233{ 255{
234 if (ex == NULL) return(0); 256 if (ex == NULL)
235 ex->critical=(crit)?0xFF:-1; 257 return (0);
236 return(1); 258 ex->critical = (crit) ? 0xFF : -1;
259 return (1);
237} 260}
238 261
239int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) 262int
263X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
240{ 264{
241 int i; 265 int i;
242 266
243 if (ex == NULL) return(0); 267 if (ex == NULL)
244 i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length); 268 return (0);
245 if (!i) return(0); 269 i = M_ASN1_OCTET_STRING_set(ex->value, data->data, data->length);
246 return(1); 270 if (!i)
271 return (0);
272 return (1);
247} 273}
248 274
249ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex) 275ASN1_OBJECT *
276X509_EXTENSION_get_object(X509_EXTENSION *ex)
250{ 277{
251 if (ex == NULL) return(NULL); 278 if (ex == NULL)
252 return(ex->object); 279 return (NULL);
280 return (ex->object);
253} 281}
254 282
255ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex) 283ASN1_OCTET_STRING *
284X509_EXTENSION_get_data(X509_EXTENSION *ex)
256{ 285{
257 if (ex == NULL) return(NULL); 286 if (ex == NULL)
258 return(ex->value); 287 return (NULL);
288 return (ex->value);
259} 289}
260 290
261int X509_EXTENSION_get_critical(X509_EXTENSION *ex) 291int
292X509_EXTENSION_get_critical(X509_EXTENSION *ex)
262{ 293{
263 if (ex == NULL) return(0); 294 if (ex == NULL)
264 if(ex->critical > 0) return 1; 295 return (0);
296 if (ex->critical > 0)
297 return 1;
265 return 0; 298 return 0;
266} 299}
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index 6e9dd7cc6a..0024904c20 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -108,7 +108,7 @@
108 108
109#define CRL_SCORE_TIME_DELTA 0x002 109#define CRL_SCORE_TIME_DELTA 0x002
110 110
111static int null_callback(int ok,X509_STORE_CTX *e); 111static int null_callback(int ok, X509_STORE_CTX *e);
112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); 112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); 113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
114static int check_chain_extensions(X509_STORE_CTX *ctx); 114static int check_chain_extensions(X509_STORE_CTX *ctx);
@@ -119,100 +119,106 @@ static int check_cert(X509_STORE_CTX *ctx);
119static int check_policy(X509_STORE_CTX *ctx); 119static int check_policy(X509_STORE_CTX *ctx);
120 120
121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
122 unsigned int *preasons, 122 unsigned int *preasons, X509_CRL *crl, X509 *x);
123 X509_CRL *crl, X509 *x);
124static int get_crl_delta(X509_STORE_CTX *ctx, 123static int get_crl_delta(X509_STORE_CTX *ctx,
125 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); 124 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
126static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, 125static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
127 X509_CRL *base, STACK_OF(X509_CRL) *crls); 126 X509_CRL *base, STACK_OF(X509_CRL) *crls);
128static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, 127static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
129 X509 **pissuer, int *pcrl_score); 128 int *pcrl_score);
130static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 129static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
131 unsigned int *preasons); 130 unsigned int *preasons);
132static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); 131static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
133static int check_crl_chain(X509_STORE_CTX *ctx, 132static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
134 STACK_OF(X509) *cert_path, 133 STACK_OF(X509) *crl_path);
135 STACK_OF(X509) *crl_path);
136 134
137static int internal_verify(X509_STORE_CTX *ctx); 135static int internal_verify(X509_STORE_CTX *ctx);
138const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; 136const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139 137
140 138
141static int null_callback(int ok, X509_STORE_CTX *e) 139static int
140null_callback(int ok, X509_STORE_CTX *e)
142{ 141{
143 return ok; 142 return ok;
144} 143}
145 144
146#if 0 145#if 0
147static int x509_subject_cmp(X509 **a, X509 **b) 146static int
147x509_subject_cmp(X509 **a, X509 **b)
148{ 148{
149 return X509_subject_name_cmp(*a,*b); 149 return X509_subject_name_cmp(*a, *b);
150} 150}
151#endif 151#endif
152 152
153int X509_verify_cert(X509_STORE_CTX *ctx) 153int
154X509_verify_cert(X509_STORE_CTX *ctx)
154{ 155{
155 X509 *x,*xtmp,*chain_ss=NULL; 156 X509 *x, *xtmp, *chain_ss = NULL;
156 int bad_chain = 0; 157 int bad_chain = 0;
157 X509_VERIFY_PARAM *param = ctx->param; 158 X509_VERIFY_PARAM *param = ctx->param;
158 int depth,i,ok=0; 159 int depth, i, ok = 0;
159 int num; 160 int num;
160 int (*cb)(int xok,X509_STORE_CTX *xctx); 161 int (*cb)(int xok, X509_STORE_CTX *xctx);
161 STACK_OF(X509) *sktmp=NULL; 162 STACK_OF(X509) *sktmp = NULL;
163
162 if (ctx->cert == NULL) { 164 if (ctx->cert == NULL) {
163 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); 165 X509err(X509_F_X509_VERIFY_CERT,
166 X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
164 return -1; 167 return -1;
165 } 168 }
166 169
167 cb=ctx->verify_cb; 170 cb = ctx->verify_cb;
168 171
169 /* first we make sure the chain we are going to build is 172 /* first we make sure the chain we are going to build is
170 * present and that the first entry is in place */ 173 * present and that the first entry is in place */
171 if (ctx->chain == NULL) { 174 if (ctx->chain == NULL) {
172 if ( ((ctx->chain=sk_X509_new_null()) == NULL) || 175 if (((ctx->chain = sk_X509_new_null()) == NULL) ||
173 (!sk_X509_push(ctx->chain,ctx->cert))) { 176 (!sk_X509_push(ctx->chain, ctx->cert))) {
174 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 177 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
175 goto end; 178 goto end;
176 } 179 }
177 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); 180 CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
178 ctx->last_untrusted=1; 181 ctx->last_untrusted = 1;
179 } 182 }
180 183
181 /* We use a temporary STACK so we can chop and hack at it */ 184 /* We use a temporary STACK so we can chop and hack at it */
182 if (ctx->untrusted != NULL 185 if (ctx->untrusted != NULL &&
183 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) { 186 (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
184 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 187 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
185 goto end; 188 goto end;
186 } 189 }
187 190
188 num=sk_X509_num(ctx->chain); 191 num = sk_X509_num(ctx->chain);
189 x=sk_X509_value(ctx->chain,num-1); 192 x = sk_X509_value(ctx->chain, num - 1);
190 depth=param->depth; 193 depth = param->depth;
191
192 194
193 for (;;) { 195 for (;;) {
194 /* If we have enough, we break */ 196 /* If we have enough, we break */
195 if (depth < num) break; /* FIXME: If this happens, we should take 197 if (depth < num)
196 * note of it and, if appropriate, use the 198 break; /* FIXME: If this happens, we should take
197 * X509_V_ERR_CERT_CHAIN_TOO_LONG error 199 * note of it and, if appropriate, use the
198 * code later. 200 * X509_V_ERR_CERT_CHAIN_TOO_LONG error
199 */ 201 * code later.
202 */
200 203
201 /* If we are self signed, we break */ 204 /* If we are self signed, we break */
202 if (ctx->check_issued(ctx, x,x)) break; 205 if (ctx->check_issued(ctx, x, x))
206 break;
203 207
204 /* If we were passed a cert chain, use it first */ 208 /* If we were passed a cert chain, use it first */
205 if (ctx->untrusted != NULL) { 209 if (ctx->untrusted != NULL) {
206 xtmp=find_issuer(ctx, sktmp,x); 210 xtmp = find_issuer(ctx, sktmp, x);
207 if (xtmp != NULL) { 211 if (xtmp != NULL) {
208 if (!sk_X509_push(ctx->chain,xtmp)) { 212 if (!sk_X509_push(ctx->chain, xtmp)) {
209 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 213 X509err(X509_F_X509_VERIFY_CERT,
214 ERR_R_MALLOC_FAILURE);
210 goto end; 215 goto end;
211 } 216 }
212 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); 217 CRYPTO_add(&xtmp->references, 1,
213 (void)sk_X509_delete_ptr(sktmp,xtmp); 218 CRYPTO_LOCK_X509);
219 (void)sk_X509_delete_ptr(sktmp, xtmp);
214 ctx->last_untrusted++; 220 ctx->last_untrusted++;
215 x=xtmp; 221 x = xtmp;
216 num++; 222 num++;
217 /* reparse the full chain for 223 /* reparse the full chain for
218 * the next one */ 224 * the next one */
@@ -230,8 +236,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
230 * is self signed. 236 * is self signed.
231 */ 237 */
232 238
233 i=sk_X509_num(ctx->chain); 239 i = sk_X509_num(ctx->chain);
234 x=sk_X509_value(ctx->chain,i-1); 240 x = sk_X509_value(ctx->chain, i - 1);
235 if (ctx->check_issued(ctx, x, x)) { 241 if (ctx->check_issued(ctx, x, x)) {
236 /* we have a self signed certificate */ 242 /* we have a self signed certificate */
237 if (sk_X509_num(ctx->chain) == 1) { 243 if (sk_X509_num(ctx->chain) == 1) {
@@ -241,13 +247,16 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
241 */ 247 */
242 ok = ctx->get_issuer(&xtmp, ctx, x); 248 ok = ctx->get_issuer(&xtmp, ctx, x);
243 if ((ok <= 0) || X509_cmp(x, xtmp)) { 249 if ((ok <= 0) || X509_cmp(x, xtmp)) {
244 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; 250 ctx->error =
245 ctx->current_cert=x; 251 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
246 ctx->error_depth=i-1; 252 ctx->current_cert = x;
247 if (ok == 1) X509_free(xtmp); 253 ctx->error_depth = i - 1;
254 if (ok == 1)
255 X509_free(xtmp);
248 bad_chain = 1; 256 bad_chain = 1;
249 ok=cb(0,ctx); 257 ok = cb(0, ctx);
250 if (!ok) goto end; 258 if (!ok)
259 goto end;
251 } else { 260 } else {
252 /* We have a match: replace certificate with store version 261 /* We have a match: replace certificate with store version
253 * so we get any trust settings. 262 * so we get any trust settings.
@@ -255,34 +264,37 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
255 X509_free(x); 264 X509_free(x);
256 x = xtmp; 265 x = xtmp;
257 (void)sk_X509_set(ctx->chain, i - 1, x); 266 (void)sk_X509_set(ctx->chain, i - 1, x);
258 ctx->last_untrusted=0; 267 ctx->last_untrusted = 0;
259 } 268 }
260 } else { 269 } else {
261 /* extract and save self signed certificate for later use */ 270 /* extract and save self signed certificate for later use */
262 chain_ss=sk_X509_pop(ctx->chain); 271 chain_ss = sk_X509_pop(ctx->chain);
263 ctx->last_untrusted--; 272 ctx->last_untrusted--;
264 num--; 273 num--;
265 x=sk_X509_value(ctx->chain,num-1); 274 x = sk_X509_value(ctx->chain, num - 1);
266 } 275 }
267 } 276 }
268 277
269 /* We now lookup certs from the certificate store */ 278 /* We now lookup certs from the certificate store */
270 for (;;) { 279 for (;;) {
271 /* If we have enough, we break */ 280 /* If we have enough, we break */
272 if (depth < num) break; 281 if (depth < num)
282 break;
273 283
274 /* If we are self signed, we break */ 284 /* If we are self signed, we break */
275 if (ctx->check_issued(ctx,x,x)) break; 285 if (ctx->check_issued(ctx, x, x))
286 break;
276 287
277 ok = ctx->get_issuer(&xtmp, ctx, x); 288 ok = ctx->get_issuer(&xtmp, ctx, x);
278 289 if (ok < 0)
279 if (ok < 0) return ok; 290 return ok;
280 if (ok == 0) break; 291 if (ok == 0)
292 break;
281 293
282 x = xtmp; 294 x = xtmp;
283 if (!sk_X509_push(ctx->chain,x)) { 295 if (!sk_X509_push(ctx->chain, x)) {
284 X509_free(xtmp); 296 X509_free(xtmp);
285 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 297 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
286 return 0; 298 return 0;
287 } 299 }
288 num++; 300 num++;
@@ -291,81 +303,94 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
291 /* we now have our chain, lets check it... */ 303 /* we now have our chain, lets check it... */
292 304
293 /* Is last certificate looked up self signed? */ 305 /* Is last certificate looked up self signed? */
294 if (!ctx->check_issued(ctx,x,x)) { 306 if (!ctx->check_issued(ctx, x, x)) {
295 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { 307 if ((chain_ss == NULL) ||
308 !ctx->check_issued(ctx, x, chain_ss)) {
296 if (ctx->last_untrusted >= num) 309 if (ctx->last_untrusted >= num)
297 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 310 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
298 else 311 else
299 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; 312 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
300 ctx->current_cert=x; 313 ctx->current_cert = x;
301 } else { 314 } else {
302 315
303 sk_X509_push(ctx->chain,chain_ss); 316 sk_X509_push(ctx->chain, chain_ss);
304 num++; 317 num++;
305 ctx->last_untrusted=num; 318 ctx->last_untrusted = num;
306 ctx->current_cert=chain_ss; 319 ctx->current_cert = chain_ss;
307 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 320 ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
308 chain_ss=NULL; 321 chain_ss = NULL;
309 } 322 }
310 323
311 ctx->error_depth=num-1; 324 ctx->error_depth = num - 1;
312 bad_chain = 1; 325 bad_chain = 1;
313 ok=cb(0,ctx); 326 ok = cb(0, ctx);
314 if (!ok) goto end; 327 if (!ok)
328 goto end;
315 } 329 }
316 330
317 /* We have the chain complete: now we need to check its purpose */ 331 /* We have the chain complete: now we need to check its purpose */
318 ok = check_chain_extensions(ctx); 332 ok = check_chain_extensions(ctx);
319 333
320 if (!ok) goto end; 334 if (!ok)
335 goto end;
321 336
322 /* Check name constraints */ 337 /* Check name constraints */
323 338
324 ok = check_name_constraints(ctx); 339 ok = check_name_constraints(ctx);
325 340
326 if (!ok) goto end; 341 if (!ok)
342 goto end;
327 343
328 /* The chain extensions are OK: check trust */ 344 /* The chain extensions are OK: check trust */
329 345
330 if (param->trust > 0) ok = check_trust(ctx); 346 if (param->trust > 0)
347 ok = check_trust(ctx);
331 348
332 if (!ok) goto end; 349 if (!ok)
350 goto end;
333 351
334 /* We may as well copy down any DSA parameters that are required */ 352 /* We may as well copy down any DSA parameters that are required */
335 X509_get_pubkey_parameters(NULL,ctx->chain); 353 X509_get_pubkey_parameters(NULL, ctx->chain);
336 354
337 /* Check revocation status: we do this after copying parameters 355 /* Check revocation status: we do this after copying parameters
338 * because they may be needed for CRL signature verification. 356 * because they may be needed for CRL signature verification.
339 */ 357 */
340 358
341 ok = ctx->check_revocation(ctx); 359 ok = ctx->check_revocation(ctx);
342 if(!ok) goto end; 360 if (!ok)
361 goto end;
343 362
344 /* At this point, we have a chain and need to verify it */ 363 /* At this point, we have a chain and need to verify it */
345 if (ctx->verify != NULL) 364 if (ctx->verify != NULL)
346 ok=ctx->verify(ctx); 365 ok = ctx->verify(ctx);
347 else 366 else
348 ok=internal_verify(ctx); 367 ok = internal_verify(ctx);
349 if(!ok) goto end; 368 if (!ok)
369 goto end;
350 370
351#ifndef OPENSSL_NO_RFC3779 371#ifndef OPENSSL_NO_RFC3779
352 /* RFC 3779 path validation, now that CRL check has been done */ 372 /* RFC 3779 path validation, now that CRL check has been done */
353 ok = v3_asid_validate_path(ctx); 373 ok = v3_asid_validate_path(ctx);
354 if (!ok) goto end; 374 if (!ok)
375 goto end;
355 ok = v3_addr_validate_path(ctx); 376 ok = v3_addr_validate_path(ctx);
356 if (!ok) goto end; 377 if (!ok)
378 goto end;
357#endif 379#endif
358 380
359 /* If we get this far evaluate policies */ 381 /* If we get this far evaluate policies */
360 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) 382 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
361 ok = ctx->check_policy(ctx); 383 ok = ctx->check_policy(ctx);
362 if(!ok) goto end; 384 if (!ok)
385 goto end;
363 if (0) { 386 if (0) {
364end: 387end:
365 X509_get_pubkey_parameters(NULL,ctx->chain); 388 X509_get_pubkey_parameters(NULL, ctx->chain);
366 } 389 }
367 if (sktmp != NULL) sk_X509_free(sktmp); 390 if (sktmp != NULL)
368 if (chain_ss != NULL) X509_free(chain_ss); 391 sk_X509_free(sktmp);
392 if (chain_ss != NULL)
393 X509_free(chain_ss);
369 return ok; 394 return ok;
370} 395}
371 396
@@ -373,10 +398,12 @@ end:
373/* Given a STACK_OF(X509) find the issuer of cert (if any) 398/* Given a STACK_OF(X509) find the issuer of cert (if any)
374 */ 399 */
375 400
376static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) 401static X509 *
402find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
377{ 403{
378 int i; 404 int i;
379 X509 *issuer; 405 X509 *issuer;
406
380 for (i = 0; i < sk_X509_num(sk); i++) { 407 for (i = 0; i < sk_X509_num(sk); i++) {
381 issuer = sk_X509_value(sk, i); 408 issuer = sk_X509_value(sk, i);
382 if (ctx->check_issued(ctx, x, issuer)) 409 if (ctx->check_issued(ctx, x, issuer))
@@ -387,9 +414,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
387 414
388/* Given a possible certificate and issuer check them */ 415/* Given a possible certificate and issuer check them */
389 416
390static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) 417static int
418check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
391{ 419{
392 int ret; 420 int ret;
421
393 ret = X509_check_issued(issuer, x); 422 ret = X509_check_issued(issuer, x);
394 if (ret == X509_V_OK) 423 if (ret == X509_V_OK)
395 return 1; 424 return 1;
@@ -405,33 +434,35 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
405 434
406/* Alternative lookup method: look from a STACK stored in other_ctx */ 435/* Alternative lookup method: look from a STACK stored in other_ctx */
407 436
408static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 437static int
438get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
409{ 439{
410 *issuer = find_issuer(ctx, ctx->other_ctx, x); 440 *issuer = find_issuer(ctx, ctx->other_ctx, x);
411 if (*issuer) { 441 if (*issuer) {
412 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); 442 CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
413 return 1; 443 return 1;
414 } else 444 } else
415 return 0; 445 return 0;
416} 446}
417
418 447
419/* Check a certificate chains extensions for consistency 448/* Check a certificate chains extensions for consistency
420 * with the supplied purpose 449 * with the supplied purpose
421 */ 450 */
422 451
423static int check_chain_extensions(X509_STORE_CTX *ctx) 452static int
453check_chain_extensions(X509_STORE_CTX *ctx)
424{ 454{
425#ifdef OPENSSL_NO_CHAIN_VERIFY 455#ifdef OPENSSL_NO_CHAIN_VERIFY
426 return 1; 456 return 1;
427#else 457#else
428 int i, ok=0, must_be_ca, plen = 0; 458 int i, ok = 0, must_be_ca, plen = 0;
429 X509 *x; 459 X509 *x;
430 int (*cb)(int xok,X509_STORE_CTX *xctx); 460 int (*cb)(int xok, X509_STORE_CTX *xctx);
431 int proxy_path_length = 0; 461 int proxy_path_length = 0;
432 int purpose; 462 int purpose;
433 int allow_proxy_certs; 463 int allow_proxy_certs;
434 cb=ctx->verify_cb; 464
465 cb = ctx->verify_cb;
435 466
436 /* must_be_ca can have 1 of 3 values: 467 /* must_be_ca can have 1 of 3 values:
437 -1: we accept both CA and non-CA certificates, to allow direct 468 -1: we accept both CA and non-CA certificates, to allow direct
@@ -449,7 +480,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
449 purpose = X509_PURPOSE_CRL_SIGN; 480 purpose = X509_PURPOSE_CRL_SIGN;
450 } else { 481 } else {
451 allow_proxy_certs = 482 allow_proxy_certs =
452 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); 483 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
453 /* A hack to keep people who don't want to modify their 484 /* A hack to keep people who don't want to modify their
454 software happy */ 485 software happy */
455 if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) 486 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
@@ -461,26 +492,28 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
461 for (i = 0; i < ctx->last_untrusted; i++) { 492 for (i = 0; i < ctx->last_untrusted; i++) {
462 int ret; 493 int ret;
463 x = sk_X509_value(ctx->chain, i); 494 x = sk_X509_value(ctx->chain, i);
464 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 495 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
465 && (x->ex_flags & EXFLAG_CRITICAL)) { 496 (x->ex_flags & EXFLAG_CRITICAL)) {
466 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 497 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
467 ctx->error_depth = i; 498 ctx->error_depth = i;
468 ctx->current_cert = x; 499 ctx->current_cert = x;
469 ok=cb(0,ctx); 500 ok = cb(0, ctx);
470 if (!ok) goto end; 501 if (!ok)
502 goto end;
471 } 503 }
472 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { 504 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
473 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; 505 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
474 ctx->error_depth = i; 506 ctx->error_depth = i;
475 ctx->current_cert = x; 507 ctx->current_cert = x;
476 ok=cb(0,ctx); 508 ok = cb(0, ctx);
477 if (!ok) goto end; 509 if (!ok)
510 goto end;
478 } 511 }
479 ret = X509_check_ca(x); 512 ret = X509_check_ca(x);
480 switch(must_be_ca) { 513 switch (must_be_ca) {
481 case -1: 514 case -1:
482 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 515 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
483 && (ret != 1) && (ret != 0)) { 516 (ret != 1) && (ret != 0)) {
484 ret = 0; 517 ret = 0;
485 ctx->error = X509_V_ERR_INVALID_CA; 518 ctx->error = X509_V_ERR_INVALID_CA;
486 } else 519 } else
@@ -494,9 +527,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
494 ret = 1; 527 ret = 1;
495 break; 528 break;
496 default: 529 default:
497 if ((ret == 0) 530 if ((ret == 0) ||
498 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 531 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
499 && (ret != 1))) { 532 (ret != 1))) {
500 ret = 0; 533 ret = 0;
501 ctx->error = X509_V_ERR_INVALID_CA; 534 ctx->error = X509_V_ERR_INVALID_CA;
502 } else 535 } else
@@ -506,30 +539,33 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
506 if (ret == 0) { 539 if (ret == 0) {
507 ctx->error_depth = i; 540 ctx->error_depth = i;
508 ctx->current_cert = x; 541 ctx->current_cert = x;
509 ok=cb(0,ctx); 542 ok = cb(0, ctx);
510 if (!ok) goto end; 543 if (!ok)
544 goto end;
511 } 545 }
512 if (ctx->param->purpose > 0) { 546 if (ctx->param->purpose > 0) {
513 ret = X509_check_purpose(x, purpose, must_be_ca > 0); 547 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
514 if ((ret == 0) 548 if ((ret == 0) ||
515 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 549 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
516 && (ret != 1))) { 550 (ret != 1))) {
517 ctx->error = X509_V_ERR_INVALID_PURPOSE; 551 ctx->error = X509_V_ERR_INVALID_PURPOSE;
518 ctx->error_depth = i; 552 ctx->error_depth = i;
519 ctx->current_cert = x; 553 ctx->current_cert = x;
520 ok=cb(0,ctx); 554 ok = cb(0, ctx);
521 if (!ok) goto end; 555 if (!ok)
556 goto end;
522 } 557 }
523 } 558 }
524 /* Check pathlen if not self issued */ 559 /* Check pathlen if not self issued */
525 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) 560 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) &&
526 && (x->ex_pathlen != -1) 561 (x->ex_pathlen != -1) &&
527 && (plen > (x->ex_pathlen + proxy_path_length + 1))) { 562 (plen > (x->ex_pathlen + proxy_path_length + 1))) {
528 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 563 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
529 ctx->error_depth = i; 564 ctx->error_depth = i;
530 ctx->current_cert = x; 565 ctx->current_cert = x;
531 ok=cb(0,ctx); 566 ok = cb(0, ctx);
532 if (!ok) goto end; 567 if (!ok)
568 goto end;
533 } 569 }
534 /* Increment path length if not self issued */ 570 /* Increment path length if not self issued */
535 if (!(x->ex_flags & EXFLAG_SI)) 571 if (!(x->ex_flags & EXFLAG_SI))
@@ -541,11 +577,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
541 if (x->ex_flags & EXFLAG_PROXY) { 577 if (x->ex_flags & EXFLAG_PROXY) {
542 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { 578 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
543 ctx->error = 579 ctx->error =
544 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; 580 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
545 ctx->error_depth = i; 581 ctx->error_depth = i;
546 ctx->current_cert = x; 582 ctx->current_cert = x;
547 ok=cb(0,ctx); 583 ok = cb(0, ctx);
548 if (!ok) goto end; 584 if (!ok)
585 goto end;
549 } 586 }
550 proxy_path_length++; 587 proxy_path_length++;
551 must_be_ca = 0; 588 must_be_ca = 0;
@@ -553,15 +590,18 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
553 must_be_ca = 1; 590 must_be_ca = 1;
554 } 591 }
555 ok = 1; 592 ok = 1;
556 end: 593
594end:
557 return ok; 595 return ok;
558#endif 596#endif
559} 597}
560 598
561static int check_name_constraints(X509_STORE_CTX *ctx) 599static int
600check_name_constraints(X509_STORE_CTX *ctx)
562{ 601{
563 X509 *x; 602 X509 *x;
564 int i, j, rv; 603 int i, j, rv;
604
565 /* Check name constraints for all certificates */ 605 /* Check name constraints for all certificates */
566 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { 606 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
567 x = sk_X509_value(ctx->chain, i); 607 x = sk_X509_value(ctx->chain, i);
@@ -581,7 +621,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
581 ctx->error = rv; 621 ctx->error = rv;
582 ctx->error_depth = i; 622 ctx->error_depth = i;
583 ctx->current_cert = x; 623 ctx->current_cert = x;
584 if (!ctx->verify_cb(0,ctx)) 624 if (!ctx->verify_cb(0, ctx))
585 return 0; 625 return 0;
586 } 626 }
587 } 627 }
@@ -590,16 +630,18 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
590 return 1; 630 return 1;
591} 631}
592 632
593static int check_trust(X509_STORE_CTX *ctx) 633static int
634check_trust(X509_STORE_CTX *ctx)
594{ 635{
595#ifdef OPENSSL_NO_CHAIN_VERIFY 636#ifdef OPENSSL_NO_CHAIN_VERIFY
596 return 1; 637 return 1;
597#else 638#else
598 int i, ok; 639 int i, ok;
599 X509 *x; 640 X509 *x;
600 int (*cb)(int xok,X509_STORE_CTX *xctx); 641 int (*cb)(int xok, X509_STORE_CTX *xctx);
601 cb=ctx->verify_cb; 642
602/* For now just check the last certificate in the chain */ 643 cb = ctx->verify_cb;
644 /* For now just check the last certificate in the chain */
603 i = sk_X509_num(ctx->chain) - 1; 645 i = sk_X509_num(ctx->chain) - 1;
604 x = sk_X509_value(ctx->chain, i); 646 x = sk_X509_value(ctx->chain, i);
605 ok = X509_check_trust(x, ctx->param->trust, 0); 647 ok = X509_check_trust(x, ctx->param->trust, 0);
@@ -616,9 +658,11 @@ static int check_trust(X509_STORE_CTX *ctx)
616#endif 658#endif
617} 659}
618 660
619static int check_revocation(X509_STORE_CTX *ctx) 661static int
662check_revocation(X509_STORE_CTX *ctx)
620{ 663{
621 int i, last, ok; 664 int i, last, ok;
665
622 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) 666 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
623 return 1; 667 return 1;
624 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) 668 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
@@ -629,19 +673,23 @@ static int check_revocation(X509_STORE_CTX *ctx)
629 return 1; 673 return 1;
630 last = 0; 674 last = 0;
631 } 675 }
632 for(i = 0; i <= last; i++) { 676 for (i = 0; i <= last; i++) {
633 ctx->error_depth = i; 677 ctx->error_depth = i;
634 ok = check_cert(ctx); 678 ok = check_cert(ctx);
635 if (!ok) return ok; 679 if (!ok)
680 return ok;
636 } 681 }
637 return 1; 682 return 1;
638} 683}
639 684
640static int check_cert(X509_STORE_CTX *ctx) { 685static int
686check_cert(X509_STORE_CTX *ctx)
687{
641 X509_CRL *crl = NULL, *dcrl = NULL; 688 X509_CRL *crl = NULL, *dcrl = NULL;
642 X509 *x; 689 X509 *x;
643 int ok, cnum; 690 int ok, cnum;
644 unsigned int last_reasons; 691 unsigned int last_reasons;
692
645 cnum = ctx->error_depth; 693 cnum = ctx->error_depth;
646 x = sk_X509_value(ctx->chain, cnum); 694 x = sk_X509_value(ctx->chain, cnum);
647 ctx->current_cert = x; 695 ctx->current_cert = x;
@@ -658,7 +706,7 @@ static int check_cert(X509_STORE_CTX *ctx) {
658 /* If error looking up CRL, nothing we can do except 706 /* If error looking up CRL, nothing we can do except
659 * notify callback 707 * notify callback
660 */ 708 */
661 if(!ok) { 709 if (!ok) {
662 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 710 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
663 ok = ctx->verify_cb(0, ctx); 711 ok = ctx->verify_cb(0, ctx);
664 goto err; 712 goto err;
@@ -698,21 +746,23 @@ static int check_cert(X509_STORE_CTX *ctx) {
698 goto err; 746 goto err;
699 } 747 }
700 } 748 }
749
701err: 750err:
702 X509_CRL_free(crl); 751 X509_CRL_free(crl);
703 X509_CRL_free(dcrl); 752 X509_CRL_free(dcrl);
704 753
705 ctx->current_crl = NULL; 754 ctx->current_crl = NULL;
706 return ok; 755 return ok;
707
708} 756}
709 757
710/* Check CRL times against values in X509_STORE_CTX */ 758/* Check CRL times against values in X509_STORE_CTX */
711 759
712static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) 760static int
761check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
713{ 762{
714 time_t *ptime; 763 time_t *ptime;
715 int i; 764 int i;
765
716 if (notify) 766 if (notify)
717 ctx->current_crl = crl; 767 ctx->current_crl = crl;
718 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) 768 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
@@ -720,11 +770,11 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
720 else 770 else
721 ptime = NULL; 771 ptime = NULL;
722 772
723 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); 773 i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
724 if (i == 0) { 774 if (i == 0) {
725 if (!notify) 775 if (!notify)
726 return 0; 776 return 0;
727 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; 777 ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
728 if (!ctx->verify_cb(0, ctx)) 778 if (!ctx->verify_cb(0, ctx))
729 return 0; 779 return 0;
730 } 780 }
@@ -732,26 +782,27 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
732 if (i > 0) { 782 if (i > 0) {
733 if (!notify) 783 if (!notify)
734 return 0; 784 return 0;
735 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; 785 ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
736 if (!ctx->verify_cb(0, ctx)) 786 if (!ctx->verify_cb(0, ctx))
737 return 0; 787 return 0;
738 } 788 }
739 789
740 if(X509_CRL_get_nextUpdate(crl)) { 790 if (X509_CRL_get_nextUpdate(crl)) {
741 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); 791 i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
742 792
743 if (i == 0) { 793 if (i == 0) {
744 if (!notify) 794 if (!notify)
745 return 0; 795 return 0;
746 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; 796 ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
747 if (!ctx->verify_cb(0, ctx)) 797 if (!ctx->verify_cb(0, ctx))
748 return 0; 798 return 0;
749 } 799 }
750 /* Ignore expiry of base CRL is delta is valid */ 800 /* Ignore expiry of base CRL is delta is valid */
751 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { 801 if ((i < 0) &&
802 !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
752 if (!notify) 803 if (!notify)
753 return 0; 804 return 0;
754 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; 805 ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
755 if (!ctx->verify_cb(0, ctx)) 806 if (!ctx->verify_cb(0, ctx))
756 return 0; 807 return 0;
757 } 808 }
@@ -763,9 +814,10 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
763 return 1; 814 return 1;
764} 815}
765 816
766static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, 817static int
767 X509 **pissuer, int *pscore, unsigned int *preasons, 818get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
768 STACK_OF(X509_CRL) *crls) 819 X509 **pissuer, int *pscore, unsigned int *preasons,
820 STACK_OF(X509_CRL) *crls)
769{ 821{
770 int i, crl_score, best_score = *pscore; 822 int i, crl_score, best_score = *pscore;
771 unsigned int reasons, best_reasons = 0; 823 unsigned int reasons, best_reasons = 0;
@@ -811,10 +863,12 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
811 * both present or both absent. If both present all fields must be identical. 863 * both present or both absent. If both present all fields must be identical.
812 */ 864 */
813 865
814static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) 866static int
867crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
815{ 868{
816 ASN1_OCTET_STRING *exta, *extb; 869 ASN1_OCTET_STRING *exta, *extb;
817 int i; 870 int i;
871
818 i = X509_CRL_get_ext_by_NID(a, nid, -1); 872 i = X509_CRL_get_ext_by_NID(a, nid, -1);
819 if (i >= 0) { 873 if (i >= 0) {
820 /* Can't have multiple occurrences */ 874 /* Can't have multiple occurrences */
@@ -827,7 +881,6 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
827 i = X509_CRL_get_ext_by_NID(b, nid, -1); 881 i = X509_CRL_get_ext_by_NID(b, nid, -1);
828 882
829 if (i >= 0) { 883 if (i >= 0) {
830
831 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) 884 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
832 return 0; 885 return 0;
833 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); 886 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
@@ -840,7 +893,6 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
840 if (!exta || !extb) 893 if (!exta || !extb)
841 return 0; 894 return 0;
842 895
843
844 if (ASN1_OCTET_STRING_cmp(exta, extb)) 896 if (ASN1_OCTET_STRING_cmp(exta, extb))
845 return 0; 897 return 0;
846 898
@@ -849,29 +901,30 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
849 901
850/* See if a base and delta are compatible */ 902/* See if a base and delta are compatible */
851 903
852static int check_delta_base(X509_CRL *delta, X509_CRL *base) 904static int
905check_delta_base(X509_CRL *delta, X509_CRL *base)
853{ 906{
854 /* Delta CRL must be a delta */ 907 /* Delta CRL must be a delta */
855 if (!delta->base_crl_number) 908 if (!delta->base_crl_number)
856 return 0; 909 return 0;
857 /* Base must have a CRL number */ 910 /* Base must have a CRL number */
858 if (!base->crl_number) 911 if (!base->crl_number)
859 return 0; 912 return 0;
860 /* Issuer names must match */ 913 /* Issuer names must match */
861 if (X509_NAME_cmp(X509_CRL_get_issuer(base), 914 if (X509_NAME_cmp(X509_CRL_get_issuer(base),
862 X509_CRL_get_issuer(delta))) 915 X509_CRL_get_issuer(delta)))
863 return 0; 916 return 0;
864 /* AKID and IDP must match */ 917 /* AKID and IDP must match */
865 if (!crl_extension_match(delta, base, NID_authority_key_identifier)) 918 if (!crl_extension_match(delta, base, NID_authority_key_identifier))
866 return 0; 919 return 0;
867 if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) 920 if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
868 return 0; 921 return 0;
869 /* Delta CRL base number must not exceed Full CRL number. */ 922 /* Delta CRL base number must not exceed Full CRL number. */
870 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) 923 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
871 return 0; 924 return 0;
872 /* Delta CRL number must exceed full CRL number */ 925 /* Delta CRL number must exceed full CRL number */
873 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) 926 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
874 return 1; 927 return 1;
875 return 0; 928 return 0;
876} 929}
877 930
@@ -879,11 +932,13 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
879 * or retrieve a chain of deltas... 932 * or retrieve a chain of deltas...
880 */ 933 */
881 934
882static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, 935static void
883 X509_CRL *base, STACK_OF(X509_CRL) *crls) 936get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base,
937 STACK_OF(X509_CRL) *crls)
884{ 938{
885 X509_CRL *delta; 939 X509_CRL *delta;
886 int i; 940 int i;
941
887 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) 942 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
888 return; 943 return;
889 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) 944 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
@@ -908,11 +963,10 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
908 * no new reasons the CRL is rejected, otherwise reasons is updated. 963 * no new reasons the CRL is rejected, otherwise reasons is updated.
909 */ 964 */
910 965
911static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 966static int
912 unsigned int *preasons, 967get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons,
913 X509_CRL *crl, X509 *x) 968 X509_CRL *crl, X509 *x)
914{ 969{
915
916 int crl_score = 0; 970 int crl_score = 0;
917 unsigned int tmp_reasons = *preasons, crl_reasons; 971 unsigned int tmp_reasons = *preasons, crl_reasons;
918 972
@@ -968,11 +1022,11 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
968 *preasons = tmp_reasons; 1022 *preasons = tmp_reasons;
969 1023
970 return crl_score; 1024 return crl_score;
971
972} 1025}
973 1026
974static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, 1027static void
975 X509 **pissuer, int *pcrl_score) 1028crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
1029 int *pcrl_score)
976{ 1030{
977 X509 *crl_issuer = NULL; 1031 X509 *crl_issuer = NULL;
978 X509_NAME *cnm = X509_CRL_get_issuer(crl); 1032 X509_NAME *cnm = X509_CRL_get_issuer(crl);
@@ -1026,14 +1080,16 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1026/* Check the path of a CRL issuer certificate. This creates a new 1080/* Check the path of a CRL issuer certificate. This creates a new
1027 * X509_STORE_CTX and populates it with most of the parameters from the 1081 * X509_STORE_CTX and populates it with most of the parameters from the
1028 * parent. This could be optimised somewhat since a lot of path checking 1082 * parent. This could be optimised somewhat since a lot of path checking
1029 * will be duplicated by the parent, but this will rarely be used in 1083 * will be duplicated by the parent, but this will rarely be used in
1030 * practice. 1084 * practice.
1031 */ 1085 */
1032 1086
1033static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) 1087static int
1088check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1034{ 1089{
1035 X509_STORE_CTX crl_ctx; 1090 X509_STORE_CTX crl_ctx;
1036 int ret; 1091 int ret;
1092
1037 /* Don't allow recursive CRL path validation */ 1093 /* Don't allow recursive CRL path validation */
1038 if (ctx->parent) 1094 if (ctx->parent)
1039 return 0; 1095 return 0;
@@ -1054,9 +1110,9 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1054 goto err; 1110 goto err;
1055 1111
1056 /* Check chain is acceptable */ 1112 /* Check chain is acceptable */
1057
1058 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); 1113 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1059 err: 1114
1115err:
1060 X509_STORE_CTX_cleanup(&crl_ctx); 1116 X509_STORE_CTX_cleanup(&crl_ctx);
1061 return ret; 1117 return ret;
1062} 1118}
@@ -1069,11 +1125,12 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1069 * until this is resolved we use the RFC5280 version 1125 * until this is resolved we use the RFC5280 version
1070 */ 1126 */
1071 1127
1072static int check_crl_chain(X509_STORE_CTX *ctx, 1128static int
1073 STACK_OF(X509) *cert_path, 1129check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
1074 STACK_OF(X509) *crl_path) 1130 STACK_OF(X509) *crl_path)
1075{ 1131{
1076 X509 *cert_ta, *crl_ta; 1132 X509 *cert_ta, *crl_ta;
1133
1077 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); 1134 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1078 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); 1135 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1079 if (!X509_cmp(cert_ta, crl_ta)) 1136 if (!X509_cmp(cert_ta, crl_ta))
@@ -1088,13 +1145,14 @@ static int check_crl_chain(X509_STORE_CTX *ctx,
1088 * 4. One is NULL: automatic match. 1145 * 4. One is NULL: automatic match.
1089 */ 1146 */
1090 1147
1091 1148static int
1092static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) 1149idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1093{ 1150{
1094 X509_NAME *nm = NULL; 1151 X509_NAME *nm = NULL;
1095 GENERAL_NAMES *gens = NULL; 1152 GENERAL_NAMES *gens = NULL;
1096 GENERAL_NAME *gena, *genb; 1153 GENERAL_NAME *gena, *genb;
1097 int i, j; 1154 int i, j;
1155
1098 if (!a || !b) 1156 if (!a || !b)
1099 return 1; 1157 return 1;
1100 if (a->type == 1) { 1158 if (a->type == 1) {
@@ -1123,7 +1181,7 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1123 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ 1181 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1124 if (nm) { 1182 if (nm) {
1125 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { 1183 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1126 gena = sk_GENERAL_NAME_value(gens, i); 1184 gena = sk_GENERAL_NAME_value(gens, i);
1127 if (gena->type != GEN_DIRNAME) 1185 if (gena->type != GEN_DIRNAME)
1128 continue; 1186 continue;
1129 if (!X509_NAME_cmp(nm, gena->d.directoryName)) 1187 if (!X509_NAME_cmp(nm, gena->d.directoryName))
@@ -1144,13 +1202,14 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1144 } 1202 }
1145 1203
1146 return 0; 1204 return 0;
1147
1148} 1205}
1149 1206
1150static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) 1207static int
1208crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1151{ 1209{
1152 int i; 1210 int i;
1153 X509_NAME *nm = X509_CRL_get_issuer(crl); 1211 X509_NAME *nm = X509_CRL_get_issuer(crl);
1212
1154 /* If no CRLissuer return is successful iff don't need a match */ 1213 /* If no CRLissuer return is successful iff don't need a match */
1155 if (!dp->CRLissuer) 1214 if (!dp->CRLissuer)
1156 return !!(crl_score & CRL_SCORE_ISSUER_NAME); 1215 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
@@ -1166,10 +1225,11 @@ static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1166 1225
1167/* Check CRLDP and IDP */ 1226/* Check CRLDP and IDP */
1168 1227
1169static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 1228static int
1170 unsigned int *preasons) 1229crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons)
1171{ 1230{
1172 int i; 1231 int i;
1232
1173 if (crl->idp_flags & IDP_ONLYATTR) 1233 if (crl->idp_flags & IDP_ONLYATTR)
1174 return 0; 1234 return 0;
1175 if (x->ex_flags & EXFLAG_CA) { 1235 if (x->ex_flags & EXFLAG_CA) {
@@ -1184,13 +1244,14 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1184 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); 1244 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1185 if (crldp_check_crlissuer(dp, crl, crl_score)) { 1245 if (crldp_check_crlissuer(dp, crl, crl_score)) {
1186 if (!crl->idp || 1246 if (!crl->idp ||
1187 idp_check_dp(dp->distpoint, crl->idp->distpoint)) { 1247 idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1188 *preasons &= dp->dp_reasons; 1248 *preasons &= dp->dp_reasons;
1189 return 1; 1249 return 1;
1190 } 1250 }
1191 } 1251 }
1192 } 1252 }
1193 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) 1253 if ((!crl->idp || !crl->idp->distpoint) &&
1254 (crl_score & CRL_SCORE_ISSUER_NAME))
1194 return 1; 1255 return 1;
1195 return 0; 1256 return 0;
1196} 1257}
@@ -1198,9 +1259,9 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1198/* Retrieve CRL corresponding to current certificate. 1259/* Retrieve CRL corresponding to current certificate.
1199 * If deltas enabled try to find a delta CRL too 1260 * If deltas enabled try to find a delta CRL too
1200 */ 1261 */
1201 1262
1202static int get_crl_delta(X509_STORE_CTX *ctx, 1263static int
1203 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) 1264get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1204{ 1265{
1205 int ok; 1266 int ok;
1206 X509 *issuer = NULL; 1267 X509 *issuer = NULL;
@@ -1209,15 +1270,14 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1209 X509_CRL *crl = NULL, *dcrl = NULL; 1270 X509_CRL *crl = NULL, *dcrl = NULL;
1210 STACK_OF(X509_CRL) *skcrl; 1271 STACK_OF(X509_CRL) *skcrl;
1211 X509_NAME *nm = X509_get_issuer_name(x); 1272 X509_NAME *nm = X509_get_issuer_name(x);
1212 reasons = ctx->current_reasons;
1213 ok = get_crl_sk(ctx, &crl, &dcrl,
1214 &issuer, &crl_score, &reasons, ctx->crls);
1215 1273
1274 reasons = ctx->current_reasons;
1275 ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons,
1276 ctx->crls);
1216 if (ok) 1277 if (ok)
1217 goto done; 1278 goto done;
1218 1279
1219 /* Lookup CRLs from store */ 1280 /* Lookup CRLs from store */
1220
1221 skcrl = ctx->lookup_crls(ctx, nm); 1281 skcrl = ctx->lookup_crls(ctx, nm);
1222 1282
1223 /* If no CRLs found and a near match from get_crl_sk use that */ 1283 /* If no CRLs found and a near match from get_crl_sk use that */
@@ -1228,7 +1288,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1228 1288
1229 sk_X509_CRL_pop_free(skcrl, X509_CRL_free); 1289 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1230 1290
1231 done: 1291done:
1232 1292
1233 /* If we got any kind of CRL use it and return success */ 1293 /* If we got any kind of CRL use it and return success */
1234 if (crl) { 1294 if (crl) {
@@ -1244,11 +1304,13 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1244} 1304}
1245 1305
1246/* Check CRL validity */ 1306/* Check CRL validity */
1247static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) 1307static int
1308check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1248{ 1309{
1249 X509 *issuer = NULL; 1310 X509 *issuer = NULL;
1250 EVP_PKEY *ikey = NULL; 1311 EVP_PKEY *ikey = NULL;
1251 int ok = 0, chnum, cnum; 1312 int ok = 0, chnum, cnum;
1313
1252 cnum = ctx->error_depth; 1314 cnum = ctx->error_depth;
1253 chnum = sk_X509_num(ctx->chain) - 1; 1315 chnum = sk_X509_num(ctx->chain) - 1;
1254 /* if we have an alternative CRL issuer cert use that */ 1316 /* if we have an alternative CRL issuer cert use that */
@@ -1262,44 +1324,50 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1262 } else { 1324 } else {
1263 issuer = sk_X509_value(ctx->chain, chnum); 1325 issuer = sk_X509_value(ctx->chain, chnum);
1264 /* If not self signed, can't check signature */ 1326 /* If not self signed, can't check signature */
1265 if(!ctx->check_issued(ctx, issuer, issuer)) { 1327 if (!ctx->check_issued(ctx, issuer, issuer)) {
1266 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; 1328 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1267 ok = ctx->verify_cb(0, ctx); 1329 ok = ctx->verify_cb(0, ctx);
1268 if(!ok) goto err; 1330 if (!ok)
1331 goto err;
1269 } 1332 }
1270 } 1333 }
1271 1334
1272 if(issuer) { 1335 if (issuer) {
1273 /* Skip most tests for deltas because they have already 1336 /* Skip most tests for deltas because they have already
1274 * been done 1337 * been done
1275 */ 1338 */
1276 if (!crl->base_crl_number) { 1339 if (!crl->base_crl_number) {
1277 /* Check for cRLSign bit if keyUsage present */ 1340 /* Check for cRLSign bit if keyUsage present */
1278 if ((issuer->ex_flags & EXFLAG_KUSAGE) && 1341 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1279 !(issuer->ex_kusage & KU_CRL_SIGN)) { 1342 !(issuer->ex_kusage & KU_CRL_SIGN)) {
1280 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; 1343 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1281 ok = ctx->verify_cb(0, ctx); 1344 ok = ctx->verify_cb(0, ctx);
1282 if(!ok) goto err; 1345 if (!ok)
1346 goto err;
1283 } 1347 }
1284 1348
1285 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { 1349 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1286 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; 1350 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1287 ok = ctx->verify_cb(0, ctx); 1351 ok = ctx->verify_cb(0, ctx);
1288 if(!ok) goto err; 1352 if (!ok)
1353 goto err;
1289 } 1354 }
1290 1355
1291 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { 1356 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1292 if (check_crl_path(ctx, ctx->current_issuer) <= 0) { 1357 if (check_crl_path(ctx,
1358 ctx->current_issuer) <= 0) {
1293 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; 1359 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1294 ok = ctx->verify_cb(0, ctx); 1360 ok = ctx->verify_cb(0, ctx);
1295 if(!ok) goto err; 1361 if (!ok)
1362 goto err;
1296 } 1363 }
1297 } 1364 }
1298 1365
1299 if (crl->idp_flags & IDP_INVALID) { 1366 if (crl->idp_flags & IDP_INVALID) {
1300 ctx->error = X509_V_ERR_INVALID_EXTENSION; 1367 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1301 ok = ctx->verify_cb(0, ctx); 1368 ok = ctx->verify_cb(0, ctx);
1302 if(!ok) goto err; 1369 if (!ok)
1370 goto err;
1303 } 1371 }
1304 1372
1305 1373
@@ -1314,16 +1382,18 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1314 /* Attempt to get issuer certificate public key */ 1382 /* Attempt to get issuer certificate public key */
1315 ikey = X509_get_pubkey(issuer); 1383 ikey = X509_get_pubkey(issuer);
1316 1384
1317 if(!ikey) { 1385 if (!ikey) {
1318 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1386 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1319 ok = ctx->verify_cb(0, ctx); 1387 ok = ctx->verify_cb(0, ctx);
1320 if (!ok) goto err; 1388 if (!ok)
1389 goto err;
1321 } else { 1390 } else {
1322 /* Verify CRL signature */ 1391 /* Verify CRL signature */
1323 if(X509_CRL_verify(crl, ikey) <= 0) { 1392 if (X509_CRL_verify(crl, ikey) <= 0) {
1324 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; 1393 ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1325 ok = ctx->verify_cb(0, ctx); 1394 ok = ctx->verify_cb(0, ctx);
1326 if (!ok) goto err; 1395 if (!ok)
1396 goto err;
1327 } 1397 }
1328 } 1398 }
1329 } 1399 }
@@ -1336,20 +1406,22 @@ err:
1336} 1406}
1337 1407
1338/* Check certificate against CRL */ 1408/* Check certificate against CRL */
1339static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) 1409static int
1410cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1340{ 1411{
1341 int ok; 1412 int ok;
1342 X509_REVOKED *rev; 1413 X509_REVOKED *rev;
1414
1343 /* The rules changed for this... previously if a CRL contained 1415 /* The rules changed for this... previously if a CRL contained
1344 * unhandled critical extensions it could still be used to indicate 1416 * unhandled critical extensions it could still be used to indicate
1345 * a certificate was revoked. This has since been changed since 1417 * a certificate was revoked. This has since been changed since
1346 * critical extension can change the meaning of CRL entries. 1418 * critical extension can change the meaning of CRL entries.
1347 */ 1419 */
1348 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 1420 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
1349 && (crl->flags & EXFLAG_CRITICAL)) { 1421 (crl->flags & EXFLAG_CRITICAL)) {
1350 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; 1422 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1351 ok = ctx->verify_cb(0, ctx); 1423 ok = ctx->verify_cb(0, ctx);
1352 if(!ok) 1424 if (!ok)
1353 return 0; 1425 return 0;
1354 } 1426 }
1355 /* Look for serial number of certificate in CRL 1427 /* Look for serial number of certificate in CRL
@@ -1367,15 +1439,17 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1367 return 1; 1439 return 1;
1368} 1440}
1369 1441
1370static int check_policy(X509_STORE_CTX *ctx) 1442static int
1443check_policy(X509_STORE_CTX *ctx)
1371{ 1444{
1372 int ret; 1445 int ret;
1446
1373 if (ctx->parent) 1447 if (ctx->parent)
1374 return 1; 1448 return 1;
1375 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, 1449 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1376 ctx->param->policies, ctx->param->flags); 1450 ctx->param->policies, ctx->param->flags);
1377 if (ret == 0) { 1451 if (ret == 0) {
1378 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); 1452 X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
1379 return 0; 1453 return 0;
1380 } 1454 }
1381 /* Invalid or inconsistent extensions */ 1455 /* Invalid or inconsistent extensions */
@@ -1391,7 +1465,7 @@ static int check_policy(X509_STORE_CTX *ctx)
1391 continue; 1465 continue;
1392 ctx->current_cert = x; 1466 ctx->current_cert = x;
1393 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; 1467 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1394 if(!ctx->verify_cb(0, ctx)) 1468 if (!ctx->verify_cb(0, ctx))
1395 return 0; 1469 return 0;
1396 } 1470 }
1397 return 1; 1471 return 1;
@@ -1412,7 +1486,8 @@ static int check_policy(X509_STORE_CTX *ctx)
1412 return 1; 1486 return 1;
1413} 1487}
1414 1488
1415static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) 1489static int
1490check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1416{ 1491{
1417 time_t *ptime; 1492 time_t *ptime;
1418 int i; 1493 int i;
@@ -1422,32 +1497,32 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1422 else 1497 else
1423 ptime = NULL; 1498 ptime = NULL;
1424 1499
1425 i=X509_cmp_time(X509_get_notBefore(x), ptime); 1500 i = X509_cmp_time(X509_get_notBefore(x), ptime);
1426 if (i == 0) { 1501 if (i == 0) {
1427 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 1502 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1428 ctx->current_cert=x; 1503 ctx->current_cert = x;
1429 if (!ctx->verify_cb(0, ctx)) 1504 if (!ctx->verify_cb(0, ctx))
1430 return 0; 1505 return 0;
1431 } 1506 }
1432 1507
1433 if (i > 0) { 1508 if (i > 0) {
1434 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; 1509 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1435 ctx->current_cert=x; 1510 ctx->current_cert = x;
1436 if (!ctx->verify_cb(0, ctx)) 1511 if (!ctx->verify_cb(0, ctx))
1437 return 0; 1512 return 0;
1438 } 1513 }
1439 1514
1440 i=X509_cmp_time(X509_get_notAfter(x), ptime); 1515 i = X509_cmp_time(X509_get_notAfter(x), ptime);
1441 if (i == 0) { 1516 if (i == 0) {
1442 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; 1517 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1443 ctx->current_cert=x; 1518 ctx->current_cert = x;
1444 if (!ctx->verify_cb(0, ctx)) 1519 if (!ctx->verify_cb(0, ctx))
1445 return 0; 1520 return 0;
1446 } 1521 }
1447 1522
1448 if (i < 0) { 1523 if (i < 0) {
1449 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; 1524 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1450 ctx->current_cert=x; 1525 ctx->current_cert = x;
1451 if (!ctx->verify_cb(0, ctx)) 1526 if (!ctx->verify_cb(0, ctx))
1452 return 0; 1527 return 0;
1453 } 1528 }
@@ -1455,60 +1530,63 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1455 return 1; 1530 return 1;
1456} 1531}
1457 1532
1458static int internal_verify(X509_STORE_CTX *ctx) 1533static int
1534internal_verify(X509_STORE_CTX *ctx)
1459{ 1535{
1460 int ok=0,n; 1536 int ok = 0, n;
1461 X509 *xs,*xi; 1537 X509 *xs, *xi;
1462 EVP_PKEY *pkey=NULL; 1538 EVP_PKEY *pkey = NULL;
1463 int (*cb)(int xok,X509_STORE_CTX *xctx); 1539 int (*cb)(int xok, X509_STORE_CTX *xctx);
1464 1540
1465 cb=ctx->verify_cb; 1541 cb = ctx->verify_cb;
1466 1542
1467 n=sk_X509_num(ctx->chain); 1543 n = sk_X509_num(ctx->chain);
1468 ctx->error_depth=n-1; 1544 ctx->error_depth = n - 1;
1469 n--; 1545 n--;
1470 xi=sk_X509_value(ctx->chain,n); 1546 xi = sk_X509_value(ctx->chain, n);
1471 1547
1472 if (ctx->check_issued(ctx, xi, xi)) 1548 if (ctx->check_issued(ctx, xi, xi))
1473 xs=xi; 1549 xs = xi;
1474 else { 1550 else {
1475 if (n <= 0) { 1551 if (n <= 0) {
1476 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; 1552 ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1477 ctx->current_cert=xi; 1553 ctx->current_cert = xi;
1478 ok=cb(0,ctx); 1554 ok = cb(0, ctx);
1479 goto end; 1555 goto end;
1480 } else { 1556 } else {
1481 n--; 1557 n--;
1482 ctx->error_depth=n; 1558 ctx->error_depth = n;
1483 xs=sk_X509_value(ctx->chain,n); 1559 xs = sk_X509_value(ctx->chain, n);
1484 } 1560 }
1485 } 1561 }
1486 1562
1487/* ctx->error=0; not needed */ 1563/* ctx->error=0; not needed */
1488 while (n >= 0) { 1564 while (n >= 0) {
1489 ctx->error_depth=n; 1565 ctx->error_depth = n;
1490 1566
1491 /* Skip signature check for self signed certificates unless 1567 /* Skip signature check for self signed certificates unless
1492 * explicitly asked for. It doesn't add any security and 1568 * explicitly asked for. It doesn't add any security and
1493 * just wastes time. 1569 * just wastes time.
1494 */ 1570 */
1495 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { 1571 if (!xs->valid && (xs != xi ||
1496 if ((pkey=X509_get_pubkey(xi)) == NULL) { 1572 (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
1497 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1573 if ((pkey = X509_get_pubkey(xi)) == NULL) {
1498 ctx->current_cert=xi; 1574 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1499 ok=(*cb)(0,ctx); 1575 ctx->current_cert = xi;
1500 if (!ok) goto end; 1576 ok = (*cb)(0, ctx);
1501 } else if (X509_verify(xs,pkey) <= 0) { 1577 if (!ok)
1502 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; 1578 goto end;
1503 ctx->current_cert=xs; 1579 } else if (X509_verify(xs, pkey) <= 0) {
1504 ok=(*cb)(0,ctx); 1580 ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
1581 ctx->current_cert = xs;
1582 ok = (*cb)(0, ctx);
1505 if (!ok) { 1583 if (!ok) {
1506 EVP_PKEY_free(pkey); 1584 EVP_PKEY_free(pkey);
1507 goto end; 1585 goto end;
1508 } 1586 }
1509 } 1587 }
1510 EVP_PKEY_free(pkey); 1588 EVP_PKEY_free(pkey);
1511 pkey=NULL; 1589 pkey = NULL;
1512 } 1590 }
1513 1591
1514 xs->valid = 1; 1592 xs->valid = 1;
@@ -1518,200 +1596,225 @@ static int internal_verify(X509_STORE_CTX *ctx)
1518 goto end; 1596 goto end;
1519 1597
1520 /* The last error (if any) is still in the error value */ 1598 /* The last error (if any) is still in the error value */
1521 ctx->current_issuer=xi; 1599 ctx->current_issuer = xi;
1522 ctx->current_cert=xs; 1600 ctx->current_cert = xs;
1523 ok=(*cb)(1,ctx); 1601 ok = (*cb)(1, ctx);
1524 if (!ok) goto end; 1602 if (!ok)
1603 goto end;
1525 1604
1526 n--; 1605 n--;
1527 if (n >= 0) { 1606 if (n >= 0) {
1528 xi=xs; 1607 xi = xs;
1529 xs=sk_X509_value(ctx->chain,n); 1608 xs = sk_X509_value(ctx->chain, n);
1530 } 1609 }
1531 } 1610 }
1532 ok=1; 1611 ok = 1;
1612
1533end: 1613end:
1534 return ok; 1614 return ok;
1535} 1615}
1536 1616
1537int X509_cmp_current_time(const ASN1_TIME *ctm) 1617int
1618X509_cmp_current_time(const ASN1_TIME *ctm)
1538{ 1619{
1539 return X509_cmp_time(ctm, NULL); 1620 return X509_cmp_time(ctm, NULL);
1540} 1621}
1541 1622
1542int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) 1623int
1624X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1543{ 1625{
1544 char *str; 1626 char *str;
1545 ASN1_TIME atm; 1627 ASN1_TIME atm;
1546 long offset; 1628 long offset;
1547 char buff1[24],buff2[24],*p; 1629 char buff1[24], buff2[24], *p;
1548 int i,j; 1630 int i, j;
1549 1631
1550 p=buff1; 1632 p = buff1;
1551 i=ctm->length; 1633 i = ctm->length;
1552 str=(char *)ctm->data; 1634 str = (char *)ctm->data;
1553 if (ctm->type == V_ASN1_UTCTIME) { 1635 if (ctm->type == V_ASN1_UTCTIME) {
1554 if ((i < 11) || (i > 17)) return 0; 1636 if ((i < 11) || (i > 17))
1555 memcpy(p,str,10); 1637 return 0;
1556 p+=10; 1638 memcpy(p, str, 10);
1557 str+=10; 1639 p += 10;
1640 str += 10;
1558 } else { 1641 } else {
1559 if (i < 13) return 0; 1642 if (i < 13)
1560 memcpy(p,str,12); 1643 return 0;
1561 p+=12; 1644 memcpy(p, str, 12);
1562 str+=12; 1645 p += 12;
1646 str += 12;
1563 } 1647 }
1564 1648
1565 if ((*str == 'Z') || (*str == '-') || (*str == '+')) { 1649 if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
1566 *(p++)='0'; 1650 *(p++) = '0';
1567 *(p++)='0'; 1651 *(p++) = '0';
1568 } else { 1652 } else {
1569 *(p++)= *(str++); 1653 *(p++) = *(str++);
1570 *(p++)= *(str++); 1654 *(p++) = *(str++);
1571 /* Skip any fractional seconds... */ 1655 /* Skip any fractional seconds... */
1572 if (*str == '.') { 1656 if (*str == '.') {
1573 str++; 1657 str++;
1574 while ((*str >= '0') && (*str <= '9')) str++; 1658 while ((*str >= '0') && (*str <= '9'))
1659 str++;
1575 } 1660 }
1576
1577 } 1661 }
1578 *(p++)='Z'; 1662 *(p++) = 'Z';
1579 *(p++)='\0'; 1663 *(p++) = '\0';
1580 1664
1581 if (*str == 'Z') 1665 if (*str == 'Z')
1582 offset=0; 1666 offset = 0;
1583 else { 1667 else {
1584 if ((*str != '+') && (*str != '-')) 1668 if ((*str != '+') && (*str != '-'))
1585 return 0; 1669 return 0;
1586 offset=((str[1]-'0')*10+(str[2]-'0'))*60; 1670 offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
1587 offset+=(str[3]-'0')*10+(str[4]-'0'); 1671 offset += (str[3] - '0') * 10 + (str[4] - '0');
1588 if (*str == '-') 1672 if (*str == '-')
1589 offset= -offset; 1673 offset = -offset;
1590 } 1674 }
1591 atm.type=ctm->type; 1675 atm.type = ctm->type;
1592 atm.flags = 0; 1676 atm.flags = 0;
1593 atm.length=sizeof(buff2); 1677 atm.length = sizeof(buff2);
1594 atm.data=(unsigned char *)buff2; 1678 atm.data = (unsigned char *)buff2;
1595 1679
1596 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) 1680 if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL)
1597 return 0; 1681 return 0;
1598 1682
1599 if (ctm->type == V_ASN1_UTCTIME) { 1683 if (ctm->type == V_ASN1_UTCTIME) {
1600 i=(buff1[0]-'0')*10+(buff1[1]-'0'); 1684 i = (buff1[0] - '0') * 10 + (buff1[1] - '0');
1601 if (i < 50) i+=100; /* cf. RFC 2459 */ 1685 if (i < 50)
1602 j=(buff2[0]-'0')*10+(buff2[1]-'0'); 1686 i += 100; /* cf. RFC 2459 */
1603 if (j < 50) j+=100; 1687 j = (buff2[0] - '0') * 10 + (buff2[1] - '0');
1604 1688 if (j < 50)
1605 if (i < j) return -1; 1689 j += 100;
1606 if (i > j) return 1; 1690 if (i < j)
1691 return -1;
1692 if (i > j)
1693 return 1;
1607 } 1694 }
1608 i=strcmp(buff1,buff2); 1695 i = strcmp(buff1, buff2);
1609 if (i == 0) /* wait a second then return younger :-) */ 1696 if (i == 0) /* wait a second then return younger :-) */
1610 return -1; 1697 return -1;
1611 else 1698 else
1612 return i; 1699 return i;
1613} 1700}
1614 1701
1615ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) 1702ASN1_TIME *
1703X509_gmtime_adj(ASN1_TIME *s, long adj)
1616{ 1704{
1617 return X509_time_adj(s, adj, NULL); 1705 return X509_time_adj(s, adj, NULL);
1618} 1706}
1619 1707
1620ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) 1708ASN1_TIME *
1709X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1621{ 1710{
1622 return X509_time_adj_ex(s, 0, offset_sec, in_tm); 1711 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1623} 1712}
1624 1713
1625ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, 1714ASN1_TIME *
1626 int offset_day, long offset_sec, time_t *in_tm) 1715X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm)
1627{ 1716{
1628 time_t t; 1717 time_t t;
1629 1718
1630 if (in_tm) t = *in_tm; 1719 if (in_tm)
1631 else time(&t); 1720 t = *in_tm;
1721 else
1722 time(&t);
1632 1723
1633 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) { 1724 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
1634 if (s->type == V_ASN1_UTCTIME) 1725 if (s->type == V_ASN1_UTCTIME)
1635 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); 1726 return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);
1636 if (s->type == V_ASN1_GENERALIZEDTIME) 1727 if (s->type == V_ASN1_GENERALIZEDTIME)
1637 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, 1728 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1638 offset_sec); 1729 offset_sec);
1639 } 1730 }
1640 return ASN1_TIME_adj(s, t, offset_day, offset_sec); 1731 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1641} 1732}
1642 1733
1643int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) 1734int
1735X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1644{ 1736{
1645 EVP_PKEY *ktmp=NULL,*ktmp2; 1737 EVP_PKEY *ktmp = NULL, *ktmp2;
1646 int i,j; 1738 int i, j;
1647 1739
1648 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; 1740 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))
1741 return 1;
1649 1742
1650 for (i=0; i<sk_X509_num(chain); i++) { 1743 for (i = 0; i < sk_X509_num(chain); i++) {
1651 ktmp=X509_get_pubkey(sk_X509_value(chain,i)); 1744 ktmp = X509_get_pubkey(sk_X509_value(chain, i));
1652 if (ktmp == NULL) { 1745 if (ktmp == NULL) {
1653 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); 1746 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
1747 X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1654 return 0; 1748 return 0;
1655 } 1749 }
1656 if (!EVP_PKEY_missing_parameters(ktmp)) 1750 if (!EVP_PKEY_missing_parameters(ktmp))
1657 break; 1751 break;
1658 else { 1752 else {
1659 EVP_PKEY_free(ktmp); 1753 EVP_PKEY_free(ktmp);
1660 ktmp=NULL; 1754 ktmp = NULL;
1661 } 1755 }
1662 } 1756 }
1663 if (ktmp == NULL) { 1757 if (ktmp == NULL) {
1664 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); 1758 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
1759 X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1665 return 0; 1760 return 0;
1666 } 1761 }
1667 1762
1668 /* first, populate the other certs */ 1763 /* first, populate the other certs */
1669 for (j=i-1; j >= 0; j--) { 1764 for (j = i - 1; j >= 0; j--) {
1670 ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); 1765 ktmp2 = X509_get_pubkey(sk_X509_value(chain, j));
1671 EVP_PKEY_copy_parameters(ktmp2,ktmp); 1766 EVP_PKEY_copy_parameters(ktmp2, ktmp);
1672 EVP_PKEY_free(ktmp2); 1767 EVP_PKEY_free(ktmp2);
1673 } 1768 }
1674 1769
1675 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); 1770 if (pkey != NULL)
1771 EVP_PKEY_copy_parameters(pkey, ktmp);
1676 EVP_PKEY_free(ktmp); 1772 EVP_PKEY_free(ktmp);
1677 return 1; 1773 return 1;
1678} 1774}
1679 1775
1680int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1776int
1681 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 1777X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1778 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1682{ 1779{
1683 /* This function is (usually) called only once, by 1780 /* This function is (usually) called only once, by
1684 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ 1781 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1685 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, 1782 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX,
1686 new_func, dup_func, free_func); 1783 argl, argp, new_func, dup_func, free_func);
1687} 1784}
1688 1785
1689int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) 1786int
1787X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1690{ 1788{
1691 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); 1789 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
1692} 1790}
1693 1791
1694void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) 1792void *
1793X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1695{ 1794{
1696 return CRYPTO_get_ex_data(&ctx->ex_data,idx); 1795 return CRYPTO_get_ex_data(&ctx->ex_data, idx);
1697} 1796}
1698 1797
1699int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) 1798int
1799X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1700{ 1800{
1701 return ctx->error; 1801 return ctx->error;
1702} 1802}
1703 1803
1704void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) 1804void
1805X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1705{ 1806{
1706 ctx->error=err; 1807 ctx->error = err;
1707} 1808}
1708 1809
1709int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) 1810int
1811X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1710{ 1812{
1711 return ctx->error_depth; 1813 return ctx->error_depth;
1712} 1814}
1713 1815
1714X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) 1816X509 *
1817X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1715{ 1818{
1716 return ctx->current_cert; 1819 return ctx->current_cert;
1717} 1820}
@@ -1726,7 +1829,9 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1726 int i; 1829 int i;
1727 X509 *x; 1830 X509 *x;
1728 STACK_OF(X509) *chain; 1831 STACK_OF(X509) *chain;
1729 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; 1832
1833 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain)))
1834 return NULL;
1730 for (i = 0; i < sk_X509_num(chain); i++) { 1835 for (i = 0; i < sk_X509_num(chain); i++) {
1731 x = sk_X509_value(chain, i); 1836 x = sk_X509_value(chain, i);
1732 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1837 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
@@ -1734,42 +1839,50 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1734 return chain; 1839 return chain;
1735} 1840}
1736 1841
1737X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) 1842X509 *
1843X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1738{ 1844{
1739 return ctx->current_issuer; 1845 return ctx->current_issuer;
1740} 1846}
1741 1847
1742X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) 1848X509_CRL *
1849X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1743{ 1850{
1744 return ctx->current_crl; 1851 return ctx->current_crl;
1745} 1852}
1746 1853
1747X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) 1854X509_STORE_CTX *
1855X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1748{ 1856{
1749 return ctx->parent; 1857 return ctx->parent;
1750} 1858}
1751 1859
1752void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) 1860void
1861X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1753{ 1862{
1754 ctx->cert=x; 1863 ctx->cert = x;
1755} 1864}
1756 1865
1757void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 1866void
1867X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1758{ 1868{
1759 ctx->untrusted=sk; 1869 ctx->untrusted = sk;
1760} 1870}
1761 1871
1762void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) 1872void
1873X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1763{ 1874{
1764 ctx->crls=sk; 1875 ctx->crls = sk;
1765} 1876}
1766 1877
1767int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) 1878int
1879X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1768{ 1880{
1769 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); 1881 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1770} 1882}
1771 1883
1772int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) 1884int
1885X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1773{ 1886{
1774 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); 1887 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1775} 1888}
@@ -1784,19 +1897,22 @@ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1784 * aren't set then we use the default of SSL client/server. 1897 * aren't set then we use the default of SSL client/server.
1785 */ 1898 */
1786 1899
1787int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, 1900int
1788 int purpose, int trust) 1901X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1902 int purpose, int trust)
1789{ 1903{
1790 int idx; 1904 int idx;
1905
1791 /* If purpose not set use default */ 1906 /* If purpose not set use default */
1792 if (!purpose) purpose = def_purpose; 1907 if (!purpose)
1908 purpose = def_purpose;
1793 /* If we have a purpose then check it is valid */ 1909 /* If we have a purpose then check it is valid */
1794 if (purpose) { 1910 if (purpose) {
1795 X509_PURPOSE *ptmp; 1911 X509_PURPOSE *ptmp;
1796 idx = X509_PURPOSE_get_by_id(purpose); 1912 idx = X509_PURPOSE_get_by_id(purpose);
1797 if (idx == -1) { 1913 if (idx == -1) {
1798 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1914 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1799 X509_R_UNKNOWN_PURPOSE_ID); 1915 X509_R_UNKNOWN_PURPOSE_ID);
1800 return 0; 1916 return 0;
1801 } 1917 }
1802 ptmp = X509_PURPOSE_get0(idx); 1918 ptmp = X509_PURPOSE_get0(idx);
@@ -1804,74 +1920,82 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1804 idx = X509_PURPOSE_get_by_id(def_purpose); 1920 idx = X509_PURPOSE_get_by_id(def_purpose);
1805 if (idx == -1) { 1921 if (idx == -1) {
1806 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1922 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1807 X509_R_UNKNOWN_PURPOSE_ID); 1923 X509_R_UNKNOWN_PURPOSE_ID);
1808 return 0; 1924 return 0;
1809 } 1925 }
1810 ptmp = X509_PURPOSE_get0(idx); 1926 ptmp = X509_PURPOSE_get0(idx);
1811 } 1927 }
1812 /* If trust not set then get from purpose default */ 1928 /* If trust not set then get from purpose default */
1813 if (!trust) trust = ptmp->trust; 1929 if (!trust)
1930 trust = ptmp->trust;
1814 } 1931 }
1815 if (trust) { 1932 if (trust) {
1816 idx = X509_TRUST_get_by_id(trust); 1933 idx = X509_TRUST_get_by_id(trust);
1817 if (idx == -1) { 1934 if (idx == -1) {
1818 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1935 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1819 X509_R_UNKNOWN_TRUST_ID); 1936 X509_R_UNKNOWN_TRUST_ID);
1820 return 0; 1937 return 0;
1821 } 1938 }
1822 } 1939 }
1823 1940
1824 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; 1941 if (purpose && !ctx->param->purpose)
1825 if (trust && !ctx->param->trust) ctx->param->trust = trust; 1942 ctx->param->purpose = purpose;
1943 if (trust && !ctx->param->trust)
1944 ctx->param->trust = trust;
1826 return 1; 1945 return 1;
1827} 1946}
1828 1947
1829X509_STORE_CTX *X509_STORE_CTX_new(void) 1948X509_STORE_CTX *
1949X509_STORE_CTX_new(void)
1830{ 1950{
1831 X509_STORE_CTX *ctx; 1951 X509_STORE_CTX *ctx;
1952
1832 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX)); 1953 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX));
1833 if (!ctx) { 1954 if (!ctx) {
1834 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); 1955 X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE);
1835 return NULL; 1956 return NULL;
1836 } 1957 }
1837 memset(ctx, 0, sizeof(X509_STORE_CTX)); 1958 memset(ctx, 0, sizeof(X509_STORE_CTX));
1838 return ctx; 1959 return ctx;
1839} 1960}
1840 1961
1841void X509_STORE_CTX_free(X509_STORE_CTX *ctx) 1962void
1963X509_STORE_CTX_free(X509_STORE_CTX *ctx)
1842{ 1964{
1843 X509_STORE_CTX_cleanup(ctx); 1965 X509_STORE_CTX_cleanup(ctx);
1844 free(ctx); 1966 free(ctx);
1845} 1967}
1846 1968
1847int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, 1969int
1848 STACK_OF(X509) *chain) 1970X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1971 STACK_OF(X509) *chain)
1849{ 1972{
1850 int ret = 1; 1973 int ret = 1;
1851 ctx->ctx=store; 1974
1852 ctx->current_method=0; 1975 ctx->ctx = store;
1853 ctx->cert=x509; 1976 ctx->current_method = 0;
1854 ctx->untrusted=chain; 1977 ctx->cert = x509;
1978 ctx->untrusted = chain;
1855 ctx->crls = NULL; 1979 ctx->crls = NULL;
1856 ctx->last_untrusted=0; 1980 ctx->last_untrusted = 0;
1857 ctx->other_ctx=NULL; 1981 ctx->other_ctx = NULL;
1858 ctx->valid=0; 1982 ctx->valid = 0;
1859 ctx->chain=NULL; 1983 ctx->chain = NULL;
1860 ctx->error=0; 1984 ctx->error = 0;
1861 ctx->explicit_policy=0; 1985 ctx->explicit_policy = 0;
1862 ctx->error_depth=0; 1986 ctx->error_depth = 0;
1863 ctx->current_cert=NULL; 1987 ctx->current_cert = NULL;
1864 ctx->current_issuer=NULL; 1988 ctx->current_issuer = NULL;
1865 ctx->current_crl=NULL; 1989 ctx->current_crl = NULL;
1866 ctx->current_crl_score=0; 1990 ctx->current_crl_score = 0;
1867 ctx->current_reasons=0; 1991 ctx->current_reasons = 0;
1868 ctx->tree = NULL; 1992 ctx->tree = NULL;
1869 ctx->parent = NULL; 1993 ctx->parent = NULL;
1870 1994
1871 ctx->param = X509_VERIFY_PARAM_new(); 1995 ctx->param = X509_VERIFY_PARAM_new();
1872 1996
1873 if (!ctx->param) { 1997 if (!ctx->param) {
1874 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1998 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
1875 return 0; 1999 return 0;
1876 } 2000 }
1877 2001
@@ -1879,7 +2003,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1879 * use defaults. 2003 * use defaults.
1880 */ 2004 */
1881 2005
1882
1883 if (store) 2006 if (store)
1884 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); 2007 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
1885 else 2008 else
@@ -1893,10 +2016,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1893 2016
1894 if (ret) 2017 if (ret)
1895 ret = X509_VERIFY_PARAM_inherit(ctx->param, 2018 ret = X509_VERIFY_PARAM_inherit(ctx->param,
1896 X509_VERIFY_PARAM_lookup("default")); 2019 X509_VERIFY_PARAM_lookup("default"));
1897 2020
1898 if (ret == 0) { 2021 if (ret == 0) {
1899 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 2022 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
1900 return 0; 2023 return 0;
1901 } 2024 }
1902 2025
@@ -1957,10 +2080,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1957 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a 2080 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
1958 * corresponding "new" here and remove this bogus initialisation. */ 2081 * corresponding "new" here and remove this bogus initialisation. */
1959 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ 2082 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
1960 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, 2083 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
1961 &(ctx->ex_data))) { 2084 &(ctx->ex_data))) {
1962 free(ctx); 2085 free(ctx);
1963 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 2086 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
1964 return 0; 2087 return 0;
1965 } 2088 }
1966 return 1; 2089 return 1;
@@ -1970,64 +2093,75 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1970 * This avoids X509_STORE nastiness where it isn't needed. 2093 * This avoids X509_STORE nastiness where it isn't needed.
1971 */ 2094 */
1972 2095
1973void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2096void
2097X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1974{ 2098{
1975 ctx->other_ctx = sk; 2099 ctx->other_ctx = sk;
1976 ctx->get_issuer = get_issuer_sk; 2100 ctx->get_issuer = get_issuer_sk;
1977} 2101}
1978 2102
1979void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) 2103void
2104X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
1980{ 2105{
1981 if (ctx->cleanup) ctx->cleanup(ctx); 2106 if (ctx->cleanup)
2107 ctx->cleanup(ctx);
1982 if (ctx->param != NULL) { 2108 if (ctx->param != NULL) {
1983 if (ctx->parent == NULL) 2109 if (ctx->parent == NULL)
1984 X509_VERIFY_PARAM_free(ctx->param); 2110 X509_VERIFY_PARAM_free(ctx->param);
1985 ctx->param=NULL; 2111 ctx->param = NULL;
1986 } 2112 }
1987 if (ctx->tree != NULL) { 2113 if (ctx->tree != NULL) {
1988 X509_policy_tree_free(ctx->tree); 2114 X509_policy_tree_free(ctx->tree);
1989 ctx->tree=NULL; 2115 ctx->tree = NULL;
1990 } 2116 }
1991 if (ctx->chain != NULL) { 2117 if (ctx->chain != NULL) {
1992 sk_X509_pop_free(ctx->chain,X509_free); 2118 sk_X509_pop_free(ctx->chain, X509_free);
1993 ctx->chain=NULL; 2119 ctx->chain = NULL;
1994 } 2120 }
1995 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); 2121 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX,
1996 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); 2122 ctx, &(ctx->ex_data));
2123 memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
1997} 2124}
1998 2125
1999void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) 2126void
2127X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2000{ 2128{
2001 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 2129 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2002} 2130}
2003 2131
2004void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) 2132void
2133X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2005{ 2134{
2006 X509_VERIFY_PARAM_set_flags(ctx->param, flags); 2135 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2007} 2136}
2008 2137
2009void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) 2138void
2139X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2010{ 2140{
2011 X509_VERIFY_PARAM_set_time(ctx->param, t); 2141 X509_VERIFY_PARAM_set_time(ctx->param, t);
2012} 2142}
2013 2143
2014void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 2144void
2015 int (*verify_cb)(int, X509_STORE_CTX *)) 2145X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2146 int (*verify_cb)(int, X509_STORE_CTX *))
2016{ 2147{
2017 ctx->verify_cb=verify_cb; 2148 ctx->verify_cb = verify_cb;
2018} 2149}
2019 2150
2020X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) 2151X509_POLICY_TREE *
2152X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2021{ 2153{
2022 return ctx->tree; 2154 return ctx->tree;
2023} 2155}
2024 2156
2025int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) 2157int
2158X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2026{ 2159{
2027 return ctx->explicit_policy; 2160 return ctx->explicit_policy;
2028} 2161}
2029 2162
2030int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) 2163int
2164X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2031{ 2165{
2032 const X509_VERIFY_PARAM *param; 2166 const X509_VERIFY_PARAM *param;
2033 param = X509_VERIFY_PARAM_lookup(name); 2167 param = X509_VERIFY_PARAM_lookup(name);
@@ -2036,12 +2170,14 @@ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2036 return X509_VERIFY_PARAM_inherit(ctx->param, param); 2170 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2037} 2171}
2038 2172
2039X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) 2173X509_VERIFY_PARAM *
2174X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2040{ 2175{
2041 return ctx->param; 2176 return ctx->param;
2042} 2177}
2043 2178
2044void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) 2179void
2180X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2045{ 2181{
2046 if (ctx->param) 2182 if (ctx->param)
2047 X509_VERIFY_PARAM_free(ctx->param); 2183 X509_VERIFY_PARAM_free(ctx->param);
diff --git a/src/lib/libssl/src/crypto/x509/x509_vpm.c b/src/lib/libssl/src/crypto/x509/x509_vpm.c
index 7f0824f75e..f0d2a0902e 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vpm.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vpm.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -67,7 +67,8 @@
67 67
68/* X509_VERIFY_PARAM functions */ 68/* X509_VERIFY_PARAM functions */
69 69
70static void x509_verify_param_zero(X509_VERIFY_PARAM *param) 70static void
71x509_verify_param_zero(X509_VERIFY_PARAM *param)
71{ 72{
72 if (!param) 73 if (!param)
73 return; 74 return;
@@ -84,16 +85,19 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
84 } 85 }
85} 86}
86 87
87X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) 88X509_VERIFY_PARAM *
89X509_VERIFY_PARAM_new(void)
88{ 90{
89 X509_VERIFY_PARAM *param; 91 X509_VERIFY_PARAM *param;
92
90 param = malloc(sizeof(X509_VERIFY_PARAM)); 93 param = malloc(sizeof(X509_VERIFY_PARAM));
91 memset(param, 0, sizeof(X509_VERIFY_PARAM)); 94 memset(param, 0, sizeof(X509_VERIFY_PARAM));
92 x509_verify_param_zero(param); 95 x509_verify_param_zero(param);
93 return param; 96 return param;
94} 97}
95 98
96void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) 99void
100X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
97{ 101{
98 x509_verify_param_zero(param); 102 x509_verify_param_zero(param);
99 free(param); 103 free(param);
@@ -109,7 +113,7 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
109 * for SSL servers or clients but only if the application has not set new 113 * for SSL servers or clients but only if the application has not set new
110 * ones. 114 * ones.
111 * 115 *
112 * The "inh_flags" field determines how this function behaves. 116 * The "inh_flags" field determines how this function behaves.
113 * 117 *
114 * Normally any values which are set in the default are not copied from the 118 * Normally any values which are set in the default are not copied from the
115 * destination and verify flags are ORed together. 119 * destination and verify flags are ORed together.
@@ -141,13 +145,14 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
141#define x509_verify_param_copy(field, def) \ 145#define x509_verify_param_copy(field, def) \
142 if (test_x509_verify_param_copy(field, def)) \ 146 if (test_x509_verify_param_copy(field, def)) \
143 dest->field = src->field 147 dest->field = src->field
144
145 148
146int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, 149
147 const X509_VERIFY_PARAM *src) 150int
151X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src)
148{ 152{
149 unsigned long inh_flags; 153 unsigned long inh_flags;
150 int to_default, to_overwrite; 154 int to_default, to_overwrite;
155
151 if (!src) 156 if (!src)
152 return 1; 157 return 1;
153 inh_flags = dest->inh_flags | src->inh_flags; 158 inh_flags = dest->inh_flags | src->inh_flags;
@@ -193,18 +198,20 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
193 return 1; 198 return 1;
194} 199}
195 200
196int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, 201int
197 const X509_VERIFY_PARAM *from) 202X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from)
198{ 203{
199 unsigned long save_flags = to->inh_flags; 204 unsigned long save_flags = to->inh_flags;
200 int ret; 205 int ret;
206
201 to->inh_flags |= X509_VP_FLAG_DEFAULT; 207 to->inh_flags |= X509_VP_FLAG_DEFAULT;
202 ret = X509_VERIFY_PARAM_inherit(to, from); 208 ret = X509_VERIFY_PARAM_inherit(to, from);
203 to->inh_flags = save_flags; 209 to->inh_flags = save_flags;
204 return ret; 210 return ret;
205} 211}
206 212
207int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) 213int
214X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
208{ 215{
209 if (param->name) 216 if (param->name)
210 free(param->name); 217 free(param->name);
@@ -214,7 +221,8 @@ int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
214 return 0; 221 return 0;
215} 222}
216 223
217int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) 224int
225X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
218{ 226{
219 param->flags |= flags; 227 param->flags |= flags;
220 if (flags & X509_V_FLAG_POLICY_MASK) 228 if (flags & X509_V_FLAG_POLICY_MASK)
@@ -222,39 +230,46 @@ int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
222 return 1; 230 return 1;
223} 231}
224 232
225int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) 233int
234X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
226{ 235{
227 param->flags &= ~flags; 236 param->flags &= ~flags;
228 return 1; 237 return 1;
229} 238}
230 239
231unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) 240unsigned long
241X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
232{ 242{
233 return param->flags; 243 return param->flags;
234} 244}
235 245
236int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) 246int
247X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
237{ 248{
238 return X509_PURPOSE_set(&param->purpose, purpose); 249 return X509_PURPOSE_set(&param->purpose, purpose);
239} 250}
240 251
241int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) 252int
253X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
242{ 254{
243 return X509_TRUST_set(&param->trust, trust); 255 return X509_TRUST_set(&param->trust, trust);
244} 256}
245 257
246void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) 258void
259X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
247{ 260{
248 param->depth = depth; 261 param->depth = depth;
249} 262}
250 263
251void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) 264void
265X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
252{ 266{
253 param->check_time = t; 267 param->check_time = t;
254 param->flags |= X509_V_FLAG_USE_CHECK_TIME; 268 param->flags |= X509_V_FLAG_USE_CHECK_TIME;
255} 269}
256 270
257int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) 271int
272X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
258{ 273{
259 if (!param->policies) { 274 if (!param->policies) {
260 param->policies = sk_ASN1_OBJECT_new_null(); 275 param->policies = sk_ASN1_OBJECT_new_null();
@@ -266,11 +281,13 @@ int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
266 return 1; 281 return 1;
267} 282}
268 283
269int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 284int
270 STACK_OF(ASN1_OBJECT) *policies) 285X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
286 STACK_OF(ASN1_OBJECT) *policies)
271{ 287{
272 int i; 288 int i;
273 ASN1_OBJECT *oid, *doid; 289 ASN1_OBJECT *oid, *doid;
290
274 if (!param) 291 if (!param)
275 return 0; 292 return 0;
276 if (param->policies) 293 if (param->policies)
@@ -299,7 +316,8 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
299 return 1; 316 return 1;
300} 317}
301 318
302int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) 319int
320X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
303{ 321{
304 return param->depth; 322 return param->depth;
305} 323}
@@ -312,80 +330,81 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
312 330
313static const X509_VERIFY_PARAM default_table[] = { 331static const X509_VERIFY_PARAM default_table[] = {
314 { 332 {
315 "default", /* X509 default parameters */ 333 "default", /* X509 default parameters */
316 0, /* Check time */ 334 0, /* Check time */
317 0, /* internal flags */ 335 0, /* internal flags */
318 0, /* flags */ 336 0, /* flags */
319 0, /* purpose */ 337 0, /* purpose */
320 0, /* trust */ 338 0, /* trust */
321 100, /* depth */ 339 100, /* depth */
322 NULL /* policies */ 340 NULL /* policies */
323 }, 341 },
324 { 342 {
325 "pkcs7", /* S/MIME sign parameters */ 343 "pkcs7", /* S/MIME sign parameters */
326 0, /* Check time */ 344 0, /* Check time */
327 0, /* internal flags */ 345 0, /* internal flags */
328 0, /* flags */ 346 0, /* flags */
329 X509_PURPOSE_SMIME_SIGN, /* purpose */ 347 X509_PURPOSE_SMIME_SIGN, /* purpose */
330 X509_TRUST_EMAIL, /* trust */ 348 X509_TRUST_EMAIL, /* trust */
331 -1, /* depth */ 349 -1, /* depth */
332 NULL /* policies */ 350 NULL /* policies */
333 }, 351 },
334 { 352 {
335 "smime_sign", /* S/MIME sign parameters */ 353 "smime_sign", /* S/MIME sign parameters */
336 0, /* Check time */ 354 0, /* Check time */
337 0, /* internal flags */ 355 0, /* internal flags */
338 0, /* flags */ 356 0, /* flags */
339 X509_PURPOSE_SMIME_SIGN, /* purpose */ 357 X509_PURPOSE_SMIME_SIGN, /* purpose */
340 X509_TRUST_EMAIL, /* trust */ 358 X509_TRUST_EMAIL, /* trust */
341 -1, /* depth */ 359 -1, /* depth */
342 NULL /* policies */ 360 NULL /* policies */
343 }, 361 },
344 { 362 {
345 "ssl_client", /* SSL/TLS client parameters */ 363 "ssl_client", /* SSL/TLS client parameters */
346 0, /* Check time */ 364 0, /* Check time */
347 0, /* internal flags */ 365 0, /* internal flags */
348 0, /* flags */ 366 0, /* flags */
349 X509_PURPOSE_SSL_CLIENT, /* purpose */ 367 X509_PURPOSE_SSL_CLIENT, /* purpose */
350 X509_TRUST_SSL_CLIENT, /* trust */ 368 X509_TRUST_SSL_CLIENT, /* trust */
351 -1, /* depth */ 369 -1, /* depth */
352 NULL /* policies */ 370 NULL /* policies */
353 }, 371 },
354 { 372 {
355 "ssl_server", /* SSL/TLS server parameters */ 373 "ssl_server", /* SSL/TLS server parameters */
356 0, /* Check time */ 374 0, /* Check time */
357 0, /* internal flags */ 375 0, /* internal flags */
358 0, /* flags */ 376 0, /* flags */
359 X509_PURPOSE_SSL_SERVER, /* purpose */ 377 X509_PURPOSE_SSL_SERVER, /* purpose */
360 X509_TRUST_SSL_SERVER, /* trust */ 378 X509_TRUST_SSL_SERVER, /* trust */
361 -1, /* depth */ 379 -1, /* depth */
362 NULL /* policies */ 380 NULL /* policies */
363 } 381 }
364}; 382};
365 383
366static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL; 384static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
367 385
368static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) 386static int
369 387table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
370{ 388{
371 return strcmp(a->name, b->name); 389 return strcmp(a->name, b->name);
372} 390}
373 391
374DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, 392DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
375 table); 393IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
376IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
377 table);
378 394
379static int param_cmp(const X509_VERIFY_PARAM * const *a, 395static int
380 const X509_VERIFY_PARAM * const *b) 396param_cmp(const X509_VERIFY_PARAM * const *a,
397 const X509_VERIFY_PARAM * const *b)
381{ 398{
382 return strcmp((*a)->name, (*b)->name); 399 return strcmp((*a)->name, (*b)->name);
383} 400}
384 401
385int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) 402int
403X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
386{ 404{
387 int idx; 405 int idx;
388 X509_VERIFY_PARAM *ptmp; 406 X509_VERIFY_PARAM *ptmp;
407
389 if (!param_table) { 408 if (!param_table) {
390 param_table = sk_X509_VERIFY_PARAM_new(param_cmp); 409 param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
391 if (!param_table) 410 if (!param_table)
@@ -403,7 +422,8 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
403 return 1; 422 return 1;
404} 423}
405 424
406const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) 425const X509_VERIFY_PARAM *
426X509_VERIFY_PARAM_lookup(const char *name)
407{ 427{
408 int idx; 428 int idx;
409 X509_VERIFY_PARAM pm; 429 X509_VERIFY_PARAM pm;
@@ -415,13 +435,14 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
415 return sk_X509_VERIFY_PARAM_value(param_table, idx); 435 return sk_X509_VERIFY_PARAM_value(param_table, idx);
416 } 436 }
417 return OBJ_bsearch_table(&pm, default_table, 437 return OBJ_bsearch_table(&pm, default_table,
418 sizeof(default_table)/sizeof(X509_VERIFY_PARAM)); 438 sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
419} 439}
420 440
421void X509_VERIFY_PARAM_table_cleanup(void) 441void
442X509_VERIFY_PARAM_table_cleanup(void)
422{ 443{
423 if (param_table) 444 if (param_table)
424 sk_X509_VERIFY_PARAM_pop_free(param_table, 445 sk_X509_VERIFY_PARAM_pop_free(param_table,
425 X509_VERIFY_PARAM_free); 446 X509_VERIFY_PARAM_free);
426 param_table = NULL; 447 param_table = NULL;
427} 448}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 17:35:27 +0000