1 files changed, 36 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h
index fad6c93231..ced6b306e5 100644
--- a/src/lib/libcrypto/x509/x509_internal.h
+++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.1 2020/09/11 18:34:29 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.2 2020/09/13 15:06:17 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -20,6 +20,13 @@
 /* Internal use only, not public API */
 #include <netinet/in.h>
+#include <openssl/x509_verify.h>
+/* Hard limits on structure size and number of signature checks. */
+#define X509_VERIFY_MAX_CHAINS          8       /* Max validated chains */
+#define X509_VERIFY_MAX_CHAIN_CERTS     32      /* Max depth of a chain */
+#define X509_VERIFY_MAX_SIGCHECKS       256     /* Max signature checks */
 /*
 * Limit the number of names and constraints we will check in a chain
 * to avoid a hostile input DOS
@@ -53,8 +60,36 @@ struct x509_verify_chain {
        struct x509_constraints_names *names;   /* All names from all certs */
 };
+struct x509_verify_ctx {
+        X509_STORE_CTX *xsc;
+        struct x509_verify_chain **chains;      /* Validated chains */
+        size_t chains_count;
+        STACK_OF(X509) *roots;          /* Trusted roots for this validation */
+        STACK_OF(X509) *intermediates;  /* Intermediates provided by peer */
+        time_t *check_time;             /* Time for validity checks */
+        int purpose;                    /* Cert purpose we are validating */
+        size_t max_chains;              /* Max chains to return */
+        size_t max_depth;               /* Max chain depth for validation */
+        size_t max_sigs;                /* Max number of signature checks */
+        size_t sig_checks;              /* Number of signature checks done */
+        size_t error_depth;             /* Depth of last error seen */
+        int error;                      /* Last error seen */
+};
+int ASN1_time_tm_clamp_notafter(struct tm *tm);
 __BEGIN_HIDDEN_DECLS
+int x509_vfy_check_id(X509_STORE_CTX *ctx);
+int x509_vfy_check_revocation(X509_STORE_CTX *ctx);
+int x509_vfy_check_policy(X509_STORE_CTX *ctx);
+int x509_vfy_check_trust(X509_STORE_CTX *ctx);
+int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
+void x509v3_cache_extensions(X509 *x);
+struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc,
+    STACK_OF(X509) *roots);
 void x509_constraints_name_clear(struct x509_constraints_name *name);
 int x509_constraints_names_add(struct x509_constraints_names *names,
    struct x509_constraints_name *name);

diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h index fad6c93231..ced6b306e5 100644 --- a/src/lib/libcrypto/x509/x509_internal.h +++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_internal.h,v 1.1 2020/09/11 18:34:29 beck Exp $ */	1	/* $OpenBSD: x509_internal.h,v 1.2 2020/09/13 15:06:17 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -20,6 +20,13 @@
20	/* Internal use only, not public API */	20	/* Internal use only, not public API */
21	#include <netinet/in.h>	21	#include <netinet/in.h>
22		22
		23	#include <openssl/x509_verify.h>
		24
		25	/* Hard limits on structure size and number of signature checks. */
		26	#define X509_VERIFY_MAX_CHAINS 8 /* Max validated chains */
		27	#define X509_VERIFY_MAX_CHAIN_CERTS 32 /* Max depth of a chain */
		28	#define X509_VERIFY_MAX_SIGCHECKS 256 /* Max signature checks */
		29
23	/*	30	/*
24	* Limit the number of names and constraints we will check in a chain	31	* Limit the number of names and constraints we will check in a chain
25	* to avoid a hostile input DOS	32	* to avoid a hostile input DOS
@@ -53,8 +60,36 @@ struct x509_verify_chain {
53	struct x509_constraints_names names; / All names from all certs */	60	struct x509_constraints_names names; / All names from all certs */
54	};	61	};
55		62
		63	struct x509_verify_ctx {
		64	X509_STORE_CTX *xsc;
		65	struct x509_verify_chain *chains; / Validated chains */
		66	size_t chains_count;
		67	STACK_OF(X509) roots; / Trusted roots for this validation */
		68	STACK_OF(X509) intermediates; / Intermediates provided by peer */
		69	time_t check_time; / Time for validity checks */
		70	int purpose; /* Cert purpose we are validating */
		71	size_t max_chains; /* Max chains to return */
		72	size_t max_depth; /* Max chain depth for validation */
		73	size_t max_sigs; /* Max number of signature checks */
		74	size_t sig_checks; /* Number of signature checks done */
		75	size_t error_depth; /* Depth of last error seen */
		76	int error; /* Last error seen */
		77	};
		78
		79	int ASN1_time_tm_clamp_notafter(struct tm *tm);
		80
56	__BEGIN_HIDDEN_DECLS	81	__BEGIN_HIDDEN_DECLS
57		82
		83	int x509_vfy_check_id(X509_STORE_CTX *ctx);
		84	int x509_vfy_check_revocation(X509_STORE_CTX *ctx);
		85	int x509_vfy_check_policy(X509_STORE_CTX *ctx);
		86	int x509_vfy_check_trust(X509_STORE_CTX *ctx);
		87	int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
		88	void x509v3_cache_extensions(X509 *x);
		89
		90	struct x509_verify_ctx x509_verify_ctx_new_from_xsc(X509_STORE_CTX xsc,
		91	STACK_OF(X509) *roots);
		92
58	void x509_constraints_name_clear(struct x509_constraints_name *name);	93	void x509_constraints_name_clear(struct x509_constraints_name *name);
59	int x509_constraints_names_add(struct x509_constraints_names *names,	94	int x509_constraints_names_add(struct x509_constraints_names *names,
60	struct x509_constraints_name *name);	95	struct x509_constraints_name *name);