summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_vfy.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c2602
1 files changed, 0 insertions, 2602 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
deleted file mode 100644
index c93ae81bd8..0000000000
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ /dev/null
@@ -1,2602 +0,0 @@
1/* $OpenBSD: x509_vfy.c,v 1.147 2025/03/04 08:43:25 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <errno.h>
60#include <stdio.h>
61#include <string.h>
62#include <time.h>
63#include <unistd.h>
64
65#include <openssl/opensslconf.h>
66
67#include <openssl/asn1.h>
68#include <openssl/buffer.h>
69#include <openssl/crypto.h>
70#include <openssl/err.h>
71#include <openssl/evp.h>
72#include <openssl/lhash.h>
73#include <openssl/objects.h>
74#include <openssl/x509.h>
75#include <openssl/x509v3.h>
76
77#include "asn1_local.h"
78#include "x509_internal.h"
79#include "x509_issuer_cache.h"
80#include "x509_local.h"
81
82/* CRL score values */
83
84/* No unhandled critical extensions */
85
86#define CRL_SCORE_NOCRITICAL 0x100
87
88/* certificate is within CRL scope */
89
90#define CRL_SCORE_SCOPE 0x080
91
92/* CRL times valid */
93
94#define CRL_SCORE_TIME 0x040
95
96/* Issuer name matches certificate */
97
98#define CRL_SCORE_ISSUER_NAME 0x020
99
100/* If this score or above CRL is probably valid */
101
102#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
103
104/* CRL issuer is certificate issuer */
105
106#define CRL_SCORE_ISSUER_CERT 0x018
107
108/* CRL issuer is on certificate path */
109
110#define CRL_SCORE_SAME_PATH 0x008
111
112/* CRL issuer matches CRL AKID */
113
114#define CRL_SCORE_AKID 0x004
115
116/* Have a delta CRL with valid times */
117
118#define CRL_SCORE_TIME_DELTA 0x002
119
120static int x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl);
121static int x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
122
123static int null_callback(int ok, X509_STORE_CTX *e);
124static int check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer);
125static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x,
126 int allow_expired);
127static int check_name_constraints(X509_STORE_CTX *ctx);
128static int check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth);
129
130static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
131 unsigned int *preasons, X509_CRL *crl, X509 *x);
132static int get_crl_delta(X509_STORE_CTX *ctx,
133 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
134static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
135 X509_CRL *base, STACK_OF(X509_CRL) *crls);
136static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
137 int *pcrl_score);
138static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
139 unsigned int *preasons);
140static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
141static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
142 STACK_OF(X509) *crl_path);
143static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time,
144 int clamp_notafter);
145
146static int internal_verify(X509_STORE_CTX *ctx);
147static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
148static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err);
149
150static int
151null_callback(int ok, X509_STORE_CTX *e)
152{
153 return ok;
154}
155
156/* Return 1 if a certificate is self signed */
157static int
158cert_self_signed(X509 *x)
159{
160 X509_check_purpose(x, -1, 0);
161 if (x->ex_flags & EXFLAG_SS)
162 return 1;
163 else
164 return 0;
165}
166
167static int
168check_id_error(X509_STORE_CTX *ctx, int errcode)
169{
170 ctx->error = errcode;
171 ctx->current_cert = ctx->cert;
172 ctx->error_depth = 0;
173 return ctx->verify_cb(0, ctx);
174}
175
176static int
177x509_vfy_check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
178{
179 int i, n;
180 char *name;
181
182 n = sk_OPENSSL_STRING_num(vpm->hosts);
183 free(vpm->peername);
184 vpm->peername = NULL;
185
186 for (i = 0; i < n; ++i) {
187 name = sk_OPENSSL_STRING_value(vpm->hosts, i);
188 if (X509_check_host(x, name, strlen(name), vpm->hostflags,
189 &vpm->peername) > 0)
190 return 1;
191 }
192 return n == 0;
193}
194
195int
196x509_vfy_check_id(X509_STORE_CTX *ctx)
197{
198 X509_VERIFY_PARAM *vpm = ctx->param;
199 X509 *x = ctx->cert;
200
201 if (vpm->hosts && x509_vfy_check_hosts(x, vpm) <= 0) {
202 if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
203 return 0;
204 }
205 if (vpm->email != NULL && X509_check_email(x, vpm->email, vpm->emaillen, 0)
206 <= 0) {
207 if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
208 return 0;
209 }
210 if (vpm->ip != NULL && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
211 if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
212 return 0;
213 }
214 return 1;
215}
216
217/*
218 * This is the effectively broken legacy OpenSSL chain builder. It
219 * might find an unvalidated chain and leave it sitting in
220 * ctx->chain. It does not correctly handle many cases where multiple
221 * chains could exist.
222 *
223 * Oh no.. I know a dirty word...
224 * Oooooooh..
225 */
226static int
227X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
228{
229 X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
230 int bad_chain = 0;
231 X509_VERIFY_PARAM *param = ctx->param;
232 int ok = 0, ret = 0;
233 int depth, i;
234 int num, j, retry, trust;
235 int (*cb) (int xok, X509_STORE_CTX *xctx);
236 STACK_OF(X509) *sktmp = NULL;
237
238 cb = ctx->verify_cb;
239
240 /*
241 * First we make sure the chain we are going to build is
242 * present and that the first entry is in place.
243 */
244 ctx->chain = sk_X509_new_null();
245 if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
246 X509error(ERR_R_MALLOC_FAILURE);
247 ctx->error = X509_V_ERR_OUT_OF_MEM;
248 goto end;
249 }
250 X509_up_ref(ctx->cert);
251 ctx->num_untrusted = 1;
252
253 /* We use a temporary STACK so we can chop and hack at it */
254 if (ctx->untrusted != NULL &&
255 (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
256 X509error(ERR_R_MALLOC_FAILURE);
257 ctx->error = X509_V_ERR_OUT_OF_MEM;
258 goto end;
259 }
260
261 num = sk_X509_num(ctx->chain);
262 x = sk_X509_value(ctx->chain, num - 1);
263 depth = param->depth;
264
265 for (;;) {
266 /* If we have enough, we break */
267 /* FIXME: If this happens, we should take
268 * note of it and, if appropriate, use the
269 * X509_V_ERR_CERT_CHAIN_TOO_LONG error code
270 * later.
271 */
272 if (depth < num)
273 break;
274 /* If we are self signed, we break */
275 if (cert_self_signed(x))
276 break;
277 /*
278 * If asked see if we can find issuer in trusted store first
279 */
280 if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
281 ok = ctx->get_issuer(&xtmp, ctx, x);
282 if (ok < 0) {
283 ctx->error = X509_V_ERR_STORE_LOOKUP;
284 goto end;
285 }
286 /*
287 * If successful for now free up cert so it
288 * will be picked up again later.
289 */
290 if (ok > 0) {
291 X509_free(xtmp);
292 break;
293 }
294 }
295 /* If we were passed a cert chain, use it first */
296 if (ctx->untrusted != NULL) {
297 /*
298 * If we do not find a non-expired untrusted cert, peek
299 * ahead and see if we can satisfy this from the trusted
300 * store. If not, see if we have an expired untrusted cert.
301 */
302 xtmp = find_issuer(ctx, sktmp, x, 0);
303 if (xtmp == NULL &&
304 !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)) {
305 ok = ctx->get_issuer(&xtmp, ctx, x);
306 if (ok < 0) {
307 ctx->error = X509_V_ERR_STORE_LOOKUP;
308 goto end;
309 }
310 if (ok > 0) {
311 X509_free(xtmp);
312 break;
313 }
314 xtmp = find_issuer(ctx, sktmp, x, 1);
315 }
316 if (xtmp != NULL) {
317 if (!sk_X509_push(ctx->chain, xtmp)) {
318 X509error(ERR_R_MALLOC_FAILURE);
319 ctx->error = X509_V_ERR_OUT_OF_MEM;
320 ok = 0;
321 goto end;
322 }
323 X509_up_ref(xtmp);
324 (void)sk_X509_delete_ptr(sktmp, xtmp);
325 ctx->num_untrusted++;
326 x = xtmp;
327 num++;
328 /*
329 * reparse the full chain for the next one
330 */
331 continue;
332 }
333 }
334 break;
335 }
336 /* Remember how many untrusted certs we have */
337 j = num;
338
339 /*
340 * At this point, chain should contain a list of untrusted
341 * certificates. We now need to add at least one trusted one,
342 * if possible, otherwise we complain.
343 */
344
345 do {
346 /*
347 * Examine last certificate in chain and see if it is
348 * self signed.
349 */
350 i = sk_X509_num(ctx->chain);
351 x = sk_X509_value(ctx->chain, i - 1);
352 if (cert_self_signed(x)) {
353 /* we have a self signed certificate */
354 if (i == 1) {
355 /*
356 * We have a single self signed
357 * certificate: see if we can find it
358 * in the store. We must have an exact
359 * match to avoid possible
360 * impersonation.
361 */
362 ok = ctx->get_issuer(&xtmp, ctx, x);
363 if ((ok <= 0) || X509_cmp(x, xtmp)) {
364 ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
365 ctx->current_cert = x;
366 ctx->error_depth = i - 1;
367 if (ok == 1)
368 X509_free(xtmp);
369 bad_chain = 1;
370 ok = cb(0, ctx);
371 if (!ok)
372 goto end;
373 } else {
374 /*
375 * We have a match: replace
376 * certificate with store
377 * version so we get any trust
378 * settings.
379 */
380 X509_free(x);
381 x = xtmp;
382 (void)sk_X509_set(ctx->chain, i - 1, x);
383 ctx->num_untrusted = 0;
384 }
385 } else {
386 /*
387 * extract and save self signed
388 * certificate for later use
389 */
390 chain_ss = sk_X509_pop(ctx->chain);
391 ctx->num_untrusted--;
392 num--;
393 j--;
394 x = sk_X509_value(ctx->chain, num - 1);
395 }
396 }
397 /* We now lookup certs from the certificate store */
398 for (;;) {
399 /* If we have enough, we break */
400 if (depth < num)
401 break;
402 /* If we are self signed, we break */
403 if (cert_self_signed(x))
404 break;
405 ok = ctx->get_issuer(&xtmp, ctx, x);
406
407 if (ok < 0) {
408 ctx->error = X509_V_ERR_STORE_LOOKUP;
409 goto end;
410 }
411 if (ok == 0)
412 break;
413 x = xtmp;
414 if (!sk_X509_push(ctx->chain, x)) {
415 X509_free(xtmp);
416 X509error(ERR_R_MALLOC_FAILURE);
417 ctx->error = X509_V_ERR_OUT_OF_MEM;
418 ok = 0;
419 goto end;
420 }
421 num++;
422 }
423
424 /* we now have our chain, lets check it... */
425 trust = x509_vfy_check_trust(ctx);
426
427 /* If explicitly rejected error */
428 if (trust == X509_TRUST_REJECTED) {
429 ok = 0;
430 goto end;
431 }
432 /*
433 * If it's not explicitly trusted then check if there
434 * is an alternative chain that could be used. We only
435 * do this if we haven't already checked via
436 * TRUSTED_FIRST and the user hasn't switched off
437 * alternate chain checking
438 */
439 retry = 0;
440 if (trust != X509_TRUST_TRUSTED &&
441 !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) &&
442 !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
443 while (j-- > 1) {
444 xtmp2 = sk_X509_value(ctx->chain, j - 1);
445 ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
446 if (ok < 0)
447 goto end;
448 /* Check if we found an alternate chain */
449 if (ok > 0) {
450 /*
451 * Free up the found cert
452 * we'll add it again later
453 */
454 X509_free(xtmp);
455 /*
456 * Dump all the certs above
457 * this point - we've found an
458 * alternate chain
459 */
460 while (num > j) {
461 xtmp = sk_X509_pop(ctx->chain);
462 X509_free(xtmp);
463 num--;
464 }
465 ctx->num_untrusted = sk_X509_num(ctx->chain);
466 retry = 1;
467 break;
468 }
469 }
470 }
471 } while (retry);
472
473 /*
474 * If not explicitly trusted then indicate error unless it's a single
475 * self signed certificate in which case we've indicated an error already
476 * and set bad_chain == 1
477 */
478 if (trust != X509_TRUST_TRUSTED && !bad_chain) {
479 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
480 if (ctx->num_untrusted >= num)
481 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
482 else
483 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
484 ctx->current_cert = x;
485 } else {
486 if (!sk_X509_push(ctx->chain, chain_ss)) {
487 X509error(ERR_R_MALLOC_FAILURE);
488 ctx->error = X509_V_ERR_OUT_OF_MEM;
489 ok = 0;
490 goto end;
491 }
492 num++;
493 ctx->num_untrusted = num;
494 ctx->current_cert = chain_ss;
495 ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
496 chain_ss = NULL;
497 }
498
499 ctx->error_depth = num - 1;
500 bad_chain = 1;
501 ok = cb(0, ctx);
502 if (!ok)
503 goto end;
504 }
505
506 ret = 1;
507 end:
508 sk_X509_free(sktmp);
509 X509_free(chain_ss);
510 *bad = bad_chain;
511 *out_ok = ok;
512
513 return ret;
514}
515
516static int
517X509_verify_cert_legacy(X509_STORE_CTX *ctx)
518{
519 int ok = 0, bad_chain;
520
521 ctx->error = X509_V_OK; /* Initialize to OK */
522
523 if (!X509_verify_cert_legacy_build_chain(ctx, &bad_chain, &ok))
524 goto end;
525
526 /* We have the chain complete: now we need to check its purpose */
527 ok = x509_vfy_check_chain_extensions(ctx);
528 if (!ok)
529 goto end;
530
531 /* Check that the chain satisfies the security level. */
532 ok = x509_vfy_check_security_level(ctx);
533 if (!ok)
534 goto end;
535
536 /* Check name constraints */
537 ok = check_name_constraints(ctx);
538 if (!ok)
539 goto end;
540
541#ifndef OPENSSL_NO_RFC3779
542 ok = X509v3_asid_validate_path(ctx);
543 if (!ok)
544 goto end;
545
546 ok = X509v3_addr_validate_path(ctx);
547 if (!ok)
548 goto end;
549#endif
550
551 ok = x509_vfy_check_id(ctx);
552 if (!ok)
553 goto end;
554
555 /*
556 * Check revocation status: we do this after copying parameters because
557 * they may be needed for CRL signature verification.
558 */
559 ok = x509_vfy_check_revocation(ctx);
560 if (!ok)
561 goto end;
562
563 /* At this point, we have a chain and need to verify it */
564 if (ctx->verify != NULL)
565 ok = ctx->verify(ctx);
566 else
567 ok = internal_verify(ctx);
568 if (!ok)
569 goto end;
570
571 /* If we get this far evaluate policies */
572 if (!bad_chain)
573 ok = x509_vfy_check_policy(ctx);
574
575 end:
576 /* Safety net, error returns must set ctx->error */
577 if (ok <= 0 && ctx->error == X509_V_OK)
578 ctx->error = X509_V_ERR_UNSPECIFIED;
579
580 return ok;
581}
582
583int
584X509_verify_cert(X509_STORE_CTX *ctx)
585{
586 struct x509_verify_ctx *vctx = NULL;
587 int chain_count = 0;
588
589 if (ctx->cert == NULL) {
590 X509error(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
591 ctx->error = X509_V_ERR_INVALID_CALL;
592 return -1;
593 }
594 if (ctx->chain != NULL) {
595 /*
596 * This X509_STORE_CTX has already been used to verify
597 * a cert. We cannot do another one.
598 */
599 X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
600 ctx->error = X509_V_ERR_INVALID_CALL;
601 return -1;
602 }
603 if (ctx->param->poisoned) {
604 /*
605 * This X509_STORE_CTX had failures setting
606 * up verify parameters. We can not use it.
607 */
608 X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
609 ctx->error = X509_V_ERR_INVALID_CALL;
610 return -1;
611 }
612 if (ctx->error != X509_V_ERR_INVALID_CALL) {
613 /*
614 * This X509_STORE_CTX has not been properly initialized.
615 */
616 X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
617 ctx->error = X509_V_ERR_INVALID_CALL;
618 return -1;
619 }
620
621 /*
622 * If the certificate's public key is too weak, don't bother
623 * continuing.
624 */
625 if (!check_key_level(ctx, ctx->cert) &&
626 !verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL))
627 return 0;
628
629 /*
630 * If flags request legacy, use the legacy verifier. If we
631 * requested "no alt chains" from the age of hammer pants, use
632 * the legacy verifier because the multi chain verifier really
633 * does find all the "alt chains".
634 *
635 * XXX deprecate the NO_ALT_CHAINS flag?
636 */
637 if ((ctx->param->flags & X509_V_FLAG_LEGACY_VERIFY) ||
638 (ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS))
639 return X509_verify_cert_legacy(ctx);
640
641 /* Use the modern multi-chain verifier from x509_verify_cert */
642
643 if ((vctx = x509_verify_ctx_new_from_xsc(ctx)) != NULL) {
644 ctx->error = X509_V_OK; /* Initialize to OK */
645 chain_count = x509_verify(vctx, NULL, NULL);
646 }
647 x509_verify_ctx_free(vctx);
648
649 /* if we succeed we have a chain in ctx->chain */
650 return chain_count > 0 && ctx->chain != NULL;
651}
652LCRYPTO_ALIAS(X509_verify_cert);
653
654/* Given a STACK_OF(X509) find the issuer of cert (if any)
655 */
656
657static X509 *
658find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x,
659 int allow_expired)
660{
661 int i;
662 X509 *issuer, *rv = NULL;
663
664 for (i = 0; i < sk_X509_num(sk); i++) {
665 issuer = sk_X509_value(sk, i);
666 if (ctx->check_issued(ctx, x, issuer)) {
667 if (x509_check_cert_time(ctx, issuer, -1))
668 return issuer;
669 if (allow_expired)
670 rv = issuer;
671 }
672 }
673 return rv;
674}
675
676/* Given a possible certificate and issuer check them */
677
678static int
679check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer)
680{
681 /*
682 * Yes, the arguments of X509_STORE_CTX_check_issued_fn were exposed in
683 * reverse order compared to the already public X509_check_issued()...
684 */
685 return X509_check_issued(issuer, subject) == X509_V_OK;
686}
687
688/* Alternative lookup method: look from a STACK stored in ctx->trusted */
689
690static int
691x509_vfy_get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
692{
693 *issuer = find_issuer(ctx, ctx->trusted, x, 1);
694 if (*issuer) {
695 CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
696 return 1;
697 } else
698 return 0;
699}
700
701/* Check a certificate chains extensions for consistency
702 * with the supplied purpose
703 */
704
705int
706x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
707{
708 int i, ok = 0, must_be_ca, plen = 0;
709 X509 *x;
710 int (*cb)(int xok, X509_STORE_CTX *xctx);
711 int proxy_path_length = 0;
712 int purpose;
713
714 cb = ctx->verify_cb;
715
716 /* must_be_ca can have 1 of 3 values:
717 -1: we accept both CA and non-CA certificates, to allow direct
718 use of self-signed certificates (which are marked as CA).
719 0: we only accept non-CA certificates. This is currently not
720 used, but the possibility is present for future extensions.
721 1: we only accept CA certificates. This is currently used for
722 all certificates in the chain except the leaf certificate.
723 */
724 must_be_ca = -1;
725
726 /* CRL path validation */
727 if (ctx->parent)
728 purpose = X509_PURPOSE_CRL_SIGN;
729 else
730 purpose = ctx->param->purpose;
731
732 /* Check all untrusted certificates */
733 for (i = 0; i < ctx->num_untrusted; i++) {
734 int ret;
735 x = sk_X509_value(ctx->chain, i);
736 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
737 (x->ex_flags & EXFLAG_CRITICAL)) {
738 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
739 ctx->error_depth = i;
740 ctx->current_cert = x;
741 ok = cb(0, ctx);
742 if (!ok)
743 goto end;
744 }
745 ret = X509_check_ca(x);
746 if (must_be_ca == -1) {
747 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
748 (ret != 1) && (ret != 0)) {
749 ret = 0;
750 ctx->error = X509_V_ERR_INVALID_CA;
751 } else
752 ret = 1;
753 } else {
754 if ((ret == 0) ||
755 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
756 (ret != 1))) {
757 ret = 0;
758 ctx->error = X509_V_ERR_INVALID_CA;
759 } else
760 ret = 1;
761 }
762 if (ret == 0) {
763 ctx->error_depth = i;
764 ctx->current_cert = x;
765 ok = cb(0, ctx);
766 if (!ok)
767 goto end;
768 }
769 if (ctx->param->purpose > 0) {
770 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
771 if ((ret == 0) ||
772 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
773 (ret != 1))) {
774 ctx->error = X509_V_ERR_INVALID_PURPOSE;
775 ctx->error_depth = i;
776 ctx->current_cert = x;
777 ok = cb(0, ctx);
778 if (!ok)
779 goto end;
780 }
781 }
782 /* Check pathlen if not self issued */
783 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) &&
784 (x->ex_pathlen != -1) &&
785 (plen > (x->ex_pathlen + proxy_path_length + 1))) {
786 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
787 ctx->error_depth = i;
788 ctx->current_cert = x;
789 ok = cb(0, ctx);
790 if (!ok)
791 goto end;
792 }
793 /* Increment path length if not self issued */
794 if (!(x->ex_flags & EXFLAG_SI))
795 plen++;
796 must_be_ca = 1;
797 }
798
799 ok = 1;
800
801 end:
802 return ok;
803}
804
805static int
806check_name_constraints(X509_STORE_CTX *ctx)
807{
808 if (!x509_constraints_chain(ctx->chain, &ctx->error,
809 &ctx->error_depth)) {
810 ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
811 if (!ctx->verify_cb(0, ctx))
812 return 0;
813 }
814 return 1;
815}
816
817/* Given a certificate try and find an exact match in the store */
818
819static X509 *
820lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
821{
822 STACK_OF(X509) *certs;
823 X509 *xtmp = NULL;
824 size_t i;
825
826 /* Lookup all certs with matching subject name */
827 certs = X509_STORE_CTX_get1_certs(ctx, X509_get_subject_name(x));
828 if (certs == NULL)
829 return NULL;
830
831 /* Look for exact match */
832 for (i = 0; i < sk_X509_num(certs); i++) {
833 xtmp = sk_X509_value(certs, i);
834 if (!X509_cmp(xtmp, x))
835 break;
836 }
837
838 if (i < sk_X509_num(certs))
839 X509_up_ref(xtmp);
840 else
841 xtmp = NULL;
842
843 sk_X509_pop_free(certs, X509_free);
844 return xtmp;
845}
846
847X509 *
848x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
849{
850 if (ctx->store == NULL || ctx->store->objs == NULL)
851 return NULL;
852 return lookup_cert_match(ctx, x);
853}
854
855int
856x509_vfy_check_trust(X509_STORE_CTX *ctx)
857{
858 size_t i;
859 int ok;
860 X509 *x = NULL;
861 int (*cb) (int xok, X509_STORE_CTX *xctx);
862
863 cb = ctx->verify_cb;
864 /* Check all trusted certificates in chain */
865 for (i = ctx->num_untrusted; i < sk_X509_num(ctx->chain); i++) {
866 x = sk_X509_value(ctx->chain, i);
867 ok = X509_check_trust(x, ctx->param->trust, 0);
868
869 /* If explicitly trusted return trusted */
870 if (ok == X509_TRUST_TRUSTED)
871 return X509_TRUST_TRUSTED;
872 /*
873 * If explicitly rejected notify callback and reject if not
874 * overridden.
875 */
876 if (ok == X509_TRUST_REJECTED) {
877 ctx->error_depth = i;
878 ctx->current_cert = x;
879 ctx->error = X509_V_ERR_CERT_REJECTED;
880 ok = cb(0, ctx);
881 if (!ok)
882 return X509_TRUST_REJECTED;
883 }
884 }
885 /*
886 * If we accept partial chains and have at least one trusted certificate
887 * return success.
888 */
889 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
890 X509 *mx;
891 if (ctx->num_untrusted < (int)sk_X509_num(ctx->chain))
892 return X509_TRUST_TRUSTED;
893 x = sk_X509_value(ctx->chain, 0);
894 mx = lookup_cert_match(ctx, x);
895 if (mx) {
896 (void)sk_X509_set(ctx->chain, 0, mx);
897 X509_free(x);
898 ctx->num_untrusted = 0;
899 return X509_TRUST_TRUSTED;
900 }
901 }
902
903 /*
904 * If no trusted certs in chain at all return untrusted and allow
905 * standard (no issuer cert) etc errors to be indicated.
906 */
907 return X509_TRUST_UNTRUSTED;
908}
909
910int
911x509_vfy_check_revocation(X509_STORE_CTX *ctx)
912{
913 int i, last, ok;
914
915 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
916 return 1;
917 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
918 last = sk_X509_num(ctx->chain) - 1;
919 else {
920 /* If checking CRL paths this isn't the EE certificate */
921 if (ctx->parent)
922 return 1;
923 last = 0;
924 }
925 for (i = 0; i <= last; i++) {
926 ok = check_cert(ctx, ctx->chain, i);
927 if (!ok)
928 return ok;
929 }
930 return 1;
931}
932
933static int
934check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
935{
936 X509_CRL *crl = NULL, *dcrl = NULL;
937 X509 *x;
938 int ok = 0, cnum;
939 unsigned int last_reasons;
940
941 cnum = ctx->error_depth = depth;
942 x = sk_X509_value(chain, cnum);
943 ctx->current_cert = x;
944 ctx->current_issuer = NULL;
945 ctx->current_crl_score = 0;
946 ctx->current_reasons = 0;
947 while (ctx->current_reasons != CRLDP_ALL_REASONS) {
948 last_reasons = ctx->current_reasons;
949 /* Try to retrieve relevant CRL */
950 ok = get_crl_delta(ctx, &crl, &dcrl, x);
951 if (!ok) {
952 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
953 ok = ctx->verify_cb(0, ctx);
954 goto err;
955 }
956 ctx->current_crl = crl;
957 ok = x509_vfy_check_crl(ctx, crl);
958 if (!ok)
959 goto err;
960
961 if (dcrl) {
962 ok = x509_vfy_check_crl(ctx, dcrl);
963 if (!ok)
964 goto err;
965 ok = x509_vfy_cert_crl(ctx, dcrl, x);
966 if (!ok)
967 goto err;
968 } else
969 ok = 1;
970
971 /* Don't look in full CRL if delta reason is removefromCRL */
972 if (ok != 2) {
973 ok = x509_vfy_cert_crl(ctx, crl, x);
974 if (!ok)
975 goto err;
976 }
977
978 ctx->current_crl = NULL;
979 X509_CRL_free(crl);
980 X509_CRL_free(dcrl);
981 crl = NULL;
982 dcrl = NULL;
983 /* If reasons not updated we wont get anywhere by
984 * another iteration, so exit loop.
985 */
986 if (last_reasons == ctx->current_reasons) {
987 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
988 ok = ctx->verify_cb(0, ctx);
989 goto err;
990 }
991 }
992
993err:
994 ctx->current_crl = NULL;
995 X509_CRL_free(crl);
996 X509_CRL_free(dcrl);
997 return ok;
998}
999
1000/* Check CRL times against values in X509_STORE_CTX */
1001
1002static int
1003check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
1004{
1005 time_t *ptime;
1006 int i;
1007
1008 if (notify)
1009 ctx->current_crl = crl;
1010 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1011 ptime = &ctx->param->check_time;
1012 else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
1013 return 1;
1014 else
1015 ptime = NULL;
1016
1017 i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
1018 if (i == 0) {
1019 if (!notify)
1020 return 0;
1021 ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
1022 if (!ctx->verify_cb(0, ctx))
1023 return 0;
1024 }
1025
1026 if (i > 0) {
1027 if (!notify)
1028 return 0;
1029 ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
1030 if (!ctx->verify_cb(0, ctx))
1031 return 0;
1032 }
1033
1034 if (X509_CRL_get_nextUpdate(crl)) {
1035 i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
1036
1037 if (i == 0) {
1038 if (!notify)
1039 return 0;
1040 ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
1041 if (!ctx->verify_cb(0, ctx))
1042 return 0;
1043 }
1044 /* Ignore expiry of base CRL is delta is valid */
1045 if ((i < 0) &&
1046 !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
1047 if (!notify)
1048 return 0;
1049 ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
1050 if (!ctx->verify_cb(0, ctx))
1051 return 0;
1052 }
1053 }
1054
1055 if (notify)
1056 ctx->current_crl = NULL;
1057
1058 return 1;
1059}
1060
1061static int
1062get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
1063 X509 **pissuer, int *pscore, unsigned int *preasons,
1064 STACK_OF(X509_CRL) *crls)
1065{
1066 int i, crl_score, best_score = *pscore;
1067 unsigned int reasons, best_reasons = 0;
1068 X509 *x = ctx->current_cert;
1069 X509_CRL *crl, *best_crl = NULL;
1070 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
1071
1072 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1073 crl = sk_X509_CRL_value(crls, i);
1074 reasons = *preasons;
1075 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
1076
1077 if (crl_score > best_score) {
1078 best_crl = crl;
1079 best_crl_issuer = crl_issuer;
1080 best_score = crl_score;
1081 best_reasons = reasons;
1082 }
1083 }
1084
1085 if (best_crl) {
1086 if (*pcrl)
1087 X509_CRL_free(*pcrl);
1088 *pcrl = best_crl;
1089 *pissuer = best_crl_issuer;
1090 *pscore = best_score;
1091 *preasons = best_reasons;
1092 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
1093 if (*pdcrl) {
1094 X509_CRL_free(*pdcrl);
1095 *pdcrl = NULL;
1096 }
1097 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
1098 }
1099
1100 if (best_score >= CRL_SCORE_VALID)
1101 return 1;
1102
1103 return 0;
1104}
1105
1106/* Compare two CRL extensions for delta checking purposes. They should be
1107 * both present or both absent. If both present all fields must be identical.
1108 */
1109
1110static int
1111crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
1112{
1113 ASN1_OCTET_STRING *exta, *extb;
1114 int i;
1115
1116 i = X509_CRL_get_ext_by_NID(a, nid, -1);
1117 if (i >= 0) {
1118 /* Can't have multiple occurrences */
1119 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
1120 return 0;
1121 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
1122 } else
1123 exta = NULL;
1124
1125 i = X509_CRL_get_ext_by_NID(b, nid, -1);
1126
1127 if (i >= 0) {
1128 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
1129 return 0;
1130 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
1131 } else
1132 extb = NULL;
1133
1134 if (!exta && !extb)
1135 return 1;
1136
1137 if (!exta || !extb)
1138 return 0;
1139
1140 if (ASN1_OCTET_STRING_cmp(exta, extb))
1141 return 0;
1142
1143 return 1;
1144}
1145
1146/* See if a base and delta are compatible */
1147
1148static int
1149check_delta_base(X509_CRL *delta, X509_CRL *base)
1150{
1151 /* Delta CRL must be a delta */
1152 if (!delta->base_crl_number)
1153 return 0;
1154 /* Base must have a CRL number */
1155 if (!base->crl_number)
1156 return 0;
1157 /* Issuer names must match */
1158 if (X509_NAME_cmp(X509_CRL_get_issuer(base),
1159 X509_CRL_get_issuer(delta)))
1160 return 0;
1161 /* AKID and IDP must match */
1162 if (!crl_extension_match(delta, base, NID_authority_key_identifier))
1163 return 0;
1164 if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
1165 return 0;
1166 /* Delta CRL base number must not exceed Full CRL number. */
1167 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
1168 return 0;
1169 /* Delta CRL number must exceed full CRL number */
1170 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
1171 return 1;
1172 return 0;
1173}
1174
1175/* For a given base CRL find a delta... maybe extend to delta scoring
1176 * or retrieve a chain of deltas...
1177 */
1178
1179static void
1180get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base,
1181 STACK_OF(X509_CRL) *crls)
1182{
1183 X509_CRL *delta;
1184 int i;
1185
1186 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
1187 return;
1188 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
1189 return;
1190 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1191 delta = sk_X509_CRL_value(crls, i);
1192 if (check_delta_base(delta, base)) {
1193 if (check_crl_time(ctx, delta, 0))
1194 *pscore |= CRL_SCORE_TIME_DELTA;
1195 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
1196 *dcrl = delta;
1197 return;
1198 }
1199 }
1200 *dcrl = NULL;
1201}
1202
1203/* For a given CRL return how suitable it is for the supplied certificate 'x'.
1204 * The return value is a mask of several criteria.
1205 * If the issuer is not the certificate issuer this is returned in *pissuer.
1206 * The reasons mask is also used to determine if the CRL is suitable: if
1207 * no new reasons the CRL is rejected, otherwise reasons is updated.
1208 */
1209
1210static int
1211get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons,
1212 X509_CRL *crl, X509 *x)
1213{
1214 int crl_score = 0;
1215 unsigned int tmp_reasons = *preasons, crl_reasons;
1216
1217 /* First see if we can reject CRL straight away */
1218
1219 /* Invalid IDP cannot be processed */
1220 if (crl->idp_flags & IDP_INVALID)
1221 return 0;
1222 /* Reason codes or indirect CRLs need extended CRL support */
1223 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
1224 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
1225 return 0;
1226 } else if (crl->idp_flags & IDP_REASONS) {
1227 /* If no new reasons reject */
1228 if (!(crl->idp_reasons & ~tmp_reasons))
1229 return 0;
1230 }
1231 /* Don't process deltas at this stage */
1232 else if (crl->base_crl_number)
1233 return 0;
1234 /* If issuer name doesn't match certificate need indirect CRL */
1235 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
1236 if (!(crl->idp_flags & IDP_INDIRECT))
1237 return 0;
1238 } else
1239 crl_score |= CRL_SCORE_ISSUER_NAME;
1240
1241 if (!(crl->flags & EXFLAG_CRITICAL))
1242 crl_score |= CRL_SCORE_NOCRITICAL;
1243
1244 /* Check expiry */
1245 if (check_crl_time(ctx, crl, 0))
1246 crl_score |= CRL_SCORE_TIME;
1247
1248 /* Check authority key ID and locate certificate issuer */
1249 crl_akid_check(ctx, crl, pissuer, &crl_score);
1250
1251 /* If we can't locate certificate issuer at this point forget it */
1252
1253 if (!(crl_score & CRL_SCORE_AKID))
1254 return 0;
1255
1256 /* Check cert for matching CRL distribution points */
1257
1258 if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
1259 /* If no new reasons reject */
1260 if (!(crl_reasons & ~tmp_reasons))
1261 return 0;
1262 tmp_reasons |= crl_reasons;
1263 crl_score |= CRL_SCORE_SCOPE;
1264 }
1265
1266 *preasons = tmp_reasons;
1267
1268 return crl_score;
1269}
1270
1271static void
1272crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
1273 int *pcrl_score)
1274{
1275 X509 *crl_issuer = NULL;
1276 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1277 int cidx = ctx->error_depth;
1278 int i;
1279
1280 if (cidx != sk_X509_num(ctx->chain) - 1)
1281 cidx++;
1282
1283 crl_issuer = sk_X509_value(ctx->chain, cidx);
1284
1285 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1286 if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
1287 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
1288 *pissuer = crl_issuer;
1289 return;
1290 }
1291 }
1292
1293 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) {
1294 crl_issuer = sk_X509_value(ctx->chain, cidx);
1295 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1296 continue;
1297 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1298 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
1299 *pissuer = crl_issuer;
1300 return;
1301 }
1302 }
1303
1304 /* Anything else needs extended CRL support */
1305
1306 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1307 return;
1308
1309 /* Otherwise the CRL issuer is not on the path. Look for it in the
1310 * set of untrusted certificates.
1311 */
1312 for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
1313 crl_issuer = sk_X509_value(ctx->untrusted, i);
1314 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1315 continue;
1316 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1317 *pissuer = crl_issuer;
1318 *pcrl_score |= CRL_SCORE_AKID;
1319 return;
1320 }
1321 }
1322}
1323
1324/* Check the path of a CRL issuer certificate. This creates a new
1325 * X509_STORE_CTX and populates it with most of the parameters from the
1326 * parent. This could be optimised somewhat since a lot of path checking
1327 * will be duplicated by the parent, but this will rarely be used in
1328 * practice.
1329 */
1330
1331static int
1332check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1333{
1334 X509_STORE_CTX crl_ctx;
1335 int ret;
1336
1337 /* Don't allow recursive CRL path validation */
1338 if (ctx->parent)
1339 return 0;
1340 if (!X509_STORE_CTX_init(&crl_ctx, ctx->store, x, ctx->untrusted)) {
1341 ret = -1;
1342 goto err;
1343 }
1344
1345 crl_ctx.crls = ctx->crls;
1346 /* Copy verify params across */
1347 X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1348
1349 crl_ctx.parent = ctx;
1350 crl_ctx.verify_cb = ctx->verify_cb;
1351
1352 /* Verify CRL issuer */
1353 ret = X509_verify_cert(&crl_ctx);
1354
1355 if (ret <= 0)
1356 goto err;
1357
1358 /* Check chain is acceptable */
1359 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1360
1361err:
1362 X509_STORE_CTX_cleanup(&crl_ctx);
1363 return ret;
1364}
1365
1366/* RFC3280 says nothing about the relationship between CRL path
1367 * and certificate path, which could lead to situations where a
1368 * certificate could be revoked or validated by a CA not authorised
1369 * to do so. RFC5280 is more strict and states that the two paths must
1370 * end in the same trust anchor, though some discussions remain...
1371 * until this is resolved we use the RFC5280 version
1372 */
1373
1374static int
1375check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
1376 STACK_OF(X509) *crl_path)
1377{
1378 X509 *cert_ta, *crl_ta;
1379
1380 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1381 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1382 if (!X509_cmp(cert_ta, crl_ta))
1383 return 1;
1384 return 0;
1385}
1386
1387/* Check for match between two dist point names: three separate cases.
1388 * 1. Both are relative names and compare X509_NAME types.
1389 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
1390 * 3. Both are full names and compare two GENERAL_NAMES.
1391 * 4. One is NULL: automatic match.
1392 */
1393
1394static int
1395idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1396{
1397 X509_NAME *nm = NULL;
1398 GENERAL_NAMES *gens = NULL;
1399 GENERAL_NAME *gena, *genb;
1400 int i, j;
1401
1402 if (!a || !b)
1403 return 1;
1404 if (a->type == 1) {
1405 if (!a->dpname)
1406 return 0;
1407 /* Case 1: two X509_NAME */
1408 if (b->type == 1) {
1409 if (!b->dpname)
1410 return 0;
1411 if (!X509_NAME_cmp(a->dpname, b->dpname))
1412 return 1;
1413 else
1414 return 0;
1415 }
1416 /* Case 2: set name and GENERAL_NAMES appropriately */
1417 nm = a->dpname;
1418 gens = b->name.fullname;
1419 } else if (b->type == 1) {
1420 if (!b->dpname)
1421 return 0;
1422 /* Case 2: set name and GENERAL_NAMES appropriately */
1423 gens = a->name.fullname;
1424 nm = b->dpname;
1425 }
1426
1427 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1428 if (nm) {
1429 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1430 gena = sk_GENERAL_NAME_value(gens, i);
1431 if (gena->type != GEN_DIRNAME)
1432 continue;
1433 if (!X509_NAME_cmp(nm, gena->d.directoryName))
1434 return 1;
1435 }
1436 return 0;
1437 }
1438
1439 /* Else case 3: two GENERAL_NAMES */
1440
1441 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1442 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1443 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1444 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1445 if (!GENERAL_NAME_cmp(gena, genb))
1446 return 1;
1447 }
1448 }
1449
1450 return 0;
1451}
1452
1453static int
1454crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1455{
1456 int i;
1457 X509_NAME *nm = X509_CRL_get_issuer(crl);
1458
1459 /* If no CRLissuer return is successful iff don't need a match */
1460 if (!dp->CRLissuer)
1461 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1462 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
1463 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1464 if (gen->type != GEN_DIRNAME)
1465 continue;
1466 if (!X509_NAME_cmp(gen->d.directoryName, nm))
1467 return 1;
1468 }
1469 return 0;
1470}
1471
1472/* Check CRLDP and IDP */
1473
1474static int
1475crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons)
1476{
1477 int i;
1478
1479 if (crl->idp_flags & IDP_ONLYATTR)
1480 return 0;
1481 if (x->ex_flags & EXFLAG_CA) {
1482 if (crl->idp_flags & IDP_ONLYUSER)
1483 return 0;
1484 } else {
1485 if (crl->idp_flags & IDP_ONLYCA)
1486 return 0;
1487 }
1488 *preasons = crl->idp_reasons;
1489 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1490 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1491 if (crldp_check_crlissuer(dp, crl, crl_score)) {
1492 if (!crl->idp ||
1493 idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1494 *preasons &= dp->dp_reasons;
1495 return 1;
1496 }
1497 }
1498 }
1499 if ((!crl->idp || !crl->idp->distpoint) &&
1500 (crl_score & CRL_SCORE_ISSUER_NAME))
1501 return 1;
1502 return 0;
1503}
1504
1505/* Retrieve CRL corresponding to current certificate.
1506 * If deltas enabled try to find a delta CRL too
1507 */
1508
1509static int
1510get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1511{
1512 int ok;
1513 X509 *issuer = NULL;
1514 int crl_score = 0;
1515 unsigned int reasons;
1516 X509_CRL *crl = NULL, *dcrl = NULL;
1517 STACK_OF(X509_CRL) *skcrl;
1518 X509_NAME *nm = X509_get_issuer_name(x);
1519
1520 reasons = ctx->current_reasons;
1521 ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons,
1522 ctx->crls);
1523 if (ok)
1524 goto done;
1525
1526 /* Lookup CRLs from store */
1527 skcrl = X509_STORE_CTX_get1_crls(ctx, nm);
1528
1529 /* If no CRLs found and a near match from get_crl_sk use that */
1530 if (!skcrl && crl)
1531 goto done;
1532
1533 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1534
1535 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1536
1537done:
1538
1539 /* If we got any kind of CRL use it and return success */
1540 if (crl) {
1541 ctx->current_issuer = issuer;
1542 ctx->current_crl_score = crl_score;
1543 ctx->current_reasons = reasons;
1544 *pcrl = crl;
1545 *pdcrl = dcrl;
1546 return 1;
1547 }
1548
1549 return 0;
1550}
1551
1552/* Matches x509_verify_parent_signature() */
1553static int
1554x509_crl_verify_parent_signature(X509 *parent, X509_CRL *crl, int *error)
1555{
1556 EVP_PKEY *pkey;
1557 int cached;
1558 int ret = 0;
1559
1560 /* Use cached value if we have it */
1561 if ((cached = x509_issuer_cache_find(parent->hash, crl->hash)) >= 0) {
1562 if (cached == 0)
1563 *error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1564 return cached;
1565 }
1566
1567 /* Check signature. Did parent sign crl? */
1568 if ((pkey = X509_get0_pubkey(parent)) == NULL) {
1569 *error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1570 return 0;
1571 }
1572 if (X509_CRL_verify(crl, pkey) <= 0)
1573 *error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1574 else
1575 ret = 1;
1576
1577 /* Add result to cache */
1578 x509_issuer_cache_add(parent->hash, crl->hash, ret);
1579
1580 return ret;
1581}
1582
1583/* Check CRL validity */
1584static int
1585x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1586{
1587 X509 *issuer = NULL;
1588 int ok = 0, chnum, cnum;
1589
1590 cnum = ctx->error_depth;
1591 chnum = sk_X509_num(ctx->chain) - 1;
1592 /* if we have an alternative CRL issuer cert use that */
1593 if (ctx->current_issuer) {
1594 issuer = ctx->current_issuer;
1595 } else if (cnum < chnum) {
1596 /*
1597 * Else find CRL issuer: if not last certificate then issuer
1598 * is next certificate in chain.
1599 */
1600 issuer = sk_X509_value(ctx->chain, cnum + 1);
1601 } else {
1602 issuer = sk_X509_value(ctx->chain, chnum);
1603 /* If not self signed, can't check signature */
1604 if (!ctx->check_issued(ctx, issuer, issuer)) {
1605 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1606 ok = ctx->verify_cb(0, ctx);
1607 if (!ok)
1608 goto err;
1609 }
1610 }
1611
1612 if (issuer) {
1613 /* Skip most tests for deltas because they have already
1614 * been done
1615 */
1616 if (!crl->base_crl_number) {
1617 /* Check for cRLSign bit if keyUsage present */
1618 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1619 !(issuer->ex_kusage & KU_CRL_SIGN)) {
1620 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1621 ok = ctx->verify_cb(0, ctx);
1622 if (!ok)
1623 goto err;
1624 }
1625
1626 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1627 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1628 ok = ctx->verify_cb(0, ctx);
1629 if (!ok)
1630 goto err;
1631 }
1632
1633 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1634 if (check_crl_path(ctx,
1635 ctx->current_issuer) <= 0) {
1636 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1637 ok = ctx->verify_cb(0, ctx);
1638 if (!ok)
1639 goto err;
1640 }
1641 }
1642
1643 if (crl->idp_flags & IDP_INVALID) {
1644 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1645 ok = ctx->verify_cb(0, ctx);
1646 if (!ok)
1647 goto err;
1648 }
1649
1650
1651 }
1652
1653 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1654 ok = check_crl_time(ctx, crl, 1);
1655 if (!ok)
1656 goto err;
1657 }
1658
1659 if (!x509_crl_verify_parent_signature(issuer, crl, &ctx->error)) {
1660 ok = ctx->verify_cb(0, ctx);
1661 if (!ok)
1662 goto err;
1663 }
1664 }
1665
1666 ok = 1;
1667
1668 err:
1669 return ok;
1670}
1671
1672/* Check certificate against CRL */
1673static int
1674x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1675{
1676 int ok;
1677 X509_REVOKED *rev;
1678
1679 /* The rules changed for this... previously if a CRL contained
1680 * unhandled critical extensions it could still be used to indicate
1681 * a certificate was revoked. This has since been changed since
1682 * critical extension can change the meaning of CRL entries.
1683 */
1684 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
1685 (crl->flags & EXFLAG_CRITICAL)) {
1686 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1687 ok = ctx->verify_cb(0, ctx);
1688 if (!ok)
1689 return 0;
1690 }
1691 /* Look for serial number of certificate in CRL
1692 * If found make sure reason is not removeFromCRL.
1693 */
1694 if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1695 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1696 return 2;
1697 ctx->error = X509_V_ERR_CERT_REVOKED;
1698 ok = ctx->verify_cb(0, ctx);
1699 if (!ok)
1700 return 0;
1701 }
1702
1703 return 1;
1704}
1705
1706int
1707x509_vfy_check_policy(X509_STORE_CTX *ctx)
1708{
1709 X509 *current_cert = NULL;
1710 int ret;
1711
1712 if (ctx->parent != NULL)
1713 return 1;
1714
1715 ret = X509_policy_check(ctx->chain, ctx->param->policies,
1716 ctx->param->flags, &current_cert);
1717 if (ret != X509_V_OK) {
1718 ctx->current_cert = current_cert;
1719 ctx->error = ret;
1720 if (ret == X509_V_ERR_OUT_OF_MEM)
1721 return 0;
1722 return ctx->verify_cb(0, ctx);
1723 }
1724
1725 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1726 ctx->current_cert = NULL;
1727 /*
1728 * Verification errors need to be "sticky", a callback may have
1729 * allowed an SSL handshake to continue despite an error, and
1730 * we must then remain in an error state. Therefore, we MUST
1731 * NOT clear earlier verification errors by setting the error
1732 * to X509_V_OK.
1733 */
1734 if (!ctx->verify_cb(2, ctx))
1735 return 0;
1736 }
1737
1738 return 1;
1739}
1740
1741/*
1742 * Inform the verify callback of an error.
1743 *
1744 * If x is not NULL it is the error cert, otherwise use the chain cert
1745 * at depth.
1746 *
1747 * If err is not X509_V_OK, that's the error value, otherwise leave
1748 * unchanged (presumably set by the caller).
1749 *
1750 * Returns 0 to abort verification with an error, non-zero to continue.
1751 */
1752static int
1753verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err)
1754{
1755 ctx->error_depth = depth;
1756 ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth);
1757 if (err != X509_V_OK)
1758 ctx->error = err;
1759 return ctx->verify_cb(0, ctx);
1760}
1761
1762/*
1763 * Check certificate validity times.
1764 *
1765 * If depth >= 0, invoke verification callbacks on error, otherwise just return
1766 * the validation status.
1767 *
1768 * Return 1 on success, 0 otherwise.
1769 */
1770int
1771x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
1772{
1773 time_t ptime;
1774 int i;
1775
1776 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1777 ptime = ctx->param->check_time;
1778 else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
1779 return 1;
1780 else
1781 ptime = time(NULL);
1782
1783 i = X509_cmp_time(X509_get_notBefore(x), &ptime);
1784
1785 if (i >= 0 && depth < 0)
1786 return 0;
1787 if (i == 0 && !verify_cb_cert(ctx, x, depth,
1788 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD))
1789 return 0;
1790 if (i > 0 && !verify_cb_cert(ctx, x, depth,
1791 X509_V_ERR_CERT_NOT_YET_VALID))
1792 return 0;
1793
1794 i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1);
1795
1796 if (i <= 0 && depth < 0)
1797 return 0;
1798 if (i == 0 && !verify_cb_cert(ctx, x, depth,
1799 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD))
1800 return 0;
1801 if (i < 0 && !verify_cb_cert(ctx, x, depth,
1802 X509_V_ERR_CERT_HAS_EXPIRED))
1803 return 0;
1804
1805 return 1;
1806}
1807
1808static int
1809x509_vfy_internal_verify(X509_STORE_CTX *ctx, int chain_verified)
1810{
1811 int n = sk_X509_num(ctx->chain) - 1;
1812 X509 *xi = sk_X509_value(ctx->chain, n);
1813 X509 *xs;
1814
1815 if (ctx->check_issued(ctx, xi, xi))
1816 xs = xi;
1817 else {
1818 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
1819 xs = xi;
1820 goto check_cert;
1821 }
1822 if (n <= 0)
1823 return verify_cb_cert(ctx, xi, 0,
1824 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);
1825 n--;
1826 ctx->error_depth = n;
1827 xs = sk_X509_value(ctx->chain, n);
1828 }
1829
1830 /*
1831 * Do not clear ctx->error=0, it must be "sticky", only the
1832 * user's callback is allowed to reset errors (at its own
1833 * peril).
1834 */
1835 while (n >= 0) {
1836
1837 /*
1838 * Skip signature check for self signed certificates
1839 * unless explicitly asked for. It doesn't add any
1840 * security and just wastes time. If the issuer's
1841 * public key is unusable, report the issuer
1842 * certificate and its depth (rather than the depth of
1843 * the subject).
1844 */
1845 if (!chain_verified && ( xs != xi ||
1846 (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
1847 EVP_PKEY *pkey;
1848 if ((pkey = X509_get_pubkey(xi)) == NULL) {
1849 if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
1850 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
1851 return 0;
1852 } else if (X509_verify(xs, pkey) <= 0) {
1853 if (!verify_cb_cert(ctx, xs, n,
1854 X509_V_ERR_CERT_SIGNATURE_FAILURE)) {
1855 EVP_PKEY_free(pkey);
1856 return 0;
1857 }
1858 }
1859 EVP_PKEY_free(pkey);
1860 }
1861check_cert:
1862 /* Calls verify callback as needed */
1863 if (!chain_verified && !x509_check_cert_time(ctx, xs, n))
1864 return 0;
1865
1866 /*
1867 * Signal success at this depth. However, the
1868 * previous error (if any) is retained.
1869 */
1870 ctx->current_issuer = xi;
1871 ctx->current_cert = xs;
1872 ctx->error_depth = n;
1873 if (!ctx->verify_cb(1, ctx))
1874 return 0;
1875
1876 if (--n >= 0) {
1877 xi = xs;
1878 xs = sk_X509_value(ctx->chain, n);
1879 }
1880 }
1881 return 1;
1882}
1883
1884static int
1885internal_verify(X509_STORE_CTX *ctx)
1886{
1887 return x509_vfy_internal_verify(ctx, 0);
1888}
1889
1890/*
1891 * Internal verify, but with a chain where the verification
1892 * math has already been performed.
1893 */
1894int
1895x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx)
1896{
1897 return x509_vfy_internal_verify(ctx, 1);
1898}
1899
1900int
1901X509_cmp_current_time(const ASN1_TIME *ctm)
1902{
1903 return X509_cmp_time(ctm, NULL);
1904}
1905LCRYPTO_ALIAS(X509_cmp_current_time);
1906
1907/*
1908 * Compare a possibly unvalidated ASN1_TIME string against a time_t
1909 * using RFC 5280 rules for the time string. If *cmp_time is NULL
1910 * the current system time is used.
1911 *
1912 * XXX NOTE that unlike what you expect a "cmp" function to do in C,
1913 * XXX this one is "special", and returns 0 for error.
1914 *
1915 * Returns:
1916 * -1 if the ASN1_time is earlier than OR the same as *cmp_time.
1917 * 1 if the ASN1_time is later than *cmp_time.
1918 * 0 on error.
1919 */
1920static int
1921X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int is_notafter)
1922{
1923 time_t compare, cert_time;
1924
1925 if (cmp_time == NULL)
1926 compare = time(NULL);
1927 else
1928 compare = *cmp_time;
1929
1930 if (!x509_verify_asn1_time_to_time_t(ctm, is_notafter, &cert_time))
1931 return 0; /* invalid time */
1932
1933 if (cert_time <= compare)
1934 return -1; /* 0 is used for error, so map same to less than */
1935
1936 return 1;
1937}
1938
1939int
1940X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1941{
1942 return X509_cmp_time_internal(ctm, cmp_time, 0);
1943}
1944LCRYPTO_ALIAS(X509_cmp_time);
1945
1946
1947ASN1_TIME *
1948X509_gmtime_adj(ASN1_TIME *s, long adj)
1949{
1950 return X509_time_adj(s, adj, NULL);
1951}
1952LCRYPTO_ALIAS(X509_gmtime_adj);
1953
1954ASN1_TIME *
1955X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_time)
1956{
1957 return X509_time_adj_ex(s, 0, offset_sec, in_time);
1958}
1959LCRYPTO_ALIAS(X509_time_adj);
1960
1961ASN1_TIME *
1962X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_time)
1963{
1964 time_t t;
1965 if (in_time == NULL)
1966 t = time(NULL);
1967 else
1968 t = *in_time;
1969
1970 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1971}
1972LCRYPTO_ALIAS(X509_time_adj_ex);
1973
1974int
1975X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1976{
1977 EVP_PKEY *ktmp = NULL, *ktmp2;
1978 int i, j;
1979
1980 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))
1981 return 1;
1982
1983 for (i = 0; i < sk_X509_num(chain); i++) {
1984 ktmp = X509_get0_pubkey(sk_X509_value(chain, i));
1985 if (ktmp == NULL) {
1986 X509error(X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1987 return 0;
1988 }
1989 if (!EVP_PKEY_missing_parameters(ktmp))
1990 break;
1991 else
1992 ktmp = NULL;
1993 }
1994 if (ktmp == NULL) {
1995 X509error(X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1996 return 0;
1997 }
1998
1999 /* first, populate the other certs */
2000 for (j = i - 1; j >= 0; j--) {
2001 if ((ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j))) == NULL)
2002 return 0;
2003 if (!EVP_PKEY_copy_parameters(ktmp2, ktmp))
2004 return 0;
2005 }
2006
2007 if (pkey != NULL)
2008 if (!EVP_PKEY_copy_parameters(pkey, ktmp))
2009 return 0;
2010 return 1;
2011}
2012LCRYPTO_ALIAS(X509_get_pubkey_parameters);
2013
2014int
2015X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
2016 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
2017{
2018 /* This function is (usually) called only once, by
2019 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
2020 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX,
2021 argl, argp, new_func, dup_func, free_func);
2022}
2023LCRYPTO_ALIAS(X509_STORE_CTX_get_ex_new_index);
2024
2025int
2026X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
2027{
2028 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
2029}
2030LCRYPTO_ALIAS(X509_STORE_CTX_set_ex_data);
2031
2032void *
2033X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
2034{
2035 return CRYPTO_get_ex_data(&ctx->ex_data, idx);
2036}
2037LCRYPTO_ALIAS(X509_STORE_CTX_get_ex_data);
2038
2039int
2040X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
2041{
2042 return ctx->error;
2043}
2044LCRYPTO_ALIAS(X509_STORE_CTX_get_error);
2045
2046void
2047X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
2048{
2049 ctx->error = err;
2050}
2051LCRYPTO_ALIAS(X509_STORE_CTX_set_error);
2052
2053int
2054X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
2055{
2056 return ctx->error_depth;
2057}
2058LCRYPTO_ALIAS(X509_STORE_CTX_get_error_depth);
2059
2060void
2061X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth)
2062{
2063 ctx->error_depth = depth;
2064}
2065LCRYPTO_ALIAS(X509_STORE_CTX_set_error_depth);
2066
2067X509 *
2068X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
2069{
2070 return ctx->current_cert;
2071}
2072LCRYPTO_ALIAS(X509_STORE_CTX_get_current_cert);
2073
2074void
2075X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x)
2076{
2077 ctx->current_cert = x;
2078}
2079LCRYPTO_ALIAS(X509_STORE_CTX_set_current_cert);
2080
2081STACK_OF(X509) *
2082X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
2083{
2084 return ctx->chain;
2085}
2086LCRYPTO_ALIAS(X509_STORE_CTX_get_chain);
2087
2088STACK_OF(X509) *
2089X509_STORE_CTX_get0_chain(X509_STORE_CTX *xs)
2090{
2091 return xs->chain;
2092}
2093LCRYPTO_ALIAS(X509_STORE_CTX_get0_chain);
2094
2095STACK_OF(X509) *
2096X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
2097{
2098 int i;
2099 X509 *x;
2100 STACK_OF(X509) *chain;
2101
2102 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain)))
2103 return NULL;
2104 for (i = 0; i < sk_X509_num(chain); i++) {
2105 x = sk_X509_value(chain, i);
2106 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
2107 }
2108 return chain;
2109}
2110LCRYPTO_ALIAS(X509_STORE_CTX_get1_chain);
2111
2112X509 *
2113X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
2114{
2115 return ctx->current_issuer;
2116}
2117LCRYPTO_ALIAS(X509_STORE_CTX_get0_current_issuer);
2118
2119X509_CRL *
2120X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
2121{
2122 return ctx->current_crl;
2123}
2124LCRYPTO_ALIAS(X509_STORE_CTX_get0_current_crl);
2125
2126X509_STORE_CTX *
2127X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
2128{
2129 return ctx->parent;
2130}
2131LCRYPTO_ALIAS(X509_STORE_CTX_get0_parent_ctx);
2132
2133X509_STORE *
2134X509_STORE_CTX_get0_store(X509_STORE_CTX *xs)
2135{
2136 return xs->store;
2137}
2138LCRYPTO_ALIAS(X509_STORE_CTX_get0_store);
2139
2140void
2141X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
2142{
2143 ctx->cert = x;
2144}
2145LCRYPTO_ALIAS(X509_STORE_CTX_set_cert);
2146
2147void
2148X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2149{
2150 ctx->untrusted = sk;
2151}
2152LCRYPTO_ALIAS(X509_STORE_CTX_set_chain);
2153
2154void
2155X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
2156{
2157 ctx->crls = sk;
2158}
2159LCRYPTO_ALIAS(X509_STORE_CTX_set0_crls);
2160
2161/*
2162 * This function is used to set the X509_STORE_CTX purpose and trust
2163 * values. This is intended to be used when another structure has its
2164 * own trust and purpose values which (if set) will be inherited by
2165 * the ctx. If they aren't set then we will usually have a default
2166 * purpose in mind which should then be used to set the trust value.
2167 * An example of this is SSL use: an SSL structure will have its own
2168 * purpose and trust settings which the application can set: if they
2169 * aren't set then we use the default of SSL client/server.
2170 */
2171int
2172X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose_id)
2173{
2174 const X509_PURPOSE *purpose;
2175 int idx;
2176
2177 /* XXX - Match wacky/documented behavior. Do we need to keep this? */
2178 if (purpose_id == 0)
2179 return 1;
2180
2181 if (purpose_id < X509_PURPOSE_MIN || purpose_id > X509_PURPOSE_MAX) {
2182 X509error(X509_R_UNKNOWN_PURPOSE_ID);
2183 return 0;
2184 }
2185 idx = purpose_id - X509_PURPOSE_MIN;
2186 if ((purpose = X509_PURPOSE_get0(idx)) == NULL) {
2187 X509error(X509_R_UNKNOWN_PURPOSE_ID);
2188 return 0;
2189 }
2190
2191 /* XXX - Succeeding while ignoring purpose_id and trust is awful. */
2192 if (ctx->param->purpose == 0)
2193 ctx->param->purpose = purpose_id;
2194 if (ctx->param->trust == 0)
2195 ctx->param->trust = X509_PURPOSE_get_trust(purpose);
2196
2197 return 1;
2198}
2199LCRYPTO_ALIAS(X509_STORE_CTX_set_purpose);
2200
2201int
2202X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust_id)
2203{
2204 /* XXX - Match wacky/documented behavior. Do we need to keep this? */
2205 if (trust_id == 0)
2206 return 1;
2207
2208 if (trust_id < X509_TRUST_MIN || trust_id > X509_TRUST_MAX) {
2209 X509error(X509_R_UNKNOWN_TRUST_ID);
2210 return 0;
2211 }
2212
2213 /* XXX - Succeeding while ignoring the trust_id is awful. */
2214 if (ctx->param->trust == 0)
2215 ctx->param->trust = trust_id;
2216
2217 return 1;
2218}
2219LCRYPTO_ALIAS(X509_STORE_CTX_set_trust);
2220
2221X509_STORE_CTX *
2222X509_STORE_CTX_new(void)
2223{
2224 X509_STORE_CTX *ctx;
2225
2226 ctx = calloc(1, sizeof(X509_STORE_CTX));
2227 if (!ctx) {
2228 X509error(ERR_R_MALLOC_FAILURE);
2229 return NULL;
2230 }
2231 return ctx;
2232}
2233LCRYPTO_ALIAS(X509_STORE_CTX_new);
2234
2235void
2236X509_STORE_CTX_free(X509_STORE_CTX *ctx)
2237{
2238 if (ctx == NULL)
2239 return;
2240
2241 X509_STORE_CTX_cleanup(ctx);
2242 free(ctx);
2243}
2244LCRYPTO_ALIAS(X509_STORE_CTX_free);
2245
2246int
2247X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *leaf,
2248 STACK_OF(X509) *untrusted)
2249{
2250 int param_ret = 1;
2251
2252 /*
2253 * Make sure everything is initialized properly even in case of an
2254 * early return due to an error.
2255 *
2256 * While this 'ctx' can be reused, X509_STORE_CTX_cleanup() will have
2257 * freed everything and memset ex_data anyway. This also allows us
2258 * to safely use X509_STORE_CTX variables from the stack which will
2259 * have uninitialized data.
2260 */
2261 memset(ctx, 0, sizeof(*ctx));
2262
2263 /*
2264 * Start with this set to not valid - it will be set to valid
2265 * in X509_verify_cert.
2266 */
2267 ctx->error = X509_V_ERR_INVALID_CALL;
2268
2269 /*
2270 * Set values other than 0. Keep this in the same order as
2271 * X509_STORE_CTX except for values that may fail. All fields that
2272 * may fail should go last to make sure 'ctx' is as consistent as
2273 * possible even on early exits.
2274 */
2275 ctx->store = store;
2276 ctx->cert = leaf;
2277 ctx->untrusted = untrusted;
2278
2279 if (store && store->verify)
2280 ctx->verify = store->verify;
2281 else
2282 ctx->verify = internal_verify;
2283
2284 if (store && store->verify_cb)
2285 ctx->verify_cb = store->verify_cb;
2286 else
2287 ctx->verify_cb = null_callback;
2288
2289 ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2290 ctx->check_issued = check_issued;
2291
2292 ctx->param = X509_VERIFY_PARAM_new();
2293 if (!ctx->param) {
2294 X509error(ERR_R_MALLOC_FAILURE);
2295 return 0;
2296 }
2297
2298 /* Inherit callbacks and flags from X509_STORE if not set
2299 * use defaults.
2300 */
2301 if (store)
2302 param_ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
2303 else
2304 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
2305
2306 if (param_ret)
2307 param_ret = X509_VERIFY_PARAM_inherit(ctx->param,
2308 X509_VERIFY_PARAM_lookup("default"));
2309
2310 if (param_ret == 0) {
2311 X509error(ERR_R_MALLOC_FAILURE);
2312 return 0;
2313 }
2314
2315 if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
2316 &ctx->ex_data) == 0) {
2317 X509error(ERR_R_MALLOC_FAILURE);
2318 return 0;
2319 }
2320 return 1;
2321}
2322LCRYPTO_ALIAS(X509_STORE_CTX_init);
2323
2324/* Set alternative lookup method: just a STACK of trusted certificates.
2325 * This avoids X509_STORE nastiness where it isn't needed.
2326 */
2327
2328void
2329X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *trusted)
2330{
2331 X509_STORE_CTX_set0_trusted_stack(ctx, trusted);
2332}
2333LCRYPTO_ALIAS(X509_STORE_CTX_trusted_stack);
2334
2335void
2336X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *trusted)
2337{
2338 ctx->trusted = trusted;
2339 ctx->get_issuer = x509_vfy_get_trusted_issuer;
2340}
2341LCRYPTO_ALIAS(X509_STORE_CTX_set0_trusted_stack);
2342
2343void
2344X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2345{
2346 if (ctx->param != NULL) {
2347 if (ctx->parent == NULL)
2348 X509_VERIFY_PARAM_free(ctx->param);
2349 ctx->param = NULL;
2350 }
2351 if (ctx->chain != NULL) {
2352 sk_X509_pop_free(ctx->chain, X509_free);
2353 ctx->chain = NULL;
2354 }
2355 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &ctx->ex_data);
2356 memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
2357}
2358LCRYPTO_ALIAS(X509_STORE_CTX_cleanup);
2359
2360void
2361X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2362{
2363 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2364}
2365LCRYPTO_ALIAS(X509_STORE_CTX_set_depth);
2366
2367void
2368X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2369{
2370 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2371}
2372LCRYPTO_ALIAS(X509_STORE_CTX_set_flags);
2373
2374void
2375X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2376{
2377 X509_VERIFY_PARAM_set_time(ctx->param, t);
2378}
2379LCRYPTO_ALIAS(X509_STORE_CTX_set_time);
2380
2381int
2382(*X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx))(int, X509_STORE_CTX *)
2383{
2384 return ctx->verify_cb;
2385}
2386LCRYPTO_ALIAS(X509_STORE_CTX_get_verify_cb);
2387
2388void
2389X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2390 int (*verify_cb)(int, X509_STORE_CTX *))
2391{
2392 ctx->verify_cb = verify_cb;
2393}
2394LCRYPTO_ALIAS(X509_STORE_CTX_set_verify_cb);
2395
2396int
2397(*X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx))(X509_STORE_CTX *)
2398{
2399 return ctx->verify;
2400}
2401LCRYPTO_ALIAS(X509_STORE_CTX_get_verify);
2402
2403void
2404X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, int (*verify)(X509_STORE_CTX *))
2405{
2406 ctx->verify = verify;
2407}
2408LCRYPTO_ALIAS(X509_STORE_CTX_set_verify);
2409
2410X509_STORE_CTX_check_issued_fn
2411X509_STORE_get_check_issued(X509_STORE *store)
2412{
2413 return store->check_issued;
2414}
2415LCRYPTO_ALIAS(X509_STORE_get_check_issued);
2416
2417void
2418X509_STORE_set_check_issued(X509_STORE *store,
2419 X509_STORE_CTX_check_issued_fn check_issued)
2420{
2421 store->check_issued = check_issued;
2422}
2423LCRYPTO_ALIAS(X509_STORE_set_check_issued);
2424
2425X509_STORE_CTX_check_issued_fn
2426X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx)
2427{
2428 return ctx->check_issued;
2429}
2430LCRYPTO_ALIAS(X509_STORE_CTX_get_check_issued);
2431
2432X509 *
2433X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
2434{
2435 return ctx->cert;
2436}
2437LCRYPTO_ALIAS(X509_STORE_CTX_get0_cert);
2438
2439STACK_OF(X509) *
2440X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
2441{
2442 return ctx->untrusted;
2443}
2444LCRYPTO_ALIAS(X509_STORE_CTX_get0_untrusted);
2445
2446void
2447X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2448{
2449 ctx->untrusted = sk;
2450}
2451LCRYPTO_ALIAS(X509_STORE_CTX_set0_untrusted);
2452
2453void
2454X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2455{
2456 sk_X509_pop_free(ctx->chain, X509_free);
2457 ctx->chain = sk;
2458}
2459LCRYPTO_ALIAS(X509_STORE_CTX_set0_verified_chain);
2460
2461int
2462X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
2463{
2464 return ctx->num_untrusted;
2465}
2466LCRYPTO_ALIAS(X509_STORE_CTX_get_num_untrusted);
2467
2468int
2469X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2470{
2471 const X509_VERIFY_PARAM *param;
2472 param = X509_VERIFY_PARAM_lookup(name);
2473 if (!param)
2474 return 0;
2475 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2476}
2477LCRYPTO_ALIAS(X509_STORE_CTX_set_default);
2478
2479X509_VERIFY_PARAM *
2480X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2481{
2482 return ctx->param;
2483}
2484LCRYPTO_ALIAS(X509_STORE_CTX_get0_param);
2485
2486void
2487X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2488{
2489 if (ctx->param)
2490 X509_VERIFY_PARAM_free(ctx->param);
2491 ctx->param = param;
2492}
2493LCRYPTO_ALIAS(X509_STORE_CTX_set0_param);
2494
2495/*
2496 * Check if |bits| are adequate for |security level|.
2497 * Returns 1 if ok, 0 otherwise.
2498 */
2499static int
2500enough_bits_for_security_level(int bits, int level)
2501{
2502 /*
2503 * Sigh. OpenSSL does this silly squashing, so we will
2504 * too. Derp for Derp compatibility being important.
2505 */
2506 if (level < 0)
2507 level = 0;
2508 if (level > 5)
2509 level = 5;
2510
2511 switch (level) {
2512 case 0:
2513 return 1;
2514 case 1:
2515 return bits >= 80;
2516 case 2:
2517 return bits >= 112;
2518 case 3:
2519 return bits >= 128;
2520 case 4:
2521 return bits >= 192;
2522 case 5:
2523 return bits >= 256;
2524 default:
2525 return 0;
2526 }
2527}
2528
2529/*
2530 * Check whether the public key of |cert| meets the security level of |ctx|.
2531 *
2532 * Returns 1 on success, 0 otherwise.
2533 */
2534static int
2535check_key_level(X509_STORE_CTX *ctx, X509 *cert)
2536{
2537 EVP_PKEY *pkey;
2538 int bits;
2539
2540 /* Unsupported or malformed keys are not secure */
2541 if ((pkey = X509_get0_pubkey(cert)) == NULL)
2542 return 0;
2543
2544 if ((bits = EVP_PKEY_security_bits(pkey)) <= 0)
2545 return 0;
2546
2547 return enough_bits_for_security_level(bits, ctx->param->security_level);
2548}
2549
2550/*
2551 * Check whether the signature digest algorithm of |cert| meets the security
2552 * level of |ctx|. Do not check trust anchors (self-signed or not).
2553 *
2554 * Returns 1 on success, 0 otherwise.
2555 */
2556static int
2557check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
2558{
2559 int bits;
2560
2561 if (!X509_get_signature_info(cert, NULL, NULL, &bits, NULL))
2562 return 0;
2563
2564 return enough_bits_for_security_level(bits, ctx->param->security_level);
2565}
2566
2567int
2568x509_vfy_check_security_level(X509_STORE_CTX *ctx)
2569{
2570 int num = sk_X509_num(ctx->chain);
2571 int i;
2572
2573 if (ctx->param->security_level <= 0)
2574 return 1;
2575
2576 for (i = 0; i < num; i++) {
2577 X509 *cert = sk_X509_value(ctx->chain, i);
2578
2579 /*
2580 * We've already checked the security of the leaf key, so here
2581 * we only check the security of issuer keys.
2582 */
2583 if (i > 0) {
2584 if (!check_key_level(ctx, cert) &&
2585 !verify_cb_cert(ctx, cert, i,
2586 X509_V_ERR_CA_KEY_TOO_SMALL))
2587 return 0;
2588 }
2589
2590 /*
2591 * We also check the signature algorithm security of all certs
2592 * except those of the trust anchor at index num - 1.
2593 */
2594 if (i == num - 1)
2595 break;
2596
2597 if (!check_sig_level(ctx, cert) &&
2598 !verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK))
2599 return 0;
2600 }
2601 return 1;
2602}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-06 22:31:02 +0000