1 files changed, 0 insertions, 639 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
deleted file mode 100644
index c72ee4a385..0000000000
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ /dev/null
@@ -1,639 +0,0 @@
-/* crypto/x509/x509_vfy.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <time.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <openssl/crypto.h>
-#include "cryptlib.h"
-#include <openssl/lhash.h>
-#include <openssl/buffer.h>
-#include <openssl/evp.h>
-#include <openssl/asn1.h>
-#include <openssl/x509.h>
-#include <openssl/objects.h>
-static int null_callback(int ok,X509_STORE_CTX *e);
-static int internal_verify(X509_STORE_CTX *ctx);
-const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
-static STACK *x509_store_ctx_method=NULL;
-static int x509_store_ctx_num=0;
-#if 0
-static int x509_store_num=1;
-static STACK *x509_store_method=NULL;
-#endif
-static int null_callback(int ok, X509_STORE_CTX *e)
-        {
-        return(ok);
-        }
-#if 0
-static int x509_subject_cmp(X509 **a, X509 **b)
-        {
-        return(X509_subject_name_cmp(*a,*b));
-        }
-#endif
-int X509_verify_cert(X509_STORE_CTX *ctx)
-        {
-        X509 *x,*xtmp,*chain_ss=NULL;
-        X509_NAME *xn;
-        X509_OBJECT obj;
-        int depth,i,ok=0;
-        int num;
-        int (*cb)();
-        STACK_OF(X509) *sktmp=NULL;
-        if (ctx->cert == NULL)
-                {
-                X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
-                return(-1);
-                }
-        cb=ctx->ctx->verify_cb;
-        if (cb == NULL) cb=null_callback;
-        /* first we make sure the chain we are going to build is
-         * present and that the first entry is in place */
-        if (ctx->chain == NULL)
-                {
-                if (    ((ctx->chain=sk_X509_new_null()) == NULL) ||
-                        (!sk_X509_push(ctx->chain,ctx->cert)))
-                        {
-                        X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
-                        goto end;
-                        }
-                CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
-                ctx->last_untrusted=1;
-                }
-        /* We use a temporary so we can chop and hack at it */
-        if (ctx->untrusted != NULL
-            && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
-                {
-                X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
-                goto end;
-                }
-        num=sk_X509_num(ctx->chain);
-        x=sk_X509_value(ctx->chain,num-1);
-        depth=ctx->depth;
-        for (;;)
-                {
-                /* If we have enough, we break */
-                if (depth < num) break; /* FIXME: If this happens, we should take
-                                         * note of it and, if appropriate, use the
-                                         * X509_V_ERR_CERT_CHAIN_TOO_LONG error
-                                         * code later.
-                                         */
-                /* If we are self signed, we break */
-                xn=X509_get_issuer_name(x);
-                if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
-                        break;
-                /* If we were passed a cert chain, use it first */
-                if (ctx->untrusted != NULL)
-                        {
-                        xtmp=X509_find_by_subject(sktmp,xn);
-                        if (xtmp != NULL)
-                                {
-                                if (!sk_X509_push(ctx->chain,xtmp))
-                                        {
-                                        X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
-                                        goto end;
-                                        }
-                                CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
-                                sk_X509_delete_ptr(sktmp,xtmp);
-                                ctx->last_untrusted++;
-                                x=xtmp;
-                                num++;
-                                /* reparse the full chain for
-                                 * the next one */
-                                continue;
-                                }
-                        }
-                break;
-                }
-        /* at this point, chain should contain a list of untrusted
-         * certificates.  We now need to add at least one trusted one,
-         * if possible, otherwise we complain. */
-        i=sk_X509_num(ctx->chain);
-        x=sk_X509_value(ctx->chain,i-1);
-        if (X509_NAME_cmp(X509_get_subject_name(x),X509_get_issuer_name(x))
-                == 0)
-                {
-                /* we have a self signed certificate */
-                if (sk_X509_num(ctx->chain) == 1)
-                        {
-                        ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
-                        ctx->current_cert=x;
-                        ctx->error_depth=i-1;
-                        ok=cb(0,ctx);
-                        if (!ok) goto end;
-                        }
-                else
-                        {
-                        /* worry more about this one elsewhere */
-                        chain_ss=sk_X509_pop(ctx->chain);
-                        ctx->last_untrusted--;
-                        num--;
-                        x=sk_X509_value(ctx->chain,num-1);
-                        }
-                }
-        /* We now lookup certs from the certificate store */
-        for (;;)
-                {
-                /* If we have enough, we break */
-                if (depth < num) break;
-                /* If we are self signed, we break */
-                xn=X509_get_issuer_name(x);
-                if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
-                        break;
-                ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
-                if (ok != X509_LU_X509)
-                        {
-                        if (ok == X509_LU_RETRY)
-                                {
-                                X509_OBJECT_free_contents(&obj);
-                                X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
-                                return(ok);
-                                }
-                        else if (ok != X509_LU_FAIL)
-                                {
-                                X509_OBJECT_free_contents(&obj);
-                                /* not good :-(, break anyway */
-                                return(ok);
-                                }
-                        break;
-                        }
-                x=obj.data.x509;
-                if (!sk_X509_push(ctx->chain,obj.data.x509))
-                        {
-                        X509_OBJECT_free_contents(&obj);
-                        X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
-                        return(0);
-                        }
-                num++;
-                }
-        /* we now have our chain, lets check it... */
-        xn=X509_get_issuer_name(x);
-        if (X509_NAME_cmp(X509_get_subject_name(x),xn) != 0)
-                {
-                if ((chain_ss == NULL) || (X509_NAME_cmp(X509_get_subject_name(chain_ss),xn) != 0))
-                        {
-                        if (ctx->last_untrusted >= num)
-                                ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
-                        else
-                                ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
-                        ctx->current_cert=x;
-                        }
-                else
-                        {
-                        sk_X509_push(ctx->chain,chain_ss);
-                        num++;
-                        ctx->last_untrusted=num;
-                        ctx->current_cert=chain_ss;
-                        ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
-                        chain_ss=NULL;
-                        }
-                ctx->error_depth=num-1;
-                ok=cb(0,ctx);
-                if (!ok) goto end;
-                }
-        /* We may as well copy down any DSA parameters that are required */
-        X509_get_pubkey_parameters(NULL,ctx->chain);
-        /* At this point, we have a chain and just need to verify it */
-        if (ctx->ctx->verify != NULL)
-                ok=ctx->ctx->verify(ctx);
-        else
-                ok=internal_verify(ctx);
-        if (0)
-                {
-end:
-                X509_get_pubkey_parameters(NULL,ctx->chain);
-                }
-        if (sktmp != NULL) sk_X509_free(sktmp);
-        if (chain_ss != NULL) X509_free(chain_ss);
-        return(ok);
-        }
-static int internal_verify(X509_STORE_CTX *ctx)
-        {
-        int i,ok=0,n;
-        X509 *xs,*xi;
-        EVP_PKEY *pkey=NULL;
-        int (*cb)();
-        cb=ctx->ctx->verify_cb;
-        if (cb == NULL) cb=null_callback;
-        n=sk_X509_num(ctx->chain);
-        ctx->error_depth=n-1;
-        n--;
-        xi=sk_X509_value(ctx->chain,n);
-        if (X509_NAME_cmp(X509_get_subject_name(xi),
-                X509_get_issuer_name(xi)) == 0)
-                xs=xi;
-        else
-                {
-                if (n <= 0)
-                        {
-                        ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
-                        ctx->current_cert=xi;
-                        ok=cb(0,ctx);
-                        goto end;
-                        }
-                else
-                        {
-                        n--;
-                        ctx->error_depth=n;
-                        xs=sk_X509_value(ctx->chain,n);
-                        }
-                }
-/*      ctx->error=0;  not needed */
-        while (n >= 0)
-                {
-                ctx->error_depth=n;
-                if (!xs->valid)
-                        {
-                        if ((pkey=X509_get_pubkey(xi)) == NULL)
-                                {
-                                ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
-                                ctx->current_cert=xi;
-                                ok=(*cb)(0,ctx);
-                                if (!ok) goto end;
-                                }
-                        if (X509_verify(xs,pkey) <= 0)
-                                {
-                                EVP_PKEY_free(pkey);
-                                ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
-                                ctx->current_cert=xs;
-                                ok=(*cb)(0,ctx);
-                                if (!ok) goto end;
-                                }
-                        EVP_PKEY_free(pkey);
-                        pkey=NULL;
-                        i=X509_cmp_current_time(X509_get_notBefore(xs));
-                        if (i == 0)
-                                {
-                                ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
-                                ctx->current_cert=xs;
-                                ok=(*cb)(0,ctx);
-                                if (!ok) goto end;
-                                }
-                        if (i > 0)
-                                {
-                                ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
-                                ctx->current_cert=xs;
-                                ok=(*cb)(0,ctx);
-                                if (!ok) goto end;
-                                }
-                        xs->valid=1;
-                        }
-                i=X509_cmp_current_time(X509_get_notAfter(xs));
-                if (i == 0)
-                        {
-                        ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
-                        ctx->current_cert=xs;
-                        ok=(*cb)(0,ctx);
-                        if (!ok) goto end;
-                        }
-                if (i < 0)
-                        {
-                        ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
-                        ctx->current_cert=xs;
-                        ok=(*cb)(0,ctx);
-                        if (!ok) goto end;
-                        }
-                /* CRL CHECK */
-                /* The last error (if any) is still in the error value */
-                ctx->current_cert=xs;
-                ok=(*cb)(1,ctx);
-                if (!ok) goto end;
-                n--;
-                if (n >= 0)
-                        {
-                        xi=xs;
-                        xs=sk_X509_value(ctx->chain,n);
-                        }
-                }
-        ok=1;
-end:
-        return(ok);
-        }
-int X509_cmp_current_time(ASN1_UTCTIME *ctm)
-        {
-        char *str;
-        ASN1_UTCTIME atm;
-        time_t offset;
-        char buff1[24],buff2[24],*p;
-        int i,j;
-        p=buff1;
-        i=ctm->length;
-        str=(char *)ctm->data;
-        if ((i < 11) || (i > 17)) return(0);
-        memcpy(p,str,10);
-        p+=10;
-        str+=10;
-        if ((*str == 'Z') || (*str == '-') || (*str == '+'))
-                { *(p++)='0'; *(p++)='0'; }
-        else    { *(p++)= *(str++); *(p++)= *(str++); }
-        *(p++)='Z';
-        *(p++)='\0';
-        if (*str == 'Z')
-                offset=0;
-        else
-                {
-                if ((*str != '+') && (str[5] != '-'))
-                        return(0);
-                offset=((str[1]-'0')*10+(str[2]-'0'))*60;
-                offset+=(str[3]-'0')*10+(str[4]-'0');
-                if (*str == '-')
-                        offset= -offset;
-                }
-        atm.type=V_ASN1_UTCTIME;
-        atm.length=sizeof(buff2);
-        atm.data=(unsigned char *)buff2;
-        X509_gmtime_adj(&atm,-offset);
-        i=(buff1[0]-'0')*10+(buff1[1]-'0');
-        if (i < 50) i+=100; /* cf. RFC 2459 */
-        j=(buff2[0]-'0')*10+(buff2[1]-'0');
-        if (j < 50) j+=100;
-        if (i < j) return (-1);
-        if (i > j) return (1);
-        i=strcmp(buff1,buff2);
-        if (i == 0) /* wait a second then return younger :-) */
-                return(-1);
-        else
-                return(i);
-        }
-ASN1_UTCTIME *X509_gmtime_adj(ASN1_UTCTIME *s, long adj)
-        {
-        time_t t;
-        time(&t);
-        t+=adj;
-        return(ASN1_UTCTIME_set(s,t));
-        }
-int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
-        {
-        EVP_PKEY *ktmp=NULL,*ktmp2;
-        int i,j;
-        if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return(1);
-        for (i=0; i<sk_X509_num(chain); i++)
-                {
-                ktmp=X509_get_pubkey(sk_X509_value(chain,i));
-                if (ktmp == NULL)
-                        {
-                        X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
-                        return(0);
-                        }
-                if (!EVP_PKEY_missing_parameters(ktmp))
-                        break;
-                else
-                        {
-                        EVP_PKEY_free(ktmp);
-                        ktmp=NULL;
-                        }
-                }
-        if (ktmp == NULL)
-                {
-                X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
-                return(0);
-                }
-        /* first, populate the other certs */
-        for (j=i-1; j >= 0; j--)
-                {
-                ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
-                EVP_PKEY_copy_parameters(ktmp2,ktmp);
-                EVP_PKEY_free(ktmp2);
-                }
-        
-        if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
-        EVP_PKEY_free(ktmp);
-        return(1);
-        }
-int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
-        {
-        X509_OBJECT *obj,*r;
-        int ret=1;
-        if (x == NULL) return(0);
-        obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
-        if (obj == NULL)
-                {
-                X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        obj->type=X509_LU_X509;
-        obj->data.x509=x;
-        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-        X509_OBJECT_up_ref_count(obj);
-        r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
-        if (r != NULL)
-                { /* oops, put it back */
-                lh_delete(ctx->certs,(char *)obj);
-                X509_OBJECT_free_contents(obj);
-                Free(obj);
-                lh_insert(ctx->certs,(char *)r);
-                X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
-                ret=0;
-                }
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-        return(ret);    
-        }
-int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
-        {
-        X509_OBJECT *obj,*r;
-        int ret=1;
-        if (x == NULL) return(0);
-        obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
-        if (obj == NULL)
-                {
-                X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        obj->type=X509_LU_CRL;
-        obj->data.crl=x;
-        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-        X509_OBJECT_up_ref_count(obj);
-        r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
-        if (r != NULL)
-                { /* oops, put it back */
-                lh_delete(ctx->certs,(char *)obj);
-                X509_OBJECT_free_contents(obj);
-                Free(obj);
-                lh_insert(ctx->certs,(char *)r);
-                X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
-                ret=0;
-                }
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-        return(ret);    
-        }
-int X509_STORE_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-             int (*dup_func)(), void (*free_func)())
-        {
-        x509_store_ctx_num++;
-        return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
-                &x509_store_ctx_method,
-                argl,argp,new_func,dup_func,free_func));
-        }
-int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
-        {
-        return(CRYPTO_set_ex_data(&ctx->ex_data,idx,data));
-        }
-void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
-        {
-        return(CRYPTO_get_ex_data(&ctx->ex_data,idx));
-        }
-int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
-        {
-        return(ctx->error);
-        }
-void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
-        {
-        ctx->error=err;
-        }
-int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
-        {
-        return(ctx->error_depth);
-        }
-X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
-        {
-        return(ctx->current_cert);
-        }
-STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
-        {
-        return(ctx->chain);
-        }
-void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
-        {
-        ctx->cert=x;
-        }
-void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
-        {
-        ctx->untrusted=sk;
-        }
-IMPLEMENT_STACK_OF(X509)
-IMPLEMENT_ASN1_SET_OF(X509)
-IMPLEMENT_STACK_OF(X509_NAME)
-IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
-IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)

diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c deleted file mode 100644 index c72ee4a385..0000000000 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ /dev/null
@@ -1,639 +0,0 @@
1	/* crypto/x509/x509_vfy.c */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.
4	*
5	* This package is an SSL implementation written
6	* by Eric Young (eay@cryptsoft.com).
7	* The implementation was written so as to conform with Netscapes SSL.
8	*
9	* This library is free for commercial and non-commercial use as long as
10	* the following conditions are aheared to. The following conditions
11	* apply to all code found in this distribution, be it the RC4, RSA,
12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13	* included with this distribution is covered by the same copyright terms
14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
15	*
16	* Copyright remains Eric Young's, and as such any Copyright notices in
17	* the code are not to be removed.
18	* If this package is used in a product, Eric Young should be given attribution
19	* as the author of the parts of the library used.
20	* This can be in the form of a textual message at program startup or
21	* in documentation (online or textual) provided with the package.
22	*
23	* Redistribution and use in source and binary forms, with or without
24	* modification, are permitted provided that the following conditions
25	* are met:
26	* 1. Redistributions of source code must retain the copyright
27	* notice, this list of conditions and the following disclaimer.
28	* 2. Redistributions in binary form must reproduce the above copyright
29	* notice, this list of conditions and the following disclaimer in the
30	* documentation and/or other materials provided with the distribution.
31	* 3. All advertising materials mentioning features or use of this software
32	* must display the following acknowledgement:
33	* "This product includes cryptographic software written by
34	* Eric Young (eay@cryptsoft.com)"
35	* The word 'cryptographic' can be left out if the rouines from the library
36	* being used are not cryptographic related :-).
37	* 4. If you include any Windows specific code (or a derivative thereof) from
38	* the apps directory (application code) you must include an acknowledgement:
39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40	*
41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51	* SUCH DAMAGE.
52	*
53	* The licence and distribution terms for any publically available version or
54	* derivative of this code cannot be changed. i.e. this code cannot simply be
55	* copied and put under another distribution licence
56	* [including the GNU Public Licence.]
57	*/
58
59	#include <stdio.h>
60	#include <time.h>
61	#include <errno.h>
62	#include <sys/types.h>
63	#include <sys/stat.h>
64
65	#include <openssl/crypto.h>
66	#include "cryptlib.h"
67	#include <openssl/lhash.h>
68	#include <openssl/buffer.h>
69	#include <openssl/evp.h>
70	#include <openssl/asn1.h>
71	#include <openssl/x509.h>
72	#include <openssl/objects.h>
73
74	static int null_callback(int ok,X509_STORE_CTX *e);
75	static int internal_verify(X509_STORE_CTX *ctx);
76	const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
77
78	static STACK *x509_store_ctx_method=NULL;
79	static int x509_store_ctx_num=0;
80	#if 0
81	static int x509_store_num=1;
82	static STACK *x509_store_method=NULL;
83	#endif
84
85	static int null_callback(int ok, X509_STORE_CTX *e)
86	{
87	return(ok);
88	}
89
90	#if 0
91	static int x509_subject_cmp(X509 a, X509 b)
92	{
93	return(X509_subject_name_cmp(a,b));
94	}
95	#endif
96
97	int X509_verify_cert(X509_STORE_CTX *ctx)
98	{
99	X509 x,xtmp,*chain_ss=NULL;
100	X509_NAME *xn;
101	X509_OBJECT obj;
102	int depth,i,ok=0;
103	int num;
104	int (*cb)();
105	STACK_OF(X509) *sktmp=NULL;
106
107	if (ctx->cert == NULL)
108	{
109	X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
110	return(-1);
111	}
112
113	cb=ctx->ctx->verify_cb;
114	if (cb == NULL) cb=null_callback;
115
116	/* first we make sure the chain we are going to build is
117	* present and that the first entry is in place */
118	if (ctx->chain == NULL)
119	{
120	if ( ((ctx->chain=sk_X509_new_null()) == NULL) \|\|
121	(!sk_X509_push(ctx->chain,ctx->cert)))
122	{
123	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
124	goto end;
125	}
126	CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
127	ctx->last_untrusted=1;
128	}
129
130	/* We use a temporary so we can chop and hack at it */
131	if (ctx->untrusted != NULL
132	&& (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
133	{
134	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
135	goto end;
136	}
137
138	num=sk_X509_num(ctx->chain);
139	x=sk_X509_value(ctx->chain,num-1);
140	depth=ctx->depth;
141
142
143	for (;;)
144	{
145	/* If we have enough, we break */
146	if (depth < num) break; /* FIXME: If this happens, we should take
147	* note of it and, if appropriate, use the
148	* X509_V_ERR_CERT_CHAIN_TOO_LONG error
149	* code later.
150	*/
151
152	/* If we are self signed, we break */
153	xn=X509_get_issuer_name(x);
154	if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
155	break;
156
157	/* If we were passed a cert chain, use it first */
158	if (ctx->untrusted != NULL)
159	{
160	xtmp=X509_find_by_subject(sktmp,xn);
161	if (xtmp != NULL)
162	{
163	if (!sk_X509_push(ctx->chain,xtmp))
164	{
165	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
166	goto end;
167	}
168	CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
169	sk_X509_delete_ptr(sktmp,xtmp);
170	ctx->last_untrusted++;
171	x=xtmp;
172	num++;
173	/* reparse the full chain for
174	* the next one */
175	continue;
176	}
177	}
178	break;
179	}
180
181	/* at this point, chain should contain a list of untrusted
182	* certificates. We now need to add at least one trusted one,
183	* if possible, otherwise we complain. */
184
185	i=sk_X509_num(ctx->chain);
186	x=sk_X509_value(ctx->chain,i-1);
187	if (X509_NAME_cmp(X509_get_subject_name(x),X509_get_issuer_name(x))
188	== 0)
189	{
190	/* we have a self signed certificate */
191	if (sk_X509_num(ctx->chain) == 1)
192	{
193	ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
194	ctx->current_cert=x;
195	ctx->error_depth=i-1;
196	ok=cb(0,ctx);
197	if (!ok) goto end;
198	}
199	else
200	{
201	/* worry more about this one elsewhere */
202	chain_ss=sk_X509_pop(ctx->chain);
203	ctx->last_untrusted--;
204	num--;
205	x=sk_X509_value(ctx->chain,num-1);
206	}
207	}
208
209	/* We now lookup certs from the certificate store */
210	for (;;)
211	{
212	/* If we have enough, we break */
213	if (depth < num) break;
214
215	/* If we are self signed, we break */
216	xn=X509_get_issuer_name(x);
217	if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
218	break;
219
220	ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
221	if (ok != X509_LU_X509)
222	{
223	if (ok == X509_LU_RETRY)
224	{
225	X509_OBJECT_free_contents(&obj);
226	X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
227	return(ok);
228	}
229	else if (ok != X509_LU_FAIL)
230	{
231	X509_OBJECT_free_contents(&obj);
232	/* not good :-(, break anyway */
233	return(ok);
234	}
235	break;
236	}
237	x=obj.data.x509;
238	if (!sk_X509_push(ctx->chain,obj.data.x509))
239	{
240	X509_OBJECT_free_contents(&obj);
241	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
242	return(0);
243	}
244	num++;
245	}
246
247	/* we now have our chain, lets check it... */
248	xn=X509_get_issuer_name(x);
249	if (X509_NAME_cmp(X509_get_subject_name(x),xn) != 0)
250	{
251	if ((chain_ss == NULL) \|\| (X509_NAME_cmp(X509_get_subject_name(chain_ss),xn) != 0))
252	{
253	if (ctx->last_untrusted >= num)
254	ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
255	else
256	ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
257	ctx->current_cert=x;
258	}
259	else
260	{
261
262	sk_X509_push(ctx->chain,chain_ss);
263	num++;
264	ctx->last_untrusted=num;
265	ctx->current_cert=chain_ss;
266	ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
267	chain_ss=NULL;
268	}
269
270	ctx->error_depth=num-1;
271	ok=cb(0,ctx);
272	if (!ok) goto end;
273	}
274
275	/* We may as well copy down any DSA parameters that are required */
276	X509_get_pubkey_parameters(NULL,ctx->chain);
277
278	/* At this point, we have a chain and just need to verify it */
279	if (ctx->ctx->verify != NULL)
280	ok=ctx->ctx->verify(ctx);
281	else
282	ok=internal_verify(ctx);
283	if (0)
284	{
285	end:
286	X509_get_pubkey_parameters(NULL,ctx->chain);
287	}
288	if (sktmp != NULL) sk_X509_free(sktmp);
289	if (chain_ss != NULL) X509_free(chain_ss);
290	return(ok);
291	}
292
293	static int internal_verify(X509_STORE_CTX *ctx)
294	{
295	int i,ok=0,n;
296	X509 xs,xi;
297	EVP_PKEY *pkey=NULL;
298	int (*cb)();
299
300	cb=ctx->ctx->verify_cb;
301	if (cb == NULL) cb=null_callback;
302
303	n=sk_X509_num(ctx->chain);
304	ctx->error_depth=n-1;
305	n--;
306	xi=sk_X509_value(ctx->chain,n);
307	if (X509_NAME_cmp(X509_get_subject_name(xi),
308	X509_get_issuer_name(xi)) == 0)
309	xs=xi;
310	else
311	{
312	if (n <= 0)
313	{
314	ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
315	ctx->current_cert=xi;
316	ok=cb(0,ctx);
317	goto end;
318	}
319	else
320	{
321	n--;
322	ctx->error_depth=n;
323	xs=sk_X509_value(ctx->chain,n);
324	}
325	}
326
327	/* ctx->error=0; not needed */
328	while (n >= 0)
329	{
330	ctx->error_depth=n;
331	if (!xs->valid)
332	{
333	if ((pkey=X509_get_pubkey(xi)) == NULL)
334	{
335	ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
336	ctx->current_cert=xi;
337	ok=(*cb)(0,ctx);
338	if (!ok) goto end;
339	}
340	if (X509_verify(xs,pkey) <= 0)
341	{
342	EVP_PKEY_free(pkey);
343	ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
344	ctx->current_cert=xs;
345	ok=(*cb)(0,ctx);
346	if (!ok) goto end;
347	}
348	EVP_PKEY_free(pkey);
349	pkey=NULL;
350
351	i=X509_cmp_current_time(X509_get_notBefore(xs));
352	if (i == 0)
353	{
354	ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
355	ctx->current_cert=xs;
356	ok=(*cb)(0,ctx);
357	if (!ok) goto end;
358	}
359	if (i > 0)
360	{
361	ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
362	ctx->current_cert=xs;
363	ok=(*cb)(0,ctx);
364	if (!ok) goto end;
365	}
366	xs->valid=1;
367	}
368
369	i=X509_cmp_current_time(X509_get_notAfter(xs));
370	if (i == 0)
371	{
372	ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
373	ctx->current_cert=xs;
374	ok=(*cb)(0,ctx);
375	if (!ok) goto end;
376	}
377
378	if (i < 0)
379	{
380	ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
381	ctx->current_cert=xs;
382	ok=(*cb)(0,ctx);
383	if (!ok) goto end;
384	}
385
386	/* CRL CHECK */
387
388	/* The last error (if any) is still in the error value */
389	ctx->current_cert=xs;
390	ok=(*cb)(1,ctx);
391	if (!ok) goto end;
392
393	n--;
394	if (n >= 0)
395	{
396	xi=xs;
397	xs=sk_X509_value(ctx->chain,n);
398	}
399	}
400	ok=1;
401	end:
402	return(ok);
403	}
404
405	int X509_cmp_current_time(ASN1_UTCTIME *ctm)
406	{
407	char *str;
408	ASN1_UTCTIME atm;
409	time_t offset;
410	char buff1[24],buff2[24],*p;
411	int i,j;
412
413	p=buff1;
414	i=ctm->length;
415	str=(char *)ctm->data;
416	if ((i < 11) \|\| (i > 17)) return(0);
417	memcpy(p,str,10);
418	p+=10;
419	str+=10;
420
421	if ((str == 'Z') \|\| (str == '-') \|\| (*str == '+'))
422	{ (p++)='0'; (p++)='0'; }
423	else { (p++)= (str++); (p++)= (str++); }
424	*(p++)='Z';
425	*(p++)='\0';
426
427	if (*str == 'Z')
428	offset=0;
429	else
430	{
431	if ((*str != '+') && (str[5] != '-'))
432	return(0);
433	offset=((str[1]-'0')10+(str[2]-'0'))60;
434	offset+=(str[3]-'0')*10+(str[4]-'0');
435	if (*str == '-')
436	offset= -offset;
437	}
438	atm.type=V_ASN1_UTCTIME;
439	atm.length=sizeof(buff2);
440	atm.data=(unsigned char *)buff2;
441
442	X509_gmtime_adj(&atm,-offset);
443
444	i=(buff1[0]-'0')*10+(buff1[1]-'0');
445	if (i < 50) i+=100; /* cf. RFC 2459 */
446	j=(buff2[0]-'0')*10+(buff2[1]-'0');
447	if (j < 50) j+=100;
448
449	if (i < j) return (-1);
450	if (i > j) return (1);
451	i=strcmp(buff1,buff2);
452	if (i == 0) /* wait a second then return younger :-) */
453	return(-1);
454	else
455	return(i);
456	}
457
458	ASN1_UTCTIME X509_gmtime_adj(ASN1_UTCTIME s, long adj)
459	{
460	time_t t;
461
462	time(&t);
463	t+=adj;
464	return(ASN1_UTCTIME_set(s,t));
465	}
466
467	int X509_get_pubkey_parameters(EVP_PKEY pkey, STACK_OF(X509) chain)
468	{
469	EVP_PKEY ktmp=NULL,ktmp2;
470	int i,j;
471
472	if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return(1);
473
474	for (i=0; i<sk_X509_num(chain); i++)
475	{
476	ktmp=X509_get_pubkey(sk_X509_value(chain,i));
477	if (ktmp == NULL)
478	{
479	X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
480	return(0);
481	}
482	if (!EVP_PKEY_missing_parameters(ktmp))
483	break;
484	else
485	{
486	EVP_PKEY_free(ktmp);
487	ktmp=NULL;
488	}
489	}
490	if (ktmp == NULL)
491	{
492	X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
493	return(0);
494	}
495
496	/* first, populate the other certs */
497	for (j=i-1; j >= 0; j--)
498	{
499	ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
500	EVP_PKEY_copy_parameters(ktmp2,ktmp);
501	EVP_PKEY_free(ktmp2);
502	}
503
504	if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
505	EVP_PKEY_free(ktmp);
506	return(1);
507	}
508
509	int X509_STORE_add_cert(X509_STORE ctx, X509 x)
510	{
511	X509_OBJECT obj,r;
512	int ret=1;
513
514	if (x == NULL) return(0);
515	obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
516	if (obj == NULL)
517	{
518	X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
519	return(0);
520	}
521	obj->type=X509_LU_X509;
522	obj->data.x509=x;
523
524	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
525
526	X509_OBJECT_up_ref_count(obj);
527
528	r=(X509_OBJECT )lh_insert(ctx->certs,(char )obj);
529	if (r != NULL)
530	{ /* oops, put it back */
531	lh_delete(ctx->certs,(char *)obj);
532	X509_OBJECT_free_contents(obj);
533	Free(obj);
534	lh_insert(ctx->certs,(char *)r);
535	X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
536	ret=0;
537	}
538
539	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
540
541	return(ret);
542	}
543
544	int X509_STORE_add_crl(X509_STORE ctx, X509_CRL x)
545	{
546	X509_OBJECT obj,r;
547	int ret=1;
548
549	if (x == NULL) return(0);
550	obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
551	if (obj == NULL)
552	{
553	X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
554	return(0);
555	}
556	obj->type=X509_LU_CRL;
557	obj->data.crl=x;
558
559	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
560
561	X509_OBJECT_up_ref_count(obj);
562
563	r=(X509_OBJECT )lh_insert(ctx->certs,(char )obj);
564	if (r != NULL)
565	{ /* oops, put it back */
566	lh_delete(ctx->certs,(char *)obj);
567	X509_OBJECT_free_contents(obj);
568	Free(obj);
569	lh_insert(ctx->certs,(char *)r);
570	X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
571	ret=0;
572	}
573
574	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
575
576	return(ret);
577	}
578
579	int X509_STORE_CTX_get_ex_new_index(long argl, char argp, int (new_func)(),
580	int (dup_func)(), void (free_func)())
581	{
582	x509_store_ctx_num++;
583	return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
584	&x509_store_ctx_method,
585	argl,argp,new_func,dup_func,free_func));
586	}
587
588	int X509_STORE_CTX_set_ex_data(X509_STORE_CTX ctx, int idx, void data)
589	{
590	return(CRYPTO_set_ex_data(&ctx->ex_data,idx,data));
591	}
592
593	void X509_STORE_CTX_get_ex_data(X509_STORE_CTX ctx, int idx)
594	{
595	return(CRYPTO_get_ex_data(&ctx->ex_data,idx));
596	}
597
598	int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
599	{
600	return(ctx->error);
601	}
602
603	void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
604	{
605	ctx->error=err;
606	}
607
608	int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
609	{
610	return(ctx->error_depth);
611	}
612
613	X509 X509_STORE_CTX_get_current_cert(X509_STORE_CTX ctx)
614	{
615	return(ctx->current_cert);
616	}
617
618	STACK_OF(X509) X509_STORE_CTX_get_chain(X509_STORE_CTX ctx)
619	{
620	return(ctx->chain);
621	}
622
623	void X509_STORE_CTX_set_cert(X509_STORE_CTX ctx, X509 x)
624	{
625	ctx->cert=x;
626	}
627
628	void X509_STORE_CTX_set_chain(X509_STORE_CTX ctx, STACK_OF(X509) sk)
629	{
630	ctx->untrusted=sk;
631	}
632
633	IMPLEMENT_STACK_OF(X509)
634	IMPLEMENT_ASN1_SET_OF(X509)
635
636	IMPLEMENT_STACK_OF(X509_NAME)
637
638	IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
639	IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)