summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_vfy.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/x509/x509_vfy.c')
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c910
1 files changed, 372 insertions, 538 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 077bfd8f2d..6e9dd7cc6a 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -139,19 +139,19 @@ const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139 139
140 140
141static int null_callback(int ok, X509_STORE_CTX *e) 141static int null_callback(int ok, X509_STORE_CTX *e)
142 { 142{
143 return ok; 143 return ok;
144 } 144}
145 145
146#if 0 146#if 0
147static int x509_subject_cmp(X509 **a, X509 **b) 147static int x509_subject_cmp(X509 **a, X509 **b)
148 { 148{
149 return X509_subject_name_cmp(*a,*b); 149 return X509_subject_name_cmp(*a,*b);
150 } 150}
151#endif 151#endif
152 152
153int X509_verify_cert(X509_STORE_CTX *ctx) 153int X509_verify_cert(X509_STORE_CTX *ctx)
154 { 154{
155 X509 *x,*xtmp,*chain_ss=NULL; 155 X509 *x,*xtmp,*chain_ss=NULL;
156 int bad_chain = 0; 156 int bad_chain = 0;
157 X509_VERIFY_PARAM *param = ctx->param; 157 X509_VERIFY_PARAM *param = ctx->param;
@@ -159,43 +159,38 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
159 int num; 159 int num;
160 int (*cb)(int xok,X509_STORE_CTX *xctx); 160 int (*cb)(int xok,X509_STORE_CTX *xctx);
161 STACK_OF(X509) *sktmp=NULL; 161 STACK_OF(X509) *sktmp=NULL;
162 if (ctx->cert == NULL) 162 if (ctx->cert == NULL) {
163 {
164 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); 163 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
165 return -1; 164 return -1;
166 } 165 }
167 166
168 cb=ctx->verify_cb; 167 cb=ctx->verify_cb;
169 168
170 /* first we make sure the chain we are going to build is 169 /* first we make sure the chain we are going to build is
171 * present and that the first entry is in place */ 170 * present and that the first entry is in place */
172 if (ctx->chain == NULL) 171 if (ctx->chain == NULL) {
173 {
174 if ( ((ctx->chain=sk_X509_new_null()) == NULL) || 172 if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
175 (!sk_X509_push(ctx->chain,ctx->cert))) 173 (!sk_X509_push(ctx->chain,ctx->cert))) {
176 {
177 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 174 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
178 goto end; 175 goto end;
179 } 176 }
180 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); 177 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
181 ctx->last_untrusted=1; 178 ctx->last_untrusted=1;
182 } 179 }
183 180
184 /* We use a temporary STACK so we can chop and hack at it */ 181 /* We use a temporary STACK so we can chop and hack at it */
185 if (ctx->untrusted != NULL 182 if (ctx->untrusted != NULL
186 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) 183 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) {
187 {
188 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 184 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
189 goto end; 185 goto end;
190 } 186 }
191 187
192 num=sk_X509_num(ctx->chain); 188 num=sk_X509_num(ctx->chain);
193 x=sk_X509_value(ctx->chain,num-1); 189 x=sk_X509_value(ctx->chain,num-1);
194 depth=param->depth; 190 depth=param->depth;
195 191
196 192
197 for (;;) 193 for (;;) {
198 {
199 /* If we have enough, we break */ 194 /* If we have enough, we break */
200 if (depth < num) break; /* FIXME: If this happens, we should take 195 if (depth < num) break; /* FIXME: If this happens, we should take
201 * note of it and, if appropriate, use the 196 * note of it and, if appropriate, use the
@@ -207,16 +202,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
207 if (ctx->check_issued(ctx, x,x)) break; 202 if (ctx->check_issued(ctx, x,x)) break;
208 203
209 /* If we were passed a cert chain, use it first */ 204 /* If we were passed a cert chain, use it first */
210 if (ctx->untrusted != NULL) 205 if (ctx->untrusted != NULL) {
211 {
212 xtmp=find_issuer(ctx, sktmp,x); 206 xtmp=find_issuer(ctx, sktmp,x);
213 if (xtmp != NULL) 207 if (xtmp != NULL) {
214 { 208 if (!sk_X509_push(ctx->chain,xtmp)) {
215 if (!sk_X509_push(ctx->chain,xtmp))
216 {
217 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 209 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
218 goto end; 210 goto end;
219 } 211 }
220 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); 212 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
221 (void)sk_X509_delete_ptr(sktmp,xtmp); 213 (void)sk_X509_delete_ptr(sktmp,xtmp);
222 ctx->last_untrusted++; 214 ctx->last_untrusted++;
@@ -225,10 +217,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
225 /* reparse the full chain for 217 /* reparse the full chain for
226 * the next one */ 218 * the next one */
227 continue; 219 continue;
228 }
229 } 220 }
230 break;
231 } 221 }
222 break;
223 }
232 224
233 /* at this point, chain should contain a list of untrusted 225 /* at this point, chain should contain a list of untrusted
234 * certificates. We now need to add at least one trusted one, 226 * certificates. We now need to add at least one trusted one,
@@ -240,18 +232,15 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
240 232
241 i=sk_X509_num(ctx->chain); 233 i=sk_X509_num(ctx->chain);
242 x=sk_X509_value(ctx->chain,i-1); 234 x=sk_X509_value(ctx->chain,i-1);
243 if (ctx->check_issued(ctx, x, x)) 235 if (ctx->check_issued(ctx, x, x)) {
244 {
245 /* we have a self signed certificate */ 236 /* we have a self signed certificate */
246 if (sk_X509_num(ctx->chain) == 1) 237 if (sk_X509_num(ctx->chain) == 1) {
247 {
248 /* We have a single self signed certificate: see if 238 /* We have a single self signed certificate: see if
249 * we can find it in the store. We must have an exact 239 * we can find it in the store. We must have an exact
250 * match to avoid possible impersonation. 240 * match to avoid possible impersonation.
251 */ 241 */
252 ok = ctx->get_issuer(&xtmp, ctx, x); 242 ok = ctx->get_issuer(&xtmp, ctx, x);
253 if ((ok <= 0) || X509_cmp(x, xtmp)) 243 if ((ok <= 0) || X509_cmp(x, xtmp)) {
254 {
255 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; 244 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
256 ctx->current_cert=x; 245 ctx->current_cert=x;
257 ctx->error_depth=i-1; 246 ctx->error_depth=i-1;
@@ -259,9 +248,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
259 bad_chain = 1; 248 bad_chain = 1;
260 ok=cb(0,ctx); 249 ok=cb(0,ctx);
261 if (!ok) goto end; 250 if (!ok) goto end;
262 } 251 } else {
263 else
264 {
265 /* We have a match: replace certificate with store version 252 /* We have a match: replace certificate with store version
266 * so we get any trust settings. 253 * so we get any trust settings.
267 */ 254 */
@@ -269,21 +256,18 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
269 x = xtmp; 256 x = xtmp;
270 (void)sk_X509_set(ctx->chain, i - 1, x); 257 (void)sk_X509_set(ctx->chain, i - 1, x);
271 ctx->last_untrusted=0; 258 ctx->last_untrusted=0;
272 }
273 } 259 }
274 else 260 } else {
275 {
276 /* extract and save self signed certificate for later use */ 261 /* extract and save self signed certificate for later use */
277 chain_ss=sk_X509_pop(ctx->chain); 262 chain_ss=sk_X509_pop(ctx->chain);
278 ctx->last_untrusted--; 263 ctx->last_untrusted--;
279 num--; 264 num--;
280 x=sk_X509_value(ctx->chain,num-1); 265 x=sk_X509_value(ctx->chain,num-1);
281 }
282 } 266 }
267 }
283 268
284 /* We now lookup certs from the certificate store */ 269 /* We now lookup certs from the certificate store */
285 for (;;) 270 for (;;) {
286 {
287 /* If we have enough, we break */ 271 /* If we have enough, we break */
288 if (depth < num) break; 272 if (depth < num) break;
289 273
@@ -296,30 +280,25 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
296 if (ok == 0) break; 280 if (ok == 0) break;
297 281
298 x = xtmp; 282 x = xtmp;
299 if (!sk_X509_push(ctx->chain,x)) 283 if (!sk_X509_push(ctx->chain,x)) {
300 {
301 X509_free(xtmp); 284 X509_free(xtmp);
302 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 285 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
303 return 0; 286 return 0;
304 }
305 num++;
306 } 287 }
288 num++;
289 }
307 290
308 /* we now have our chain, lets check it... */ 291 /* we now have our chain, lets check it... */
309 292
310 /* Is last certificate looked up self signed? */ 293 /* Is last certificate looked up self signed? */
311 if (!ctx->check_issued(ctx,x,x)) 294 if (!ctx->check_issued(ctx,x,x)) {
312 { 295 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
313 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
314 {
315 if (ctx->last_untrusted >= num) 296 if (ctx->last_untrusted >= num)
316 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 297 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
317 else 298 else
318 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; 299 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
319 ctx->current_cert=x; 300 ctx->current_cert=x;
320 } 301 } else {
321 else
322 {
323 302
324 sk_X509_push(ctx->chain,chain_ss); 303 sk_X509_push(ctx->chain,chain_ss);
325 num++; 304 num++;
@@ -327,13 +306,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
327 ctx->current_cert=chain_ss; 306 ctx->current_cert=chain_ss;
328 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 307 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
329 chain_ss=NULL; 308 chain_ss=NULL;
330 } 309 }
331 310
332 ctx->error_depth=num-1; 311 ctx->error_depth=num-1;
333 bad_chain = 1; 312 bad_chain = 1;
334 ok=cb(0,ctx); 313 ok=cb(0,ctx);
335 if (!ok) goto end; 314 if (!ok) goto end;
336 } 315 }
337 316
338 /* We have the chain complete: now we need to check its purpose */ 317 /* We have the chain complete: now we need to check its purpose */
339 ok = check_chain_extensions(ctx); 318 ok = check_chain_extensions(ctx);
@@ -381,15 +360,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
381 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) 360 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
382 ok = ctx->check_policy(ctx); 361 ok = ctx->check_policy(ctx);
383 if(!ok) goto end; 362 if(!ok) goto end;
384 if (0) 363 if (0) {
385 {
386end: 364end:
387 X509_get_pubkey_parameters(NULL,ctx->chain); 365 X509_get_pubkey_parameters(NULL,ctx->chain);
388 } 366 }
389 if (sktmp != NULL) sk_X509_free(sktmp); 367 if (sktmp != NULL) sk_X509_free(sktmp);
390 if (chain_ss != NULL) X509_free(chain_ss); 368 if (chain_ss != NULL) X509_free(chain_ss);
391 return ok; 369 return ok;
392 } 370}
393 371
394 372
395/* Given a STACK_OF(X509) find the issuer of cert (if any) 373/* Given a STACK_OF(X509) find the issuer of cert (if any)
@@ -399,12 +377,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
399{ 377{
400 int i; 378 int i;
401 X509 *issuer; 379 X509 *issuer;
402 for (i = 0; i < sk_X509_num(sk); i++) 380 for (i = 0; i < sk_X509_num(sk); i++) {
403 {
404 issuer = sk_X509_value(sk, i); 381 issuer = sk_X509_value(sk, i);
405 if (ctx->check_issued(ctx, x, issuer)) 382 if (ctx->check_issued(ctx, x, issuer))
406 return issuer; 383 return issuer;
407 } 384 }
408 return NULL; 385 return NULL;
409} 386}
410 387
@@ -431,12 +408,10 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
431static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 408static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
432{ 409{
433 *issuer = find_issuer(ctx, ctx->other_ctx, x); 410 *issuer = find_issuer(ctx, ctx->other_ctx, x);
434 if (*issuer) 411 if (*issuer) {
435 {
436 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); 412 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
437 return 1; 413 return 1;
438 } 414 } else
439 else
440 return 0; 415 return 0;
441} 416}
442 417
@@ -469,13 +444,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
469 must_be_ca = -1; 444 must_be_ca = -1;
470 445
471 /* CRL path validation */ 446 /* CRL path validation */
472 if (ctx->parent) 447 if (ctx->parent) {
473 {
474 allow_proxy_certs = 0; 448 allow_proxy_certs = 0;
475 purpose = X509_PURPOSE_CRL_SIGN; 449 purpose = X509_PURPOSE_CRL_SIGN;
476 } 450 } else {
477 else
478 {
479 allow_proxy_certs = 451 allow_proxy_certs =
480 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); 452 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
481 /* A hack to keep people who don't want to modify their 453 /* A hack to keep people who don't want to modify their
@@ -483,96 +455,82 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
483 if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) 455 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
484 allow_proxy_certs = 1; 456 allow_proxy_certs = 1;
485 purpose = ctx->param->purpose; 457 purpose = ctx->param->purpose;
486 } 458 }
487 459
488 /* Check all untrusted certificates */ 460 /* Check all untrusted certificates */
489 for (i = 0; i < ctx->last_untrusted; i++) 461 for (i = 0; i < ctx->last_untrusted; i++) {
490 {
491 int ret; 462 int ret;
492 x = sk_X509_value(ctx->chain, i); 463 x = sk_X509_value(ctx->chain, i);
493 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 464 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
494 && (x->ex_flags & EXFLAG_CRITICAL)) 465 && (x->ex_flags & EXFLAG_CRITICAL)) {
495 {
496 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 466 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
497 ctx->error_depth = i; 467 ctx->error_depth = i;
498 ctx->current_cert = x; 468 ctx->current_cert = x;
499 ok=cb(0,ctx); 469 ok=cb(0,ctx);
500 if (!ok) goto end; 470 if (!ok) goto end;
501 } 471 }
502 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) 472 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
503 {
504 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; 473 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
505 ctx->error_depth = i; 474 ctx->error_depth = i;
506 ctx->current_cert = x; 475 ctx->current_cert = x;
507 ok=cb(0,ctx); 476 ok=cb(0,ctx);
508 if (!ok) goto end; 477 if (!ok) goto end;
509 } 478 }
510 ret = X509_check_ca(x); 479 ret = X509_check_ca(x);
511 switch(must_be_ca) 480 switch(must_be_ca) {
512 {
513 case -1: 481 case -1:
514 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 482 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
515 && (ret != 1) && (ret != 0)) 483 && (ret != 1) && (ret != 0)) {
516 {
517 ret = 0; 484 ret = 0;
518 ctx->error = X509_V_ERR_INVALID_CA; 485 ctx->error = X509_V_ERR_INVALID_CA;
519 } 486 } else
520 else
521 ret = 1; 487 ret = 1;
522 break; 488 break;
523 case 0: 489 case 0:
524 if (ret != 0) 490 if (ret != 0) {
525 {
526 ret = 0; 491 ret = 0;
527 ctx->error = X509_V_ERR_INVALID_NON_CA; 492 ctx->error = X509_V_ERR_INVALID_NON_CA;
528 } 493 } else
529 else
530 ret = 1; 494 ret = 1;
531 break; 495 break;
532 default: 496 default:
533 if ((ret == 0) 497 if ((ret == 0)
534 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 498 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
535 && (ret != 1))) 499 && (ret != 1))) {
536 {
537 ret = 0; 500 ret = 0;
538 ctx->error = X509_V_ERR_INVALID_CA; 501 ctx->error = X509_V_ERR_INVALID_CA;
539 } 502 } else
540 else
541 ret = 1; 503 ret = 1;
542 break; 504 break;
543 } 505 }
544 if (ret == 0) 506 if (ret == 0) {
545 {
546 ctx->error_depth = i; 507 ctx->error_depth = i;
547 ctx->current_cert = x; 508 ctx->current_cert = x;
548 ok=cb(0,ctx); 509 ok=cb(0,ctx);
549 if (!ok) goto end; 510 if (!ok) goto end;
550 } 511 }
551 if (ctx->param->purpose > 0) 512 if (ctx->param->purpose > 0) {
552 {
553 ret = X509_check_purpose(x, purpose, must_be_ca > 0); 513 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
554 if ((ret == 0) 514 if ((ret == 0)
555 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 515 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
556 && (ret != 1))) 516 && (ret != 1))) {
557 {
558 ctx->error = X509_V_ERR_INVALID_PURPOSE; 517 ctx->error = X509_V_ERR_INVALID_PURPOSE;
559 ctx->error_depth = i; 518 ctx->error_depth = i;
560 ctx->current_cert = x; 519 ctx->current_cert = x;
561 ok=cb(0,ctx); 520 ok=cb(0,ctx);
562 if (!ok) goto end; 521 if (!ok) goto end;
563 }
564 } 522 }
523 }
565 /* Check pathlen if not self issued */ 524 /* Check pathlen if not self issued */
566 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) 525 if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
567 && (x->ex_pathlen != -1) 526 && (x->ex_pathlen != -1)
568 && (plen > (x->ex_pathlen + proxy_path_length + 1))) 527 && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
569 {
570 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 528 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
571 ctx->error_depth = i; 529 ctx->error_depth = i;
572 ctx->current_cert = x; 530 ctx->current_cert = x;
573 ok=cb(0,ctx); 531 ok=cb(0,ctx);
574 if (!ok) goto end; 532 if (!ok) goto end;
575 } 533 }
576 /* Increment path length if not self issued */ 534 /* Increment path length if not self issued */
577 if (!(x->ex_flags & EXFLAG_SI)) 535 if (!(x->ex_flags & EXFLAG_SI))
578 plen++; 536 plen++;
@@ -580,23 +538,20 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
580 certificate must be another proxy certificate or a EE 538 certificate must be another proxy certificate or a EE
581 certificate. If not, the next certificate must be a 539 certificate. If not, the next certificate must be a
582 CA certificate. */ 540 CA certificate. */
583 if (x->ex_flags & EXFLAG_PROXY) 541 if (x->ex_flags & EXFLAG_PROXY) {
584 { 542 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
585 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
586 {
587 ctx->error = 543 ctx->error =
588 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; 544 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
589 ctx->error_depth = i; 545 ctx->error_depth = i;
590 ctx->current_cert = x; 546 ctx->current_cert = x;
591 ok=cb(0,ctx); 547 ok=cb(0,ctx);
592 if (!ok) goto end; 548 if (!ok) goto end;
593 } 549 }
594 proxy_path_length++; 550 proxy_path_length++;
595 must_be_ca = 0; 551 must_be_ca = 0;
596 } 552 } else
597 else
598 must_be_ca = 1; 553 must_be_ca = 1;
599 } 554 }
600 ok = 1; 555 ok = 1;
601 end: 556 end:
602 return ok; 557 return ok;
@@ -604,12 +559,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
604} 559}
605 560
606static int check_name_constraints(X509_STORE_CTX *ctx) 561static int check_name_constraints(X509_STORE_CTX *ctx)
607 { 562{
608 X509 *x; 563 X509 *x;
609 int i, j, rv; 564 int i, j, rv;
610 /* Check name constraints for all certificates */ 565 /* Check name constraints for all certificates */
611 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) 566 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
612 {
613 x = sk_X509_value(ctx->chain, i); 567 x = sk_X509_value(ctx->chain, i);
614 /* Ignore self issued certs unless last in chain */ 568 /* Ignore self issued certs unless last in chain */
615 if (i && (x->ex_flags & EXFLAG_SI)) 569 if (i && (x->ex_flags & EXFLAG_SI))
@@ -619,25 +573,22 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
619 * speaking needed but if it includes constraints it is to be 573 * speaking needed but if it includes constraints it is to be
620 * assumed it expects them to be obeyed. 574 * assumed it expects them to be obeyed.
621 */ 575 */
622 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) 576 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
623 {
624 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; 577 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
625 if (nc) 578 if (nc) {
626 {
627 rv = NAME_CONSTRAINTS_check(x, nc); 579 rv = NAME_CONSTRAINTS_check(x, nc);
628 if (rv != X509_V_OK) 580 if (rv != X509_V_OK) {
629 {
630 ctx->error = rv; 581 ctx->error = rv;
631 ctx->error_depth = i; 582 ctx->error_depth = i;
632 ctx->current_cert = x; 583 ctx->current_cert = x;
633 if (!ctx->verify_cb(0,ctx)) 584 if (!ctx->verify_cb(0,ctx))
634 return 0; 585 return 0;
635 }
636 } 586 }
637 } 587 }
638 } 588 }
639 return 1;
640 } 589 }
590 return 1;
591}
641 592
642static int check_trust(X509_STORE_CTX *ctx) 593static int check_trust(X509_STORE_CTX *ctx)
643{ 594{
@@ -666,30 +617,27 @@ static int check_trust(X509_STORE_CTX *ctx)
666} 617}
667 618
668static int check_revocation(X509_STORE_CTX *ctx) 619static int check_revocation(X509_STORE_CTX *ctx)
669 { 620{
670 int i, last, ok; 621 int i, last, ok;
671 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) 622 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
672 return 1; 623 return 1;
673 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) 624 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
674 last = sk_X509_num(ctx->chain) - 1; 625 last = sk_X509_num(ctx->chain) - 1;
675 else 626 else {
676 {
677 /* If checking CRL paths this isn't the EE certificate */ 627 /* If checking CRL paths this isn't the EE certificate */
678 if (ctx->parent) 628 if (ctx->parent)
679 return 1; 629 return 1;
680 last = 0; 630 last = 0;
681 } 631 }
682 for(i = 0; i <= last; i++) 632 for(i = 0; i <= last; i++) {
683 {
684 ctx->error_depth = i; 633 ctx->error_depth = i;
685 ok = check_cert(ctx); 634 ok = check_cert(ctx);
686 if (!ok) return ok; 635 if (!ok) return ok;
687 }
688 return 1;
689 } 636 }
637 return 1;
638}
690 639
691static int check_cert(X509_STORE_CTX *ctx) 640static int check_cert(X509_STORE_CTX *ctx) {
692 {
693 X509_CRL *crl = NULL, *dcrl = NULL; 641 X509_CRL *crl = NULL, *dcrl = NULL;
694 X509 *x; 642 X509 *x;
695 int ok, cnum; 643 int ok, cnum;
@@ -700,8 +648,7 @@ static int check_cert(X509_STORE_CTX *ctx)
700 ctx->current_issuer = NULL; 648 ctx->current_issuer = NULL;
701 ctx->current_crl_score = 0; 649 ctx->current_crl_score = 0;
702 ctx->current_reasons = 0; 650 ctx->current_reasons = 0;
703 while (ctx->current_reasons != CRLDP_ALL_REASONS) 651 while (ctx->current_reasons != CRLDP_ALL_REASONS) {
704 {
705 last_reasons = ctx->current_reasons; 652 last_reasons = ctx->current_reasons;
706 /* Try to retrieve relevant CRL */ 653 /* Try to retrieve relevant CRL */
707 if (ctx->get_crl) 654 if (ctx->get_crl)
@@ -711,36 +658,32 @@ static int check_cert(X509_STORE_CTX *ctx)
711 /* If error looking up CRL, nothing we can do except 658 /* If error looking up CRL, nothing we can do except
712 * notify callback 659 * notify callback
713 */ 660 */
714 if(!ok) 661 if(!ok) {
715 {
716 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 662 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
717 ok = ctx->verify_cb(0, ctx); 663 ok = ctx->verify_cb(0, ctx);
718 goto err; 664 goto err;
719 } 665 }
720 ctx->current_crl = crl; 666 ctx->current_crl = crl;
721 ok = ctx->check_crl(ctx, crl); 667 ok = ctx->check_crl(ctx, crl);
722 if (!ok) 668 if (!ok)
723 goto err; 669 goto err;
724 670
725 if (dcrl) 671 if (dcrl) {
726 {
727 ok = ctx->check_crl(ctx, dcrl); 672 ok = ctx->check_crl(ctx, dcrl);
728 if (!ok) 673 if (!ok)
729 goto err; 674 goto err;
730 ok = ctx->cert_crl(ctx, dcrl, x); 675 ok = ctx->cert_crl(ctx, dcrl, x);
731 if (!ok) 676 if (!ok)
732 goto err; 677 goto err;
733 } 678 } else
734 else
735 ok = 1; 679 ok = 1;
736 680
737 /* Don't look in full CRL if delta reason is removefromCRL */ 681 /* Don't look in full CRL if delta reason is removefromCRL */
738 if (ok != 2) 682 if (ok != 2) {
739 {
740 ok = ctx->cert_crl(ctx, crl, x); 683 ok = ctx->cert_crl(ctx, crl, x);
741 if (!ok) 684 if (!ok)
742 goto err; 685 goto err;
743 } 686 }
744 687
745 X509_CRL_free(crl); 688 X509_CRL_free(crl);
746 X509_CRL_free(dcrl); 689 X509_CRL_free(dcrl);
@@ -749,26 +692,25 @@ static int check_cert(X509_STORE_CTX *ctx)
749 /* If reasons not updated we wont get anywhere by 692 /* If reasons not updated we wont get anywhere by
750 * another iteration, so exit loop. 693 * another iteration, so exit loop.
751 */ 694 */
752 if (last_reasons == ctx->current_reasons) 695 if (last_reasons == ctx->current_reasons) {
753 {
754 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 696 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
755 ok = ctx->verify_cb(0, ctx); 697 ok = ctx->verify_cb(0, ctx);
756 goto err; 698 goto err;
757 }
758 } 699 }
759 err: 700 }
701err:
760 X509_CRL_free(crl); 702 X509_CRL_free(crl);
761 X509_CRL_free(dcrl); 703 X509_CRL_free(dcrl);
762 704
763 ctx->current_crl = NULL; 705 ctx->current_crl = NULL;
764 return ok; 706 return ok;
765 707
766 } 708}
767 709
768/* Check CRL times against values in X509_STORE_CTX */ 710/* Check CRL times against values in X509_STORE_CTX */
769 711
770static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) 712static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
771 { 713{
772 time_t *ptime; 714 time_t *ptime;
773 int i; 715 int i;
774 if (notify) 716 if (notify)
@@ -779,80 +721,72 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
779 ptime = NULL; 721 ptime = NULL;
780 722
781 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); 723 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
782 if (i == 0) 724 if (i == 0) {
783 {
784 if (!notify) 725 if (!notify)
785 return 0; 726 return 0;
786 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; 727 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
787 if (!ctx->verify_cb(0, ctx)) 728 if (!ctx->verify_cb(0, ctx))
788 return 0; 729 return 0;
789 } 730 }
790 731
791 if (i > 0) 732 if (i > 0) {
792 {
793 if (!notify) 733 if (!notify)
794 return 0; 734 return 0;
795 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; 735 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
796 if (!ctx->verify_cb(0, ctx)) 736 if (!ctx->verify_cb(0, ctx))
797 return 0; 737 return 0;
798 } 738 }
799 739
800 if(X509_CRL_get_nextUpdate(crl)) 740 if(X509_CRL_get_nextUpdate(crl)) {
801 {
802 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); 741 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
803 742
804 if (i == 0) 743 if (i == 0) {
805 {
806 if (!notify) 744 if (!notify)
807 return 0; 745 return 0;
808 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; 746 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
809 if (!ctx->verify_cb(0, ctx)) 747 if (!ctx->verify_cb(0, ctx))
810 return 0; 748 return 0;
811 } 749 }
812 /* Ignore expiry of base CRL is delta is valid */ 750 /* Ignore expiry of base CRL is delta is valid */
813 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) 751 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
814 {
815 if (!notify) 752 if (!notify)
816 return 0; 753 return 0;
817 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; 754 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
818 if (!ctx->verify_cb(0, ctx)) 755 if (!ctx->verify_cb(0, ctx))
819 return 0; 756 return 0;
820 }
821 } 757 }
758 }
822 759
823 if (notify) 760 if (notify)
824 ctx->current_crl = NULL; 761 ctx->current_crl = NULL;
825 762
826 return 1; 763 return 1;
827 } 764}
828 765
829static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, 766static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
830 X509 **pissuer, int *pscore, unsigned int *preasons, 767 X509 **pissuer, int *pscore, unsigned int *preasons,
831 STACK_OF(X509_CRL) *crls) 768 STACK_OF(X509_CRL) *crls)
832 { 769{
833 int i, crl_score, best_score = *pscore; 770 int i, crl_score, best_score = *pscore;
834 unsigned int reasons, best_reasons = 0; 771 unsigned int reasons, best_reasons = 0;
835 X509 *x = ctx->current_cert; 772 X509 *x = ctx->current_cert;
836 X509_CRL *crl, *best_crl = NULL; 773 X509_CRL *crl, *best_crl = NULL;
837 X509 *crl_issuer = NULL, *best_crl_issuer = NULL; 774 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
838 775
839 for (i = 0; i < sk_X509_CRL_num(crls); i++) 776 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
840 {
841 crl = sk_X509_CRL_value(crls, i); 777 crl = sk_X509_CRL_value(crls, i);
842 reasons = *preasons; 778 reasons = *preasons;
843 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); 779 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
844 780
845 if (crl_score > best_score) 781 if (crl_score > best_score) {
846 {
847 best_crl = crl; 782 best_crl = crl;
848 best_crl_issuer = crl_issuer; 783 best_crl_issuer = crl_issuer;
849 best_score = crl_score; 784 best_score = crl_score;
850 best_reasons = reasons; 785 best_reasons = reasons;
851 }
852 } 786 }
787 }
853 788
854 if (best_crl) 789 if (best_crl) {
855 {
856 if (*pcrl) 790 if (*pcrl)
857 X509_CRL_free(*pcrl); 791 X509_CRL_free(*pcrl);
858 *pcrl = best_crl; 792 *pcrl = best_crl;
@@ -860,49 +794,44 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
860 *pscore = best_score; 794 *pscore = best_score;
861 *preasons = best_reasons; 795 *preasons = best_reasons;
862 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); 796 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
863 if (*pdcrl) 797 if (*pdcrl) {
864 {
865 X509_CRL_free(*pdcrl); 798 X509_CRL_free(*pdcrl);
866 *pdcrl = NULL; 799 *pdcrl = NULL;
867 }
868 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
869 } 800 }
801 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
802 }
870 803
871 if (best_score >= CRL_SCORE_VALID) 804 if (best_score >= CRL_SCORE_VALID)
872 return 1; 805 return 1;
873 806
874 return 0; 807 return 0;
875 } 808}
876 809
877/* Compare two CRL extensions for delta checking purposes. They should be 810/* Compare two CRL extensions for delta checking purposes. They should be
878 * both present or both absent. If both present all fields must be identical. 811 * both present or both absent. If both present all fields must be identical.
879 */ 812 */
880 813
881static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) 814static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
882 { 815{
883 ASN1_OCTET_STRING *exta, *extb; 816 ASN1_OCTET_STRING *exta, *extb;
884 int i; 817 int i;
885 i = X509_CRL_get_ext_by_NID(a, nid, -1); 818 i = X509_CRL_get_ext_by_NID(a, nid, -1);
886 if (i >= 0) 819 if (i >= 0) {
887 {
888 /* Can't have multiple occurrences */ 820 /* Can't have multiple occurrences */
889 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) 821 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
890 return 0; 822 return 0;
891 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); 823 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
892 } 824 } else
893 else
894 exta = NULL; 825 exta = NULL;
895 826
896 i = X509_CRL_get_ext_by_NID(b, nid, -1); 827 i = X509_CRL_get_ext_by_NID(b, nid, -1);
897 828
898 if (i >= 0) 829 if (i >= 0) {
899 {
900 830
901 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) 831 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
902 return 0; 832 return 0;
903 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); 833 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
904 } 834 } else
905 else
906 extb = NULL; 835 extb = NULL;
907 836
908 if (!exta && !extb) 837 if (!exta && !extb)
@@ -916,12 +845,12 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
916 return 0; 845 return 0;
917 846
918 return 1; 847 return 1;
919 } 848}
920 849
921/* See if a base and delta are compatible */ 850/* See if a base and delta are compatible */
922 851
923static int check_delta_base(X509_CRL *delta, X509_CRL *base) 852static int check_delta_base(X509_CRL *delta, X509_CRL *base)
924 { 853{
925 /* Delta CRL must be a delta */ 854 /* Delta CRL must be a delta */
926 if (!delta->base_crl_number) 855 if (!delta->base_crl_number)
927 return 0; 856 return 0;
@@ -944,7 +873,7 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
944 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) 873 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
945 return 1; 874 return 1;
946 return 0; 875 return 0;
947 } 876}
948 877
949/* For a given base CRL find a delta... maybe extend to delta scoring 878/* For a given base CRL find a delta... maybe extend to delta scoring
950 * or retrieve a chain of deltas... 879 * or retrieve a chain of deltas...
@@ -952,27 +881,25 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
952 881
953static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, 882static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
954 X509_CRL *base, STACK_OF(X509_CRL) *crls) 883 X509_CRL *base, STACK_OF(X509_CRL) *crls)
955 { 884{
956 X509_CRL *delta; 885 X509_CRL *delta;
957 int i; 886 int i;
958 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) 887 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
959 return; 888 return;
960 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) 889 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
961 return; 890 return;
962 for (i = 0; i < sk_X509_CRL_num(crls); i++) 891 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
963 {
964 delta = sk_X509_CRL_value(crls, i); 892 delta = sk_X509_CRL_value(crls, i);
965 if (check_delta_base(delta, base)) 893 if (check_delta_base(delta, base)) {
966 {
967 if (check_crl_time(ctx, delta, 0)) 894 if (check_crl_time(ctx, delta, 0))
968 *pscore |= CRL_SCORE_TIME_DELTA; 895 *pscore |= CRL_SCORE_TIME_DELTA;
969 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); 896 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
970 *dcrl = delta; 897 *dcrl = delta;
971 return; 898 return;
972 }
973 } 899 }
974 *dcrl = NULL;
975 } 900 }
901 *dcrl = NULL;
902}
976 903
977/* For a given CRL return how suitable it is for the supplied certificate 'x'. 904/* For a given CRL return how suitable it is for the supplied certificate 'x'.
978 * The return value is a mask of several criteria. 905 * The return value is a mask of several criteria.
@@ -984,7 +911,7 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
984static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 911static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
985 unsigned int *preasons, 912 unsigned int *preasons,
986 X509_CRL *crl, X509 *x) 913 X509_CRL *crl, X509 *x)
987 { 914{
988 915
989 int crl_score = 0; 916 int crl_score = 0;
990 unsigned int tmp_reasons = *preasons, crl_reasons; 917 unsigned int tmp_reasons = *preasons, crl_reasons;
@@ -995,27 +922,22 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
995 if (crl->idp_flags & IDP_INVALID) 922 if (crl->idp_flags & IDP_INVALID)
996 return 0; 923 return 0;
997 /* Reason codes or indirect CRLs need extended CRL support */ 924 /* Reason codes or indirect CRLs need extended CRL support */
998 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) 925 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
999 {
1000 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) 926 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
1001 return 0; 927 return 0;
1002 } 928 } else if (crl->idp_flags & IDP_REASONS) {
1003 else if (crl->idp_flags & IDP_REASONS)
1004 {
1005 /* If no new reasons reject */ 929 /* If no new reasons reject */
1006 if (!(crl->idp_reasons & ~tmp_reasons)) 930 if (!(crl->idp_reasons & ~tmp_reasons))
1007 return 0; 931 return 0;
1008 } 932 }
1009 /* Don't process deltas at this stage */ 933 /* Don't process deltas at this stage */
1010 else if (crl->base_crl_number) 934 else if (crl->base_crl_number)
1011 return 0; 935 return 0;
1012 /* If issuer name doesn't match certificate need indirect CRL */ 936 /* If issuer name doesn't match certificate need indirect CRL */
1013 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) 937 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
1014 {
1015 if (!(crl->idp_flags & IDP_INDIRECT)) 938 if (!(crl->idp_flags & IDP_INDIRECT))
1016 return 0; 939 return 0;
1017 } 940 } else
1018 else
1019 crl_score |= CRL_SCORE_ISSUER_NAME; 941 crl_score |= CRL_SCORE_ISSUER_NAME;
1020 942
1021 if (!(crl->flags & EXFLAG_CRITICAL)) 943 if (!(crl->flags & EXFLAG_CRITICAL))
@@ -1035,24 +957,23 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
1035 957
1036 /* Check cert for matching CRL distribution points */ 958 /* Check cert for matching CRL distribution points */
1037 959
1038 if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) 960 if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
1039 {
1040 /* If no new reasons reject */ 961 /* If no new reasons reject */
1041 if (!(crl_reasons & ~tmp_reasons)) 962 if (!(crl_reasons & ~tmp_reasons))
1042 return 0; 963 return 0;
1043 tmp_reasons |= crl_reasons; 964 tmp_reasons |= crl_reasons;
1044 crl_score |= CRL_SCORE_SCOPE; 965 crl_score |= CRL_SCORE_SCOPE;
1045 } 966 }
1046 967
1047 *preasons = tmp_reasons; 968 *preasons = tmp_reasons;
1048 969
1049 return crl_score; 970 return crl_score;
1050 971
1051 } 972}
1052 973
1053static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, 974static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1054 X509 **pissuer, int *pcrl_score) 975 X509 **pissuer, int *pcrl_score)
1055 { 976{
1056 X509 *crl_issuer = NULL; 977 X509 *crl_issuer = NULL;
1057 X509_NAME *cnm = X509_CRL_get_issuer(crl); 978 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1058 int cidx = ctx->error_depth; 979 int cidx = ctx->error_depth;
@@ -1063,28 +984,24 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1063 984
1064 crl_issuer = sk_X509_value(ctx->chain, cidx); 985 crl_issuer = sk_X509_value(ctx->chain, cidx);
1065 986
1066 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 987 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1067 { 988 if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
1068 if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
1069 {
1070 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; 989 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
1071 *pissuer = crl_issuer; 990 *pissuer = crl_issuer;
1072 return; 991 return;
1073 }
1074 } 992 }
993 }
1075 994
1076 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) 995 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) {
1077 {
1078 crl_issuer = sk_X509_value(ctx->chain, cidx); 996 crl_issuer = sk_X509_value(ctx->chain, cidx);
1079 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 997 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1080 continue; 998 continue;
1081 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 999 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1082 {
1083 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; 1000 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
1084 *pissuer = crl_issuer; 1001 *pissuer = crl_issuer;
1085 return; 1002 return;
1086 }
1087 } 1003 }
1004 }
1088 1005
1089 /* Anything else needs extended CRL support */ 1006 /* Anything else needs extended CRL support */
1090 1007
@@ -1094,19 +1011,17 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1094 /* Otherwise the CRL issuer is not on the path. Look for it in the 1011 /* Otherwise the CRL issuer is not on the path. Look for it in the
1095 * set of untrusted certificates. 1012 * set of untrusted certificates.
1096 */ 1013 */
1097 for (i = 0; i < sk_X509_num(ctx->untrusted); i++) 1014 for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
1098 {
1099 crl_issuer = sk_X509_value(ctx->untrusted, i); 1015 crl_issuer = sk_X509_value(ctx->untrusted, i);
1100 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 1016 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1101 continue; 1017 continue;
1102 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) 1018 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1103 {
1104 *pissuer = crl_issuer; 1019 *pissuer = crl_issuer;
1105 *pcrl_score |= CRL_SCORE_AKID; 1020 *pcrl_score |= CRL_SCORE_AKID;
1106 return; 1021 return;
1107 }
1108 } 1022 }
1109 } 1023 }
1024}
1110 1025
1111/* Check the path of a CRL issuer certificate. This creates a new 1026/* Check the path of a CRL issuer certificate. This creates a new
1112 * X509_STORE_CTX and populates it with most of the parameters from the 1027 * X509_STORE_CTX and populates it with most of the parameters from the
@@ -1116,7 +1031,7 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1116 */ 1031 */
1117 1032
1118static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) 1033static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1119 { 1034{
1120 X509_STORE_CTX crl_ctx; 1035 X509_STORE_CTX crl_ctx;
1121 int ret; 1036 int ret;
1122 /* Don't allow recursive CRL path validation */ 1037 /* Don't allow recursive CRL path validation */
@@ -1144,7 +1059,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1144 err: 1059 err:
1145 X509_STORE_CTX_cleanup(&crl_ctx); 1060 X509_STORE_CTX_cleanup(&crl_ctx);
1146 return ret; 1061 return ret;
1147 } 1062}
1148 1063
1149/* RFC3280 says nothing about the relationship between CRL path 1064/* RFC3280 says nothing about the relationship between CRL path
1150 * and certificate path, which could lead to situations where a 1065 * and certificate path, which could lead to situations where a
@@ -1157,14 +1072,14 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1157static int check_crl_chain(X509_STORE_CTX *ctx, 1072static int check_crl_chain(X509_STORE_CTX *ctx,
1158 STACK_OF(X509) *cert_path, 1073 STACK_OF(X509) *cert_path,
1159 STACK_OF(X509) *crl_path) 1074 STACK_OF(X509) *crl_path)
1160 { 1075{
1161 X509 *cert_ta, *crl_ta; 1076 X509 *cert_ta, *crl_ta;
1162 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); 1077 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1163 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); 1078 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1164 if (!X509_cmp(cert_ta, crl_ta)) 1079 if (!X509_cmp(cert_ta, crl_ta))
1165 return 1; 1080 return 1;
1166 return 0; 1081 return 0;
1167 } 1082}
1168 1083
1169/* Check for match between two dist point names: three separate cases. 1084/* Check for match between two dist point names: three separate cases.
1170 * 1. Both are relative names and compare X509_NAME types. 1085 * 1. Both are relative names and compare X509_NAME types.
@@ -1175,125 +1090,110 @@ static int check_crl_chain(X509_STORE_CTX *ctx,
1175 1090
1176 1091
1177static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) 1092static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1178 { 1093{
1179 X509_NAME *nm = NULL; 1094 X509_NAME *nm = NULL;
1180 GENERAL_NAMES *gens = NULL; 1095 GENERAL_NAMES *gens = NULL;
1181 GENERAL_NAME *gena, *genb; 1096 GENERAL_NAME *gena, *genb;
1182 int i, j; 1097 int i, j;
1183 if (!a || !b) 1098 if (!a || !b)
1184 return 1; 1099 return 1;
1185 if (a->type == 1) 1100 if (a->type == 1) {
1186 {
1187 if (!a->dpname) 1101 if (!a->dpname)
1188 return 0; 1102 return 0;
1189 /* Case 1: two X509_NAME */ 1103 /* Case 1: two X509_NAME */
1190 if (b->type == 1) 1104 if (b->type == 1) {
1191 {
1192 if (!b->dpname) 1105 if (!b->dpname)
1193 return 0; 1106 return 0;
1194 if (!X509_NAME_cmp(a->dpname, b->dpname)) 1107 if (!X509_NAME_cmp(a->dpname, b->dpname))
1195 return 1; 1108 return 1;
1196 else 1109 else
1197 return 0; 1110 return 0;
1198 } 1111 }
1199 /* Case 2: set name and GENERAL_NAMES appropriately */ 1112 /* Case 2: set name and GENERAL_NAMES appropriately */
1200 nm = a->dpname; 1113 nm = a->dpname;
1201 gens = b->name.fullname; 1114 gens = b->name.fullname;
1202 } 1115 } else if (b->type == 1) {
1203 else if (b->type == 1)
1204 {
1205 if (!b->dpname) 1116 if (!b->dpname)
1206 return 0; 1117 return 0;
1207 /* Case 2: set name and GENERAL_NAMES appropriately */ 1118 /* Case 2: set name and GENERAL_NAMES appropriately */
1208 gens = a->name.fullname; 1119 gens = a->name.fullname;
1209 nm = b->dpname; 1120 nm = b->dpname;
1210 } 1121 }
1211 1122
1212 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ 1123 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1213 if (nm) 1124 if (nm) {
1214 { 1125 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1215 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
1216 {
1217 gena = sk_GENERAL_NAME_value(gens, i); 1126 gena = sk_GENERAL_NAME_value(gens, i);
1218 if (gena->type != GEN_DIRNAME) 1127 if (gena->type != GEN_DIRNAME)
1219 continue; 1128 continue;
1220 if (!X509_NAME_cmp(nm, gena->d.directoryName)) 1129 if (!X509_NAME_cmp(nm, gena->d.directoryName))
1221 return 1; 1130 return 1;
1222 }
1223 return 0;
1224 } 1131 }
1132 return 0;
1133 }
1225 1134
1226 /* Else case 3: two GENERAL_NAMES */ 1135 /* Else case 3: two GENERAL_NAMES */
1227 1136
1228 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) 1137 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1229 {
1230 gena = sk_GENERAL_NAME_value(a->name.fullname, i); 1138 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1231 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) 1139 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1232 {
1233 genb = sk_GENERAL_NAME_value(b->name.fullname, j); 1140 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1234 if (!GENERAL_NAME_cmp(gena, genb)) 1141 if (!GENERAL_NAME_cmp(gena, genb))
1235 return 1; 1142 return 1;
1236 }
1237 } 1143 }
1144 }
1238 1145
1239 return 0; 1146 return 0;
1240 1147
1241 } 1148}
1242 1149
1243static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) 1150static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1244 { 1151{
1245 int i; 1152 int i;
1246 X509_NAME *nm = X509_CRL_get_issuer(crl); 1153 X509_NAME *nm = X509_CRL_get_issuer(crl);
1247 /* If no CRLissuer return is successful iff don't need a match */ 1154 /* If no CRLissuer return is successful iff don't need a match */
1248 if (!dp->CRLissuer) 1155 if (!dp->CRLissuer)
1249 return !!(crl_score & CRL_SCORE_ISSUER_NAME); 1156 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1250 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) 1157 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
1251 {
1252 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); 1158 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1253 if (gen->type != GEN_DIRNAME) 1159 if (gen->type != GEN_DIRNAME)
1254 continue; 1160 continue;
1255 if (!X509_NAME_cmp(gen->d.directoryName, nm)) 1161 if (!X509_NAME_cmp(gen->d.directoryName, nm))
1256 return 1; 1162 return 1;
1257 }
1258 return 0;
1259 } 1163 }
1164 return 0;
1165}
1260 1166
1261/* Check CRLDP and IDP */ 1167/* Check CRLDP and IDP */
1262 1168
1263static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 1169static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1264 unsigned int *preasons) 1170 unsigned int *preasons)
1265 { 1171{
1266 int i; 1172 int i;
1267 if (crl->idp_flags & IDP_ONLYATTR) 1173 if (crl->idp_flags & IDP_ONLYATTR)
1268 return 0; 1174 return 0;
1269 if (x->ex_flags & EXFLAG_CA) 1175 if (x->ex_flags & EXFLAG_CA) {
1270 {
1271 if (crl->idp_flags & IDP_ONLYUSER) 1176 if (crl->idp_flags & IDP_ONLYUSER)
1272 return 0; 1177 return 0;
1273 } 1178 } else {
1274 else
1275 {
1276 if (crl->idp_flags & IDP_ONLYCA) 1179 if (crl->idp_flags & IDP_ONLYCA)
1277 return 0; 1180 return 0;
1278 } 1181 }
1279 *preasons = crl->idp_reasons; 1182 *preasons = crl->idp_reasons;
1280 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) 1183 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1281 {
1282 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); 1184 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1283 if (crldp_check_crlissuer(dp, crl, crl_score)) 1185 if (crldp_check_crlissuer(dp, crl, crl_score)) {
1284 {
1285 if (!crl->idp || 1186 if (!crl->idp ||
1286 idp_check_dp(dp->distpoint, crl->idp->distpoint)) 1187 idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1287 {
1288 *preasons &= dp->dp_reasons; 1188 *preasons &= dp->dp_reasons;
1289 return 1; 1189 return 1;
1290 }
1291 } 1190 }
1292 } 1191 }
1192 }
1293 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) 1193 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1294 return 1; 1194 return 1;
1295 return 0; 1195 return 0;
1296 } 1196}
1297 1197
1298/* Retrieve CRL corresponding to current certificate. 1198/* Retrieve CRL corresponding to current certificate.
1299 * If deltas enabled try to find a delta CRL too 1199 * If deltas enabled try to find a delta CRL too
@@ -1301,7 +1201,7 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1301 1201
1302static int get_crl_delta(X509_STORE_CTX *ctx, 1202static int get_crl_delta(X509_STORE_CTX *ctx,
1303 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) 1203 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1304 { 1204{
1305 int ok; 1205 int ok;
1306 X509 *issuer = NULL; 1206 X509 *issuer = NULL;
1307 int crl_score = 0; 1207 int crl_score = 0;
@@ -1331,129 +1231,113 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1331 done: 1231 done:
1332 1232
1333 /* If we got any kind of CRL use it and return success */ 1233 /* If we got any kind of CRL use it and return success */
1334 if (crl) 1234 if (crl) {
1335 {
1336 ctx->current_issuer = issuer; 1235 ctx->current_issuer = issuer;
1337 ctx->current_crl_score = crl_score; 1236 ctx->current_crl_score = crl_score;
1338 ctx->current_reasons = reasons; 1237 ctx->current_reasons = reasons;
1339 *pcrl = crl; 1238 *pcrl = crl;
1340 *pdcrl = dcrl; 1239 *pdcrl = dcrl;
1341 return 1; 1240 return 1;
1342 } 1241 }
1343 1242
1344 return 0; 1243 return 0;
1345 } 1244}
1346 1245
1347/* Check CRL validity */ 1246/* Check CRL validity */
1348static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) 1247static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1349 { 1248{
1350 X509 *issuer = NULL; 1249 X509 *issuer = NULL;
1351 EVP_PKEY *ikey = NULL; 1250 EVP_PKEY *ikey = NULL;
1352 int ok = 0, chnum, cnum; 1251 int ok = 0, chnum, cnum;
1353 cnum = ctx->error_depth; 1252 cnum = ctx->error_depth;
1354 chnum = sk_X509_num(ctx->chain) - 1; 1253 chnum = sk_X509_num(ctx->chain) - 1;
1355 /* if we have an alternative CRL issuer cert use that */ 1254 /* if we have an alternative CRL issuer cert use that */
1356 if (ctx->current_issuer) 1255 if (ctx->current_issuer) {
1357 issuer = ctx->current_issuer; 1256 issuer = ctx->current_issuer;
1358 1257 } else if (cnum < chnum) {
1359 /* Else find CRL issuer: if not last certificate then issuer 1258 /* Else find CRL issuer: if not last certificate then issuer
1360 * is next certificate in chain. 1259 * is next certificate in chain.
1361 */ 1260 */
1362 else if (cnum < chnum)
1363 issuer = sk_X509_value(ctx->chain, cnum + 1); 1261 issuer = sk_X509_value(ctx->chain, cnum + 1);
1364 else 1262 } else {
1365 {
1366 issuer = sk_X509_value(ctx->chain, chnum); 1263 issuer = sk_X509_value(ctx->chain, chnum);
1367 /* If not self signed, can't check signature */ 1264 /* If not self signed, can't check signature */
1368 if(!ctx->check_issued(ctx, issuer, issuer)) 1265 if(!ctx->check_issued(ctx, issuer, issuer)) {
1369 {
1370 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; 1266 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1371 ok = ctx->verify_cb(0, ctx); 1267 ok = ctx->verify_cb(0, ctx);
1372 if(!ok) goto err; 1268 if(!ok) goto err;
1373 }
1374 } 1269 }
1270 }
1375 1271
1376 if(issuer) 1272 if(issuer) {
1377 {
1378 /* Skip most tests for deltas because they have already 1273 /* Skip most tests for deltas because they have already
1379 * been done 1274 * been done
1380 */ 1275 */
1381 if (!crl->base_crl_number) 1276 if (!crl->base_crl_number) {
1382 {
1383 /* Check for cRLSign bit if keyUsage present */ 1277 /* Check for cRLSign bit if keyUsage present */
1384 if ((issuer->ex_flags & EXFLAG_KUSAGE) && 1278 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1385 !(issuer->ex_kusage & KU_CRL_SIGN)) 1279 !(issuer->ex_kusage & KU_CRL_SIGN)) {
1386 {
1387 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; 1280 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1388 ok = ctx->verify_cb(0, ctx); 1281 ok = ctx->verify_cb(0, ctx);
1389 if(!ok) goto err; 1282 if(!ok) goto err;
1390 } 1283 }
1391 1284
1392 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) 1285 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1393 {
1394 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; 1286 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1395 ok = ctx->verify_cb(0, ctx); 1287 ok = ctx->verify_cb(0, ctx);
1396 if(!ok) goto err; 1288 if(!ok) goto err;
1397 } 1289 }
1398 1290
1399 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) 1291 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1400 { 1292 if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
1401 if (check_crl_path(ctx, ctx->current_issuer) <= 0)
1402 {
1403 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; 1293 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1404 ok = ctx->verify_cb(0, ctx); 1294 ok = ctx->verify_cb(0, ctx);
1405 if(!ok) goto err; 1295 if(!ok) goto err;
1406 }
1407 } 1296 }
1297 }
1408 1298
1409 if (crl->idp_flags & IDP_INVALID) 1299 if (crl->idp_flags & IDP_INVALID) {
1410 {
1411 ctx->error = X509_V_ERR_INVALID_EXTENSION; 1300 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1412 ok = ctx->verify_cb(0, ctx); 1301 ok = ctx->verify_cb(0, ctx);
1413 if(!ok) goto err; 1302 if(!ok) goto err;
1414 } 1303 }
1415 1304
1416 1305
1417 } 1306 }
1418 1307
1419 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) 1308 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1420 {
1421 ok = check_crl_time(ctx, crl, 1); 1309 ok = check_crl_time(ctx, crl, 1);
1422 if (!ok) 1310 if (!ok)
1423 goto err; 1311 goto err;
1424 } 1312 }
1425 1313
1426 /* Attempt to get issuer certificate public key */ 1314 /* Attempt to get issuer certificate public key */
1427 ikey = X509_get_pubkey(issuer); 1315 ikey = X509_get_pubkey(issuer);
1428 1316
1429 if(!ikey) 1317 if(!ikey) {
1430 {
1431 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1318 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1432 ok = ctx->verify_cb(0, ctx); 1319 ok = ctx->verify_cb(0, ctx);
1433 if (!ok) goto err; 1320 if (!ok) goto err;
1434 } 1321 } else {
1435 else
1436 {
1437 /* Verify CRL signature */ 1322 /* Verify CRL signature */
1438 if(X509_CRL_verify(crl, ikey) <= 0) 1323 if(X509_CRL_verify(crl, ikey) <= 0) {
1439 {
1440 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; 1324 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
1441 ok = ctx->verify_cb(0, ctx); 1325 ok = ctx->verify_cb(0, ctx);
1442 if (!ok) goto err; 1326 if (!ok) goto err;
1443 }
1444 } 1327 }
1445 } 1328 }
1329 }
1446 1330
1447 ok = 1; 1331 ok = 1;
1448 1332
1449 err: 1333err:
1450 EVP_PKEY_free(ikey); 1334 EVP_PKEY_free(ikey);
1451 return ok; 1335 return ok;
1452 } 1336}
1453 1337
1454/* Check certificate against CRL */ 1338/* Check certificate against CRL */
1455static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) 1339static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1456 { 1340{
1457 int ok; 1341 int ok;
1458 X509_REVOKED *rev; 1342 X509_REVOKED *rev;
1459 /* The rules changed for this... previously if a CRL contained 1343 /* The rules changed for this... previously if a CRL contained
@@ -1462,51 +1346,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1462 * critical extension can change the meaning of CRL entries. 1346 * critical extension can change the meaning of CRL entries.
1463 */ 1347 */
1464 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 1348 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1465 && (crl->flags & EXFLAG_CRITICAL)) 1349 && (crl->flags & EXFLAG_CRITICAL)) {
1466 {
1467 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; 1350 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1468 ok = ctx->verify_cb(0, ctx); 1351 ok = ctx->verify_cb(0, ctx);
1469 if(!ok) 1352 if(!ok)
1470 return 0; 1353 return 0;
1471 } 1354 }
1472 /* Look for serial number of certificate in CRL 1355 /* Look for serial number of certificate in CRL
1473 * If found make sure reason is not removeFromCRL. 1356 * If found make sure reason is not removeFromCRL.
1474 */ 1357 */
1475 if (X509_CRL_get0_by_cert(crl, &rev, x)) 1358 if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1476 {
1477 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) 1359 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1478 return 2; 1360 return 2;
1479 ctx->error = X509_V_ERR_CERT_REVOKED; 1361 ctx->error = X509_V_ERR_CERT_REVOKED;
1480 ok = ctx->verify_cb(0, ctx); 1362 ok = ctx->verify_cb(0, ctx);
1481 if (!ok) 1363 if (!ok)
1482 return 0; 1364 return 0;
1483 } 1365 }
1484 1366
1485 return 1; 1367 return 1;
1486 } 1368}
1487 1369
1488static int check_policy(X509_STORE_CTX *ctx) 1370static int check_policy(X509_STORE_CTX *ctx)
1489 { 1371{
1490 int ret; 1372 int ret;
1491 if (ctx->parent) 1373 if (ctx->parent)
1492 return 1; 1374 return 1;
1493 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, 1375 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1494 ctx->param->policies, ctx->param->flags); 1376 ctx->param->policies, ctx->param->flags);
1495 if (ret == 0) 1377 if (ret == 0) {
1496 {
1497 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); 1378 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
1498 return 0; 1379 return 0;
1499 } 1380 }
1500 /* Invalid or inconsistent extensions */ 1381 /* Invalid or inconsistent extensions */
1501 if (ret == -1) 1382 if (ret == -1) {
1502 {
1503 /* Locate certificates with bad extensions and notify 1383 /* Locate certificates with bad extensions and notify
1504 * callback. 1384 * callback.
1505 */ 1385 */
1506 X509 *x; 1386 X509 *x;
1507 int i; 1387 int i;
1508 for (i = 1; i < sk_X509_num(ctx->chain); i++) 1388 for (i = 1; i < sk_X509_num(ctx->chain); i++) {
1509 {
1510 x = sk_X509_value(ctx->chain, i); 1389 x = sk_X509_value(ctx->chain, i);
1511 if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) 1390 if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1512 continue; 1391 continue;
@@ -1514,29 +1393,27 @@ static int check_policy(X509_STORE_CTX *ctx)
1514 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; 1393 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1515 if(!ctx->verify_cb(0, ctx)) 1394 if(!ctx->verify_cb(0, ctx))
1516 return 0; 1395 return 0;
1517 }
1518 return 1;
1519 } 1396 }
1520 if (ret == -2) 1397 return 1;
1521 { 1398 }
1399 if (ret == -2) {
1522 ctx->current_cert = NULL; 1400 ctx->current_cert = NULL;
1523 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; 1401 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1524 return ctx->verify_cb(0, ctx); 1402 return ctx->verify_cb(0, ctx);
1525 } 1403 }
1526 1404
1527 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) 1405 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1528 {
1529 ctx->current_cert = NULL; 1406 ctx->current_cert = NULL;
1530 ctx->error = X509_V_OK; 1407 ctx->error = X509_V_OK;
1531 if (!ctx->verify_cb(2, ctx)) 1408 if (!ctx->verify_cb(2, ctx))
1532 return 0; 1409 return 0;
1533 } 1410 }
1534 1411
1535 return 1; 1412 return 1;
1536 } 1413}
1537 1414
1538static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) 1415static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1539 { 1416{
1540 time_t *ptime; 1417 time_t *ptime;
1541 int i; 1418 int i;
1542 1419
@@ -1546,44 +1423,40 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1546 ptime = NULL; 1423 ptime = NULL;
1547 1424
1548 i=X509_cmp_time(X509_get_notBefore(x), ptime); 1425 i=X509_cmp_time(X509_get_notBefore(x), ptime);
1549 if (i == 0) 1426 if (i == 0) {
1550 {
1551 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 1427 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1552 ctx->current_cert=x; 1428 ctx->current_cert=x;
1553 if (!ctx->verify_cb(0, ctx)) 1429 if (!ctx->verify_cb(0, ctx))
1554 return 0; 1430 return 0;
1555 } 1431 }
1556 1432
1557 if (i > 0) 1433 if (i > 0) {
1558 {
1559 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; 1434 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
1560 ctx->current_cert=x; 1435 ctx->current_cert=x;
1561 if (!ctx->verify_cb(0, ctx)) 1436 if (!ctx->verify_cb(0, ctx))
1562 return 0; 1437 return 0;
1563 } 1438 }
1564 1439
1565 i=X509_cmp_time(X509_get_notAfter(x), ptime); 1440 i=X509_cmp_time(X509_get_notAfter(x), ptime);
1566 if (i == 0) 1441 if (i == 0) {
1567 {
1568 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; 1442 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1569 ctx->current_cert=x; 1443 ctx->current_cert=x;
1570 if (!ctx->verify_cb(0, ctx)) 1444 if (!ctx->verify_cb(0, ctx))
1571 return 0; 1445 return 0;
1572 } 1446 }
1573 1447
1574 if (i < 0) 1448 if (i < 0) {
1575 {
1576 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; 1449 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
1577 ctx->current_cert=x; 1450 ctx->current_cert=x;
1578 if (!ctx->verify_cb(0, ctx)) 1451 if (!ctx->verify_cb(0, ctx))
1579 return 0; 1452 return 0;
1580 } 1453 }
1581 1454
1582 return 1; 1455 return 1;
1583 } 1456}
1584 1457
1585static int internal_verify(X509_STORE_CTX *ctx) 1458static int internal_verify(X509_STORE_CTX *ctx)
1586 { 1459{
1587 int ok=0,n; 1460 int ok=0,n;
1588 X509 *xs,*xi; 1461 X509 *xs,*xi;
1589 EVP_PKEY *pkey=NULL; 1462 EVP_PKEY *pkey=NULL;
@@ -1598,55 +1471,45 @@ static int internal_verify(X509_STORE_CTX *ctx)
1598 1471
1599 if (ctx->check_issued(ctx, xi, xi)) 1472 if (ctx->check_issued(ctx, xi, xi))
1600 xs=xi; 1473 xs=xi;
1601 else 1474 else {
1602 { 1475 if (n <= 0) {
1603 if (n <= 0)
1604 {
1605 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; 1476 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1606 ctx->current_cert=xi; 1477 ctx->current_cert=xi;
1607 ok=cb(0,ctx); 1478 ok=cb(0,ctx);
1608 goto end; 1479 goto end;
1609 } 1480 } else {
1610 else
1611 {
1612 n--; 1481 n--;
1613 ctx->error_depth=n; 1482 ctx->error_depth=n;
1614 xs=sk_X509_value(ctx->chain,n); 1483 xs=sk_X509_value(ctx->chain,n);
1615 }
1616 } 1484 }
1485 }
1617 1486
1618/* ctx->error=0; not needed */ 1487/* ctx->error=0; not needed */
1619 while (n >= 0) 1488 while (n >= 0) {
1620 {
1621 ctx->error_depth=n; 1489 ctx->error_depth=n;
1622 1490
1623 /* Skip signature check for self signed certificates unless 1491 /* Skip signature check for self signed certificates unless
1624 * explicitly asked for. It doesn't add any security and 1492 * explicitly asked for. It doesn't add any security and
1625 * just wastes time. 1493 * just wastes time.
1626 */ 1494 */
1627 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) 1495 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
1628 { 1496 if ((pkey=X509_get_pubkey(xi)) == NULL) {
1629 if ((pkey=X509_get_pubkey(xi)) == NULL)
1630 {
1631 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1497 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1632 ctx->current_cert=xi; 1498 ctx->current_cert=xi;
1633 ok=(*cb)(0,ctx); 1499 ok=(*cb)(0,ctx);
1634 if (!ok) goto end; 1500 if (!ok) goto end;
1635 } 1501 } else if (X509_verify(xs,pkey) <= 0) {
1636 else if (X509_verify(xs,pkey) <= 0)
1637 {
1638 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; 1502 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
1639 ctx->current_cert=xs; 1503 ctx->current_cert=xs;
1640 ok=(*cb)(0,ctx); 1504 ok=(*cb)(0,ctx);
1641 if (!ok) 1505 if (!ok) {
1642 {
1643 EVP_PKEY_free(pkey); 1506 EVP_PKEY_free(pkey);
1644 goto end; 1507 goto end;
1645 }
1646 } 1508 }
1509 }
1647 EVP_PKEY_free(pkey); 1510 EVP_PKEY_free(pkey);
1648 pkey=NULL; 1511 pkey=NULL;
1649 } 1512 }
1650 1513
1651 xs->valid = 1; 1514 xs->valid = 1;
1652 1515
@@ -1661,16 +1524,15 @@ static int internal_verify(X509_STORE_CTX *ctx)
1661 if (!ok) goto end; 1524 if (!ok) goto end;
1662 1525
1663 n--; 1526 n--;
1664 if (n >= 0) 1527 if (n >= 0) {
1665 {
1666 xi=xs; 1528 xi=xs;
1667 xs=sk_X509_value(ctx->chain,n); 1529 xs=sk_X509_value(ctx->chain,n);
1668 }
1669 } 1530 }
1531 }
1670 ok=1; 1532 ok=1;
1671end: 1533end:
1672 return ok; 1534 return ok;
1673 } 1535}
1674 1536
1675int X509_cmp_current_time(const ASN1_TIME *ctm) 1537int X509_cmp_current_time(const ASN1_TIME *ctm)
1676{ 1538{
@@ -1678,7 +1540,7 @@ int X509_cmp_current_time(const ASN1_TIME *ctm)
1678} 1540}
1679 1541
1680int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) 1542int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1681 { 1543{
1682 char *str; 1544 char *str;
1683 ASN1_TIME atm; 1545 ASN1_TIME atm;
1684 long offset; 1546 long offset;
@@ -1688,49 +1550,44 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1688 p=buff1; 1550 p=buff1;
1689 i=ctm->length; 1551 i=ctm->length;
1690 str=(char *)ctm->data; 1552 str=(char *)ctm->data;
1691 if (ctm->type == V_ASN1_UTCTIME) 1553 if (ctm->type == V_ASN1_UTCTIME) {
1692 {
1693 if ((i < 11) || (i > 17)) return 0; 1554 if ((i < 11) || (i > 17)) return 0;
1694 memcpy(p,str,10); 1555 memcpy(p,str,10);
1695 p+=10; 1556 p+=10;
1696 str+=10; 1557 str+=10;
1697 } 1558 } else {
1698 else
1699 {
1700 if (i < 13) return 0; 1559 if (i < 13) return 0;
1701 memcpy(p,str,12); 1560 memcpy(p,str,12);
1702 p+=12; 1561 p+=12;
1703 str+=12; 1562 str+=12;
1704 } 1563 }
1705 1564
1706 if ((*str == 'Z') || (*str == '-') || (*str == '+')) 1565 if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
1707 { *(p++)='0'; *(p++)='0'; } 1566 *(p++)='0';
1708 else 1567 *(p++)='0';
1709 { 1568 } else {
1710 *(p++)= *(str++); 1569 *(p++)= *(str++);
1711 *(p++)= *(str++); 1570 *(p++)= *(str++);
1712 /* Skip any fractional seconds... */ 1571 /* Skip any fractional seconds... */
1713 if (*str == '.') 1572 if (*str == '.') {
1714 {
1715 str++; 1573 str++;
1716 while ((*str >= '0') && (*str <= '9')) str++; 1574 while ((*str >= '0') && (*str <= '9')) str++;
1717 }
1718
1719 } 1575 }
1576
1577 }
1720 *(p++)='Z'; 1578 *(p++)='Z';
1721 *(p++)='\0'; 1579 *(p++)='\0';
1722 1580
1723 if (*str == 'Z') 1581 if (*str == 'Z')
1724 offset=0; 1582 offset=0;
1725 else 1583 else {
1726 {
1727 if ((*str != '+') && (*str != '-')) 1584 if ((*str != '+') && (*str != '-'))
1728 return 0; 1585 return 0;
1729 offset=((str[1]-'0')*10+(str[2]-'0'))*60; 1586 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
1730 offset+=(str[3]-'0')*10+(str[4]-'0'); 1587 offset+=(str[3]-'0')*10+(str[4]-'0');
1731 if (*str == '-') 1588 if (*str == '-')
1732 offset= -offset; 1589 offset= -offset;
1733 } 1590 }
1734 atm.type=ctm->type; 1591 atm.type=ctm->type;
1735 atm.flags = 0; 1592 atm.flags = 0;
1736 atm.length=sizeof(buff2); 1593 atm.length=sizeof(buff2);
@@ -1739,8 +1596,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1739 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) 1596 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
1740 return 0; 1597 return 0;
1741 1598
1742 if (ctm->type == V_ASN1_UTCTIME) 1599 if (ctm->type == V_ASN1_UTCTIME) {
1743 {
1744 i=(buff1[0]-'0')*10+(buff1[1]-'0'); 1600 i=(buff1[0]-'0')*10+(buff1[1]-'0');
1745 if (i < 50) i+=100; /* cf. RFC 2459 */ 1601 if (i < 50) i+=100; /* cf. RFC 2459 */
1746 j=(buff2[0]-'0')*10+(buff2[1]-'0'); 1602 j=(buff2[0]-'0')*10+(buff2[1]-'0');
@@ -1748,13 +1604,13 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1748 1604
1749 if (i < j) return -1; 1605 if (i < j) return -1;
1750 if (i > j) return 1; 1606 if (i > j) return 1;
1751 } 1607 }
1752 i=strcmp(buff1,buff2); 1608 i=strcmp(buff1,buff2);
1753 if (i == 0) /* wait a second then return younger :-) */ 1609 if (i == 0) /* wait a second then return younger :-) */
1754 return -1; 1610 return -1;
1755 else 1611 else
1756 return i; 1612 return i;
1757 } 1613}
1758 1614
1759ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) 1615ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1760{ 1616{
@@ -1762,168 +1618,161 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1762} 1618}
1763 1619
1764ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) 1620ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1765 { 1621{
1766 return X509_time_adj_ex(s, 0, offset_sec, in_tm); 1622 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1767 } 1623}
1768 1624
1769ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, 1625ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1770 int offset_day, long offset_sec, time_t *in_tm) 1626 int offset_day, long offset_sec, time_t *in_tm)
1771 { 1627{
1772 time_t t; 1628 time_t t;
1773 1629
1774 if (in_tm) t = *in_tm; 1630 if (in_tm) t = *in_tm;
1775 else time(&t); 1631 else time(&t);
1776 1632
1777 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) 1633 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
1778 {
1779 if (s->type == V_ASN1_UTCTIME) 1634 if (s->type == V_ASN1_UTCTIME)
1780 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); 1635 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
1781 if (s->type == V_ASN1_GENERALIZEDTIME) 1636 if (s->type == V_ASN1_GENERALIZEDTIME)
1782 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, 1637 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1783 offset_sec); 1638 offset_sec);
1784 }
1785 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1786 } 1639 }
1640 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1641}
1787 1642
1788int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) 1643int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1789 { 1644{
1790 EVP_PKEY *ktmp=NULL,*ktmp2; 1645 EVP_PKEY *ktmp=NULL,*ktmp2;
1791 int i,j; 1646 int i,j;
1792 1647
1793 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; 1648 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
1794 1649
1795 for (i=0; i<sk_X509_num(chain); i++) 1650 for (i=0; i<sk_X509_num(chain); i++) {
1796 {
1797 ktmp=X509_get_pubkey(sk_X509_value(chain,i)); 1651 ktmp=X509_get_pubkey(sk_X509_value(chain,i));
1798 if (ktmp == NULL) 1652 if (ktmp == NULL) {
1799 {
1800 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); 1653 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1801 return 0; 1654 return 0;
1802 } 1655 }
1803 if (!EVP_PKEY_missing_parameters(ktmp)) 1656 if (!EVP_PKEY_missing_parameters(ktmp))
1804 break; 1657 break;
1805 else 1658 else {
1806 {
1807 EVP_PKEY_free(ktmp); 1659 EVP_PKEY_free(ktmp);
1808 ktmp=NULL; 1660 ktmp=NULL;
1809 }
1810 } 1661 }
1811 if (ktmp == NULL) 1662 }
1812 { 1663 if (ktmp == NULL) {
1813 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); 1664 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1814 return 0; 1665 return 0;
1815 } 1666 }
1816 1667
1817 /* first, populate the other certs */ 1668 /* first, populate the other certs */
1818 for (j=i-1; j >= 0; j--) 1669 for (j=i-1; j >= 0; j--) {
1819 {
1820 ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); 1670 ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
1821 EVP_PKEY_copy_parameters(ktmp2,ktmp); 1671 EVP_PKEY_copy_parameters(ktmp2,ktmp);
1822 EVP_PKEY_free(ktmp2); 1672 EVP_PKEY_free(ktmp2);
1823 } 1673 }
1824 1674
1825 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); 1675 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
1826 EVP_PKEY_free(ktmp); 1676 EVP_PKEY_free(ktmp);
1827 return 1; 1677 return 1;
1828 } 1678}
1829 1679
1830int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1680int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1831 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 1681 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1832 { 1682{
1833 /* This function is (usually) called only once, by 1683 /* This function is (usually) called only once, by
1834 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ 1684 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1835 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, 1685 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
1836 new_func, dup_func, free_func); 1686 new_func, dup_func, free_func);
1837 } 1687}
1838 1688
1839int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) 1689int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1840 { 1690{
1841 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); 1691 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
1842 } 1692}
1843 1693
1844void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) 1694void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1845 { 1695{
1846 return CRYPTO_get_ex_data(&ctx->ex_data,idx); 1696 return CRYPTO_get_ex_data(&ctx->ex_data,idx);
1847 } 1697}
1848 1698
1849int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) 1699int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1850 { 1700{
1851 return ctx->error; 1701 return ctx->error;
1852 } 1702}
1853 1703
1854void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) 1704void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1855 { 1705{
1856 ctx->error=err; 1706 ctx->error=err;
1857 } 1707}
1858 1708
1859int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) 1709int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1860 { 1710{
1861 return ctx->error_depth; 1711 return ctx->error_depth;
1862 } 1712}
1863 1713
1864X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) 1714X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1865 { 1715{
1866 return ctx->current_cert; 1716 return ctx->current_cert;
1867 } 1717}
1868 1718
1869STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) 1719STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
1870 { 1720{
1871 return ctx->chain; 1721 return ctx->chain;
1872 } 1722}
1873 1723
1874STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) 1724STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1875 { 1725{
1876 int i; 1726 int i;
1877 X509 *x; 1727 X509 *x;
1878 STACK_OF(X509) *chain; 1728 STACK_OF(X509) *chain;
1879 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; 1729 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
1880 for (i = 0; i < sk_X509_num(chain); i++) 1730 for (i = 0; i < sk_X509_num(chain); i++) {
1881 {
1882 x = sk_X509_value(chain, i); 1731 x = sk_X509_value(chain, i);
1883 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1732 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1884 }
1885 return chain;
1886 } 1733 }
1734 return chain;
1735}
1887 1736
1888X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) 1737X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1889 { 1738{
1890 return ctx->current_issuer; 1739 return ctx->current_issuer;
1891 } 1740}
1892 1741
1893X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) 1742X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1894 { 1743{
1895 return ctx->current_crl; 1744 return ctx->current_crl;
1896 } 1745}
1897 1746
1898X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) 1747X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1899 { 1748{
1900 return ctx->parent; 1749 return ctx->parent;
1901 } 1750}
1902 1751
1903void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) 1752void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1904 { 1753{
1905 ctx->cert=x; 1754 ctx->cert=x;
1906 } 1755}
1907 1756
1908void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 1757void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1909 { 1758{
1910 ctx->untrusted=sk; 1759 ctx->untrusted=sk;
1911 } 1760}
1912 1761
1913void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) 1762void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1914 { 1763{
1915 ctx->crls=sk; 1764 ctx->crls=sk;
1916 } 1765}
1917 1766
1918int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) 1767int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1919 { 1768{
1920 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); 1769 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1921 } 1770}
1922 1771
1923int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) 1772int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1924 { 1773{
1925 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); 1774 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1926 } 1775}
1927 1776
1928/* This function is used to set the X509_STORE_CTX purpose and trust 1777/* This function is used to set the X509_STORE_CTX purpose and trust
1929 * values. This is intended to be used when another structure has its 1778 * values. This is intended to be used when another structure has its
@@ -1942,41 +1791,35 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1942 /* If purpose not set use default */ 1791 /* If purpose not set use default */
1943 if (!purpose) purpose = def_purpose; 1792 if (!purpose) purpose = def_purpose;
1944 /* If we have a purpose then check it is valid */ 1793 /* If we have a purpose then check it is valid */
1945 if (purpose) 1794 if (purpose) {
1946 {
1947 X509_PURPOSE *ptmp; 1795 X509_PURPOSE *ptmp;
1948 idx = X509_PURPOSE_get_by_id(purpose); 1796 idx = X509_PURPOSE_get_by_id(purpose);
1949 if (idx == -1) 1797 if (idx == -1) {
1950 {
1951 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1798 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1952 X509_R_UNKNOWN_PURPOSE_ID); 1799 X509_R_UNKNOWN_PURPOSE_ID);
1953 return 0; 1800 return 0;
1954 } 1801 }
1955 ptmp = X509_PURPOSE_get0(idx); 1802 ptmp = X509_PURPOSE_get0(idx);
1956 if (ptmp->trust == X509_TRUST_DEFAULT) 1803 if (ptmp->trust == X509_TRUST_DEFAULT) {
1957 {
1958 idx = X509_PURPOSE_get_by_id(def_purpose); 1804 idx = X509_PURPOSE_get_by_id(def_purpose);
1959 if (idx == -1) 1805 if (idx == -1) {
1960 {
1961 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1806 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1962 X509_R_UNKNOWN_PURPOSE_ID); 1807 X509_R_UNKNOWN_PURPOSE_ID);
1963 return 0; 1808 return 0;
1964 }
1965 ptmp = X509_PURPOSE_get0(idx);
1966 } 1809 }
1810 ptmp = X509_PURPOSE_get0(idx);
1811 }
1967 /* If trust not set then get from purpose default */ 1812 /* If trust not set then get from purpose default */
1968 if (!trust) trust = ptmp->trust; 1813 if (!trust) trust = ptmp->trust;
1969 } 1814 }
1970 if (trust) 1815 if (trust) {
1971 {
1972 idx = X509_TRUST_get_by_id(trust); 1816 idx = X509_TRUST_get_by_id(trust);
1973 if (idx == -1) 1817 if (idx == -1) {
1974 {
1975 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1818 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1976 X509_R_UNKNOWN_TRUST_ID); 1819 X509_R_UNKNOWN_TRUST_ID);
1977 return 0; 1820 return 0;
1978 }
1979 } 1821 }
1822 }
1980 1823
1981 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; 1824 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
1982 if (trust && !ctx->param->trust) ctx->param->trust = trust; 1825 if (trust && !ctx->param->trust) ctx->param->trust = trust;
@@ -1987,11 +1830,10 @@ X509_STORE_CTX *X509_STORE_CTX_new(void)
1987{ 1830{
1988 X509_STORE_CTX *ctx; 1831 X509_STORE_CTX *ctx;
1989 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX)); 1832 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX));
1990 if (!ctx) 1833 if (!ctx) {
1991 {
1992 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); 1834 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
1993 return NULL; 1835 return NULL;
1994 } 1836 }
1995 memset(ctx, 0, sizeof(X509_STORE_CTX)); 1837 memset(ctx, 0, sizeof(X509_STORE_CTX));
1996 return ctx; 1838 return ctx;
1997} 1839}
@@ -2004,7 +1846,7 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
2004 1846
2005int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, 1847int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2006 STACK_OF(X509) *chain) 1848 STACK_OF(X509) *chain)
2007 { 1849{
2008 int ret = 1; 1850 int ret = 1;
2009 ctx->ctx=store; 1851 ctx->ctx=store;
2010 ctx->current_method=0; 1852 ctx->current_method=0;
@@ -2028,11 +1870,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2028 1870
2029 ctx->param = X509_VERIFY_PARAM_new(); 1871 ctx->param = X509_VERIFY_PARAM_new();
2030 1872
2031 if (!ctx->param) 1873 if (!ctx->param) {
2032 {
2033 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1874 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2034 return 0; 1875 return 0;
2035 } 1876 }
2036 1877
2037 /* Inherit callbacks and flags from X509_STORE if not set 1878 /* Inherit callbacks and flags from X509_STORE if not set
2038 * use defaults. 1879 * use defaults.
@@ -2044,23 +1885,20 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2044 else 1885 else
2045 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; 1886 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
2046 1887
2047 if (store) 1888 if (store) {
2048 {
2049 ctx->verify_cb = store->verify_cb; 1889 ctx->verify_cb = store->verify_cb;
2050 ctx->cleanup = store->cleanup; 1890 ctx->cleanup = store->cleanup;
2051 } 1891 } else
2052 else
2053 ctx->cleanup = 0; 1892 ctx->cleanup = 0;
2054 1893
2055 if (ret) 1894 if (ret)
2056 ret = X509_VERIFY_PARAM_inherit(ctx->param, 1895 ret = X509_VERIFY_PARAM_inherit(ctx->param,
2057 X509_VERIFY_PARAM_lookup("default")); 1896 X509_VERIFY_PARAM_lookup("default"));
2058 1897
2059 if (ret == 0) 1898 if (ret == 0) {
2060 {
2061 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1899 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2062 return 0; 1900 return 0;
2063 } 1901 }
2064 1902
2065 if (store && store->check_issued) 1903 if (store && store->check_issued)
2066 ctx->check_issued = store->check_issued; 1904 ctx->check_issued = store->check_issued;
@@ -2120,14 +1958,13 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2120 * corresponding "new" here and remove this bogus initialisation. */ 1958 * corresponding "new" here and remove this bogus initialisation. */
2121 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ 1959 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
2122 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, 1960 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
2123 &(ctx->ex_data))) 1961 &(ctx->ex_data))) {
2124 {
2125 free(ctx); 1962 free(ctx);
2126 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1963 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2127 return 0; 1964 return 0;
2128 }
2129 return 1;
2130 } 1965 }
1966 return 1;
1967}
2131 1968
2132/* Set alternative lookup method: just a STACK of trusted certificates. 1969/* Set alternative lookup method: just a STACK of trusted certificates.
2133 * This avoids X509_STORE nastiness where it isn't needed. 1970 * This avoids X509_STORE nastiness where it isn't needed.
@@ -2140,79 +1977,76 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2140} 1977}
2141 1978
2142void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) 1979void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2143 { 1980{
2144 if (ctx->cleanup) ctx->cleanup(ctx); 1981 if (ctx->cleanup) ctx->cleanup(ctx);
2145 if (ctx->param != NULL) 1982 if (ctx->param != NULL) {
2146 {
2147 if (ctx->parent == NULL) 1983 if (ctx->parent == NULL)
2148 X509_VERIFY_PARAM_free(ctx->param); 1984 X509_VERIFY_PARAM_free(ctx->param);
2149 ctx->param=NULL; 1985 ctx->param=NULL;
2150 } 1986 }
2151 if (ctx->tree != NULL) 1987 if (ctx->tree != NULL) {
2152 {
2153 X509_policy_tree_free(ctx->tree); 1988 X509_policy_tree_free(ctx->tree);
2154 ctx->tree=NULL; 1989 ctx->tree=NULL;
2155 } 1990 }
2156 if (ctx->chain != NULL) 1991 if (ctx->chain != NULL) {
2157 {
2158 sk_X509_pop_free(ctx->chain,X509_free); 1992 sk_X509_pop_free(ctx->chain,X509_free);
2159 ctx->chain=NULL; 1993 ctx->chain=NULL;
2160 } 1994 }
2161 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); 1995 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
2162 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); 1996 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
2163 } 1997}
2164 1998
2165void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) 1999void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2166 { 2000{
2167 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 2001 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2168 } 2002}
2169 2003
2170void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) 2004void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2171 { 2005{
2172 X509_VERIFY_PARAM_set_flags(ctx->param, flags); 2006 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2173 } 2007}
2174 2008
2175void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) 2009void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2176 { 2010{
2177 X509_VERIFY_PARAM_set_time(ctx->param, t); 2011 X509_VERIFY_PARAM_set_time(ctx->param, t);
2178 } 2012}
2179 2013
2180void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 2014void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2181 int (*verify_cb)(int, X509_STORE_CTX *)) 2015 int (*verify_cb)(int, X509_STORE_CTX *))
2182 { 2016{
2183 ctx->verify_cb=verify_cb; 2017 ctx->verify_cb=verify_cb;
2184 } 2018}
2185 2019
2186X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) 2020X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2187 { 2021{
2188 return ctx->tree; 2022 return ctx->tree;
2189 } 2023}
2190 2024
2191int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) 2025int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2192 { 2026{
2193 return ctx->explicit_policy; 2027 return ctx->explicit_policy;
2194 } 2028}
2195 2029
2196int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) 2030int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2197 { 2031{
2198 const X509_VERIFY_PARAM *param; 2032 const X509_VERIFY_PARAM *param;
2199 param = X509_VERIFY_PARAM_lookup(name); 2033 param = X509_VERIFY_PARAM_lookup(name);
2200 if (!param) 2034 if (!param)
2201 return 0; 2035 return 0;
2202 return X509_VERIFY_PARAM_inherit(ctx->param, param); 2036 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2203 } 2037}
2204 2038
2205X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) 2039X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2206 { 2040{
2207 return ctx->param; 2041 return ctx->param;
2208 } 2042}
2209 2043
2210void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) 2044void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2211 { 2045{
2212 if (ctx->param) 2046 if (ctx->param)
2213 X509_VERIFY_PARAM_free(ctx->param); 2047 X509_VERIFY_PARAM_free(ctx->param);
2214 ctx->param = param; 2048 ctx->param = param;
2215 } 2049}
2216 2050
2217IMPLEMENT_STACK_OF(X509) 2051IMPLEMENT_STACK_OF(X509)
2218IMPLEMENT_ASN1_SET_OF(X509) 2052IMPLEMENT_ASN1_SET_OF(X509)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-19 19:08:10 +0000