summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_vfy.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/x509/x509_vfy.c')
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c972
1 files changed, 554 insertions, 418 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 6e9dd7cc6a..0024904c20 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -108,7 +108,7 @@
108 108
109#define CRL_SCORE_TIME_DELTA 0x002 109#define CRL_SCORE_TIME_DELTA 0x002
110 110
111static int null_callback(int ok,X509_STORE_CTX *e); 111static int null_callback(int ok, X509_STORE_CTX *e);
112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); 112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); 113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
114static int check_chain_extensions(X509_STORE_CTX *ctx); 114static int check_chain_extensions(X509_STORE_CTX *ctx);
@@ -119,100 +119,106 @@ static int check_cert(X509_STORE_CTX *ctx);
119static int check_policy(X509_STORE_CTX *ctx); 119static int check_policy(X509_STORE_CTX *ctx);
120 120
121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
122 unsigned int *preasons, 122 unsigned int *preasons, X509_CRL *crl, X509 *x);
123 X509_CRL *crl, X509 *x);
124static int get_crl_delta(X509_STORE_CTX *ctx, 123static int get_crl_delta(X509_STORE_CTX *ctx,
125 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); 124 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
126static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, 125static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
127 X509_CRL *base, STACK_OF(X509_CRL) *crls); 126 X509_CRL *base, STACK_OF(X509_CRL) *crls);
128static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, 127static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
129 X509 **pissuer, int *pcrl_score); 128 int *pcrl_score);
130static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 129static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
131 unsigned int *preasons); 130 unsigned int *preasons);
132static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); 131static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
133static int check_crl_chain(X509_STORE_CTX *ctx, 132static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
134 STACK_OF(X509) *cert_path, 133 STACK_OF(X509) *crl_path);
135 STACK_OF(X509) *crl_path);
136 134
137static int internal_verify(X509_STORE_CTX *ctx); 135static int internal_verify(X509_STORE_CTX *ctx);
138const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; 136const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139 137
140 138
141static int null_callback(int ok, X509_STORE_CTX *e) 139static int
140null_callback(int ok, X509_STORE_CTX *e)
142{ 141{
143 return ok; 142 return ok;
144} 143}
145 144
146#if 0 145#if 0
147static int x509_subject_cmp(X509 **a, X509 **b) 146static int
147x509_subject_cmp(X509 **a, X509 **b)
148{ 148{
149 return X509_subject_name_cmp(*a,*b); 149 return X509_subject_name_cmp(*a, *b);
150} 150}
151#endif 151#endif
152 152
153int X509_verify_cert(X509_STORE_CTX *ctx) 153int
154X509_verify_cert(X509_STORE_CTX *ctx)
154{ 155{
155 X509 *x,*xtmp,*chain_ss=NULL; 156 X509 *x, *xtmp, *chain_ss = NULL;
156 int bad_chain = 0; 157 int bad_chain = 0;
157 X509_VERIFY_PARAM *param = ctx->param; 158 X509_VERIFY_PARAM *param = ctx->param;
158 int depth,i,ok=0; 159 int depth, i, ok = 0;
159 int num; 160 int num;
160 int (*cb)(int xok,X509_STORE_CTX *xctx); 161 int (*cb)(int xok, X509_STORE_CTX *xctx);
161 STACK_OF(X509) *sktmp=NULL; 162 STACK_OF(X509) *sktmp = NULL;
163
162 if (ctx->cert == NULL) { 164 if (ctx->cert == NULL) {
163 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); 165 X509err(X509_F_X509_VERIFY_CERT,
166 X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
164 return -1; 167 return -1;
165 } 168 }
166 169
167 cb=ctx->verify_cb; 170 cb = ctx->verify_cb;
168 171
169 /* first we make sure the chain we are going to build is 172 /* first we make sure the chain we are going to build is
170 * present and that the first entry is in place */ 173 * present and that the first entry is in place */
171 if (ctx->chain == NULL) { 174 if (ctx->chain == NULL) {
172 if ( ((ctx->chain=sk_X509_new_null()) == NULL) || 175 if (((ctx->chain = sk_X509_new_null()) == NULL) ||
173 (!sk_X509_push(ctx->chain,ctx->cert))) { 176 (!sk_X509_push(ctx->chain, ctx->cert))) {
174 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 177 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
175 goto end; 178 goto end;
176 } 179 }
177 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); 180 CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
178 ctx->last_untrusted=1; 181 ctx->last_untrusted = 1;
179 } 182 }
180 183
181 /* We use a temporary STACK so we can chop and hack at it */ 184 /* We use a temporary STACK so we can chop and hack at it */
182 if (ctx->untrusted != NULL 185 if (ctx->untrusted != NULL &&
183 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) { 186 (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
184 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 187 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
185 goto end; 188 goto end;
186 } 189 }
187 190
188 num=sk_X509_num(ctx->chain); 191 num = sk_X509_num(ctx->chain);
189 x=sk_X509_value(ctx->chain,num-1); 192 x = sk_X509_value(ctx->chain, num - 1);
190 depth=param->depth; 193 depth = param->depth;
191
192 194
193 for (;;) { 195 for (;;) {
194 /* If we have enough, we break */ 196 /* If we have enough, we break */
195 if (depth < num) break; /* FIXME: If this happens, we should take 197 if (depth < num)
196 * note of it and, if appropriate, use the 198 break; /* FIXME: If this happens, we should take
197 * X509_V_ERR_CERT_CHAIN_TOO_LONG error 199 * note of it and, if appropriate, use the
198 * code later. 200 * X509_V_ERR_CERT_CHAIN_TOO_LONG error
199 */ 201 * code later.
202 */
200 203
201 /* If we are self signed, we break */ 204 /* If we are self signed, we break */
202 if (ctx->check_issued(ctx, x,x)) break; 205 if (ctx->check_issued(ctx, x, x))
206 break;
203 207
204 /* If we were passed a cert chain, use it first */ 208 /* If we were passed a cert chain, use it first */
205 if (ctx->untrusted != NULL) { 209 if (ctx->untrusted != NULL) {
206 xtmp=find_issuer(ctx, sktmp,x); 210 xtmp = find_issuer(ctx, sktmp, x);
207 if (xtmp != NULL) { 211 if (xtmp != NULL) {
208 if (!sk_X509_push(ctx->chain,xtmp)) { 212 if (!sk_X509_push(ctx->chain, xtmp)) {
209 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 213 X509err(X509_F_X509_VERIFY_CERT,
214 ERR_R_MALLOC_FAILURE);
210 goto end; 215 goto end;
211 } 216 }
212 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); 217 CRYPTO_add(&xtmp->references, 1,
213 (void)sk_X509_delete_ptr(sktmp,xtmp); 218 CRYPTO_LOCK_X509);
219 (void)sk_X509_delete_ptr(sktmp, xtmp);
214 ctx->last_untrusted++; 220 ctx->last_untrusted++;
215 x=xtmp; 221 x = xtmp;
216 num++; 222 num++;
217 /* reparse the full chain for 223 /* reparse the full chain for
218 * the next one */ 224 * the next one */
@@ -230,8 +236,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
230 * is self signed. 236 * is self signed.
231 */ 237 */
232 238
233 i=sk_X509_num(ctx->chain); 239 i = sk_X509_num(ctx->chain);
234 x=sk_X509_value(ctx->chain,i-1); 240 x = sk_X509_value(ctx->chain, i - 1);
235 if (ctx->check_issued(ctx, x, x)) { 241 if (ctx->check_issued(ctx, x, x)) {
236 /* we have a self signed certificate */ 242 /* we have a self signed certificate */
237 if (sk_X509_num(ctx->chain) == 1) { 243 if (sk_X509_num(ctx->chain) == 1) {
@@ -241,13 +247,16 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
241 */ 247 */
242 ok = ctx->get_issuer(&xtmp, ctx, x); 248 ok = ctx->get_issuer(&xtmp, ctx, x);
243 if ((ok <= 0) || X509_cmp(x, xtmp)) { 249 if ((ok <= 0) || X509_cmp(x, xtmp)) {
244 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; 250 ctx->error =
245 ctx->current_cert=x; 251 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
246 ctx->error_depth=i-1; 252 ctx->current_cert = x;
247 if (ok == 1) X509_free(xtmp); 253 ctx->error_depth = i - 1;
254 if (ok == 1)
255 X509_free(xtmp);
248 bad_chain = 1; 256 bad_chain = 1;
249 ok=cb(0,ctx); 257 ok = cb(0, ctx);
250 if (!ok) goto end; 258 if (!ok)
259 goto end;
251 } else { 260 } else {
252 /* We have a match: replace certificate with store version 261 /* We have a match: replace certificate with store version
253 * so we get any trust settings. 262 * so we get any trust settings.
@@ -255,34 +264,37 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
255 X509_free(x); 264 X509_free(x);
256 x = xtmp; 265 x = xtmp;
257 (void)sk_X509_set(ctx->chain, i - 1, x); 266 (void)sk_X509_set(ctx->chain, i - 1, x);
258 ctx->last_untrusted=0; 267 ctx->last_untrusted = 0;
259 } 268 }
260 } else { 269 } else {
261 /* extract and save self signed certificate for later use */ 270 /* extract and save self signed certificate for later use */
262 chain_ss=sk_X509_pop(ctx->chain); 271 chain_ss = sk_X509_pop(ctx->chain);
263 ctx->last_untrusted--; 272 ctx->last_untrusted--;
264 num--; 273 num--;
265 x=sk_X509_value(ctx->chain,num-1); 274 x = sk_X509_value(ctx->chain, num - 1);
266 } 275 }
267 } 276 }
268 277
269 /* We now lookup certs from the certificate store */ 278 /* We now lookup certs from the certificate store */
270 for (;;) { 279 for (;;) {
271 /* If we have enough, we break */ 280 /* If we have enough, we break */
272 if (depth < num) break; 281 if (depth < num)
282 break;
273 283
274 /* If we are self signed, we break */ 284 /* If we are self signed, we break */
275 if (ctx->check_issued(ctx,x,x)) break; 285 if (ctx->check_issued(ctx, x, x))
286 break;
276 287
277 ok = ctx->get_issuer(&xtmp, ctx, x); 288 ok = ctx->get_issuer(&xtmp, ctx, x);
278 289 if (ok < 0)
279 if (ok < 0) return ok; 290 return ok;
280 if (ok == 0) break; 291 if (ok == 0)
292 break;
281 293
282 x = xtmp; 294 x = xtmp;
283 if (!sk_X509_push(ctx->chain,x)) { 295 if (!sk_X509_push(ctx->chain, x)) {
284 X509_free(xtmp); 296 X509_free(xtmp);
285 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 297 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
286 return 0; 298 return 0;
287 } 299 }
288 num++; 300 num++;
@@ -291,81 +303,94 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
291 /* we now have our chain, lets check it... */ 303 /* we now have our chain, lets check it... */
292 304
293 /* Is last certificate looked up self signed? */ 305 /* Is last certificate looked up self signed? */
294 if (!ctx->check_issued(ctx,x,x)) { 306 if (!ctx->check_issued(ctx, x, x)) {
295 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { 307 if ((chain_ss == NULL) ||
308 !ctx->check_issued(ctx, x, chain_ss)) {
296 if (ctx->last_untrusted >= num) 309 if (ctx->last_untrusted >= num)
297 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 310 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
298 else 311 else
299 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; 312 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
300 ctx->current_cert=x; 313 ctx->current_cert = x;
301 } else { 314 } else {
302 315
303 sk_X509_push(ctx->chain,chain_ss); 316 sk_X509_push(ctx->chain, chain_ss);
304 num++; 317 num++;
305 ctx->last_untrusted=num; 318 ctx->last_untrusted = num;
306 ctx->current_cert=chain_ss; 319 ctx->current_cert = chain_ss;
307 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 320 ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
308 chain_ss=NULL; 321 chain_ss = NULL;
309 } 322 }
310 323
311 ctx->error_depth=num-1; 324 ctx->error_depth = num - 1;
312 bad_chain = 1; 325 bad_chain = 1;
313 ok=cb(0,ctx); 326 ok = cb(0, ctx);
314 if (!ok) goto end; 327 if (!ok)
328 goto end;
315 } 329 }
316 330
317 /* We have the chain complete: now we need to check its purpose */ 331 /* We have the chain complete: now we need to check its purpose */
318 ok = check_chain_extensions(ctx); 332 ok = check_chain_extensions(ctx);
319 333
320 if (!ok) goto end; 334 if (!ok)
335 goto end;
321 336
322 /* Check name constraints */ 337 /* Check name constraints */
323 338
324 ok = check_name_constraints(ctx); 339 ok = check_name_constraints(ctx);
325 340
326 if (!ok) goto end; 341 if (!ok)
342 goto end;
327 343
328 /* The chain extensions are OK: check trust */ 344 /* The chain extensions are OK: check trust */
329 345
330 if (param->trust > 0) ok = check_trust(ctx); 346 if (param->trust > 0)
347 ok = check_trust(ctx);
331 348
332 if (!ok) goto end; 349 if (!ok)
350 goto end;
333 351
334 /* We may as well copy down any DSA parameters that are required */ 352 /* We may as well copy down any DSA parameters that are required */
335 X509_get_pubkey_parameters(NULL,ctx->chain); 353 X509_get_pubkey_parameters(NULL, ctx->chain);
336 354
337 /* Check revocation status: we do this after copying parameters 355 /* Check revocation status: we do this after copying parameters
338 * because they may be needed for CRL signature verification. 356 * because they may be needed for CRL signature verification.
339 */ 357 */
340 358
341 ok = ctx->check_revocation(ctx); 359 ok = ctx->check_revocation(ctx);
342 if(!ok) goto end; 360 if (!ok)
361 goto end;
343 362
344 /* At this point, we have a chain and need to verify it */ 363 /* At this point, we have a chain and need to verify it */
345 if (ctx->verify != NULL) 364 if (ctx->verify != NULL)
346 ok=ctx->verify(ctx); 365 ok = ctx->verify(ctx);
347 else 366 else
348 ok=internal_verify(ctx); 367 ok = internal_verify(ctx);
349 if(!ok) goto end; 368 if (!ok)
369 goto end;
350 370
351#ifndef OPENSSL_NO_RFC3779 371#ifndef OPENSSL_NO_RFC3779
352 /* RFC 3779 path validation, now that CRL check has been done */ 372 /* RFC 3779 path validation, now that CRL check has been done */
353 ok = v3_asid_validate_path(ctx); 373 ok = v3_asid_validate_path(ctx);
354 if (!ok) goto end; 374 if (!ok)
375 goto end;
355 ok = v3_addr_validate_path(ctx); 376 ok = v3_addr_validate_path(ctx);
356 if (!ok) goto end; 377 if (!ok)
378 goto end;
357#endif 379#endif
358 380
359 /* If we get this far evaluate policies */ 381 /* If we get this far evaluate policies */
360 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) 382 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
361 ok = ctx->check_policy(ctx); 383 ok = ctx->check_policy(ctx);
362 if(!ok) goto end; 384 if (!ok)
385 goto end;
363 if (0) { 386 if (0) {
364end: 387end:
365 X509_get_pubkey_parameters(NULL,ctx->chain); 388 X509_get_pubkey_parameters(NULL, ctx->chain);
366 } 389 }
367 if (sktmp != NULL) sk_X509_free(sktmp); 390 if (sktmp != NULL)
368 if (chain_ss != NULL) X509_free(chain_ss); 391 sk_X509_free(sktmp);
392 if (chain_ss != NULL)
393 X509_free(chain_ss);
369 return ok; 394 return ok;
370} 395}
371 396
@@ -373,10 +398,12 @@ end:
373/* Given a STACK_OF(X509) find the issuer of cert (if any) 398/* Given a STACK_OF(X509) find the issuer of cert (if any)
374 */ 399 */
375 400
376static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) 401static X509 *
402find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
377{ 403{
378 int i; 404 int i;
379 X509 *issuer; 405 X509 *issuer;
406
380 for (i = 0; i < sk_X509_num(sk); i++) { 407 for (i = 0; i < sk_X509_num(sk); i++) {
381 issuer = sk_X509_value(sk, i); 408 issuer = sk_X509_value(sk, i);
382 if (ctx->check_issued(ctx, x, issuer)) 409 if (ctx->check_issued(ctx, x, issuer))
@@ -387,9 +414,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
387 414
388/* Given a possible certificate and issuer check them */ 415/* Given a possible certificate and issuer check them */
389 416
390static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) 417static int
418check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
391{ 419{
392 int ret; 420 int ret;
421
393 ret = X509_check_issued(issuer, x); 422 ret = X509_check_issued(issuer, x);
394 if (ret == X509_V_OK) 423 if (ret == X509_V_OK)
395 return 1; 424 return 1;
@@ -405,33 +434,35 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
405 434
406/* Alternative lookup method: look from a STACK stored in other_ctx */ 435/* Alternative lookup method: look from a STACK stored in other_ctx */
407 436
408static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 437static int
438get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
409{ 439{
410 *issuer = find_issuer(ctx, ctx->other_ctx, x); 440 *issuer = find_issuer(ctx, ctx->other_ctx, x);
411 if (*issuer) { 441 if (*issuer) {
412 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); 442 CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
413 return 1; 443 return 1;
414 } else 444 } else
415 return 0; 445 return 0;
416} 446}
417
418 447
419/* Check a certificate chains extensions for consistency 448/* Check a certificate chains extensions for consistency
420 * with the supplied purpose 449 * with the supplied purpose
421 */ 450 */
422 451
423static int check_chain_extensions(X509_STORE_CTX *ctx) 452static int
453check_chain_extensions(X509_STORE_CTX *ctx)
424{ 454{
425#ifdef OPENSSL_NO_CHAIN_VERIFY 455#ifdef OPENSSL_NO_CHAIN_VERIFY
426 return 1; 456 return 1;
427#else 457#else
428 int i, ok=0, must_be_ca, plen = 0; 458 int i, ok = 0, must_be_ca, plen = 0;
429 X509 *x; 459 X509 *x;
430 int (*cb)(int xok,X509_STORE_CTX *xctx); 460 int (*cb)(int xok, X509_STORE_CTX *xctx);
431 int proxy_path_length = 0; 461 int proxy_path_length = 0;
432 int purpose; 462 int purpose;
433 int allow_proxy_certs; 463 int allow_proxy_certs;
434 cb=ctx->verify_cb; 464
465 cb = ctx->verify_cb;
435 466
436 /* must_be_ca can have 1 of 3 values: 467 /* must_be_ca can have 1 of 3 values:
437 -1: we accept both CA and non-CA certificates, to allow direct 468 -1: we accept both CA and non-CA certificates, to allow direct
@@ -449,7 +480,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
449 purpose = X509_PURPOSE_CRL_SIGN; 480 purpose = X509_PURPOSE_CRL_SIGN;
450 } else { 481 } else {
451 allow_proxy_certs = 482 allow_proxy_certs =
452 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); 483 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
453 /* A hack to keep people who don't want to modify their 484 /* A hack to keep people who don't want to modify their
454 software happy */ 485 software happy */
455 if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) 486 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
@@ -461,26 +492,28 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
461 for (i = 0; i < ctx->last_untrusted; i++) { 492 for (i = 0; i < ctx->last_untrusted; i++) {
462 int ret; 493 int ret;
463 x = sk_X509_value(ctx->chain, i); 494 x = sk_X509_value(ctx->chain, i);
464 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 495 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
465 && (x->ex_flags & EXFLAG_CRITICAL)) { 496 (x->ex_flags & EXFLAG_CRITICAL)) {
466 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 497 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
467 ctx->error_depth = i; 498 ctx->error_depth = i;
468 ctx->current_cert = x; 499 ctx->current_cert = x;
469 ok=cb(0,ctx); 500 ok = cb(0, ctx);
470 if (!ok) goto end; 501 if (!ok)
502 goto end;
471 } 503 }
472 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { 504 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
473 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; 505 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
474 ctx->error_depth = i; 506 ctx->error_depth = i;
475 ctx->current_cert = x; 507 ctx->current_cert = x;
476 ok=cb(0,ctx); 508 ok = cb(0, ctx);
477 if (!ok) goto end; 509 if (!ok)
510 goto end;
478 } 511 }
479 ret = X509_check_ca(x); 512 ret = X509_check_ca(x);
480 switch(must_be_ca) { 513 switch (must_be_ca) {
481 case -1: 514 case -1:
482 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 515 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
483 && (ret != 1) && (ret != 0)) { 516 (ret != 1) && (ret != 0)) {
484 ret = 0; 517 ret = 0;
485 ctx->error = X509_V_ERR_INVALID_CA; 518 ctx->error = X509_V_ERR_INVALID_CA;
486 } else 519 } else
@@ -494,9 +527,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
494 ret = 1; 527 ret = 1;
495 break; 528 break;
496 default: 529 default:
497 if ((ret == 0) 530 if ((ret == 0) ||
498 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 531 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
499 && (ret != 1))) { 532 (ret != 1))) {
500 ret = 0; 533 ret = 0;
501 ctx->error = X509_V_ERR_INVALID_CA; 534 ctx->error = X509_V_ERR_INVALID_CA;
502 } else 535 } else
@@ -506,30 +539,33 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
506 if (ret == 0) { 539 if (ret == 0) {
507 ctx->error_depth = i; 540 ctx->error_depth = i;
508 ctx->current_cert = x; 541 ctx->current_cert = x;
509 ok=cb(0,ctx); 542 ok = cb(0, ctx);
510 if (!ok) goto end; 543 if (!ok)
544 goto end;
511 } 545 }
512 if (ctx->param->purpose > 0) { 546 if (ctx->param->purpose > 0) {
513 ret = X509_check_purpose(x, purpose, must_be_ca > 0); 547 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
514 if ((ret == 0) 548 if ((ret == 0) ||
515 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) 549 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
516 && (ret != 1))) { 550 (ret != 1))) {
517 ctx->error = X509_V_ERR_INVALID_PURPOSE; 551 ctx->error = X509_V_ERR_INVALID_PURPOSE;
518 ctx->error_depth = i; 552 ctx->error_depth = i;
519 ctx->current_cert = x; 553 ctx->current_cert = x;
520 ok=cb(0,ctx); 554 ok = cb(0, ctx);
521 if (!ok) goto end; 555 if (!ok)
556 goto end;
522 } 557 }
523 } 558 }
524 /* Check pathlen if not self issued */ 559 /* Check pathlen if not self issued */
525 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) 560 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) &&
526 && (x->ex_pathlen != -1) 561 (x->ex_pathlen != -1) &&
527 && (plen > (x->ex_pathlen + proxy_path_length + 1))) { 562 (plen > (x->ex_pathlen + proxy_path_length + 1))) {
528 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 563 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
529 ctx->error_depth = i; 564 ctx->error_depth = i;
530 ctx->current_cert = x; 565 ctx->current_cert = x;
531 ok=cb(0,ctx); 566 ok = cb(0, ctx);
532 if (!ok) goto end; 567 if (!ok)
568 goto end;
533 } 569 }
534 /* Increment path length if not self issued */ 570 /* Increment path length if not self issued */
535 if (!(x->ex_flags & EXFLAG_SI)) 571 if (!(x->ex_flags & EXFLAG_SI))
@@ -541,11 +577,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
541 if (x->ex_flags & EXFLAG_PROXY) { 577 if (x->ex_flags & EXFLAG_PROXY) {
542 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { 578 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
543 ctx->error = 579 ctx->error =
544 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; 580 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
545 ctx->error_depth = i; 581 ctx->error_depth = i;
546 ctx->current_cert = x; 582 ctx->current_cert = x;
547 ok=cb(0,ctx); 583 ok = cb(0, ctx);
548 if (!ok) goto end; 584 if (!ok)
585 goto end;
549 } 586 }
550 proxy_path_length++; 587 proxy_path_length++;
551 must_be_ca = 0; 588 must_be_ca = 0;
@@ -553,15 +590,18 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
553 must_be_ca = 1; 590 must_be_ca = 1;
554 } 591 }
555 ok = 1; 592 ok = 1;
556 end: 593
594end:
557 return ok; 595 return ok;
558#endif 596#endif
559} 597}
560 598
561static int check_name_constraints(X509_STORE_CTX *ctx) 599static int
600check_name_constraints(X509_STORE_CTX *ctx)
562{ 601{
563 X509 *x; 602 X509 *x;
564 int i, j, rv; 603 int i, j, rv;
604
565 /* Check name constraints for all certificates */ 605 /* Check name constraints for all certificates */
566 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { 606 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
567 x = sk_X509_value(ctx->chain, i); 607 x = sk_X509_value(ctx->chain, i);
@@ -581,7 +621,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
581 ctx->error = rv; 621 ctx->error = rv;
582 ctx->error_depth = i; 622 ctx->error_depth = i;
583 ctx->current_cert = x; 623 ctx->current_cert = x;
584 if (!ctx->verify_cb(0,ctx)) 624 if (!ctx->verify_cb(0, ctx))
585 return 0; 625 return 0;
586 } 626 }
587 } 627 }
@@ -590,16 +630,18 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
590 return 1; 630 return 1;
591} 631}
592 632
593static int check_trust(X509_STORE_CTX *ctx) 633static int
634check_trust(X509_STORE_CTX *ctx)
594{ 635{
595#ifdef OPENSSL_NO_CHAIN_VERIFY 636#ifdef OPENSSL_NO_CHAIN_VERIFY
596 return 1; 637 return 1;
597#else 638#else
598 int i, ok; 639 int i, ok;
599 X509 *x; 640 X509 *x;
600 int (*cb)(int xok,X509_STORE_CTX *xctx); 641 int (*cb)(int xok, X509_STORE_CTX *xctx);
601 cb=ctx->verify_cb; 642
602/* For now just check the last certificate in the chain */ 643 cb = ctx->verify_cb;
644 /* For now just check the last certificate in the chain */
603 i = sk_X509_num(ctx->chain) - 1; 645 i = sk_X509_num(ctx->chain) - 1;
604 x = sk_X509_value(ctx->chain, i); 646 x = sk_X509_value(ctx->chain, i);
605 ok = X509_check_trust(x, ctx->param->trust, 0); 647 ok = X509_check_trust(x, ctx->param->trust, 0);
@@ -616,9 +658,11 @@ static int check_trust(X509_STORE_CTX *ctx)
616#endif 658#endif
617} 659}
618 660
619static int check_revocation(X509_STORE_CTX *ctx) 661static int
662check_revocation(X509_STORE_CTX *ctx)
620{ 663{
621 int i, last, ok; 664 int i, last, ok;
665
622 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) 666 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
623 return 1; 667 return 1;
624 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) 668 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
@@ -629,19 +673,23 @@ static int check_revocation(X509_STORE_CTX *ctx)
629 return 1; 673 return 1;
630 last = 0; 674 last = 0;
631 } 675 }
632 for(i = 0; i <= last; i++) { 676 for (i = 0; i <= last; i++) {
633 ctx->error_depth = i; 677 ctx->error_depth = i;
634 ok = check_cert(ctx); 678 ok = check_cert(ctx);
635 if (!ok) return ok; 679 if (!ok)
680 return ok;
636 } 681 }
637 return 1; 682 return 1;
638} 683}
639 684
640static int check_cert(X509_STORE_CTX *ctx) { 685static int
686check_cert(X509_STORE_CTX *ctx)
687{
641 X509_CRL *crl = NULL, *dcrl = NULL; 688 X509_CRL *crl = NULL, *dcrl = NULL;
642 X509 *x; 689 X509 *x;
643 int ok, cnum; 690 int ok, cnum;
644 unsigned int last_reasons; 691 unsigned int last_reasons;
692
645 cnum = ctx->error_depth; 693 cnum = ctx->error_depth;
646 x = sk_X509_value(ctx->chain, cnum); 694 x = sk_X509_value(ctx->chain, cnum);
647 ctx->current_cert = x; 695 ctx->current_cert = x;
@@ -658,7 +706,7 @@ static int check_cert(X509_STORE_CTX *ctx) {
658 /* If error looking up CRL, nothing we can do except 706 /* If error looking up CRL, nothing we can do except
659 * notify callback 707 * notify callback
660 */ 708 */
661 if(!ok) { 709 if (!ok) {
662 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 710 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
663 ok = ctx->verify_cb(0, ctx); 711 ok = ctx->verify_cb(0, ctx);
664 goto err; 712 goto err;
@@ -698,21 +746,23 @@ static int check_cert(X509_STORE_CTX *ctx) {
698 goto err; 746 goto err;
699 } 747 }
700 } 748 }
749
701err: 750err:
702 X509_CRL_free(crl); 751 X509_CRL_free(crl);
703 X509_CRL_free(dcrl); 752 X509_CRL_free(dcrl);
704 753
705 ctx->current_crl = NULL; 754 ctx->current_crl = NULL;
706 return ok; 755 return ok;
707
708} 756}
709 757
710/* Check CRL times against values in X509_STORE_CTX */ 758/* Check CRL times against values in X509_STORE_CTX */
711 759
712static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) 760static int
761check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
713{ 762{
714 time_t *ptime; 763 time_t *ptime;
715 int i; 764 int i;
765
716 if (notify) 766 if (notify)
717 ctx->current_crl = crl; 767 ctx->current_crl = crl;
718 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) 768 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
@@ -720,11 +770,11 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
720 else 770 else
721 ptime = NULL; 771 ptime = NULL;
722 772
723 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); 773 i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
724 if (i == 0) { 774 if (i == 0) {
725 if (!notify) 775 if (!notify)
726 return 0; 776 return 0;
727 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; 777 ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
728 if (!ctx->verify_cb(0, ctx)) 778 if (!ctx->verify_cb(0, ctx))
729 return 0; 779 return 0;
730 } 780 }
@@ -732,26 +782,27 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
732 if (i > 0) { 782 if (i > 0) {
733 if (!notify) 783 if (!notify)
734 return 0; 784 return 0;
735 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; 785 ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
736 if (!ctx->verify_cb(0, ctx)) 786 if (!ctx->verify_cb(0, ctx))
737 return 0; 787 return 0;
738 } 788 }
739 789
740 if(X509_CRL_get_nextUpdate(crl)) { 790 if (X509_CRL_get_nextUpdate(crl)) {
741 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); 791 i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
742 792
743 if (i == 0) { 793 if (i == 0) {
744 if (!notify) 794 if (!notify)
745 return 0; 795 return 0;
746 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; 796 ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
747 if (!ctx->verify_cb(0, ctx)) 797 if (!ctx->verify_cb(0, ctx))
748 return 0; 798 return 0;
749 } 799 }
750 /* Ignore expiry of base CRL is delta is valid */ 800 /* Ignore expiry of base CRL is delta is valid */
751 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { 801 if ((i < 0) &&
802 !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
752 if (!notify) 803 if (!notify)
753 return 0; 804 return 0;
754 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; 805 ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
755 if (!ctx->verify_cb(0, ctx)) 806 if (!ctx->verify_cb(0, ctx))
756 return 0; 807 return 0;
757 } 808 }
@@ -763,9 +814,10 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
763 return 1; 814 return 1;
764} 815}
765 816
766static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, 817static int
767 X509 **pissuer, int *pscore, unsigned int *preasons, 818get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
768 STACK_OF(X509_CRL) *crls) 819 X509 **pissuer, int *pscore, unsigned int *preasons,
820 STACK_OF(X509_CRL) *crls)
769{ 821{
770 int i, crl_score, best_score = *pscore; 822 int i, crl_score, best_score = *pscore;
771 unsigned int reasons, best_reasons = 0; 823 unsigned int reasons, best_reasons = 0;
@@ -811,10 +863,12 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
811 * both present or both absent. If both present all fields must be identical. 863 * both present or both absent. If both present all fields must be identical.
812 */ 864 */
813 865
814static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) 866static int
867crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
815{ 868{
816 ASN1_OCTET_STRING *exta, *extb; 869 ASN1_OCTET_STRING *exta, *extb;
817 int i; 870 int i;
871
818 i = X509_CRL_get_ext_by_NID(a, nid, -1); 872 i = X509_CRL_get_ext_by_NID(a, nid, -1);
819 if (i >= 0) { 873 if (i >= 0) {
820 /* Can't have multiple occurrences */ 874 /* Can't have multiple occurrences */
@@ -827,7 +881,6 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
827 i = X509_CRL_get_ext_by_NID(b, nid, -1); 881 i = X509_CRL_get_ext_by_NID(b, nid, -1);
828 882
829 if (i >= 0) { 883 if (i >= 0) {
830
831 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) 884 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
832 return 0; 885 return 0;
833 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); 886 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
@@ -840,7 +893,6 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
840 if (!exta || !extb) 893 if (!exta || !extb)
841 return 0; 894 return 0;
842 895
843
844 if (ASN1_OCTET_STRING_cmp(exta, extb)) 896 if (ASN1_OCTET_STRING_cmp(exta, extb))
845 return 0; 897 return 0;
846 898
@@ -849,29 +901,30 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
849 901
850/* See if a base and delta are compatible */ 902/* See if a base and delta are compatible */
851 903
852static int check_delta_base(X509_CRL *delta, X509_CRL *base) 904static int
905check_delta_base(X509_CRL *delta, X509_CRL *base)
853{ 906{
854 /* Delta CRL must be a delta */ 907 /* Delta CRL must be a delta */
855 if (!delta->base_crl_number) 908 if (!delta->base_crl_number)
856 return 0; 909 return 0;
857 /* Base must have a CRL number */ 910 /* Base must have a CRL number */
858 if (!base->crl_number) 911 if (!base->crl_number)
859 return 0; 912 return 0;
860 /* Issuer names must match */ 913 /* Issuer names must match */
861 if (X509_NAME_cmp(X509_CRL_get_issuer(base), 914 if (X509_NAME_cmp(X509_CRL_get_issuer(base),
862 X509_CRL_get_issuer(delta))) 915 X509_CRL_get_issuer(delta)))
863 return 0; 916 return 0;
864 /* AKID and IDP must match */ 917 /* AKID and IDP must match */
865 if (!crl_extension_match(delta, base, NID_authority_key_identifier)) 918 if (!crl_extension_match(delta, base, NID_authority_key_identifier))
866 return 0; 919 return 0;
867 if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) 920 if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
868 return 0; 921 return 0;
869 /* Delta CRL base number must not exceed Full CRL number. */ 922 /* Delta CRL base number must not exceed Full CRL number. */
870 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) 923 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
871 return 0; 924 return 0;
872 /* Delta CRL number must exceed full CRL number */ 925 /* Delta CRL number must exceed full CRL number */
873 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) 926 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
874 return 1; 927 return 1;
875 return 0; 928 return 0;
876} 929}
877 930
@@ -879,11 +932,13 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
879 * or retrieve a chain of deltas... 932 * or retrieve a chain of deltas...
880 */ 933 */
881 934
882static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, 935static void
883 X509_CRL *base, STACK_OF(X509_CRL) *crls) 936get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base,
937 STACK_OF(X509_CRL) *crls)
884{ 938{
885 X509_CRL *delta; 939 X509_CRL *delta;
886 int i; 940 int i;
941
887 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) 942 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
888 return; 943 return;
889 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) 944 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
@@ -908,11 +963,10 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
908 * no new reasons the CRL is rejected, otherwise reasons is updated. 963 * no new reasons the CRL is rejected, otherwise reasons is updated.
909 */ 964 */
910 965
911static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 966static int
912 unsigned int *preasons, 967get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons,
913 X509_CRL *crl, X509 *x) 968 X509_CRL *crl, X509 *x)
914{ 969{
915
916 int crl_score = 0; 970 int crl_score = 0;
917 unsigned int tmp_reasons = *preasons, crl_reasons; 971 unsigned int tmp_reasons = *preasons, crl_reasons;
918 972
@@ -968,11 +1022,11 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
968 *preasons = tmp_reasons; 1022 *preasons = tmp_reasons;
969 1023
970 return crl_score; 1024 return crl_score;
971
972} 1025}
973 1026
974static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, 1027static void
975 X509 **pissuer, int *pcrl_score) 1028crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
1029 int *pcrl_score)
976{ 1030{
977 X509 *crl_issuer = NULL; 1031 X509 *crl_issuer = NULL;
978 X509_NAME *cnm = X509_CRL_get_issuer(crl); 1032 X509_NAME *cnm = X509_CRL_get_issuer(crl);
@@ -1026,14 +1080,16 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1026/* Check the path of a CRL issuer certificate. This creates a new 1080/* Check the path of a CRL issuer certificate. This creates a new
1027 * X509_STORE_CTX and populates it with most of the parameters from the 1081 * X509_STORE_CTX and populates it with most of the parameters from the
1028 * parent. This could be optimised somewhat since a lot of path checking 1082 * parent. This could be optimised somewhat since a lot of path checking
1029 * will be duplicated by the parent, but this will rarely be used in 1083 * will be duplicated by the parent, but this will rarely be used in
1030 * practice. 1084 * practice.
1031 */ 1085 */
1032 1086
1033static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) 1087static int
1088check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1034{ 1089{
1035 X509_STORE_CTX crl_ctx; 1090 X509_STORE_CTX crl_ctx;
1036 int ret; 1091 int ret;
1092
1037 /* Don't allow recursive CRL path validation */ 1093 /* Don't allow recursive CRL path validation */
1038 if (ctx->parent) 1094 if (ctx->parent)
1039 return 0; 1095 return 0;
@@ -1054,9 +1110,9 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1054 goto err; 1110 goto err;
1055 1111
1056 /* Check chain is acceptable */ 1112 /* Check chain is acceptable */
1057
1058 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); 1113 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1059 err: 1114
1115err:
1060 X509_STORE_CTX_cleanup(&crl_ctx); 1116 X509_STORE_CTX_cleanup(&crl_ctx);
1061 return ret; 1117 return ret;
1062} 1118}
@@ -1069,11 +1125,12 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1069 * until this is resolved we use the RFC5280 version 1125 * until this is resolved we use the RFC5280 version
1070 */ 1126 */
1071 1127
1072static int check_crl_chain(X509_STORE_CTX *ctx, 1128static int
1073 STACK_OF(X509) *cert_path, 1129check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
1074 STACK_OF(X509) *crl_path) 1130 STACK_OF(X509) *crl_path)
1075{ 1131{
1076 X509 *cert_ta, *crl_ta; 1132 X509 *cert_ta, *crl_ta;
1133
1077 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); 1134 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1078 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); 1135 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1079 if (!X509_cmp(cert_ta, crl_ta)) 1136 if (!X509_cmp(cert_ta, crl_ta))
@@ -1088,13 +1145,14 @@ static int check_crl_chain(X509_STORE_CTX *ctx,
1088 * 4. One is NULL: automatic match. 1145 * 4. One is NULL: automatic match.
1089 */ 1146 */
1090 1147
1091 1148static int
1092static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) 1149idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1093{ 1150{
1094 X509_NAME *nm = NULL; 1151 X509_NAME *nm = NULL;
1095 GENERAL_NAMES *gens = NULL; 1152 GENERAL_NAMES *gens = NULL;
1096 GENERAL_NAME *gena, *genb; 1153 GENERAL_NAME *gena, *genb;
1097 int i, j; 1154 int i, j;
1155
1098 if (!a || !b) 1156 if (!a || !b)
1099 return 1; 1157 return 1;
1100 if (a->type == 1) { 1158 if (a->type == 1) {
@@ -1123,7 +1181,7 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1123 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ 1181 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1124 if (nm) { 1182 if (nm) {
1125 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { 1183 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1126 gena = sk_GENERAL_NAME_value(gens, i); 1184 gena = sk_GENERAL_NAME_value(gens, i);
1127 if (gena->type != GEN_DIRNAME) 1185 if (gena->type != GEN_DIRNAME)
1128 continue; 1186 continue;
1129 if (!X509_NAME_cmp(nm, gena->d.directoryName)) 1187 if (!X509_NAME_cmp(nm, gena->d.directoryName))
@@ -1144,13 +1202,14 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1144 } 1202 }
1145 1203
1146 return 0; 1204 return 0;
1147
1148} 1205}
1149 1206
1150static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) 1207static int
1208crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1151{ 1209{
1152 int i; 1210 int i;
1153 X509_NAME *nm = X509_CRL_get_issuer(crl); 1211 X509_NAME *nm = X509_CRL_get_issuer(crl);
1212
1154 /* If no CRLissuer return is successful iff don't need a match */ 1213 /* If no CRLissuer return is successful iff don't need a match */
1155 if (!dp->CRLissuer) 1214 if (!dp->CRLissuer)
1156 return !!(crl_score & CRL_SCORE_ISSUER_NAME); 1215 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
@@ -1166,10 +1225,11 @@ static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1166 1225
1167/* Check CRLDP and IDP */ 1226/* Check CRLDP and IDP */
1168 1227
1169static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 1228static int
1170 unsigned int *preasons) 1229crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons)
1171{ 1230{
1172 int i; 1231 int i;
1232
1173 if (crl->idp_flags & IDP_ONLYATTR) 1233 if (crl->idp_flags & IDP_ONLYATTR)
1174 return 0; 1234 return 0;
1175 if (x->ex_flags & EXFLAG_CA) { 1235 if (x->ex_flags & EXFLAG_CA) {
@@ -1184,13 +1244,14 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1184 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); 1244 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1185 if (crldp_check_crlissuer(dp, crl, crl_score)) { 1245 if (crldp_check_crlissuer(dp, crl, crl_score)) {
1186 if (!crl->idp || 1246 if (!crl->idp ||
1187 idp_check_dp(dp->distpoint, crl->idp->distpoint)) { 1247 idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1188 *preasons &= dp->dp_reasons; 1248 *preasons &= dp->dp_reasons;
1189 return 1; 1249 return 1;
1190 } 1250 }
1191 } 1251 }
1192 } 1252 }
1193 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) 1253 if ((!crl->idp || !crl->idp->distpoint) &&
1254 (crl_score & CRL_SCORE_ISSUER_NAME))
1194 return 1; 1255 return 1;
1195 return 0; 1256 return 0;
1196} 1257}
@@ -1198,9 +1259,9 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1198/* Retrieve CRL corresponding to current certificate. 1259/* Retrieve CRL corresponding to current certificate.
1199 * If deltas enabled try to find a delta CRL too 1260 * If deltas enabled try to find a delta CRL too
1200 */ 1261 */
1201 1262
1202static int get_crl_delta(X509_STORE_CTX *ctx, 1263static int
1203 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) 1264get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1204{ 1265{
1205 int ok; 1266 int ok;
1206 X509 *issuer = NULL; 1267 X509 *issuer = NULL;
@@ -1209,15 +1270,14 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1209 X509_CRL *crl = NULL, *dcrl = NULL; 1270 X509_CRL *crl = NULL, *dcrl = NULL;
1210 STACK_OF(X509_CRL) *skcrl; 1271 STACK_OF(X509_CRL) *skcrl;
1211 X509_NAME *nm = X509_get_issuer_name(x); 1272 X509_NAME *nm = X509_get_issuer_name(x);
1212 reasons = ctx->current_reasons;
1213 ok = get_crl_sk(ctx, &crl, &dcrl,
1214 &issuer, &crl_score, &reasons, ctx->crls);
1215 1273
1274 reasons = ctx->current_reasons;
1275 ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons,
1276 ctx->crls);
1216 if (ok) 1277 if (ok)
1217 goto done; 1278 goto done;
1218 1279
1219 /* Lookup CRLs from store */ 1280 /* Lookup CRLs from store */
1220
1221 skcrl = ctx->lookup_crls(ctx, nm); 1281 skcrl = ctx->lookup_crls(ctx, nm);
1222 1282
1223 /* If no CRLs found and a near match from get_crl_sk use that */ 1283 /* If no CRLs found and a near match from get_crl_sk use that */
@@ -1228,7 +1288,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1228 1288
1229 sk_X509_CRL_pop_free(skcrl, X509_CRL_free); 1289 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1230 1290
1231 done: 1291done:
1232 1292
1233 /* If we got any kind of CRL use it and return success */ 1293 /* If we got any kind of CRL use it and return success */
1234 if (crl) { 1294 if (crl) {
@@ -1244,11 +1304,13 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
1244} 1304}
1245 1305
1246/* Check CRL validity */ 1306/* Check CRL validity */
1247static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) 1307static int
1308check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1248{ 1309{
1249 X509 *issuer = NULL; 1310 X509 *issuer = NULL;
1250 EVP_PKEY *ikey = NULL; 1311 EVP_PKEY *ikey = NULL;
1251 int ok = 0, chnum, cnum; 1312 int ok = 0, chnum, cnum;
1313
1252 cnum = ctx->error_depth; 1314 cnum = ctx->error_depth;
1253 chnum = sk_X509_num(ctx->chain) - 1; 1315 chnum = sk_X509_num(ctx->chain) - 1;
1254 /* if we have an alternative CRL issuer cert use that */ 1316 /* if we have an alternative CRL issuer cert use that */
@@ -1262,44 +1324,50 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1262 } else { 1324 } else {
1263 issuer = sk_X509_value(ctx->chain, chnum); 1325 issuer = sk_X509_value(ctx->chain, chnum);
1264 /* If not self signed, can't check signature */ 1326 /* If not self signed, can't check signature */
1265 if(!ctx->check_issued(ctx, issuer, issuer)) { 1327 if (!ctx->check_issued(ctx, issuer, issuer)) {
1266 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; 1328 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1267 ok = ctx->verify_cb(0, ctx); 1329 ok = ctx->verify_cb(0, ctx);
1268 if(!ok) goto err; 1330 if (!ok)
1331 goto err;
1269 } 1332 }
1270 } 1333 }
1271 1334
1272 if(issuer) { 1335 if (issuer) {
1273 /* Skip most tests for deltas because they have already 1336 /* Skip most tests for deltas because they have already
1274 * been done 1337 * been done
1275 */ 1338 */
1276 if (!crl->base_crl_number) { 1339 if (!crl->base_crl_number) {
1277 /* Check for cRLSign bit if keyUsage present */ 1340 /* Check for cRLSign bit if keyUsage present */
1278 if ((issuer->ex_flags & EXFLAG_KUSAGE) && 1341 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1279 !(issuer->ex_kusage & KU_CRL_SIGN)) { 1342 !(issuer->ex_kusage & KU_CRL_SIGN)) {
1280 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; 1343 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1281 ok = ctx->verify_cb(0, ctx); 1344 ok = ctx->verify_cb(0, ctx);
1282 if(!ok) goto err; 1345 if (!ok)
1346 goto err;
1283 } 1347 }
1284 1348
1285 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { 1349 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1286 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; 1350 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1287 ok = ctx->verify_cb(0, ctx); 1351 ok = ctx->verify_cb(0, ctx);
1288 if(!ok) goto err; 1352 if (!ok)
1353 goto err;
1289 } 1354 }
1290 1355
1291 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { 1356 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1292 if (check_crl_path(ctx, ctx->current_issuer) <= 0) { 1357 if (check_crl_path(ctx,
1358 ctx->current_issuer) <= 0) {
1293 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; 1359 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1294 ok = ctx->verify_cb(0, ctx); 1360 ok = ctx->verify_cb(0, ctx);
1295 if(!ok) goto err; 1361 if (!ok)
1362 goto err;
1296 } 1363 }
1297 } 1364 }
1298 1365
1299 if (crl->idp_flags & IDP_INVALID) { 1366 if (crl->idp_flags & IDP_INVALID) {
1300 ctx->error = X509_V_ERR_INVALID_EXTENSION; 1367 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1301 ok = ctx->verify_cb(0, ctx); 1368 ok = ctx->verify_cb(0, ctx);
1302 if(!ok) goto err; 1369 if (!ok)
1370 goto err;
1303 } 1371 }
1304 1372
1305 1373
@@ -1314,16 +1382,18 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1314 /* Attempt to get issuer certificate public key */ 1382 /* Attempt to get issuer certificate public key */
1315 ikey = X509_get_pubkey(issuer); 1383 ikey = X509_get_pubkey(issuer);
1316 1384
1317 if(!ikey) { 1385 if (!ikey) {
1318 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1386 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1319 ok = ctx->verify_cb(0, ctx); 1387 ok = ctx->verify_cb(0, ctx);
1320 if (!ok) goto err; 1388 if (!ok)
1389 goto err;
1321 } else { 1390 } else {
1322 /* Verify CRL signature */ 1391 /* Verify CRL signature */
1323 if(X509_CRL_verify(crl, ikey) <= 0) { 1392 if (X509_CRL_verify(crl, ikey) <= 0) {
1324 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; 1393 ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1325 ok = ctx->verify_cb(0, ctx); 1394 ok = ctx->verify_cb(0, ctx);
1326 if (!ok) goto err; 1395 if (!ok)
1396 goto err;
1327 } 1397 }
1328 } 1398 }
1329 } 1399 }
@@ -1336,20 +1406,22 @@ err:
1336} 1406}
1337 1407
1338/* Check certificate against CRL */ 1408/* Check certificate against CRL */
1339static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) 1409static int
1410cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1340{ 1411{
1341 int ok; 1412 int ok;
1342 X509_REVOKED *rev; 1413 X509_REVOKED *rev;
1414
1343 /* The rules changed for this... previously if a CRL contained 1415 /* The rules changed for this... previously if a CRL contained
1344 * unhandled critical extensions it could still be used to indicate 1416 * unhandled critical extensions it could still be used to indicate
1345 * a certificate was revoked. This has since been changed since 1417 * a certificate was revoked. This has since been changed since
1346 * critical extension can change the meaning of CRL entries. 1418 * critical extension can change the meaning of CRL entries.
1347 */ 1419 */
1348 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) 1420 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
1349 && (crl->flags & EXFLAG_CRITICAL)) { 1421 (crl->flags & EXFLAG_CRITICAL)) {
1350 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; 1422 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1351 ok = ctx->verify_cb(0, ctx); 1423 ok = ctx->verify_cb(0, ctx);
1352 if(!ok) 1424 if (!ok)
1353 return 0; 1425 return 0;
1354 } 1426 }
1355 /* Look for serial number of certificate in CRL 1427 /* Look for serial number of certificate in CRL
@@ -1367,15 +1439,17 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1367 return 1; 1439 return 1;
1368} 1440}
1369 1441
1370static int check_policy(X509_STORE_CTX *ctx) 1442static int
1443check_policy(X509_STORE_CTX *ctx)
1371{ 1444{
1372 int ret; 1445 int ret;
1446
1373 if (ctx->parent) 1447 if (ctx->parent)
1374 return 1; 1448 return 1;
1375 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, 1449 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1376 ctx->param->policies, ctx->param->flags); 1450 ctx->param->policies, ctx->param->flags);
1377 if (ret == 0) { 1451 if (ret == 0) {
1378 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); 1452 X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
1379 return 0; 1453 return 0;
1380 } 1454 }
1381 /* Invalid or inconsistent extensions */ 1455 /* Invalid or inconsistent extensions */
@@ -1391,7 +1465,7 @@ static int check_policy(X509_STORE_CTX *ctx)
1391 continue; 1465 continue;
1392 ctx->current_cert = x; 1466 ctx->current_cert = x;
1393 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; 1467 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1394 if(!ctx->verify_cb(0, ctx)) 1468 if (!ctx->verify_cb(0, ctx))
1395 return 0; 1469 return 0;
1396 } 1470 }
1397 return 1; 1471 return 1;
@@ -1412,7 +1486,8 @@ static int check_policy(X509_STORE_CTX *ctx)
1412 return 1; 1486 return 1;
1413} 1487}
1414 1488
1415static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) 1489static int
1490check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1416{ 1491{
1417 time_t *ptime; 1492 time_t *ptime;
1418 int i; 1493 int i;
@@ -1422,32 +1497,32 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1422 else 1497 else
1423 ptime = NULL; 1498 ptime = NULL;
1424 1499
1425 i=X509_cmp_time(X509_get_notBefore(x), ptime); 1500 i = X509_cmp_time(X509_get_notBefore(x), ptime);
1426 if (i == 0) { 1501 if (i == 0) {
1427 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 1502 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1428 ctx->current_cert=x; 1503 ctx->current_cert = x;
1429 if (!ctx->verify_cb(0, ctx)) 1504 if (!ctx->verify_cb(0, ctx))
1430 return 0; 1505 return 0;
1431 } 1506 }
1432 1507
1433 if (i > 0) { 1508 if (i > 0) {
1434 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; 1509 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1435 ctx->current_cert=x; 1510 ctx->current_cert = x;
1436 if (!ctx->verify_cb(0, ctx)) 1511 if (!ctx->verify_cb(0, ctx))
1437 return 0; 1512 return 0;
1438 } 1513 }
1439 1514
1440 i=X509_cmp_time(X509_get_notAfter(x), ptime); 1515 i = X509_cmp_time(X509_get_notAfter(x), ptime);
1441 if (i == 0) { 1516 if (i == 0) {
1442 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; 1517 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1443 ctx->current_cert=x; 1518 ctx->current_cert = x;
1444 if (!ctx->verify_cb(0, ctx)) 1519 if (!ctx->verify_cb(0, ctx))
1445 return 0; 1520 return 0;
1446 } 1521 }
1447 1522
1448 if (i < 0) { 1523 if (i < 0) {
1449 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; 1524 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1450 ctx->current_cert=x; 1525 ctx->current_cert = x;
1451 if (!ctx->verify_cb(0, ctx)) 1526 if (!ctx->verify_cb(0, ctx))
1452 return 0; 1527 return 0;
1453 } 1528 }
@@ -1455,60 +1530,63 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1455 return 1; 1530 return 1;
1456} 1531}
1457 1532
1458static int internal_verify(X509_STORE_CTX *ctx) 1533static int
1534internal_verify(X509_STORE_CTX *ctx)
1459{ 1535{
1460 int ok=0,n; 1536 int ok = 0, n;
1461 X509 *xs,*xi; 1537 X509 *xs, *xi;
1462 EVP_PKEY *pkey=NULL; 1538 EVP_PKEY *pkey = NULL;
1463 int (*cb)(int xok,X509_STORE_CTX *xctx); 1539 int (*cb)(int xok, X509_STORE_CTX *xctx);
1464 1540
1465 cb=ctx->verify_cb; 1541 cb = ctx->verify_cb;
1466 1542
1467 n=sk_X509_num(ctx->chain); 1543 n = sk_X509_num(ctx->chain);
1468 ctx->error_depth=n-1; 1544 ctx->error_depth = n - 1;
1469 n--; 1545 n--;
1470 xi=sk_X509_value(ctx->chain,n); 1546 xi = sk_X509_value(ctx->chain, n);
1471 1547
1472 if (ctx->check_issued(ctx, xi, xi)) 1548 if (ctx->check_issued(ctx, xi, xi))
1473 xs=xi; 1549 xs = xi;
1474 else { 1550 else {
1475 if (n <= 0) { 1551 if (n <= 0) {
1476 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; 1552 ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1477 ctx->current_cert=xi; 1553 ctx->current_cert = xi;
1478 ok=cb(0,ctx); 1554 ok = cb(0, ctx);
1479 goto end; 1555 goto end;
1480 } else { 1556 } else {
1481 n--; 1557 n--;
1482 ctx->error_depth=n; 1558 ctx->error_depth = n;
1483 xs=sk_X509_value(ctx->chain,n); 1559 xs = sk_X509_value(ctx->chain, n);
1484 } 1560 }
1485 } 1561 }
1486 1562
1487/* ctx->error=0; not needed */ 1563/* ctx->error=0; not needed */
1488 while (n >= 0) { 1564 while (n >= 0) {
1489 ctx->error_depth=n; 1565 ctx->error_depth = n;
1490 1566
1491 /* Skip signature check for self signed certificates unless 1567 /* Skip signature check for self signed certificates unless
1492 * explicitly asked for. It doesn't add any security and 1568 * explicitly asked for. It doesn't add any security and
1493 * just wastes time. 1569 * just wastes time.
1494 */ 1570 */
1495 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { 1571 if (!xs->valid && (xs != xi ||
1496 if ((pkey=X509_get_pubkey(xi)) == NULL) { 1572 (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
1497 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1573 if ((pkey = X509_get_pubkey(xi)) == NULL) {
1498 ctx->current_cert=xi; 1574 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1499 ok=(*cb)(0,ctx); 1575 ctx->current_cert = xi;
1500 if (!ok) goto end; 1576 ok = (*cb)(0, ctx);
1501 } else if (X509_verify(xs,pkey) <= 0) { 1577 if (!ok)
1502 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; 1578 goto end;
1503 ctx->current_cert=xs; 1579 } else if (X509_verify(xs, pkey) <= 0) {
1504 ok=(*cb)(0,ctx); 1580 ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
1581 ctx->current_cert = xs;
1582 ok = (*cb)(0, ctx);
1505 if (!ok) { 1583 if (!ok) {
1506 EVP_PKEY_free(pkey); 1584 EVP_PKEY_free(pkey);
1507 goto end; 1585 goto end;
1508 } 1586 }
1509 } 1587 }
1510 EVP_PKEY_free(pkey); 1588 EVP_PKEY_free(pkey);
1511 pkey=NULL; 1589 pkey = NULL;
1512 } 1590 }
1513 1591
1514 xs->valid = 1; 1592 xs->valid = 1;
@@ -1518,200 +1596,225 @@ static int internal_verify(X509_STORE_CTX *ctx)
1518 goto end; 1596 goto end;
1519 1597
1520 /* The last error (if any) is still in the error value */ 1598 /* The last error (if any) is still in the error value */
1521 ctx->current_issuer=xi; 1599 ctx->current_issuer = xi;
1522 ctx->current_cert=xs; 1600 ctx->current_cert = xs;
1523 ok=(*cb)(1,ctx); 1601 ok = (*cb)(1, ctx);
1524 if (!ok) goto end; 1602 if (!ok)
1603 goto end;
1525 1604
1526 n--; 1605 n--;
1527 if (n >= 0) { 1606 if (n >= 0) {
1528 xi=xs; 1607 xi = xs;
1529 xs=sk_X509_value(ctx->chain,n); 1608 xs = sk_X509_value(ctx->chain, n);
1530 } 1609 }
1531 } 1610 }
1532 ok=1; 1611 ok = 1;
1612
1533end: 1613end:
1534 return ok; 1614 return ok;
1535} 1615}
1536 1616
1537int X509_cmp_current_time(const ASN1_TIME *ctm) 1617int
1618X509_cmp_current_time(const ASN1_TIME *ctm)
1538{ 1619{
1539 return X509_cmp_time(ctm, NULL); 1620 return X509_cmp_time(ctm, NULL);
1540} 1621}
1541 1622
1542int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) 1623int
1624X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1543{ 1625{
1544 char *str; 1626 char *str;
1545 ASN1_TIME atm; 1627 ASN1_TIME atm;
1546 long offset; 1628 long offset;
1547 char buff1[24],buff2[24],*p; 1629 char buff1[24], buff2[24], *p;
1548 int i,j; 1630 int i, j;
1549 1631
1550 p=buff1; 1632 p = buff1;
1551 i=ctm->length; 1633 i = ctm->length;
1552 str=(char *)ctm->data; 1634 str = (char *)ctm->data;
1553 if (ctm->type == V_ASN1_UTCTIME) { 1635 if (ctm->type == V_ASN1_UTCTIME) {
1554 if ((i < 11) || (i > 17)) return 0; 1636 if ((i < 11) || (i > 17))
1555 memcpy(p,str,10); 1637 return 0;
1556 p+=10; 1638 memcpy(p, str, 10);
1557 str+=10; 1639 p += 10;
1640 str += 10;
1558 } else { 1641 } else {
1559 if (i < 13) return 0; 1642 if (i < 13)
1560 memcpy(p,str,12); 1643 return 0;
1561 p+=12; 1644 memcpy(p, str, 12);
1562 str+=12; 1645 p += 12;
1646 str += 12;
1563 } 1647 }
1564 1648
1565 if ((*str == 'Z') || (*str == '-') || (*str == '+')) { 1649 if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
1566 *(p++)='0'; 1650 *(p++) = '0';
1567 *(p++)='0'; 1651 *(p++) = '0';
1568 } else { 1652 } else {
1569 *(p++)= *(str++); 1653 *(p++) = *(str++);
1570 *(p++)= *(str++); 1654 *(p++) = *(str++);
1571 /* Skip any fractional seconds... */ 1655 /* Skip any fractional seconds... */
1572 if (*str == '.') { 1656 if (*str == '.') {
1573 str++; 1657 str++;
1574 while ((*str >= '0') && (*str <= '9')) str++; 1658 while ((*str >= '0') && (*str <= '9'))
1659 str++;
1575 } 1660 }
1576
1577 } 1661 }
1578 *(p++)='Z'; 1662 *(p++) = 'Z';
1579 *(p++)='\0'; 1663 *(p++) = '\0';
1580 1664
1581 if (*str == 'Z') 1665 if (*str == 'Z')
1582 offset=0; 1666 offset = 0;
1583 else { 1667 else {
1584 if ((*str != '+') && (*str != '-')) 1668 if ((*str != '+') && (*str != '-'))
1585 return 0; 1669 return 0;
1586 offset=((str[1]-'0')*10+(str[2]-'0'))*60; 1670 offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
1587 offset+=(str[3]-'0')*10+(str[4]-'0'); 1671 offset += (str[3] - '0') * 10 + (str[4] - '0');
1588 if (*str == '-') 1672 if (*str == '-')
1589 offset= -offset; 1673 offset = -offset;
1590 } 1674 }
1591 atm.type=ctm->type; 1675 atm.type = ctm->type;
1592 atm.flags = 0; 1676 atm.flags = 0;
1593 atm.length=sizeof(buff2); 1677 atm.length = sizeof(buff2);
1594 atm.data=(unsigned char *)buff2; 1678 atm.data = (unsigned char *)buff2;
1595 1679
1596 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) 1680 if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL)
1597 return 0; 1681 return 0;
1598 1682
1599 if (ctm->type == V_ASN1_UTCTIME) { 1683 if (ctm->type == V_ASN1_UTCTIME) {
1600 i=(buff1[0]-'0')*10+(buff1[1]-'0'); 1684 i = (buff1[0] - '0') * 10 + (buff1[1] - '0');
1601 if (i < 50) i+=100; /* cf. RFC 2459 */ 1685 if (i < 50)
1602 j=(buff2[0]-'0')*10+(buff2[1]-'0'); 1686 i += 100; /* cf. RFC 2459 */
1603 if (j < 50) j+=100; 1687 j = (buff2[0] - '0') * 10 + (buff2[1] - '0');
1604 1688 if (j < 50)
1605 if (i < j) return -1; 1689 j += 100;
1606 if (i > j) return 1; 1690 if (i < j)
1691 return -1;
1692 if (i > j)
1693 return 1;
1607 } 1694 }
1608 i=strcmp(buff1,buff2); 1695 i = strcmp(buff1, buff2);
1609 if (i == 0) /* wait a second then return younger :-) */ 1696 if (i == 0) /* wait a second then return younger :-) */
1610 return -1; 1697 return -1;
1611 else 1698 else
1612 return i; 1699 return i;
1613} 1700}
1614 1701
1615ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) 1702ASN1_TIME *
1703X509_gmtime_adj(ASN1_TIME *s, long adj)
1616{ 1704{
1617 return X509_time_adj(s, adj, NULL); 1705 return X509_time_adj(s, adj, NULL);
1618} 1706}
1619 1707
1620ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) 1708ASN1_TIME *
1709X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1621{ 1710{
1622 return X509_time_adj_ex(s, 0, offset_sec, in_tm); 1711 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1623} 1712}
1624 1713
1625ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, 1714ASN1_TIME *
1626 int offset_day, long offset_sec, time_t *in_tm) 1715X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm)
1627{ 1716{
1628 time_t t; 1717 time_t t;
1629 1718
1630 if (in_tm) t = *in_tm; 1719 if (in_tm)
1631 else time(&t); 1720 t = *in_tm;
1721 else
1722 time(&t);
1632 1723
1633 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) { 1724 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
1634 if (s->type == V_ASN1_UTCTIME) 1725 if (s->type == V_ASN1_UTCTIME)
1635 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); 1726 return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);
1636 if (s->type == V_ASN1_GENERALIZEDTIME) 1727 if (s->type == V_ASN1_GENERALIZEDTIME)
1637 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, 1728 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1638 offset_sec); 1729 offset_sec);
1639 } 1730 }
1640 return ASN1_TIME_adj(s, t, offset_day, offset_sec); 1731 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1641} 1732}
1642 1733
1643int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) 1734int
1735X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1644{ 1736{
1645 EVP_PKEY *ktmp=NULL,*ktmp2; 1737 EVP_PKEY *ktmp = NULL, *ktmp2;
1646 int i,j; 1738 int i, j;
1647 1739
1648 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; 1740 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))
1741 return 1;
1649 1742
1650 for (i=0; i<sk_X509_num(chain); i++) { 1743 for (i = 0; i < sk_X509_num(chain); i++) {
1651 ktmp=X509_get_pubkey(sk_X509_value(chain,i)); 1744 ktmp = X509_get_pubkey(sk_X509_value(chain, i));
1652 if (ktmp == NULL) { 1745 if (ktmp == NULL) {
1653 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); 1746 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
1747 X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1654 return 0; 1748 return 0;
1655 } 1749 }
1656 if (!EVP_PKEY_missing_parameters(ktmp)) 1750 if (!EVP_PKEY_missing_parameters(ktmp))
1657 break; 1751 break;
1658 else { 1752 else {
1659 EVP_PKEY_free(ktmp); 1753 EVP_PKEY_free(ktmp);
1660 ktmp=NULL; 1754 ktmp = NULL;
1661 } 1755 }
1662 } 1756 }
1663 if (ktmp == NULL) { 1757 if (ktmp == NULL) {
1664 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); 1758 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
1759 X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1665 return 0; 1760 return 0;
1666 } 1761 }
1667 1762
1668 /* first, populate the other certs */ 1763 /* first, populate the other certs */
1669 for (j=i-1; j >= 0; j--) { 1764 for (j = i - 1; j >= 0; j--) {
1670 ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); 1765 ktmp2 = X509_get_pubkey(sk_X509_value(chain, j));
1671 EVP_PKEY_copy_parameters(ktmp2,ktmp); 1766 EVP_PKEY_copy_parameters(ktmp2, ktmp);
1672 EVP_PKEY_free(ktmp2); 1767 EVP_PKEY_free(ktmp2);
1673 } 1768 }
1674 1769
1675 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); 1770 if (pkey != NULL)
1771 EVP_PKEY_copy_parameters(pkey, ktmp);
1676 EVP_PKEY_free(ktmp); 1772 EVP_PKEY_free(ktmp);
1677 return 1; 1773 return 1;
1678} 1774}
1679 1775
1680int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 1776int
1681 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 1777X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1778 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1682{ 1779{
1683 /* This function is (usually) called only once, by 1780 /* This function is (usually) called only once, by
1684 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ 1781 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1685 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, 1782 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX,
1686 new_func, dup_func, free_func); 1783 argl, argp, new_func, dup_func, free_func);
1687} 1784}
1688 1785
1689int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) 1786int
1787X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1690{ 1788{
1691 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); 1789 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
1692} 1790}
1693 1791
1694void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) 1792void *
1793X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1695{ 1794{
1696 return CRYPTO_get_ex_data(&ctx->ex_data,idx); 1795 return CRYPTO_get_ex_data(&ctx->ex_data, idx);
1697} 1796}
1698 1797
1699int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) 1798int
1799X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1700{ 1800{
1701 return ctx->error; 1801 return ctx->error;
1702} 1802}
1703 1803
1704void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) 1804void
1805X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1705{ 1806{
1706 ctx->error=err; 1807 ctx->error = err;
1707} 1808}
1708 1809
1709int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) 1810int
1811X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1710{ 1812{
1711 return ctx->error_depth; 1813 return ctx->error_depth;
1712} 1814}
1713 1815
1714X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) 1816X509 *
1817X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1715{ 1818{
1716 return ctx->current_cert; 1819 return ctx->current_cert;
1717} 1820}
@@ -1726,7 +1829,9 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1726 int i; 1829 int i;
1727 X509 *x; 1830 X509 *x;
1728 STACK_OF(X509) *chain; 1831 STACK_OF(X509) *chain;
1729 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; 1832
1833 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain)))
1834 return NULL;
1730 for (i = 0; i < sk_X509_num(chain); i++) { 1835 for (i = 0; i < sk_X509_num(chain); i++) {
1731 x = sk_X509_value(chain, i); 1836 x = sk_X509_value(chain, i);
1732 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1837 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
@@ -1734,42 +1839,50 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1734 return chain; 1839 return chain;
1735} 1840}
1736 1841
1737X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) 1842X509 *
1843X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1738{ 1844{
1739 return ctx->current_issuer; 1845 return ctx->current_issuer;
1740} 1846}
1741 1847
1742X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) 1848X509_CRL *
1849X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1743{ 1850{
1744 return ctx->current_crl; 1851 return ctx->current_crl;
1745} 1852}
1746 1853
1747X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) 1854X509_STORE_CTX *
1855X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1748{ 1856{
1749 return ctx->parent; 1857 return ctx->parent;
1750} 1858}
1751 1859
1752void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) 1860void
1861X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1753{ 1862{
1754 ctx->cert=x; 1863 ctx->cert = x;
1755} 1864}
1756 1865
1757void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 1866void
1867X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1758{ 1868{
1759 ctx->untrusted=sk; 1869 ctx->untrusted = sk;
1760} 1870}
1761 1871
1762void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) 1872void
1873X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1763{ 1874{
1764 ctx->crls=sk; 1875 ctx->crls = sk;
1765} 1876}
1766 1877
1767int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) 1878int
1879X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1768{ 1880{
1769 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); 1881 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1770} 1882}
1771 1883
1772int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) 1884int
1885X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1773{ 1886{
1774 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); 1887 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1775} 1888}
@@ -1784,19 +1897,22 @@ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1784 * aren't set then we use the default of SSL client/server. 1897 * aren't set then we use the default of SSL client/server.
1785 */ 1898 */
1786 1899
1787int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, 1900int
1788 int purpose, int trust) 1901X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1902 int purpose, int trust)
1789{ 1903{
1790 int idx; 1904 int idx;
1905
1791 /* If purpose not set use default */ 1906 /* If purpose not set use default */
1792 if (!purpose) purpose = def_purpose; 1907 if (!purpose)
1908 purpose = def_purpose;
1793 /* If we have a purpose then check it is valid */ 1909 /* If we have a purpose then check it is valid */
1794 if (purpose) { 1910 if (purpose) {
1795 X509_PURPOSE *ptmp; 1911 X509_PURPOSE *ptmp;
1796 idx = X509_PURPOSE_get_by_id(purpose); 1912 idx = X509_PURPOSE_get_by_id(purpose);
1797 if (idx == -1) { 1913 if (idx == -1) {
1798 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1914 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1799 X509_R_UNKNOWN_PURPOSE_ID); 1915 X509_R_UNKNOWN_PURPOSE_ID);
1800 return 0; 1916 return 0;
1801 } 1917 }
1802 ptmp = X509_PURPOSE_get0(idx); 1918 ptmp = X509_PURPOSE_get0(idx);
@@ -1804,74 +1920,82 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1804 idx = X509_PURPOSE_get_by_id(def_purpose); 1920 idx = X509_PURPOSE_get_by_id(def_purpose);
1805 if (idx == -1) { 1921 if (idx == -1) {
1806 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1922 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1807 X509_R_UNKNOWN_PURPOSE_ID); 1923 X509_R_UNKNOWN_PURPOSE_ID);
1808 return 0; 1924 return 0;
1809 } 1925 }
1810 ptmp = X509_PURPOSE_get0(idx); 1926 ptmp = X509_PURPOSE_get0(idx);
1811 } 1927 }
1812 /* If trust not set then get from purpose default */ 1928 /* If trust not set then get from purpose default */
1813 if (!trust) trust = ptmp->trust; 1929 if (!trust)
1930 trust = ptmp->trust;
1814 } 1931 }
1815 if (trust) { 1932 if (trust) {
1816 idx = X509_TRUST_get_by_id(trust); 1933 idx = X509_TRUST_get_by_id(trust);
1817 if (idx == -1) { 1934 if (idx == -1) {
1818 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 1935 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1819 X509_R_UNKNOWN_TRUST_ID); 1936 X509_R_UNKNOWN_TRUST_ID);
1820 return 0; 1937 return 0;
1821 } 1938 }
1822 } 1939 }
1823 1940
1824 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; 1941 if (purpose && !ctx->param->purpose)
1825 if (trust && !ctx->param->trust) ctx->param->trust = trust; 1942 ctx->param->purpose = purpose;
1943 if (trust && !ctx->param->trust)
1944 ctx->param->trust = trust;
1826 return 1; 1945 return 1;
1827} 1946}
1828 1947
1829X509_STORE_CTX *X509_STORE_CTX_new(void) 1948X509_STORE_CTX *
1949X509_STORE_CTX_new(void)
1830{ 1950{
1831 X509_STORE_CTX *ctx; 1951 X509_STORE_CTX *ctx;
1952
1832 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX)); 1953 ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX));
1833 if (!ctx) { 1954 if (!ctx) {
1834 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); 1955 X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE);
1835 return NULL; 1956 return NULL;
1836 } 1957 }
1837 memset(ctx, 0, sizeof(X509_STORE_CTX)); 1958 memset(ctx, 0, sizeof(X509_STORE_CTX));
1838 return ctx; 1959 return ctx;
1839} 1960}
1840 1961
1841void X509_STORE_CTX_free(X509_STORE_CTX *ctx) 1962void
1963X509_STORE_CTX_free(X509_STORE_CTX *ctx)
1842{ 1964{
1843 X509_STORE_CTX_cleanup(ctx); 1965 X509_STORE_CTX_cleanup(ctx);
1844 free(ctx); 1966 free(ctx);
1845} 1967}
1846 1968
1847int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, 1969int
1848 STACK_OF(X509) *chain) 1970X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1971 STACK_OF(X509) *chain)
1849{ 1972{
1850 int ret = 1; 1973 int ret = 1;
1851 ctx->ctx=store; 1974
1852 ctx->current_method=0; 1975 ctx->ctx = store;
1853 ctx->cert=x509; 1976 ctx->current_method = 0;
1854 ctx->untrusted=chain; 1977 ctx->cert = x509;
1978 ctx->untrusted = chain;
1855 ctx->crls = NULL; 1979 ctx->crls = NULL;
1856 ctx->last_untrusted=0; 1980 ctx->last_untrusted = 0;
1857 ctx->other_ctx=NULL; 1981 ctx->other_ctx = NULL;
1858 ctx->valid=0; 1982 ctx->valid = 0;
1859 ctx->chain=NULL; 1983 ctx->chain = NULL;
1860 ctx->error=0; 1984 ctx->error = 0;
1861 ctx->explicit_policy=0; 1985 ctx->explicit_policy = 0;
1862 ctx->error_depth=0; 1986 ctx->error_depth = 0;
1863 ctx->current_cert=NULL; 1987 ctx->current_cert = NULL;
1864 ctx->current_issuer=NULL; 1988 ctx->current_issuer = NULL;
1865 ctx->current_crl=NULL; 1989 ctx->current_crl = NULL;
1866 ctx->current_crl_score=0; 1990 ctx->current_crl_score = 0;
1867 ctx->current_reasons=0; 1991 ctx->current_reasons = 0;
1868 ctx->tree = NULL; 1992 ctx->tree = NULL;
1869 ctx->parent = NULL; 1993 ctx->parent = NULL;
1870 1994
1871 ctx->param = X509_VERIFY_PARAM_new(); 1995 ctx->param = X509_VERIFY_PARAM_new();
1872 1996
1873 if (!ctx->param) { 1997 if (!ctx->param) {
1874 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 1998 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
1875 return 0; 1999 return 0;
1876 } 2000 }
1877 2001
@@ -1879,7 +2003,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1879 * use defaults. 2003 * use defaults.
1880 */ 2004 */
1881 2005
1882
1883 if (store) 2006 if (store)
1884 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); 2007 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
1885 else 2008 else
@@ -1893,10 +2016,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1893 2016
1894 if (ret) 2017 if (ret)
1895 ret = X509_VERIFY_PARAM_inherit(ctx->param, 2018 ret = X509_VERIFY_PARAM_inherit(ctx->param,
1896 X509_VERIFY_PARAM_lookup("default")); 2019 X509_VERIFY_PARAM_lookup("default"));
1897 2020
1898 if (ret == 0) { 2021 if (ret == 0) {
1899 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 2022 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
1900 return 0; 2023 return 0;
1901 } 2024 }
1902 2025
@@ -1957,10 +2080,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1957 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a 2080 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
1958 * corresponding "new" here and remove this bogus initialisation. */ 2081 * corresponding "new" here and remove this bogus initialisation. */
1959 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ 2082 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
1960 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, 2083 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
1961 &(ctx->ex_data))) { 2084 &(ctx->ex_data))) {
1962 free(ctx); 2085 free(ctx);
1963 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); 2086 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
1964 return 0; 2087 return 0;
1965 } 2088 }
1966 return 1; 2089 return 1;
@@ -1970,64 +2093,75 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1970 * This avoids X509_STORE nastiness where it isn't needed. 2093 * This avoids X509_STORE nastiness where it isn't needed.
1971 */ 2094 */
1972 2095
1973void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2096void
2097X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1974{ 2098{
1975 ctx->other_ctx = sk; 2099 ctx->other_ctx = sk;
1976 ctx->get_issuer = get_issuer_sk; 2100 ctx->get_issuer = get_issuer_sk;
1977} 2101}
1978 2102
1979void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) 2103void
2104X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
1980{ 2105{
1981 if (ctx->cleanup) ctx->cleanup(ctx); 2106 if (ctx->cleanup)
2107 ctx->cleanup(ctx);
1982 if (ctx->param != NULL) { 2108 if (ctx->param != NULL) {
1983 if (ctx->parent == NULL) 2109 if (ctx->parent == NULL)
1984 X509_VERIFY_PARAM_free(ctx->param); 2110 X509_VERIFY_PARAM_free(ctx->param);
1985 ctx->param=NULL; 2111 ctx->param = NULL;
1986 } 2112 }
1987 if (ctx->tree != NULL) { 2113 if (ctx->tree != NULL) {
1988 X509_policy_tree_free(ctx->tree); 2114 X509_policy_tree_free(ctx->tree);
1989 ctx->tree=NULL; 2115 ctx->tree = NULL;
1990 } 2116 }
1991 if (ctx->chain != NULL) { 2117 if (ctx->chain != NULL) {
1992 sk_X509_pop_free(ctx->chain,X509_free); 2118 sk_X509_pop_free(ctx->chain, X509_free);
1993 ctx->chain=NULL; 2119 ctx->chain = NULL;
1994 } 2120 }
1995 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); 2121 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX,
1996 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); 2122 ctx, &(ctx->ex_data));
2123 memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
1997} 2124}
1998 2125
1999void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) 2126void
2127X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2000{ 2128{
2001 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 2129 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2002} 2130}
2003 2131
2004void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) 2132void
2133X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2005{ 2134{
2006 X509_VERIFY_PARAM_set_flags(ctx->param, flags); 2135 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2007} 2136}
2008 2137
2009void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) 2138void
2139X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2010{ 2140{
2011 X509_VERIFY_PARAM_set_time(ctx->param, t); 2141 X509_VERIFY_PARAM_set_time(ctx->param, t);
2012} 2142}
2013 2143
2014void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 2144void
2015 int (*verify_cb)(int, X509_STORE_CTX *)) 2145X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2146 int (*verify_cb)(int, X509_STORE_CTX *))
2016{ 2147{
2017 ctx->verify_cb=verify_cb; 2148 ctx->verify_cb = verify_cb;
2018} 2149}
2019 2150
2020X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) 2151X509_POLICY_TREE *
2152X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2021{ 2153{
2022 return ctx->tree; 2154 return ctx->tree;
2023} 2155}
2024 2156
2025int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) 2157int
2158X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2026{ 2159{
2027 return ctx->explicit_policy; 2160 return ctx->explicit_policy;
2028} 2161}
2029 2162
2030int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) 2163int
2164X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2031{ 2165{
2032 const X509_VERIFY_PARAM *param; 2166 const X509_VERIFY_PARAM *param;
2033 param = X509_VERIFY_PARAM_lookup(name); 2167 param = X509_VERIFY_PARAM_lookup(name);
@@ -2036,12 +2170,14 @@ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2036 return X509_VERIFY_PARAM_inherit(ctx->param, param); 2170 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2037} 2171}
2038 2172
2039X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) 2173X509_VERIFY_PARAM *
2174X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2040{ 2175{
2041 return ctx->param; 2176 return ctx->param;
2042} 2177}
2043 2178
2044void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) 2179void
2180X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2045{ 2181{
2046 if (ctx->param) 2182 if (ctx->param)
2047 X509_VERIFY_PARAM_free(ctx->param); 2183 X509_VERIFY_PARAM_free(ctx->param);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-27 14:16:42 +0000