summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_vfy.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/x509/x509_vfy.c')
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c491
1 files changed, 298 insertions, 193 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 3ddb2303d3..0f4110cc64 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -71,6 +71,8 @@
71#include <openssl/objects.h> 71#include <openssl/objects.h>
72 72
73static int null_callback(int ok,X509_STORE_CTX *e); 73static int null_callback(int ok,X509_STORE_CTX *e);
74static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
75static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
74static int check_chain_purpose(X509_STORE_CTX *ctx); 76static int check_chain_purpose(X509_STORE_CTX *ctx);
75static int check_trust(X509_STORE_CTX *ctx); 77static int check_trust(X509_STORE_CTX *ctx);
76static int internal_verify(X509_STORE_CTX *ctx); 78static int internal_verify(X509_STORE_CTX *ctx);
@@ -85,13 +87,13 @@ static STACK *x509_store_method=NULL;
85 87
86static int null_callback(int ok, X509_STORE_CTX *e) 88static int null_callback(int ok, X509_STORE_CTX *e)
87 { 89 {
88 return(ok); 90 return ok;
89 } 91 }
90 92
91#if 0 93#if 0
92static int x509_subject_cmp(X509 **a, X509 **b) 94static int x509_subject_cmp(X509 **a, X509 **b)
93 { 95 {
94 return(X509_subject_name_cmp(*a,*b)); 96 return X509_subject_name_cmp(*a,*b);
95 } 97 }
96#endif 98#endif
97 99
@@ -99,7 +101,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
99 { 101 {
100 X509 *x,*xtmp,*chain_ss=NULL; 102 X509 *x,*xtmp,*chain_ss=NULL;
101 X509_NAME *xn; 103 X509_NAME *xn;
102 X509_OBJECT obj;
103 int depth,i,ok=0; 104 int depth,i,ok=0;
104 int num; 105 int num;
105 int (*cb)(); 106 int (*cb)();
@@ -108,10 +109,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
108 if (ctx->cert == NULL) 109 if (ctx->cert == NULL)
109 { 110 {
110 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); 111 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
111 return(-1); 112 return -1;
112 } 113 }
113 114
114 cb=ctx->ctx->verify_cb; 115 cb=ctx->verify_cb;
115 if (cb == NULL) cb=null_callback; 116 if (cb == NULL) cb=null_callback;
116 117
117 /* first we make sure the chain we are going to build is 118 /* first we make sure the chain we are going to build is
@@ -152,13 +153,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
152 153
153 /* If we are self signed, we break */ 154 /* If we are self signed, we break */
154 xn=X509_get_issuer_name(x); 155 xn=X509_get_issuer_name(x);
155 if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0) 156 if (ctx->check_issued(ctx, x,x)) break;
156 break;
157 157
158 /* If we were passed a cert chain, use it first */ 158 /* If we were passed a cert chain, use it first */
159 if (ctx->untrusted != NULL) 159 if (ctx->untrusted != NULL)
160 { 160 {
161 xtmp=X509_find_by_subject(sktmp,xn); 161 xtmp=find_issuer(ctx, sktmp,x);
162 if (xtmp != NULL) 162 if (xtmp != NULL)
163 { 163 {
164 if (!sk_X509_push(ctx->chain,xtmp)) 164 if (!sk_X509_push(ctx->chain,xtmp))
@@ -183,11 +183,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
183 * certificates. We now need to add at least one trusted one, 183 * certificates. We now need to add at least one trusted one,
184 * if possible, otherwise we complain. */ 184 * if possible, otherwise we complain. */
185 185
186 /* Examine last certificate in chain and see if it
187 * is self signed.
188 */
189
186 i=sk_X509_num(ctx->chain); 190 i=sk_X509_num(ctx->chain);
187 x=sk_X509_value(ctx->chain,i-1); 191 x=sk_X509_value(ctx->chain,i-1);
188 xn = X509_get_subject_name(x); 192 xn = X509_get_subject_name(x);
189 if (X509_NAME_cmp(xn,X509_get_issuer_name(x)) 193 if (ctx->check_issued(ctx, x, x))
190 == 0)
191 { 194 {
192 /* we have a self signed certificate */ 195 /* we have a self signed certificate */
193 if (sk_X509_num(ctx->chain) == 1) 196 if (sk_X509_num(ctx->chain) == 1)
@@ -196,13 +199,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
196 * we can find it in the store. We must have an exact 199 * we can find it in the store. We must have an exact
197 * match to avoid possible impersonation. 200 * match to avoid possible impersonation.
198 */ 201 */
199 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); 202 ok = ctx->get_issuer(&xtmp, ctx, x);
200 if ((ok != X509_LU_X509) || X509_cmp(x, obj.data.x509)) 203 if ((ok <= 0) || X509_cmp(x, xtmp))
201 { 204 {
202 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; 205 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
203 ctx->current_cert=x; 206 ctx->current_cert=x;
204 ctx->error_depth=i-1; 207 ctx->error_depth=i-1;
205 if(ok == X509_LU_X509) X509_OBJECT_free_contents(&obj); 208 if (ok == 1) X509_free(xtmp);
206 ok=cb(0,ctx); 209 ok=cb(0,ctx);
207 if (!ok) goto end; 210 if (!ok) goto end;
208 } 211 }
@@ -212,14 +215,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
212 * so we get any trust settings. 215 * so we get any trust settings.
213 */ 216 */
214 X509_free(x); 217 X509_free(x);
215 x = obj.data.x509; 218 x = xtmp;
216 sk_X509_set(ctx->chain, i - 1, x); 219 sk_X509_set(ctx->chain, i - 1, x);
217 ctx->last_untrusted=0; 220 ctx->last_untrusted=0;
218 } 221 }
219 } 222 }
220 else 223 else
221 { 224 {
222 /* worry more about this one elsewhere */ 225 /* extract and save self signed certificate for later use */
223 chain_ss=sk_X509_pop(ctx->chain); 226 chain_ss=sk_X509_pop(ctx->chain);
224 ctx->last_untrusted--; 227 ctx->last_untrusted--;
225 num--; 228 num--;
@@ -235,41 +238,30 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
235 238
236 /* If we are self signed, we break */ 239 /* If we are self signed, we break */
237 xn=X509_get_issuer_name(x); 240 xn=X509_get_issuer_name(x);
238 if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0) 241 if (ctx->check_issued(ctx,x,x)) break;
239 break;
240 242
241 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); 243 ok = ctx->get_issuer(&xtmp, ctx, x);
242 if (ok != X509_LU_X509) 244
243 { 245 if (ok < 0) return ok;
244 if (ok == X509_LU_RETRY) 246 if (ok == 0) break;
245 { 247
246 X509_OBJECT_free_contents(&obj); 248 x = xtmp;
247 X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY); 249 if (!sk_X509_push(ctx->chain,x))
248 return(ok);
249 }
250 else if (ok != X509_LU_FAIL)
251 {
252 X509_OBJECT_free_contents(&obj);
253 /* not good :-(, break anyway */
254 return(ok);
255 }
256 break;
257 }
258 x=obj.data.x509;
259 if (!sk_X509_push(ctx->chain,obj.data.x509))
260 { 250 {
261 X509_OBJECT_free_contents(&obj); 251 X509_free(xtmp);
262 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); 252 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
263 return(0); 253 return 0;
264 } 254 }
265 num++; 255 num++;
266 } 256 }
267 257
268 /* we now have our chain, lets check it... */ 258 /* we now have our chain, lets check it... */
269 xn=X509_get_issuer_name(x); 259 xn=X509_get_issuer_name(x);
270 if (X509_NAME_cmp(X509_get_subject_name(x),xn) != 0) 260
261 /* Is last certificate looked up self signed? */
262 if (!ctx->check_issued(ctx,x,x))
271 { 263 {
272 if ((chain_ss == NULL) || (X509_NAME_cmp(X509_get_subject_name(chain_ss),xn) != 0)) 264 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
273 { 265 {
274 if (ctx->last_untrusted >= num) 266 if (ctx->last_untrusted >= num)
275 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 267 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
@@ -294,22 +286,22 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
294 } 286 }
295 287
296 /* We have the chain complete: now we need to check its purpose */ 288 /* We have the chain complete: now we need to check its purpose */
297 if(ctx->purpose > 0) ok = check_chain_purpose(ctx); 289 if (ctx->purpose > 0) ok = check_chain_purpose(ctx);
298 290
299 if(!ok) goto end; 291 if (!ok) goto end;
300 292
301 /* The chain extensions are OK: check trust */ 293 /* The chain extensions are OK: check trust */
302 294
303 if(ctx->trust > 0) ok = check_trust(ctx); 295 if (ctx->trust > 0) ok = check_trust(ctx);
304 296
305 if(!ok) goto end; 297 if (!ok) goto end;
306 298
307 /* We may as well copy down any DSA parameters that are required */ 299 /* We may as well copy down any DSA parameters that are required */
308 X509_get_pubkey_parameters(NULL,ctx->chain); 300 X509_get_pubkey_parameters(NULL,ctx->chain);
309 301
310 /* At this point, we have a chain and just need to verify it */ 302 /* At this point, we have a chain and just need to verify it */
311 if (ctx->ctx->verify != NULL) 303 if (ctx->verify != NULL)
312 ok=ctx->ctx->verify(ctx); 304 ok=ctx->verify(ctx);
313 else 305 else
314 ok=internal_verify(ctx); 306 ok=internal_verify(ctx);
315 if (0) 307 if (0)
@@ -319,9 +311,61 @@ end:
319 } 311 }
320 if (sktmp != NULL) sk_X509_free(sktmp); 312 if (sktmp != NULL) sk_X509_free(sktmp);
321 if (chain_ss != NULL) X509_free(chain_ss); 313 if (chain_ss != NULL) X509_free(chain_ss);
322 return(ok); 314 return ok;
323 } 315 }
324 316
317
318/* Given a STACK_OF(X509) find the issuer of cert (if any)
319 */
320
321static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
322{
323 int i;
324 X509 *issuer;
325 for (i = 0; i < sk_X509_num(sk); i++)
326 {
327 issuer = sk_X509_value(sk, i);
328 if (ctx->check_issued(ctx, x, issuer))
329 return issuer;
330 }
331 return NULL;
332}
333
334/* Given a possible certificate and issuer check them */
335
336static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
337{
338 int ret;
339 ret = X509_check_issued(issuer, x);
340 if (ret == X509_V_OK)
341 return 1;
342 /* If we haven't asked for issuer errors don't set ctx */
343 if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
344 return 0;
345
346 ctx->error = ret;
347 ctx->current_cert = x;
348 ctx->current_issuer = issuer;
349 if (ctx->verify_cb)
350 return ctx->verify_cb(0, ctx);
351 return 0;
352}
353
354/* Alternative lookup method: look from a STACK stored in other_ctx */
355
356static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
357{
358 *issuer = find_issuer(ctx, ctx->other_ctx, x);
359 if (*issuer)
360 {
361 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
362 return 1;
363 }
364 else
365 return 0;
366}
367
368
325/* Check a certificate chains extensions for consistency 369/* Check a certificate chains extensions for consistency
326 * with the supplied purpose 370 * with the supplied purpose
327 */ 371 */
@@ -334,32 +378,37 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
334 int i, ok=0; 378 int i, ok=0;
335 X509 *x; 379 X509 *x;
336 int (*cb)(); 380 int (*cb)();
337 cb=ctx->ctx->verify_cb; 381 cb=ctx->verify_cb;
338 if (cb == NULL) cb=null_callback; 382 if (cb == NULL) cb=null_callback;
339 /* Check all untrusted certificates */ 383 /* Check all untrusted certificates */
340 for(i = 0; i < ctx->last_untrusted; i++) { 384 for (i = 0; i < ctx->last_untrusted; i++)
385 {
341 x = sk_X509_value(ctx->chain, i); 386 x = sk_X509_value(ctx->chain, i);
342 if(!X509_check_purpose(x, ctx->purpose, i)) { 387 if (!X509_check_purpose(x, ctx->purpose, i))
343 if(i) ctx->error = X509_V_ERR_INVALID_CA; 388 {
344 else ctx->error = X509_V_ERR_INVALID_PURPOSE; 389 if (i)
390 ctx->error = X509_V_ERR_INVALID_CA;
391 else
392 ctx->error = X509_V_ERR_INVALID_PURPOSE;
345 ctx->error_depth = i; 393 ctx->error_depth = i;
346 ctx->current_cert = x; 394 ctx->current_cert = x;
347 ok=cb(0,ctx); 395 ok=cb(0,ctx);
348 if(!ok) goto end; 396 if (!ok) goto end;
349 } 397 }
350 /* Check pathlen */ 398 /* Check pathlen */
351 if((i > 1) && (x->ex_pathlen != -1) 399 if ((i > 1) && (x->ex_pathlen != -1)
352 && (i > (x->ex_pathlen + 1))) { 400 && (i > (x->ex_pathlen + 1)))
401 {
353 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 402 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
354 ctx->error_depth = i; 403 ctx->error_depth = i;
355 ctx->current_cert = x; 404 ctx->current_cert = x;
356 ok=cb(0,ctx); 405 ok=cb(0,ctx);
357 if(!ok) goto end; 406 if (!ok) goto end;
407 }
358 } 408 }
359 }
360 ok = 1; 409 ok = 1;
361 end: 410 end:
362 return(ok); 411 return ok;
363#endif 412#endif
364} 413}
365 414
@@ -371,19 +420,22 @@ static int check_trust(X509_STORE_CTX *ctx)
371 int i, ok; 420 int i, ok;
372 X509 *x; 421 X509 *x;
373 int (*cb)(); 422 int (*cb)();
374 cb=ctx->ctx->verify_cb; 423 cb=ctx->verify_cb;
375 if (cb == NULL) cb=null_callback; 424 if (cb == NULL) cb=null_callback;
376/* For now just check the last certificate in the chain */ 425/* For now just check the last certificate in the chain */
377 i = sk_X509_num(ctx->chain) - 1; 426 i = sk_X509_num(ctx->chain) - 1;
378 x = sk_X509_value(ctx->chain, i); 427 x = sk_X509_value(ctx->chain, i);
379 ok = X509_check_trust(x, ctx->trust, 0); 428 ok = X509_check_trust(x, ctx->trust, 0);
380 if(ok == X509_TRUST_TRUSTED) return 1; 429 if (ok == X509_TRUST_TRUSTED)
430 return 1;
381 ctx->error_depth = sk_X509_num(ctx->chain) - 1; 431 ctx->error_depth = sk_X509_num(ctx->chain) - 1;
382 ctx->current_cert = x; 432 ctx->current_cert = x;
383 if(ok == X509_TRUST_REJECTED) ctx->error = X509_V_ERR_CERT_REJECTED; 433 if (ok == X509_TRUST_REJECTED)
384 else ctx->error = X509_V_ERR_CERT_UNTRUSTED; 434 ctx->error = X509_V_ERR_CERT_REJECTED;
435 else
436 ctx->error = X509_V_ERR_CERT_UNTRUSTED;
385 ok = cb(0, ctx); 437 ok = cb(0, ctx);
386 return(ok); 438 return ok;
387#endif 439#endif
388} 440}
389 441
@@ -392,17 +444,21 @@ static int internal_verify(X509_STORE_CTX *ctx)
392 int i,ok=0,n; 444 int i,ok=0,n;
393 X509 *xs,*xi; 445 X509 *xs,*xi;
394 EVP_PKEY *pkey=NULL; 446 EVP_PKEY *pkey=NULL;
447 time_t *ptime;
395 int (*cb)(); 448 int (*cb)();
396 449
397 cb=ctx->ctx->verify_cb; 450 cb=ctx->verify_cb;
398 if (cb == NULL) cb=null_callback; 451 if (cb == NULL) cb=null_callback;
399 452
400 n=sk_X509_num(ctx->chain); 453 n=sk_X509_num(ctx->chain);
401 ctx->error_depth=n-1; 454 ctx->error_depth=n-1;
402 n--; 455 n--;
403 xi=sk_X509_value(ctx->chain,n); 456 xi=sk_X509_value(ctx->chain,n);
404 if (X509_NAME_cmp(X509_get_subject_name(xi), 457 if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
405 X509_get_issuer_name(xi)) == 0) 458 ptime = &ctx->check_time;
459 else
460 ptime = NULL;
461 if (ctx->check_issued(ctx, xi, xi))
406 xs=xi; 462 xs=xi;
407 else 463 else
408 { 464 {
@@ -448,7 +504,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
448 EVP_PKEY_free(pkey); 504 EVP_PKEY_free(pkey);
449 pkey=NULL; 505 pkey=NULL;
450 506
451 i=X509_cmp_current_time(X509_get_notBefore(xs)); 507 i=X509_cmp_time(X509_get_notBefore(xs), ptime);
452 if (i == 0) 508 if (i == 0)
453 { 509 {
454 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 510 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
@@ -466,7 +522,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
466 xs->valid=1; 522 xs->valid=1;
467 } 523 }
468 524
469 i=X509_cmp_current_time(X509_get_notAfter(xs)); 525 i=X509_cmp_time(X509_get_notAfter(xs), ptime);
470 if (i == 0) 526 if (i == 0)
471 { 527 {
472 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; 528 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
@@ -499,13 +555,18 @@ static int internal_verify(X509_STORE_CTX *ctx)
499 } 555 }
500 ok=1; 556 ok=1;
501end: 557end:
502 return(ok); 558 return ok;
503 } 559 }
504 560
505int X509_cmp_current_time(ASN1_UTCTIME *ctm) 561int X509_cmp_current_time(ASN1_TIME *ctm)
562{
563 return X509_cmp_time(ctm, NULL);
564}
565
566int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
506 { 567 {
507 char *str; 568 char *str;
508 ASN1_UTCTIME atm; 569 ASN1_TIME atm;
509 time_t offset; 570 time_t offset;
510 char buff1[24],buff2[24],*p; 571 char buff1[24],buff2[24],*p;
511 int i,j; 572 int i,j;
@@ -513,14 +574,35 @@ int X509_cmp_current_time(ASN1_UTCTIME *ctm)
513 p=buff1; 574 p=buff1;
514 i=ctm->length; 575 i=ctm->length;
515 str=(char *)ctm->data; 576 str=(char *)ctm->data;
516 if ((i < 11) || (i > 17)) return(0); 577 if (ctm->type == V_ASN1_UTCTIME)
517 memcpy(p,str,10); 578 {
518 p+=10; 579 if ((i < 11) || (i > 17)) return 0;
519 str+=10; 580 memcpy(p,str,10);
581 p+=10;
582 str+=10;
583 }
584 else
585 {
586 if (i < 13) return 0;
587 memcpy(p,str,12);
588 p+=12;
589 str+=12;
590 }
520 591
521 if ((*str == 'Z') || (*str == '-') || (*str == '+')) 592 if ((*str == 'Z') || (*str == '-') || (*str == '+'))
522 { *(p++)='0'; *(p++)='0'; } 593 { *(p++)='0'; *(p++)='0'; }
523 else { *(p++)= *(str++); *(p++)= *(str++); } 594 else
595 {
596 *(p++)= *(str++);
597 *(p++)= *(str++);
598 /* Skip any fractional seconds... */
599 if (*str == '.')
600 {
601 str++;
602 while ((*str >= '0') && (*str <= '9')) str++;
603 }
604
605 }
524 *(p++)='Z'; 606 *(p++)='Z';
525 *(p++)='\0'; 607 *(p++)='\0';
526 608
@@ -529,39 +611,51 @@ int X509_cmp_current_time(ASN1_UTCTIME *ctm)
529 else 611 else
530 { 612 {
531 if ((*str != '+') && (str[5] != '-')) 613 if ((*str != '+') && (str[5] != '-'))
532 return(0); 614 return 0;
533 offset=((str[1]-'0')*10+(str[2]-'0'))*60; 615 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
534 offset+=(str[3]-'0')*10+(str[4]-'0'); 616 offset+=(str[3]-'0')*10+(str[4]-'0');
535 if (*str == '-') 617 if (*str == '-')
536 offset= -offset; 618 offset= -offset;
537 } 619 }
538 atm.type=V_ASN1_UTCTIME; 620 atm.type=ctm->type;
539 atm.length=sizeof(buff2); 621 atm.length=sizeof(buff2);
540 atm.data=(unsigned char *)buff2; 622 atm.data=(unsigned char *)buff2;
541 623
542 X509_gmtime_adj(&atm,-offset*60); 624 X509_time_adj(&atm,-offset*60, cmp_time);
543 625
544 i=(buff1[0]-'0')*10+(buff1[1]-'0'); 626 if (ctm->type == V_ASN1_UTCTIME)
545 if (i < 50) i+=100; /* cf. RFC 2459 */ 627 {
546 j=(buff2[0]-'0')*10+(buff2[1]-'0'); 628 i=(buff1[0]-'0')*10+(buff1[1]-'0');
547 if (j < 50) j+=100; 629 if (i < 50) i+=100; /* cf. RFC 2459 */
630 j=(buff2[0]-'0')*10+(buff2[1]-'0');
631 if (j < 50) j+=100;
548 632
549 if (i < j) return (-1); 633 if (i < j) return -1;
550 if (i > j) return (1); 634 if (i > j) return 1;
635 }
551 i=strcmp(buff1,buff2); 636 i=strcmp(buff1,buff2);
552 if (i == 0) /* wait a second then return younger :-) */ 637 if (i == 0) /* wait a second then return younger :-) */
553 return(-1); 638 return -1;
554 else 639 else
555 return(i); 640 return i;
556 } 641 }
557 642
558ASN1_UTCTIME *X509_gmtime_adj(ASN1_UTCTIME *s, long adj) 643ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
644{
645 return X509_time_adj(s, adj, NULL);
646}
647
648ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm)
559 { 649 {
560 time_t t; 650 time_t t;
561 651
562 time(&t); 652 if (in_tm) t = *in_tm;
653 else time(&t);
654
563 t+=adj; 655 t+=adj;
564 return(ASN1_UTCTIME_set(s,t)); 656 if (!s) return ASN1_TIME_set(s, t);
657 if (s->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t);
658 return ASN1_GENERALIZEDTIME_set(s, t);
565 } 659 }
566 660
567int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) 661int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
@@ -569,7 +663,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
569 EVP_PKEY *ktmp=NULL,*ktmp2; 663 EVP_PKEY *ktmp=NULL,*ktmp2;
570 int i,j; 664 int i,j;
571 665
572 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return(1); 666 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
573 667
574 for (i=0; i<sk_X509_num(chain); i++) 668 for (i=0; i<sk_X509_num(chain); i++)
575 { 669 {
@@ -577,7 +671,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
577 if (ktmp == NULL) 671 if (ktmp == NULL)
578 { 672 {
579 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); 673 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
580 return(0); 674 return 0;
581 } 675 }
582 if (!EVP_PKEY_missing_parameters(ktmp)) 676 if (!EVP_PKEY_missing_parameters(ktmp))
583 break; 677 break;
@@ -590,7 +684,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
590 if (ktmp == NULL) 684 if (ktmp == NULL)
591 { 685 {
592 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); 686 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
593 return(0); 687 return 0;
594 } 688 }
595 689
596 /* first, populate the other certs */ 690 /* first, populate the other certs */
@@ -603,101 +697,31 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
603 697
604 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); 698 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
605 EVP_PKEY_free(ktmp); 699 EVP_PKEY_free(ktmp);
606 return(1); 700 return 1;
607 }
608
609int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
610 {
611 X509_OBJECT *obj,*r;
612 int ret=1;
613
614 if (x == NULL) return(0);
615 obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
616 if (obj == NULL)
617 {
618 X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
619 return(0);
620 }
621 obj->type=X509_LU_X509;
622 obj->data.x509=x;
623
624 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
625
626 X509_OBJECT_up_ref_count(obj);
627
628 r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
629 if (r != NULL)
630 { /* oops, put it back */
631 lh_delete(ctx->certs,obj);
632 X509_OBJECT_free_contents(obj);
633 Free(obj);
634 lh_insert(ctx->certs,r);
635 X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
636 ret=0;
637 }
638
639 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
640
641 return(ret);
642 }
643
644int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
645 {
646 X509_OBJECT *obj,*r;
647 int ret=1;
648
649 if (x == NULL) return(0);
650 obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
651 if (obj == NULL)
652 {
653 X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
654 return(0);
655 }
656 obj->type=X509_LU_CRL;
657 obj->data.crl=x;
658
659 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
660
661 X509_OBJECT_up_ref_count(obj);
662
663 r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
664 if (r != NULL)
665 { /* oops, put it back */
666 lh_delete(ctx->certs,obj);
667 X509_OBJECT_free_contents(obj);
668 Free(obj);
669 lh_insert(ctx->certs,r);
670 X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
671 ret=0;
672 }
673
674 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
675
676 return(ret);
677 } 701 }
678 702
679int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 703int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
680 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 704 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
681 { 705 {
682 x509_store_ctx_num++; 706 x509_store_ctx_num++;
683 return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1, 707 return CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
684 &x509_store_ctx_method, 708 &x509_store_ctx_method,
685 argl,argp,new_func,dup_func,free_func)); 709 argl,argp,new_func,dup_func,free_func);
686 } 710 }
687 711
688int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) 712int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
689 { 713 {
690 return(CRYPTO_set_ex_data(&ctx->ex_data,idx,data)); 714 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
691 } 715 }
692 716
693void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) 717void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
694 { 718 {
695 return(CRYPTO_get_ex_data(&ctx->ex_data,idx)); 719 return CRYPTO_get_ex_data(&ctx->ex_data,idx);
696 } 720 }
697 721
698int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) 722int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
699 { 723 {
700 return(ctx->error); 724 return ctx->error;
701 } 725 }
702 726
703void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) 727void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
@@ -707,17 +731,17 @@ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
707 731
708int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) 732int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
709 { 733 {
710 return(ctx->error_depth); 734 return ctx->error_depth;
711 } 735 }
712 736
713X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) 737X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
714 { 738 {
715 return(ctx->current_cert); 739 return ctx->current_cert;
716 } 740 }
717 741
718STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) 742STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
719 { 743 {
720 return(ctx->chain); 744 return ctx->chain;
721 } 745 }
722 746
723STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) 747STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
@@ -725,12 +749,13 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
725 int i; 749 int i;
726 X509 *x; 750 X509 *x;
727 STACK_OF(X509) *chain; 751 STACK_OF(X509) *chain;
728 if(!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; 752 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
729 for(i = 0; i < sk_X509_num(chain); i++) { 753 for (i = 0; i < sk_X509_num(chain); i++)
754 {
730 x = sk_X509_value(chain, i); 755 x = sk_X509_value(chain, i);
731 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 756 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
732 } 757 }
733 return(chain); 758 return chain;
734 } 759 }
735 760
736void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) 761void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
@@ -768,43 +793,123 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
768{ 793{
769 int idx; 794 int idx;
770 /* If purpose not set use default */ 795 /* If purpose not set use default */
771 if(!purpose) purpose = def_purpose; 796 if (!purpose) purpose = def_purpose;
772 /* If we have a purpose then check it is valid */ 797 /* If we have a purpose then check it is valid */
773 if(purpose) { 798 if (purpose)
799 {
774 X509_PURPOSE *ptmp; 800 X509_PURPOSE *ptmp;
775 idx = X509_PURPOSE_get_by_id(purpose); 801 idx = X509_PURPOSE_get_by_id(purpose);
776 if(idx == -1) { 802 if (idx == -1)
803 {
777 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 804 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
778 X509_R_UNKNOWN_PURPOSE_ID); 805 X509_R_UNKNOWN_PURPOSE_ID);
779 return 0; 806 return 0;
780 } 807 }
781 ptmp = X509_PURPOSE_get0(idx); 808 ptmp = X509_PURPOSE_get0(idx);
782 if(ptmp->trust == X509_TRUST_DEFAULT) { 809 if (ptmp->trust == X509_TRUST_DEFAULT)
810 {
783 idx = X509_PURPOSE_get_by_id(def_purpose); 811 idx = X509_PURPOSE_get_by_id(def_purpose);
784 if(idx == -1) { 812 if (idx == -1)
813 {
785 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 814 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
786 X509_R_UNKNOWN_PURPOSE_ID); 815 X509_R_UNKNOWN_PURPOSE_ID);
787 return 0; 816 return 0;
788 } 817 }
789 ptmp = X509_PURPOSE_get0(idx); 818 ptmp = X509_PURPOSE_get0(idx);
790 } 819 }
791 /* If trust not set then get from purpose default */ 820 /* If trust not set then get from purpose default */
792 if(!trust) trust = ptmp->trust; 821 if (!trust) trust = ptmp->trust;
793 } 822 }
794 if(trust) { 823 if (trust)
824 {
795 idx = X509_TRUST_get_by_id(trust); 825 idx = X509_TRUST_get_by_id(trust);
796 if(idx == -1) { 826 if (idx == -1)
827 {
797 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, 828 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
798 X509_R_UNKNOWN_TRUST_ID); 829 X509_R_UNKNOWN_TRUST_ID);
799 return 0; 830 return 0;
831 }
800 } 832 }
801 }
802 833
803 if(purpose) ctx->purpose = purpose; 834 if (purpose) ctx->purpose = purpose;
804 if(trust) ctx->trust = trust; 835 if (trust) ctx->trust = trust;
805 return 1; 836 return 1;
806} 837}
807 838
839X509_STORE_CTX *X509_STORE_CTX_new(void)
840{
841 X509_STORE_CTX *ctx;
842 ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
843 if (ctx) memset(ctx, 0, sizeof(X509_STORE_CTX));
844 return ctx;
845}
846
847void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
848{
849 X509_STORE_CTX_cleanup(ctx);
850 OPENSSL_free(ctx);
851}
852
853void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
854 STACK_OF(X509) *chain)
855 {
856 ctx->ctx=store;
857 ctx->current_method=0;
858 ctx->cert=x509;
859 ctx->untrusted=chain;
860 ctx->last_untrusted=0;
861 ctx->purpose=0;
862 ctx->trust=0;
863 ctx->check_time=0;
864 ctx->flags=0;
865 ctx->other_ctx=NULL;
866 ctx->valid=0;
867 ctx->chain=NULL;
868 ctx->depth=9;
869 ctx->error=0;
870 ctx->error_depth=0;
871 ctx->current_cert=NULL;
872 ctx->current_issuer=NULL;
873 ctx->check_issued = check_issued;
874 ctx->get_issuer = X509_STORE_CTX_get1_issuer;
875 ctx->verify_cb = store->verify_cb;
876 ctx->verify = store->verify;
877 ctx->cleanup = 0;
878 memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
879 }
880
881/* Set alternative lookup method: just a STACK of trusted certificates.
882 * This avoids X509_STORE nastiness where it isn't needed.
883 */
884
885void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
886{
887 ctx->other_ctx = sk;
888 ctx->get_issuer = get_issuer_sk;
889}
890
891void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
892 {
893 if (ctx->cleanup) ctx->cleanup(ctx);
894 if (ctx->chain != NULL)
895 {
896 sk_X509_pop_free(ctx->chain,X509_free);
897 ctx->chain=NULL;
898 }
899 CRYPTO_free_ex_data(x509_store_ctx_method,ctx,&(ctx->ex_data));
900 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
901 }
902
903void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags)
904 {
905 ctx->flags |= flags;
906 }
907
908void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t)
909 {
910 ctx->check_time = t;
911 ctx->flags |= X509_V_FLAG_USE_CHECK_TIME;
912 }
808 913
809IMPLEMENT_STACK_OF(X509) 914IMPLEMENT_STACK_OF(X509)
810IMPLEMENT_ASN1_SET_OF(X509) 915IMPLEMENT_ASN1_SET_OF(X509)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 18:33:54 +0000