1 files changed, 704 insertions, 0 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
new file mode 100644
index 0000000000..c1be91edba
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -0,0 +1,704 @@
+/* crypto/x509/x509_vfy.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include <time.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include "crypto.h"
+#include "cryptlib.h"
+#include "lhash.h"
+#include "buffer.h"
+#include "evp.h"
+#include "asn1.h"
+#include "x509.h"
+#include "objects.h"
+#include "pem.h"
+#ifndef NOPROTO
+static int null_callback(int ok,X509_STORE_CTX *e);
+static int internal_verify(X509_STORE_CTX *ctx);
+#else
+static int null_callback();
+static int internal_verify();
+#endif
+char *X509_version="X509 part of SSLeay 0.9.0b 29-Jun-1998";
+static STACK *x509_store_ctx_method=NULL;
+static int x509_store_ctx_num=0;
+#if 0
+static int x509_store_num=1;
+static STACK *x509_store_method=NULL;
+#endif
+static int null_callback(ok,e)
+int ok;
+X509_STORE_CTX *e;
+        {
+        return(ok);
+        }
+#if 0
+static int x509_subject_cmp(a,b)
+X509 **a,**b;
+        {
+        return(X509_subject_name_cmp(*a,*b));
+        }
+#endif
+int X509_verify_cert(ctx)
+X509_STORE_CTX *ctx;
+        {
+        X509 *x,*xtmp,*chain_ss=NULL;
+        X509_NAME *xn;
+        X509_OBJECT obj;
+        int depth,i,ok=0;
+        int num;
+        int (*cb)();
+        STACK *sktmp=NULL;
+        if (ctx->cert == NULL)
+                {
+                X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
+                return(-1);
+                }
+        cb=ctx->ctx->verify_cb;
+        if (cb == NULL) cb=null_callback;
+        /* first we make sure the chain we are going to build is
+         * present and that the first entry is in place */
+        if (ctx->chain == NULL)
+                {
+                if (    ((ctx->chain=sk_new_null()) == NULL) ||
+                        (!sk_push(ctx->chain,(char *)ctx->cert)))
+                        {
+                        X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+                        goto end;
+                        }
+                CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
+                ctx->last_untrusted=1;
+                }
+        /* We use a temporary so we can chop and hack at it */
+        if ((ctx->untrusted != NULL) && (sktmp=sk_dup(ctx->untrusted)) == NULL)
+                {
+                X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+                goto end;
+                }
+        num=sk_num(ctx->chain);
+        x=(X509 *)sk_value(ctx->chain,num-1);
+        depth=ctx->depth;
+        for (;;)
+                {
+                /* If we have enough, we break */
+                if (depth <= num) break;
+                /* If we are self signed, we break */
+                xn=X509_get_issuer_name(x);
+                if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
+                        break;
+                /* If we were passed a cert chain, use it first */
+                if (ctx->untrusted != NULL)
+                        {
+                        xtmp=X509_find_by_subject(sktmp,xn);
+                        if (xtmp != NULL)
+                                {
+                                if (!sk_push(ctx->chain,(char *)xtmp))
+                                        {
+                                        X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+                                        goto end;
+                                        }
+                                CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
+                                sk_delete_ptr(sktmp,(char *)xtmp);
+                                ctx->last_untrusted++;
+                                x=xtmp;
+                                num++;
+                                /* reparse the full chain for
+                                 * the next one */
+                                continue;
+                                }
+                        }
+                break;
+                }
+        /* at this point, chain should contain a list of untrusted
+         * certificates.  We now need to add at least one trusted one,
+         * if possible, otherwise we complain. */
+        i=sk_num(ctx->chain);
+        x=(X509 *)sk_value(ctx->chain,i-1);
+        if (X509_NAME_cmp(X509_get_subject_name(x),X509_get_issuer_name(x))
+                == 0)
+                {
+                /* we have a self signed certificate */
+                if (sk_num(ctx->chain) == 1)
+                        {
+                        ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+                        ctx->current_cert=x;
+                        ctx->error_depth=i-1;
+                        ok=cb(0,ctx);
+                        if (!ok) goto end;
+                        }
+                else
+                        {
+                        /* worry more about this one elsewhere */
+                        chain_ss=(X509 *)sk_pop(ctx->chain);
+                        ctx->last_untrusted--;
+                        num--;
+                        x=(X509 *)sk_value(ctx->chain,num-1);
+                        }
+                }
+        /* We now lookup certs from the certificate store */
+        for (;;)
+                {
+                /* If we have enough, we break */
+                if (depth <= num) break;
+                /* If we are self signed, we break */
+                xn=X509_get_issuer_name(x);
+                if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
+                        break;
+                ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
+                if (ok != X509_LU_X509)
+                        {
+                        if (ok == X509_LU_RETRY)
+                                {
+                                X509_OBJECT_free_contents(&obj);
+                                X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
+                                return(ok);
+                                }
+                        else if (ok != X509_LU_FAIL)
+                                {
+                                X509_OBJECT_free_contents(&obj);
+                                /* not good :-(, break anyway */
+                                return(ok);
+                                }
+                        break;
+                        }
+                x=obj.data.x509;
+                if (!sk_push(ctx->chain,(char *)obj.data.x509))
+                        {
+                        X509_OBJECT_free_contents(&obj);
+                        X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+                        return(0);
+                        }
+                num++;
+                }
+        /* we now have our chain, lets check it... */
+        xn=X509_get_issuer_name(x);
+        if (X509_NAME_cmp(X509_get_subject_name(x),xn) != 0)
+                {
+                if ((chain_ss == NULL) || (X509_NAME_cmp(X509_get_subject_name(chain_ss),xn) != 0))
+                        {
+                        if (ctx->last_untrusted >= num)
+                                ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+                        else
+                                ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
+                        ctx->current_cert=x;
+                        }
+                else
+                        {
+                        sk_push(ctx->chain,(char *)chain_ss);
+                        num++;
+                        ctx->last_untrusted=num;
+                        ctx->current_cert=chain_ss;
+                        ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
+                        chain_ss=NULL;
+                        }
+                ctx->error_depth=num-1;
+                ok=cb(0,ctx);
+                if (!ok) goto end;
+                }
+        /* We may as well copy down any DSA parameters that are required */
+        X509_get_pubkey_parameters(NULL,ctx->chain);
+        /* At this point, we have a chain and just need to verify it */
+        if (ctx->ctx->verify != NULL)
+                ok=ctx->ctx->verify(ctx);
+        else
+                ok=internal_verify(ctx);
+end:
+        if (sktmp != NULL) sk_free(sktmp);
+        if (chain_ss != NULL) X509_free(chain_ss);
+        return(ok);
+        }
+static int internal_verify(ctx)
+X509_STORE_CTX *ctx;
+        {
+        int i,ok=0,n;
+        X509 *xs,*xi;
+        EVP_PKEY *pkey=NULL;
+        int (*cb)();
+        cb=ctx->ctx->verify_cb;
+        if (cb == NULL) cb=null_callback;
+        n=sk_num(ctx->chain);
+        ctx->error_depth=n-1;
+        n--;
+        xi=(X509 *)sk_value(ctx->chain,n);
+        if (X509_NAME_cmp(X509_get_subject_name(xi),
+                X509_get_issuer_name(xi)) == 0)
+                xs=xi;
+        else
+                {
+                if (n <= 0)
+                        {
+                        ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
+                        ctx->current_cert=xi;
+                        ok=cb(0,ctx);
+                        goto end;
+                        }
+                else
+                        {
+                        n--;
+                        ctx->error_depth=n;
+                        xs=(X509 *)sk_value(ctx->chain,n);
+                        }
+                }
+/*      ctx->error=0;  not needed */
+        while (n >= 0)
+                {
+                ctx->error_depth=n;
+                if (!xs->valid)
+                        {
+                        if ((pkey=X509_get_pubkey(xi)) == NULL)
+                                {
+                                ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+                                ctx->current_cert=xi;
+                                ok=(*cb)(0,ctx);
+                                if (!ok) goto end;
+                                }
+                        if (X509_verify(xs,pkey) <= 0)
+                                {
+                                ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
+                                ctx->current_cert=xs;
+                                ok=(*cb)(0,ctx);
+                                if (!ok) goto end;
+                                }
+                        pkey=NULL;
+                        i=X509_cmp_current_time(X509_get_notBefore(xs));
+                        if (i == 0)
+                                {
+                                ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
+                                ctx->current_cert=xs;
+                                ok=(*cb)(0,ctx);
+                                if (!ok) goto end;
+                                }
+                        if (i > 0)
+                                {
+                                ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
+                                ctx->current_cert=xs;
+                                ok=(*cb)(0,ctx);
+                                if (!ok) goto end;
+                                }
+                        xs->valid=1;
+                        }
+                i=X509_cmp_current_time(X509_get_notAfter(xs));
+                if (i == 0)
+                        {
+                        ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
+                        ctx->current_cert=xs;
+                        ok=(*cb)(0,ctx);
+                        if (!ok) goto end;
+                        }
+                if (i < 0)
+                        {
+                        ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
+                        ctx->current_cert=xs;
+                        ok=(*cb)(0,ctx);
+                        if (!ok) goto end;
+                        }
+                /* CRL CHECK */
+                /* The last error (if any) is still in the error value */
+                ctx->current_cert=xs;
+                ok=(*cb)(1,ctx);
+                if (!ok) goto end;
+                n--;
+                if (n >= 0)
+                        {
+                        xi=xs;
+                        xs=(X509 *)sk_value(ctx->chain,n);
+                        }
+                }
+        ok=1;
+end:
+        return(ok);
+        }
+int X509_cmp_current_time(ctm)
+ASN1_UTCTIME *ctm;
+        {
+        char *str;
+        ASN1_UTCTIME atm;
+        time_t offset;
+        char buff1[24],buff2[24],*p;
+        int i,j;
+        p=buff1;
+        i=ctm->length;
+        str=(char *)ctm->data;
+        if ((i < 11) || (i > 17)) return(0);
+        memcpy(p,str,10);
+        p+=10;
+        str+=10;
+        if ((*str == 'Z') || (*str == '-') || (*str == '+'))
+                { *(p++)='0'; *(p++)='0'; }
+        else    { *(p++)= *(str++); *(p++)= *(str++); }
+        *(p++)='Z';
+        *(p++)='\0';
+        if (*str == 'Z')
+                offset=0;
+        else
+                {
+                if ((*str != '+') && (str[5] != '-'))
+                        return(0);
+                offset=((str[1]-'0')*10+(str[2]-'0'))*60;
+                offset+=(str[3]-'0')*10+(str[4]-'0');
+                if (*str == '-')
+                        offset=-offset;
+                }
+        atm.type=V_ASN1_UTCTIME;
+        atm.length=sizeof(buff2);
+        atm.data=(unsigned char *)buff2;
+        X509_gmtime_adj(&atm,-offset);
+        i=(buff1[0]-'0')*10+(buff1[1]-'0');
+        if (i < 70) i+=100;
+        j=(buff2[0]-'0')*10+(buff2[1]-'0');
+        if (j < 70) j+=100;
+        if (i < j) return (-1);
+        if (i > j) return (1);
+        i=strcmp(buff1,buff2);
+        if (i == 0) /* wait a second then return younger :-) */
+                return(-1);
+        else
+                return(i);
+        }
+ASN1_UTCTIME *X509_gmtime_adj(s, adj)
+ASN1_UTCTIME *s;
+long adj;
+        {
+        time_t t;
+        time(&t);
+        t+=adj;
+        return(ASN1_UTCTIME_set(s,t));
+        }
+int X509_get_pubkey_parameters(pkey,chain)
+EVP_PKEY *pkey;
+STACK *chain;
+        {
+        EVP_PKEY *ktmp=NULL,*ktmp2;
+        int i,j;
+        if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return(1);
+        for (i=0; i<sk_num(chain); i++)
+                {
+                ktmp=X509_get_pubkey((X509 *)sk_value(chain,i));
+                if (ktmp == NULL)
+                        {
+                        X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
+                        return(0);
+                        }
+                if (!EVP_PKEY_missing_parameters(ktmp))
+                        break;
+                else
+                        {
+                        ktmp=NULL;
+                        }
+                }
+        if (ktmp == NULL)
+                {
+                X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
+                return(0);
+                }
+        /* first, populate the other certs */
+        for (j=i-1; j >= 0; j--)
+                {
+                ktmp2=X509_get_pubkey((X509 *)sk_value(chain,j));
+                EVP_PKEY_copy_parameters(ktmp2,ktmp);
+                }
+        
+        if (pkey != NULL)
+                EVP_PKEY_copy_parameters(pkey,ktmp);
+        return(1);
+        }
+EVP_PKEY *X509_get_pubkey(x)
+X509 *x;
+        {
+        if ((x == NULL) || (x->cert_info == NULL))
+                return(NULL);
+        return(X509_PUBKEY_get(x->cert_info->key));
+        }
+int X509_check_private_key(x,k)
+X509 *x;
+EVP_PKEY *k;
+        {
+        EVP_PKEY *xk=NULL;
+        int ok=0;
+        xk=X509_get_pubkey(x);
+        if (xk->type != k->type) goto err;
+        switch (k->type)
+                {
+#ifndef NO_RSA
+        case EVP_PKEY_RSA:
+                if (BN_cmp(xk->pkey.rsa->n,k->pkey.rsa->n) != 0) goto err;
+                if (BN_cmp(xk->pkey.rsa->e,k->pkey.rsa->e) != 0) goto err;
+                break;
+#endif
+#ifndef NO_DSA
+        case EVP_PKEY_DSA:
+                if (BN_cmp(xk->pkey.dsa->pub_key,k->pkey.dsa->pub_key) != 0)
+                        goto err;
+                break;
+#endif
+#ifndef NO_DH
+        case EVP_PKEY_DH:
+                /* No idea */
+                goto err;
+#endif
+        default:
+                goto err;
+                }
+        ok=1;
+err:
+        return(ok);
+        }
+int X509_STORE_add_cert(ctx,x)
+X509_STORE *ctx;
+X509 *x;
+        {
+        X509_OBJECT *obj,*r;
+        int ret=1;
+        if (x == NULL) return(0);
+        obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
+        if (obj == NULL)
+                {
+                X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
+        obj->type=X509_LU_X509;
+        obj->data.x509=x;
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+        X509_OBJECT_up_ref_count(obj);
+        r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
+        if (r != NULL)
+                { /* oops, put it back */
+                lh_delete(ctx->certs,(char *)obj);
+                X509_OBJECT_free_contents(obj);
+                Free(obj);
+                lh_insert(ctx->certs,(char *)r);
+                X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
+                ret=0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+        return(ret);    
+        }
+int X509_STORE_add_crl(ctx,x)
+X509_STORE *ctx;
+X509_CRL *x;
+        {
+        X509_OBJECT *obj,*r;
+        int ret=1;
+        if (x == NULL) return(0);
+        obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
+        if (obj == NULL)
+                {
+                X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
+        obj->type=X509_LU_CRL;
+        obj->data.crl=x;
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+        X509_OBJECT_up_ref_count(obj);
+        r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
+        if (r != NULL)
+                { /* oops, put it back */
+                lh_delete(ctx->certs,(char *)obj);
+                X509_OBJECT_free_contents(obj);
+                Free(obj);
+                lh_insert(ctx->certs,(char *)r);
+                X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
+                ret=0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+        return(ret);    
+        }
+int X509_STORE_CTX_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
+long argl;
+char *argp;
+int (*new_func)();
+int (*dup_func)();
+void (*free_func)();
+        {
+        x509_store_ctx_num++;
+        return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
+                &x509_store_ctx_method,
+                argl,argp,new_func,dup_func,free_func));
+        }
+int X509_STORE_CTX_set_ex_data(ctx,idx,data)
+X509_STORE_CTX *ctx;
+int idx;
+char *data;
+        {
+        return(CRYPTO_set_ex_data(&ctx->ex_data,idx,data));
+        }
+char *X509_STORE_CTX_get_ex_data(ctx,idx)
+X509_STORE_CTX *ctx;
+int idx;
+        {
+        return(CRYPTO_get_ex_data(&ctx->ex_data,idx));
+        }
+int X509_STORE_CTX_get_error(ctx)
+X509_STORE_CTX *ctx;
+        {
+        return(ctx->error);
+        }
+void X509_STORE_CTX_set_error(ctx,err)
+X509_STORE_CTX *ctx;
+int err;
+        {
+        ctx->error=err;
+        }
+int X509_STORE_CTX_get_error_depth(ctx)
+X509_STORE_CTX *ctx;
+        {
+        return(ctx->error_depth);
+        }
+X509 *X509_STORE_CTX_get_current_cert(ctx)
+X509_STORE_CTX *ctx;
+        {
+        return(ctx->current_cert);
+        }
+STACK *X509_STORE_CTX_get_chain(ctx)
+X509_STORE_CTX *ctx;
+        {
+        return(ctx->chain);
+        }
+void X509_STORE_CTX_set_cert(ctx,x)
+X509_STORE_CTX *ctx;
+X509 *x;
+        {
+        ctx->cert=x;
+        }
+void X509_STORE_CTX_set_chain(ctx,sk)
+X509_STORE_CTX *ctx;
+STACK *sk;
+        {
+        ctx->untrusted=sk;
+        }

diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c new file mode 100644 index 0000000000..c1be91edba --- /dev/null +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -0,0 +1,704 @@
	1	/* crypto/x509/x509_vfy.c */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	#include <stdio.h>
	60	#include <time.h>
	61	#include <errno.h>
	62	#include <sys/types.h>
	63	#include <sys/stat.h>
	64
	65	#include "crypto.h"
	66	#include "cryptlib.h"
	67	#include "lhash.h"
	68	#include "buffer.h"
	69	#include "evp.h"
	70	#include "asn1.h"
	71	#include "x509.h"
	72	#include "objects.h"
	73	#include "pem.h"
	74
	75	#ifndef NOPROTO
	76	static int null_callback(int ok,X509_STORE_CTX *e);
	77	static int internal_verify(X509_STORE_CTX *ctx);
	78	#else
	79	static int null_callback();
	80	static int internal_verify();
	81	#endif
	82
	83	char *X509_version="X509 part of SSLeay 0.9.0b 29-Jun-1998";
	84	static STACK *x509_store_ctx_method=NULL;
	85	static int x509_store_ctx_num=0;
	86	#if 0
	87	static int x509_store_num=1;
	88	static STACK *x509_store_method=NULL;
	89	#endif
	90
	91	static int null_callback(ok,e)
	92	int ok;
	93	X509_STORE_CTX *e;
	94	{
	95	return(ok);
	96	}
	97
	98	#if 0
	99	static int x509_subject_cmp(a,b)
	100	X509 a,b;
	101	{
	102	return(X509_subject_name_cmp(a,b));
	103	}
	104	#endif
	105
	106	int X509_verify_cert(ctx)
	107	X509_STORE_CTX *ctx;
	108	{
	109	X509 x,xtmp,*chain_ss=NULL;
	110	X509_NAME *xn;
	111	X509_OBJECT obj;
	112	int depth,i,ok=0;
	113	int num;
	114	int (*cb)();
	115	STACK *sktmp=NULL;
	116
	117	if (ctx->cert == NULL)
	118	{
	119	X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
	120	return(-1);
	121	}
	122
	123	cb=ctx->ctx->verify_cb;
	124	if (cb == NULL) cb=null_callback;
	125
	126	/* first we make sure the chain we are going to build is
	127	* present and that the first entry is in place */
	128	if (ctx->chain == NULL)
	129	{
	130	if ( ((ctx->chain=sk_new_null()) == NULL) \|\|
	131	(!sk_push(ctx->chain,(char *)ctx->cert)))
	132	{
	133	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
	134	goto end;
	135	}
	136	CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
	137	ctx->last_untrusted=1;
	138	}
	139
	140	/* We use a temporary so we can chop and hack at it */
	141	if ((ctx->untrusted != NULL) && (sktmp=sk_dup(ctx->untrusted)) == NULL)
	142	{
	143	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
	144	goto end;
	145	}
	146
	147	num=sk_num(ctx->chain);
	148	x=(X509 *)sk_value(ctx->chain,num-1);
	149	depth=ctx->depth;
	150
	151
	152	for (;;)
	153	{
	154	/* If we have enough, we break */
	155	if (depth <= num) break;
	156
	157	/* If we are self signed, we break */
	158	xn=X509_get_issuer_name(x);
	159	if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
	160	break;
	161
	162	/* If we were passed a cert chain, use it first */
	163	if (ctx->untrusted != NULL)
	164	{
	165	xtmp=X509_find_by_subject(sktmp,xn);
	166	if (xtmp != NULL)
	167	{
	168	if (!sk_push(ctx->chain,(char *)xtmp))
	169	{
	170	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
	171	goto end;
	172	}
	173	CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
	174	sk_delete_ptr(sktmp,(char *)xtmp);
	175	ctx->last_untrusted++;
	176	x=xtmp;
	177	num++;
	178	/* reparse the full chain for
	179	* the next one */
	180	continue;
	181	}
	182	}
	183	break;
	184	}
	185
	186	/* at this point, chain should contain a list of untrusted
	187	* certificates. We now need to add at least one trusted one,
	188	* if possible, otherwise we complain. */
	189
	190	i=sk_num(ctx->chain);
	191	x=(X509 *)sk_value(ctx->chain,i-1);
	192	if (X509_NAME_cmp(X509_get_subject_name(x),X509_get_issuer_name(x))
	193	== 0)
	194	{
	195	/* we have a self signed certificate */
	196	if (sk_num(ctx->chain) == 1)
	197	{
	198	ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
	199	ctx->current_cert=x;
	200	ctx->error_depth=i-1;
	201	ok=cb(0,ctx);
	202	if (!ok) goto end;
	203	}
	204	else
	205	{
	206	/* worry more about this one elsewhere */
	207	chain_ss=(X509 *)sk_pop(ctx->chain);
	208	ctx->last_untrusted--;
	209	num--;
	210	x=(X509 *)sk_value(ctx->chain,num-1);
	211	}
	212	}
	213
	214	/* We now lookup certs from the certificate store */
	215	for (;;)
	216	{
	217	/* If we have enough, we break */
	218	if (depth <= num) break;
	219
	220	/* If we are self signed, we break */
	221	xn=X509_get_issuer_name(x);
	222	if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
	223	break;
	224
	225	ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
	226	if (ok != X509_LU_X509)
	227	{
	228	if (ok == X509_LU_RETRY)
	229	{
	230	X509_OBJECT_free_contents(&obj);
	231	X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
	232	return(ok);
	233	}
	234	else if (ok != X509_LU_FAIL)
	235	{
	236	X509_OBJECT_free_contents(&obj);
	237	/* not good :-(, break anyway */
	238	return(ok);
	239	}
	240	break;
	241	}
	242	x=obj.data.x509;
	243	if (!sk_push(ctx->chain,(char *)obj.data.x509))
	244	{
	245	X509_OBJECT_free_contents(&obj);
	246	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
	247	return(0);
	248	}
	249	num++;
	250	}
	251
	252	/* we now have our chain, lets check it... */
	253	xn=X509_get_issuer_name(x);
	254	if (X509_NAME_cmp(X509_get_subject_name(x),xn) != 0)
	255	{
	256	if ((chain_ss == NULL) \|\| (X509_NAME_cmp(X509_get_subject_name(chain_ss),xn) != 0))
	257	{
	258	if (ctx->last_untrusted >= num)
	259	ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
	260	else
	261	ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
	262	ctx->current_cert=x;
	263	}
	264	else
	265	{
	266
	267	sk_push(ctx->chain,(char *)chain_ss);
	268	num++;
	269	ctx->last_untrusted=num;
	270	ctx->current_cert=chain_ss;
	271	ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
	272	chain_ss=NULL;
	273	}
	274
	275	ctx->error_depth=num-1;
	276	ok=cb(0,ctx);
	277	if (!ok) goto end;
	278	}
	279
	280	/* We may as well copy down any DSA parameters that are required */
	281	X509_get_pubkey_parameters(NULL,ctx->chain);
	282
	283	/* At this point, we have a chain and just need to verify it */
	284	if (ctx->ctx->verify != NULL)
	285	ok=ctx->ctx->verify(ctx);
	286	else
	287	ok=internal_verify(ctx);
	288	end:
	289	if (sktmp != NULL) sk_free(sktmp);
	290	if (chain_ss != NULL) X509_free(chain_ss);
	291	return(ok);
	292	}
	293
	294	static int internal_verify(ctx)
	295	X509_STORE_CTX *ctx;
	296	{
	297	int i,ok=0,n;
	298	X509 xs,xi;
	299	EVP_PKEY *pkey=NULL;
	300	int (*cb)();
	301
	302	cb=ctx->ctx->verify_cb;
	303	if (cb == NULL) cb=null_callback;
	304
	305	n=sk_num(ctx->chain);
	306	ctx->error_depth=n-1;
	307	n--;
	308	xi=(X509 *)sk_value(ctx->chain,n);
	309	if (X509_NAME_cmp(X509_get_subject_name(xi),
	310	X509_get_issuer_name(xi)) == 0)
	311	xs=xi;
	312	else
	313	{
	314	if (n <= 0)
	315	{
	316	ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
	317	ctx->current_cert=xi;
	318	ok=cb(0,ctx);
	319	goto end;
	320	}
	321	else
	322	{
	323	n--;
	324	ctx->error_depth=n;
	325	xs=(X509 *)sk_value(ctx->chain,n);
	326	}
	327	}
	328
	329	/* ctx->error=0; not needed */
	330	while (n >= 0)
	331	{
	332	ctx->error_depth=n;
	333	if (!xs->valid)
	334	{
	335	if ((pkey=X509_get_pubkey(xi)) == NULL)
	336	{
	337	ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
	338	ctx->current_cert=xi;
	339	ok=(*cb)(0,ctx);
	340	if (!ok) goto end;
	341	}
	342	if (X509_verify(xs,pkey) <= 0)
	343	{
	344	ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
	345	ctx->current_cert=xs;
	346	ok=(*cb)(0,ctx);
	347	if (!ok) goto end;
	348	}
	349	pkey=NULL;
	350
	351	i=X509_cmp_current_time(X509_get_notBefore(xs));
	352	if (i == 0)
	353	{
	354	ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
	355	ctx->current_cert=xs;
	356	ok=(*cb)(0,ctx);
	357	if (!ok) goto end;
	358	}
	359	if (i > 0)
	360	{
	361	ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
	362	ctx->current_cert=xs;
	363	ok=(*cb)(0,ctx);
	364	if (!ok) goto end;
	365	}
	366	xs->valid=1;
	367	}
	368
	369	i=X509_cmp_current_time(X509_get_notAfter(xs));
	370	if (i == 0)
	371	{
	372	ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
	373	ctx->current_cert=xs;
	374	ok=(*cb)(0,ctx);
	375	if (!ok) goto end;
	376	}
	377
	378	if (i < 0)
	379	{
	380	ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
	381	ctx->current_cert=xs;
	382	ok=(*cb)(0,ctx);
	383	if (!ok) goto end;
	384	}
	385
	386	/* CRL CHECK */
	387
	388	/* The last error (if any) is still in the error value */
	389	ctx->current_cert=xs;
	390	ok=(*cb)(1,ctx);
	391	if (!ok) goto end;
	392
	393	n--;
	394	if (n >= 0)
	395	{
	396	xi=xs;
	397	xs=(X509 *)sk_value(ctx->chain,n);
	398	}
	399	}
	400	ok=1;
	401	end:
	402	return(ok);
	403	}
	404
	405	int X509_cmp_current_time(ctm)
	406	ASN1_UTCTIME *ctm;
	407	{
	408	char *str;
	409	ASN1_UTCTIME atm;
	410	time_t offset;
	411	char buff1[24],buff2[24],*p;
	412	int i,j;
	413
	414	p=buff1;
	415	i=ctm->length;
	416	str=(char *)ctm->data;
	417	if ((i < 11) \|\| (i > 17)) return(0);
	418	memcpy(p,str,10);
	419	p+=10;
	420	str+=10;
	421
	422	if ((str == 'Z') \|\| (str == '-') \|\| (*str == '+'))
	423	{ (p++)='0'; (p++)='0'; }
	424	else { (p++)= (str++); (p++)= (str++); }
	425	*(p++)='Z';
	426	*(p++)='\0';
	427
	428	if (*str == 'Z')
	429	offset=0;
	430	else
	431	{
	432	if ((*str != '+') && (str[5] != '-'))
	433	return(0);
	434	offset=((str[1]-'0')10+(str[2]-'0'))60;
	435	offset+=(str[3]-'0')*10+(str[4]-'0');
	436	if (*str == '-')
	437	offset=-offset;
	438	}
	439	atm.type=V_ASN1_UTCTIME;
	440	atm.length=sizeof(buff2);
	441	atm.data=(unsigned char *)buff2;
	442
	443	X509_gmtime_adj(&atm,-offset);
	444
	445	i=(buff1[0]-'0')*10+(buff1[1]-'0');
	446	if (i < 70) i+=100;
	447	j=(buff2[0]-'0')*10+(buff2[1]-'0');
	448	if (j < 70) j+=100;
	449
	450	if (i < j) return (-1);
	451	if (i > j) return (1);
	452	i=strcmp(buff1,buff2);
	453	if (i == 0) /* wait a second then return younger :-) */
	454	return(-1);
	455	else
	456	return(i);
	457	}
	458
	459	ASN1_UTCTIME *X509_gmtime_adj(s, adj)
	460	ASN1_UTCTIME *s;
	461	long adj;
	462	{
	463	time_t t;
	464
	465	time(&t);
	466	t+=adj;
	467	return(ASN1_UTCTIME_set(s,t));
	468	}
	469
	470	int X509_get_pubkey_parameters(pkey,chain)
	471	EVP_PKEY *pkey;
	472	STACK *chain;
	473	{
	474	EVP_PKEY ktmp=NULL,ktmp2;
	475	int i,j;
	476
	477	if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return(1);
	478
	479	for (i=0; i<sk_num(chain); i++)
	480	{
	481	ktmp=X509_get_pubkey((X509 *)sk_value(chain,i));
	482	if (ktmp == NULL)
	483	{
	484	X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
	485	return(0);
	486	}
	487	if (!EVP_PKEY_missing_parameters(ktmp))
	488	break;
	489	else
	490	{
	491	ktmp=NULL;
	492	}
	493	}
	494	if (ktmp == NULL)
	495	{
	496	X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
	497	return(0);
	498	}
	499
	500	/* first, populate the other certs */
	501	for (j=i-1; j >= 0; j--)
	502	{
	503	ktmp2=X509_get_pubkey((X509 *)sk_value(chain,j));
	504	EVP_PKEY_copy_parameters(ktmp2,ktmp);
	505	}
	506
	507	if (pkey != NULL)
	508	EVP_PKEY_copy_parameters(pkey,ktmp);
	509	return(1);
	510	}
	511
	512	EVP_PKEY *X509_get_pubkey(x)
	513	X509 *x;
	514	{
	515	if ((x == NULL) \|\| (x->cert_info == NULL))
	516	return(NULL);
	517	return(X509_PUBKEY_get(x->cert_info->key));
	518	}
	519
	520	int X509_check_private_key(x,k)
	521	X509 *x;
	522	EVP_PKEY *k;
	523	{
	524	EVP_PKEY *xk=NULL;
	525	int ok=0;
	526
	527	xk=X509_get_pubkey(x);
	528	if (xk->type != k->type) goto err;
	529	switch (k->type)
	530	{
	531	#ifndef NO_RSA
	532	case EVP_PKEY_RSA:
	533	if (BN_cmp(xk->pkey.rsa->n,k->pkey.rsa->n) != 0) goto err;
	534	if (BN_cmp(xk->pkey.rsa->e,k->pkey.rsa->e) != 0) goto err;
	535	break;
	536	#endif
	537	#ifndef NO_DSA
	538	case EVP_PKEY_DSA:
	539	if (BN_cmp(xk->pkey.dsa->pub_key,k->pkey.dsa->pub_key) != 0)
	540	goto err;
	541	break;
	542	#endif
	543	#ifndef NO_DH
	544	case EVP_PKEY_DH:
	545	/* No idea */
	546	goto err;
	547	#endif
	548	default:
	549	goto err;
	550	}
	551
	552	ok=1;
	553	err:
	554	return(ok);
	555	}
	556
	557	int X509_STORE_add_cert(ctx,x)
	558	X509_STORE *ctx;
	559	X509 *x;
	560	{
	561	X509_OBJECT obj,r;
	562	int ret=1;
	563
	564	if (x == NULL) return(0);
	565	obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
	566	if (obj == NULL)
	567	{
	568	X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
	569	return(0);
	570	}
	571	obj->type=X509_LU_X509;
	572	obj->data.x509=x;
	573
	574	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
	575
	576	X509_OBJECT_up_ref_count(obj);
	577
	578	r=(X509_OBJECT )lh_insert(ctx->certs,(char )obj);
	579	if (r != NULL)
	580	{ /* oops, put it back */
	581	lh_delete(ctx->certs,(char *)obj);
	582	X509_OBJECT_free_contents(obj);
	583	Free(obj);
	584	lh_insert(ctx->certs,(char *)r);
	585	X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
	586	ret=0;
	587	}
	588
	589	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
	590
	591	return(ret);
	592	}
	593
	594	int X509_STORE_add_crl(ctx,x)
	595	X509_STORE *ctx;
	596	X509_CRL *x;
	597	{
	598	X509_OBJECT obj,r;
	599	int ret=1;
	600
	601	if (x == NULL) return(0);
	602	obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
	603	if (obj == NULL)
	604	{
	605	X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
	606	return(0);
	607	}
	608	obj->type=X509_LU_CRL;
	609	obj->data.crl=x;
	610
	611	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
	612
	613	X509_OBJECT_up_ref_count(obj);
	614
	615	r=(X509_OBJECT )lh_insert(ctx->certs,(char )obj);
	616	if (r != NULL)
	617	{ /* oops, put it back */
	618	lh_delete(ctx->certs,(char *)obj);
	619	X509_OBJECT_free_contents(obj);
	620	Free(obj);
	621	lh_insert(ctx->certs,(char *)r);
	622	X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
	623	ret=0;
	624	}
	625
	626	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
	627
	628	return(ret);
	629	}
	630
	631	int X509_STORE_CTX_get_ex_new_index(argl,argp,new_func,dup_func,free_func)
	632	long argl;
	633	char *argp;
	634	int (*new_func)();
	635	int (*dup_func)();
	636	void (*free_func)();
	637	{
	638	x509_store_ctx_num++;
	639	return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
	640	&x509_store_ctx_method,
	641	argl,argp,new_func,dup_func,free_func));
	642	}
	643
	644	int X509_STORE_CTX_set_ex_data(ctx,idx,data)
	645	X509_STORE_CTX *ctx;
	646	int idx;
	647	char *data;
	648	{
	649	return(CRYPTO_set_ex_data(&ctx->ex_data,idx,data));
	650	}
	651
	652	char *X509_STORE_CTX_get_ex_data(ctx,idx)
	653	X509_STORE_CTX *ctx;
	654	int idx;
	655	{
	656	return(CRYPTO_get_ex_data(&ctx->ex_data,idx));
	657	}
	658
	659	int X509_STORE_CTX_get_error(ctx)
	660	X509_STORE_CTX *ctx;
	661	{
	662	return(ctx->error);
	663	}
	664
	665	void X509_STORE_CTX_set_error(ctx,err)
	666	X509_STORE_CTX *ctx;
	667	int err;
	668	{
	669	ctx->error=err;
	670	}
	671
	672	int X509_STORE_CTX_get_error_depth(ctx)
	673	X509_STORE_CTX *ctx;
	674	{
	675	return(ctx->error_depth);
	676	}
	677
	678	X509 *X509_STORE_CTX_get_current_cert(ctx)
	679	X509_STORE_CTX *ctx;
	680	{
	681	return(ctx->current_cert);
	682	}
	683
	684	STACK *X509_STORE_CTX_get_chain(ctx)
	685	X509_STORE_CTX *ctx;
	686	{
	687	return(ctx->chain);
	688	}
	689
	690	void X509_STORE_CTX_set_cert(ctx,x)
	691	X509_STORE_CTX *ctx;
	692	X509 *x;
	693	{
	694	ctx->cert=x;
	695	}
	696
	697	void X509_STORE_CTX_set_chain(ctx,sk)
	698	X509_STORE_CTX *ctx;
	699	STACK *sk;
	700	{
	701	ctx->untrusted=sk;
	702	}
	703
	704