summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/x509/x509_internal.h5
-rw-r--r--src/lib/libcrypto/x509/x509_verify.c55
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c51
3 files changed, 33 insertions, 78 deletions
diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h
index f6ce78346e..7d3250d063 100644
--- a/src/lib/libcrypto/x509/x509_internal.h
+++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_internal.h,v 1.10 2021/08/28 07:49:00 beck Exp $ */ 1/* $OpenBSD: x509_internal.h,v 1.11 2021/08/28 15:22:42 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -96,8 +96,7 @@ X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x);
96int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, 96int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm,
97 int notafter); 97 int notafter);
98 98
99struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, 99struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc);
100 STACK_OF(X509) *roots);
101 100
102void x509_constraints_name_clear(struct x509_constraints_name *name); 101void x509_constraints_name_clear(struct x509_constraints_name *name);
103int x509_constraints_names_add(struct x509_constraints_names *names, 102int x509_constraints_names_add(struct x509_constraints_names *names,
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 3176e110ba..68dd2863a7 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_verify.c,v 1.43 2021/08/28 07:49:00 beck Exp $ */ 1/* $OpenBSD: x509_verify.c,v 1.44 2021/08/28 15:22:42 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -213,13 +213,6 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
213 if (!x509_verify_cert_cache_extensions(cert)) 213 if (!x509_verify_cert_cache_extensions(cert))
214 return 0; 214 return 0;
215 215
216 /* Check the provided roots */
217 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
218 if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
219 return !full_chain ||
220 x509_verify_cert_self_signed(cert);
221 }
222
223 /* Check by lookup if we have a legacy xsc */ 216 /* Check by lookup if we have a legacy xsc */
224 if (ctx->xsc != NULL) { 217 if (ctx->xsc != NULL) {
225 if ((match = x509_vfy_lookup_cert_match(ctx->xsc, 218 if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
@@ -228,6 +221,13 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
228 return !full_chain || 221 return !full_chain ||
229 x509_verify_cert_self_signed(cert); 222 x509_verify_cert_self_signed(cert);
230 } 223 }
224 } else {
225 /* Check the provided roots */
226 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
227 if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
228 return !full_chain ||
229 x509_verify_cert_self_signed(cert);
230 }
231 } 231 }
232 232
233 return 0; 233 return 0;
@@ -611,17 +611,6 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
611 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 611 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
612 } 612 }
613 613
614 /* Check to see if we have a trusted root issuer. */
615 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
616 candidate = sk_X509_value(ctx->roots, i);
617 if (x509_verify_potential_parent(ctx, candidate, cert)) {
618 is_root = !full_chain ||
619 x509_verify_cert_self_signed(candidate);
620 x509_verify_consider_candidate(ctx, cert,
621 cert_md, is_root, candidate, current_chain,
622 full_chain);
623 }
624 }
625 /* Check for legacy mode roots */ 614 /* Check for legacy mode roots */
626 if (ctx->xsc != NULL) { 615 if (ctx->xsc != NULL) {
627 if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { 616 if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) {
@@ -639,6 +628,18 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
639 } 628 }
640 X509_free(candidate); 629 X509_free(candidate);
641 } 630 }
631 } else {
632 /* Check to see if we have a trusted root issuer. */
633 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
634 candidate = sk_X509_value(ctx->roots, i);
635 if (x509_verify_potential_parent(ctx, candidate, cert)) {
636 is_root = !full_chain ||
637 x509_verify_cert_self_signed(candidate);
638 x509_verify_consider_candidate(ctx, cert,
639 cert_md, is_root, candidate, current_chain,
640 full_chain);
641 }
642 }
642 } 643 }
643 644
644 /* Check intermediates after checking roots */ 645 /* Check intermediates after checking roots */
@@ -933,7 +934,7 @@ x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert,
933} 934}
934 935
935struct x509_verify_ctx * 936struct x509_verify_ctx *
936x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots) 937x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc)
937{ 938{
938 struct x509_verify_ctx *ctx; 939 struct x509_verify_ctx *ctx;
939 size_t max_depth; 940 size_t max_depth;
@@ -941,7 +942,7 @@ x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots)
941 if (xsc == NULL) 942 if (xsc == NULL)
942 return NULL; 943 return NULL;
943 944
944 if ((ctx = x509_verify_ctx_new(roots)) == NULL) 945 if ((ctx = x509_verify_ctx_new(NULL)) == NULL)
945 return NULL; 946 return NULL;
946 947
947 ctx->xsc = xsc; 948 ctx->xsc = xsc;
@@ -969,14 +970,16 @@ x509_verify_ctx_new(STACK_OF(X509) *roots)
969{ 970{
970 struct x509_verify_ctx *ctx; 971 struct x509_verify_ctx *ctx;
971 972
972 if (roots == NULL)
973 return NULL;
974
975 if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL) 973 if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL)
976 return NULL; 974 return NULL;
977 975
978 if ((ctx->roots = X509_chain_up_ref(roots)) == NULL) 976 if (roots != NULL) {
979 goto err; 977 if ((ctx->roots = X509_chain_up_ref(roots)) == NULL)
978 goto err;
979 } else {
980 if ((ctx->roots = sk_X509_new_null()) == NULL)
981 goto err;
982 }
980 983
981 ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS; 984 ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS;
982 ctx->max_chains = X509_VERIFY_MAX_CHAINS; 985 ctx->max_chains = X509_VERIFY_MAX_CHAINS;
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 233c95c408..a161b330ae 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_vfy.c,v 1.87 2021/08/19 03:44:00 beck Exp $ */ 1/* $OpenBSD: x509_vfy.c,v 1.88 2021/08/28 15:22:42 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -634,54 +634,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
634 634
635 /* Use the modern multi-chain verifier from x509_verify_cert */ 635 /* Use the modern multi-chain verifier from x509_verify_cert */
636 636
637 /* Find our trusted roots */ 637 if ((vctx = x509_verify_ctx_new_from_xsc(ctx)) != NULL) {
638 ctx->error = X509_V_ERR_OUT_OF_MEM;
639
640 if (ctx->get_issuer == get_issuer_sk) {
641 /*
642 * We are using the trusted stack method. so
643 * the roots are in the aptly named "ctx->other_ctx"
644 * pointer. (It could have been called "al")
645 */
646 if ((roots = X509_chain_up_ref(ctx->other_ctx)) == NULL)
647 return -1;
648 } else {
649 /*
650 * We have a X509_STORE and need to pull out the roots.
651 * Don't look Ethel...
652 */
653 STACK_OF(X509_OBJECT) *objs;
654 size_t i, good = 1;
655
656 if ((roots = sk_X509_new_null()) == NULL)
657 return -1;
658
659 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
660 if ((objs = X509_STORE_get0_objects(ctx->ctx)) == NULL)
661 good = 0;
662 for (i = 0; good && i < sk_X509_OBJECT_num(objs); i++) {
663 X509_OBJECT *obj;
664 X509 *root;
665 obj = sk_X509_OBJECT_value(objs, i);
666 if (obj->type != X509_LU_X509)
667 continue;
668 root = obj->data.x509;
669 if (X509_up_ref(root) == 0)
670 good = 0;
671 if (sk_X509_push(roots, root) == 0) {
672 X509_free(root);
673 good = 0;
674 }
675 }
676 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
677
678 if (!good) {
679 sk_X509_pop_free(roots, X509_free);
680 return -1;
681 }
682 }
683
684 if ((vctx = x509_verify_ctx_new_from_xsc(ctx, roots)) != NULL) {
685 ctx->error = X509_V_OK; /* Initialize to OK */ 638 ctx->error = X509_V_OK; /* Initialize to OK */
686 chain_count = x509_verify(vctx, NULL, NULL); 639 chain_count = x509_verify(vctx, NULL, NULL);
687 } 640 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-29 19:50:39 +0000