summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/x509/x509_local.h8
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c52
2 files changed, 18 insertions, 42 deletions
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 81efb690df..0312e6cac7 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_local.h,v 1.13 2023/12/22 09:40:14 tb Exp $ */ 1/* $OpenBSD: x509_local.h,v 1.14 2023/12/22 13:31:35 tb Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2013. 3 * project 2013.
4 */ 4 */
@@ -336,12 +336,6 @@ struct x509_store_ctx_st {
336 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ 336 int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
337 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ 337 int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
338 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ 338 int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
339 int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
340 int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
341 int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
342 int (*check_policy)(X509_STORE_CTX *ctx);
343 STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
344 STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
345 339
346 /* The following is built up */ 340 /* The following is built up */
347 int valid; /* if 0, rebuild chain */ 341 int valid; /* if 0, rebuild chain */
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 93fa2c2800..fb6c4167c1 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_vfy.c,v 1.129 2023/12/22 09:40:14 tb Exp $ */ 1/* $OpenBSD: x509_vfy.c,v 1.130 2023/12/22 13:31:35 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -116,6 +116,9 @@
116 116
117#define CRL_SCORE_TIME_DELTA 0x002 117#define CRL_SCORE_TIME_DELTA 0x002
118 118
119static int x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl);
120static int x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
121
119static int null_callback(int ok, X509_STORE_CTX *e); 122static int null_callback(int ok, X509_STORE_CTX *e);
120static int check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer); 123static int check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer);
121static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, 124static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x,
@@ -123,9 +126,7 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x,
123static int check_chain_extensions(X509_STORE_CTX *ctx); 126static int check_chain_extensions(X509_STORE_CTX *ctx);
124static int check_name_constraints(X509_STORE_CTX *ctx); 127static int check_name_constraints(X509_STORE_CTX *ctx);
125static int check_trust(X509_STORE_CTX *ctx); 128static int check_trust(X509_STORE_CTX *ctx);
126static int check_revocation(X509_STORE_CTX *ctx);
127static int check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth); 129static int check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth);
128static int check_policy(X509_STORE_CTX *ctx);
129 130
130static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 131static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
131 unsigned int *preasons, X509_CRL *crl, X509 *x); 132 unsigned int *preasons, X509_CRL *crl, X509 *x);
@@ -564,7 +565,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
564 * Check revocation status: we do this after copying parameters because 565 * Check revocation status: we do this after copying parameters because
565 * they may be needed for CRL signature verification. 566 * they may be needed for CRL signature verification.
566 */ 567 */
567 ok = ctx->check_revocation(ctx); 568 ok = x509_vfy_check_revocation(ctx);
568 if (!ok) 569 if (!ok)
569 goto end; 570 goto end;
570 571
@@ -578,7 +579,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
578 579
579 /* If we get this far evaluate policies */ 580 /* If we get this far evaluate policies */
580 if (!bad_chain) 581 if (!bad_chain)
581 ok = ctx->check_policy(ctx); 582 ok = x509_vfy_check_policy(ctx);
582 583
583 end: 584 end:
584 /* Safety net, error returns must set ctx->error */ 585 /* Safety net, error returns must set ctx->error */
@@ -840,7 +841,7 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
840 size_t i; 841 size_t i;
841 842
842 /* Lookup all certs with matching subject name */ 843 /* Lookup all certs with matching subject name */
843 certs = ctx->lookup_certs(ctx, X509_get_subject_name(x)); 844 certs = X509_STORE_CTX_get1_certs(ctx, X509_get_subject_name(x));
844 if (certs == NULL) 845 if (certs == NULL)
845 return NULL; 846 return NULL;
846 847
@@ -863,8 +864,7 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
863X509 * 864X509 *
864x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) 865x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
865{ 866{
866 if (ctx->lookup_certs == NULL || ctx->store == NULL || 867 if (ctx->store == NULL || ctx->store->objs == NULL)
867 ctx->store->objs == NULL)
868 return NULL; 868 return NULL;
869 return lookup_cert_match(ctx, x); 869 return lookup_cert_match(ctx, x);
870} 870}
@@ -930,8 +930,8 @@ x509_vfy_check_trust(X509_STORE_CTX *ctx)
930 return check_trust(ctx); 930 return check_trust(ctx);
931} 931}
932 932
933static int 933int
934check_revocation(X509_STORE_CTX *ctx) 934x509_vfy_check_revocation(X509_STORE_CTX *ctx)
935{ 935{
936 int i, last, ok; 936 int i, last, ok;
937 937
@@ -953,12 +953,6 @@ check_revocation(X509_STORE_CTX *ctx)
953 return 1; 953 return 1;
954} 954}
955 955
956int
957x509_vfy_check_revocation(X509_STORE_CTX *ctx)
958{
959 return check_revocation(ctx);
960}
961
962static int 956static int
963check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth) 957check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
964{ 958{
@@ -983,15 +977,15 @@ check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
983 goto err; 977 goto err;
984 } 978 }
985 ctx->current_crl = crl; 979 ctx->current_crl = crl;
986 ok = ctx->check_crl(ctx, crl); 980 ok = x509_vfy_check_crl(ctx, crl);
987 if (!ok) 981 if (!ok)
988 goto err; 982 goto err;
989 983
990 if (dcrl) { 984 if (dcrl) {
991 ok = ctx->check_crl(ctx, dcrl); 985 ok = x509_vfy_check_crl(ctx, dcrl);
992 if (!ok) 986 if (!ok)
993 goto err; 987 goto err;
994 ok = ctx->cert_crl(ctx, dcrl, x); 988 ok = x509_vfy_cert_crl(ctx, dcrl, x);
995 if (!ok) 989 if (!ok)
996 goto err; 990 goto err;
997 } else 991 } else
@@ -999,7 +993,7 @@ check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
999 993
1000 /* Don't look in full CRL if delta reason is removefromCRL */ 994 /* Don't look in full CRL if delta reason is removefromCRL */
1001 if (ok != 2) { 995 if (ok != 2) {
1002 ok = ctx->cert_crl(ctx, crl, x); 996 ok = x509_vfy_cert_crl(ctx, crl, x);
1003 if (!ok) 997 if (!ok)
1004 goto err; 998 goto err;
1005 } 999 }
@@ -1553,7 +1547,7 @@ get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1553 goto done; 1547 goto done;
1554 1548
1555 /* Lookup CRLs from store */ 1549 /* Lookup CRLs from store */
1556 skcrl = ctx->lookup_crls(ctx, nm); 1550 skcrl = X509_STORE_CTX_get1_crls(ctx, nm);
1557 1551
1558 /* If no CRLs found and a near match from get_crl_sk use that */ 1552 /* If no CRLs found and a near match from get_crl_sk use that */
1559 if (!skcrl && crl) 1553 if (!skcrl && crl)
@@ -1580,7 +1574,7 @@ done:
1580 1574
1581/* Check CRL validity */ 1575/* Check CRL validity */
1582static int 1576static int
1583check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) 1577x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1584{ 1578{
1585 X509 *issuer = NULL; 1579 X509 *issuer = NULL;
1586 EVP_PKEY *ikey = NULL; 1580 EVP_PKEY *ikey = NULL;
@@ -1683,7 +1677,7 @@ err:
1683 1677
1684/* Check certificate against CRL */ 1678/* Check certificate against CRL */
1685static int 1679static int
1686cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) 1680x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1687{ 1681{
1688 int ok; 1682 int ok;
1689 X509_REVOKED *rev; 1683 X509_REVOKED *rev;
@@ -1750,12 +1744,6 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
1750 return 1; 1744 return 1;
1751} 1745}
1752 1746
1753static int
1754check_policy(X509_STORE_CTX *ctx)
1755{
1756 return x509_vfy_check_policy(ctx);
1757}
1758
1759/* 1747/*
1760 * Inform the verify callback of an error. 1748 * Inform the verify callback of an error.
1761 * 1749 *
@@ -2334,12 +2322,6 @@ X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *leaf,
2334 2322
2335 ctx->get_issuer = X509_STORE_CTX_get1_issuer; 2323 ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2336 ctx->check_issued = check_issued; 2324 ctx->check_issued = check_issued;
2337 ctx->check_revocation = check_revocation;
2338 ctx->check_crl = check_crl;
2339 ctx->cert_crl = cert_crl;
2340 ctx->check_policy = check_policy;
2341 ctx->lookup_certs = X509_STORE_CTX_get1_certs;
2342 ctx->lookup_crls = X509_STORE_CTX_get1_crls;
2343 2325
2344 ctx->param = X509_VERIFY_PARAM_new(); 2326 ctx->param = X509_VERIFY_PARAM_new();
2345 if (!ctx->param) { 2327 if (!ctx->param) {
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-02 22:00:26 +0000