From 7e187c94c34271d4b5fc5cb79fc0e129d0a63fa1 Mon Sep 17 00:00:00 2001 From: tedu <> Date: Fri, 18 Apr 2014 01:59:00 +0000 Subject: blunt force knf --- src/lib/libcrypto/x509/x509_vfy.c | 910 ++++++++++++++++---------------------- 1 file changed, 372 insertions(+), 538 deletions(-) (limited to 'src/lib/libcrypto/x509/x509_vfy.c') diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 077bfd8f2d..6e9dd7cc6a 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c @@ -139,19 +139,19 @@ const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; static int null_callback(int ok, X509_STORE_CTX *e) - { +{ return ok; - } +} #if 0 static int x509_subject_cmp(X509 **a, X509 **b) - { +{ return X509_subject_name_cmp(*a,*b); - } +} #endif int X509_verify_cert(X509_STORE_CTX *ctx) - { +{ X509 *x,*xtmp,*chain_ss=NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; @@ -159,43 +159,38 @@ int X509_verify_cert(X509_STORE_CTX *ctx) int num; int (*cb)(int xok,X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp=NULL; - if (ctx->cert == NULL) - { + if (ctx->cert == NULL) { X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; - } + } cb=ctx->verify_cb; /* first we make sure the chain we are going to build is * present and that the first entry is in place */ - if (ctx->chain == NULL) - { + if (ctx->chain == NULL) { if ( ((ctx->chain=sk_X509_new_null()) == NULL) || - (!sk_X509_push(ctx->chain,ctx->cert))) - { + (!sk_X509_push(ctx->chain,ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; - } + } CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); ctx->last_untrusted=1; - } + } /* We use a temporary STACK so we can chop and hack at it */ if (ctx->untrusted != NULL - && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) - { + && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; - } + } num=sk_X509_num(ctx->chain); x=sk_X509_value(ctx->chain,num-1); depth=param->depth; - for (;;) - { + for (;;) { /* If we have enough, we break */ if (depth < num) break; /* FIXME: If this happens, we should take * note of it and, if appropriate, use the @@ -207,16 +202,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (ctx->check_issued(ctx, x,x)) break; /* If we were passed a cert chain, use it first */ - if (ctx->untrusted != NULL) - { + if (ctx->untrusted != NULL) { xtmp=find_issuer(ctx, sktmp,x); - if (xtmp != NULL) - { - if (!sk_X509_push(ctx->chain,xtmp)) - { + if (xtmp != NULL) { + if (!sk_X509_push(ctx->chain,xtmp)) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; - } + } CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); (void)sk_X509_delete_ptr(sktmp,xtmp); ctx->last_untrusted++; @@ -225,10 +217,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* reparse the full chain for * the next one */ continue; - } } - break; } + break; + } /* at this point, chain should contain a list of untrusted * certificates. We now need to add at least one trusted one, @@ -240,18 +232,15 @@ int X509_verify_cert(X509_STORE_CTX *ctx) i=sk_X509_num(ctx->chain); x=sk_X509_value(ctx->chain,i-1); - if (ctx->check_issued(ctx, x, x)) - { + if (ctx->check_issued(ctx, x, x)) { /* we have a self signed certificate */ - if (sk_X509_num(ctx->chain) == 1) - { + if (sk_X509_num(ctx->chain) == 1) { /* We have a single self signed certificate: see if * we can find it in the store. We must have an exact * match to avoid possible impersonation. */ ok = ctx->get_issuer(&xtmp, ctx, x); - if ((ok <= 0) || X509_cmp(x, xtmp)) - { + if ((ok <= 0) || X509_cmp(x, xtmp)) { ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; ctx->current_cert=x; ctx->error_depth=i-1; @@ -259,9 +248,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) bad_chain = 1; ok=cb(0,ctx); if (!ok) goto end; - } - else - { + } else { /* We have a match: replace certificate with store version * so we get any trust settings. */ @@ -269,21 +256,18 @@ int X509_verify_cert(X509_STORE_CTX *ctx) x = xtmp; (void)sk_X509_set(ctx->chain, i - 1, x); ctx->last_untrusted=0; - } } - else - { + } else { /* extract and save self signed certificate for later use */ chain_ss=sk_X509_pop(ctx->chain); ctx->last_untrusted--; num--; x=sk_X509_value(ctx->chain,num-1); - } } + } /* We now lookup certs from the certificate store */ - for (;;) - { + for (;;) { /* If we have enough, we break */ if (depth < num) break; @@ -296,30 +280,25 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (ok == 0) break; x = xtmp; - if (!sk_X509_push(ctx->chain,x)) - { + if (!sk_X509_push(ctx->chain,x)) { X509_free(xtmp); X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); return 0; - } - num++; } + num++; + } /* we now have our chain, lets check it... */ /* Is last certificate looked up self signed? */ - if (!ctx->check_issued(ctx,x,x)) - { - if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) - { + if (!ctx->check_issued(ctx,x,x)) { + if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num) ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; else ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; ctx->current_cert=x; - } - else - { + } else { sk_X509_push(ctx->chain,chain_ss); num++; @@ -327,13 +306,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx) ctx->current_cert=chain_ss; ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; chain_ss=NULL; - } + } ctx->error_depth=num-1; bad_chain = 1; ok=cb(0,ctx); if (!ok) goto end; - } + } /* We have the chain complete: now we need to check its purpose */ ok = check_chain_extensions(ctx); @@ -381,15 +360,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) ok = ctx->check_policy(ctx); if(!ok) goto end; - if (0) - { + if (0) { end: X509_get_pubkey_parameters(NULL,ctx->chain); - } + } if (sktmp != NULL) sk_X509_free(sktmp); if (chain_ss != NULL) X509_free(chain_ss); return ok; - } +} /* Given a STACK_OF(X509) find the issuer of cert (if any) @@ -399,12 +377,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { int i; X509 *issuer; - for (i = 0; i < sk_X509_num(sk); i++) - { + for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); if (ctx->check_issued(ctx, x, issuer)) return issuer; - } + } return NULL; } @@ -431,12 +408,10 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { *issuer = find_issuer(ctx, ctx->other_ctx, x); - if (*issuer) - { + if (*issuer) { CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); return 1; - } - else + } else return 0; } @@ -469,13 +444,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) must_be_ca = -1; /* CRL path validation */ - if (ctx->parent) - { + if (ctx->parent) { allow_proxy_certs = 0; purpose = X509_PURPOSE_CRL_SIGN; - } - else - { + } else { allow_proxy_certs = !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); /* A hack to keep people who don't want to modify their @@ -483,96 +455,82 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) allow_proxy_certs = 1; purpose = ctx->param->purpose; - } + } /* Check all untrusted certificates */ - for (i = 0; i < ctx->last_untrusted; i++) - { + for (i = 0; i < ctx->last_untrusted; i++) { int ret; x = sk_X509_value(ctx->chain, i); if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (x->ex_flags & EXFLAG_CRITICAL)) - { + && (x->ex_flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } - if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) - { + } + if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } + } ret = X509_check_ca(x); - switch(must_be_ca) - { + switch(must_be_ca) { case -1: if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1) && (ret != 0)) - { + && (ret != 1) && (ret != 0)) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; - } - else + } else ret = 1; break; case 0: - if (ret != 0) - { + if (ret != 0) { ret = 0; ctx->error = X509_V_ERR_INVALID_NON_CA; - } - else + } else ret = 1; break; default: if ((ret == 0) || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) - { + && (ret != 1))) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; - } - else + } else ret = 1; break; - } - if (ret == 0) - { + } + if (ret == 0) { ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } - if (ctx->param->purpose > 0) - { + } + if (ctx->param->purpose > 0) { ret = X509_check_purpose(x, purpose, must_be_ca > 0); if ((ret == 0) || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) - { + && (ret != 1))) { ctx->error = X509_V_ERR_INVALID_PURPOSE; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } } + } /* Check pathlen if not self issued */ if ((i > 1) && !(x->ex_flags & EXFLAG_SI) && (x->ex_pathlen != -1) - && (plen > (x->ex_pathlen + proxy_path_length + 1))) - { + && (plen > (x->ex_pathlen + proxy_path_length + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } + } /* Increment path length if not self issued */ if (!(x->ex_flags & EXFLAG_SI)) plen++; @@ -580,23 +538,20 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) certificate must be another proxy certificate or a EE certificate. If not, the next certificate must be a CA certificate. */ - if (x->ex_flags & EXFLAG_PROXY) - { - if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) - { + if (x->ex_flags & EXFLAG_PROXY) { + if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } + } proxy_path_length++; must_be_ca = 0; - } - else + } else must_be_ca = 1; - } + } ok = 1; end: return ok; @@ -604,12 +559,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) } static int check_name_constraints(X509_STORE_CTX *ctx) - { +{ X509 *x; int i, j, rv; /* Check name constraints for all certificates */ - for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) - { + for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { x = sk_X509_value(ctx->chain, i); /* Ignore self issued certs unless last in chain */ if (i && (x->ex_flags & EXFLAG_SI)) @@ -619,25 +573,22 @@ static int check_name_constraints(X509_STORE_CTX *ctx) * speaking needed but if it includes constraints it is to be * assumed it expects them to be obeyed. */ - for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) - { + for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) { NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; - if (nc) - { + if (nc) { rv = NAME_CONSTRAINTS_check(x, nc); - if (rv != X509_V_OK) - { + if (rv != X509_V_OK) { ctx->error = rv; ctx->error_depth = i; ctx->current_cert = x; if (!ctx->verify_cb(0,ctx)) return 0; - } } } } - return 1; } + return 1; +} static int check_trust(X509_STORE_CTX *ctx) { @@ -666,30 +617,27 @@ static int check_trust(X509_STORE_CTX *ctx) } static int check_revocation(X509_STORE_CTX *ctx) - { +{ int i, last, ok; if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) return 1; if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) last = sk_X509_num(ctx->chain) - 1; - else - { + else { /* If checking CRL paths this isn't the EE certificate */ if (ctx->parent) return 1; last = 0; - } - for(i = 0; i <= last; i++) - { + } + for(i = 0; i <= last; i++) { ctx->error_depth = i; ok = check_cert(ctx); if (!ok) return ok; - } - return 1; } + return 1; +} -static int check_cert(X509_STORE_CTX *ctx) - { +static int check_cert(X509_STORE_CTX *ctx) { X509_CRL *crl = NULL, *dcrl = NULL; X509 *x; int ok, cnum; @@ -700,8 +648,7 @@ static int check_cert(X509_STORE_CTX *ctx) ctx->current_issuer = NULL; ctx->current_crl_score = 0; ctx->current_reasons = 0; - while (ctx->current_reasons != CRLDP_ALL_REASONS) - { + while (ctx->current_reasons != CRLDP_ALL_REASONS) { last_reasons = ctx->current_reasons; /* Try to retrieve relevant CRL */ if (ctx->get_crl) @@ -711,36 +658,32 @@ static int check_cert(X509_STORE_CTX *ctx) /* If error looking up CRL, nothing we can do except * notify callback */ - if(!ok) - { + if(!ok) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; ok = ctx->verify_cb(0, ctx); goto err; - } + } ctx->current_crl = crl; ok = ctx->check_crl(ctx, crl); if (!ok) goto err; - if (dcrl) - { + if (dcrl) { ok = ctx->check_crl(ctx, dcrl); if (!ok) goto err; ok = ctx->cert_crl(ctx, dcrl, x); if (!ok) goto err; - } - else + } else ok = 1; /* Don't look in full CRL if delta reason is removefromCRL */ - if (ok != 2) - { + if (ok != 2) { ok = ctx->cert_crl(ctx, crl, x); if (!ok) goto err; - } + } X509_CRL_free(crl); X509_CRL_free(dcrl); @@ -749,26 +692,25 @@ static int check_cert(X509_STORE_CTX *ctx) /* If reasons not updated we wont get anywhere by * another iteration, so exit loop. */ - if (last_reasons == ctx->current_reasons) - { + if (last_reasons == ctx->current_reasons) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; ok = ctx->verify_cb(0, ctx); goto err; - } } - err: + } +err: X509_CRL_free(crl); X509_CRL_free(dcrl); ctx->current_crl = NULL; return ok; - } +} /* Check CRL times against values in X509_STORE_CTX */ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) - { +{ time_t *ptime; int i; if (notify) @@ -779,80 +721,72 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) ptime = NULL; i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); - if (i == 0) - { + if (i == 0) { if (!notify) return 0; ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if (i > 0) - { + if (i > 0) { if (!notify) return 0; ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if(X509_CRL_get_nextUpdate(crl)) - { + if(X509_CRL_get_nextUpdate(crl)) { i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); - if (i == 0) - { + if (i == 0) { if (!notify) return 0; ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; if (!ctx->verify_cb(0, ctx)) return 0; - } + } /* Ignore expiry of base CRL is delta is valid */ - if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) - { + if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { if (!notify) return 0; ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; if (!ctx->verify_cb(0, ctx)) return 0; - } } + } if (notify) ctx->current_crl = NULL; return 1; - } +} static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 **pissuer, int *pscore, unsigned int *preasons, STACK_OF(X509_CRL) *crls) - { +{ int i, crl_score, best_score = *pscore; unsigned int reasons, best_reasons = 0; X509 *x = ctx->current_cert; X509_CRL *crl, *best_crl = NULL; X509 *crl_issuer = NULL, *best_crl_issuer = NULL; - for (i = 0; i < sk_X509_CRL_num(crls); i++) - { + for (i = 0; i < sk_X509_CRL_num(crls); i++) { crl = sk_X509_CRL_value(crls, i); reasons = *preasons; crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); - if (crl_score > best_score) - { + if (crl_score > best_score) { best_crl = crl; best_crl_issuer = crl_issuer; best_score = crl_score; best_reasons = reasons; - } } + } - if (best_crl) - { + if (best_crl) { if (*pcrl) X509_CRL_free(*pcrl); *pcrl = best_crl; @@ -860,49 +794,44 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, *pscore = best_score; *preasons = best_reasons; CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); - if (*pdcrl) - { + if (*pdcrl) { X509_CRL_free(*pdcrl); *pdcrl = NULL; - } - get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); } + get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); + } if (best_score >= CRL_SCORE_VALID) return 1; return 0; - } +} /* Compare two CRL extensions for delta checking purposes. They should be * both present or both absent. If both present all fields must be identical. */ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) - { +{ ASN1_OCTET_STRING *exta, *extb; int i; i = X509_CRL_get_ext_by_NID(a, nid, -1); - if (i >= 0) - { + if (i >= 0) { /* Can't have multiple occurrences */ if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) return 0; exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); - } - else + } else exta = NULL; i = X509_CRL_get_ext_by_NID(b, nid, -1); - if (i >= 0) - { + if (i >= 0) { if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) return 0; extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); - } - else + } else extb = NULL; if (!exta && !extb) @@ -916,12 +845,12 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) return 0; return 1; - } +} /* See if a base and delta are compatible */ static int check_delta_base(X509_CRL *delta, X509_CRL *base) - { +{ /* Delta CRL must be a delta */ if (!delta->base_crl_number) return 0; @@ -944,7 +873,7 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base) if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) return 1; return 0; - } +} /* For a given base CRL find a delta... maybe extend to delta scoring * or retrieve a chain of deltas... @@ -952,27 +881,25 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base) static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base, STACK_OF(X509_CRL) *crls) - { +{ X509_CRL *delta; int i; if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) return; if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) return; - for (i = 0; i < sk_X509_CRL_num(crls); i++) - { + for (i = 0; i < sk_X509_CRL_num(crls); i++) { delta = sk_X509_CRL_value(crls, i); - if (check_delta_base(delta, base)) - { + if (check_delta_base(delta, base)) { if (check_crl_time(ctx, delta, 0)) *pscore |= CRL_SCORE_TIME_DELTA; CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); *dcrl = delta; return; - } } - *dcrl = NULL; } + *dcrl = NULL; +} /* For a given CRL return how suitable it is for the supplied certificate 'x'. * The return value is a mask of several criteria. @@ -984,7 +911,7 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, X509_CRL *crl, X509 *x) - { +{ int crl_score = 0; unsigned int tmp_reasons = *preasons, crl_reasons; @@ -995,27 +922,22 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, if (crl->idp_flags & IDP_INVALID) return 0; /* Reason codes or indirect CRLs need extended CRL support */ - if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) - { + if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) { if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) return 0; - } - else if (crl->idp_flags & IDP_REASONS) - { + } else if (crl->idp_flags & IDP_REASONS) { /* If no new reasons reject */ if (!(crl->idp_reasons & ~tmp_reasons)) return 0; - } + } /* Don't process deltas at this stage */ else if (crl->base_crl_number) return 0; /* If issuer name doesn't match certificate need indirect CRL */ - if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) - { + if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) { if (!(crl->idp_flags & IDP_INDIRECT)) return 0; - } - else + } else crl_score |= CRL_SCORE_ISSUER_NAME; if (!(crl->flags & EXFLAG_CRITICAL)) @@ -1035,24 +957,23 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, /* Check cert for matching CRL distribution points */ - if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) - { + if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) { /* If no new reasons reject */ if (!(crl_reasons & ~tmp_reasons)) return 0; tmp_reasons |= crl_reasons; crl_score |= CRL_SCORE_SCOPE; - } + } *preasons = tmp_reasons; return crl_score; - } +} static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, int *pcrl_score) - { +{ X509 *crl_issuer = NULL; X509_NAME *cnm = X509_CRL_get_issuer(crl); int cidx = ctx->error_depth; @@ -1063,28 +984,24 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, crl_issuer = sk_X509_value(ctx->chain, cidx); - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) - { - if (*pcrl_score & CRL_SCORE_ISSUER_NAME) - { + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { + if (*pcrl_score & CRL_SCORE_ISSUER_NAME) { *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; *pissuer = crl_issuer; return; - } } + } - for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) - { + for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) { crl_issuer = sk_X509_value(ctx->chain, cidx); if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) continue; - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) - { + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; *pissuer = crl_issuer; return; - } } + } /* Anything else needs extended CRL support */ @@ -1094,19 +1011,17 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, /* Otherwise the CRL issuer is not on the path. Look for it in the * set of untrusted certificates. */ - for (i = 0; i < sk_X509_num(ctx->untrusted); i++) - { + for (i = 0; i < sk_X509_num(ctx->untrusted); i++) { crl_issuer = sk_X509_value(ctx->untrusted, i); if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) continue; - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) - { + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { *pissuer = crl_issuer; *pcrl_score |= CRL_SCORE_AKID; return; - } } } +} /* Check the path of a CRL issuer certificate. This creates a new * X509_STORE_CTX and populates it with most of the parameters from the @@ -1116,7 +1031,7 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, */ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) - { +{ X509_STORE_CTX crl_ctx; int ret; /* Don't allow recursive CRL path validation */ @@ -1144,7 +1059,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) err: X509_STORE_CTX_cleanup(&crl_ctx); return ret; - } +} /* RFC3280 says nothing about the relationship between CRL path * and certificate path, which could lead to situations where a @@ -1157,14 +1072,14 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, STACK_OF(X509) *crl_path) - { +{ X509 *cert_ta, *crl_ta; cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); if (!X509_cmp(cert_ta, crl_ta)) return 1; return 0; - } +} /* Check for match between two dist point names: three separate cases. * 1. Both are relative names and compare X509_NAME types. @@ -1175,125 +1090,110 @@ static int check_crl_chain(X509_STORE_CTX *ctx, static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) - { +{ X509_NAME *nm = NULL; GENERAL_NAMES *gens = NULL; GENERAL_NAME *gena, *genb; int i, j; if (!a || !b) return 1; - if (a->type == 1) - { + if (a->type == 1) { if (!a->dpname) return 0; /* Case 1: two X509_NAME */ - if (b->type == 1) - { + if (b->type == 1) { if (!b->dpname) return 0; if (!X509_NAME_cmp(a->dpname, b->dpname)) return 1; else return 0; - } + } /* Case 2: set name and GENERAL_NAMES appropriately */ nm = a->dpname; gens = b->name.fullname; - } - else if (b->type == 1) - { + } else if (b->type == 1) { if (!b->dpname) return 0; /* Case 2: set name and GENERAL_NAMES appropriately */ gens = a->name.fullname; nm = b->dpname; - } + } /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ - if (nm) - { - for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) - { + if (nm) { + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { gena = sk_GENERAL_NAME_value(gens, i); if (gena->type != GEN_DIRNAME) continue; if (!X509_NAME_cmp(nm, gena->d.directoryName)) return 1; - } - return 0; } + return 0; + } /* Else case 3: two GENERAL_NAMES */ - for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) - { + for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) { gena = sk_GENERAL_NAME_value(a->name.fullname, i); - for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) - { + for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) { genb = sk_GENERAL_NAME_value(b->name.fullname, j); if (!GENERAL_NAME_cmp(gena, genb)) return 1; - } } + } return 0; - } +} static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) - { +{ int i; X509_NAME *nm = X509_CRL_get_issuer(crl); /* If no CRLissuer return is successful iff don't need a match */ if (!dp->CRLissuer) return !!(crl_score & CRL_SCORE_ISSUER_NAME); - for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) - { + for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); if (gen->type != GEN_DIRNAME) continue; if (!X509_NAME_cmp(gen->d.directoryName, nm)) return 1; - } - return 0; } + return 0; +} /* Check CRLDP and IDP */ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons) - { +{ int i; if (crl->idp_flags & IDP_ONLYATTR) return 0; - if (x->ex_flags & EXFLAG_CA) - { + if (x->ex_flags & EXFLAG_CA) { if (crl->idp_flags & IDP_ONLYUSER) return 0; - } - else - { + } else { if (crl->idp_flags & IDP_ONLYCA) return 0; - } + } *preasons = crl->idp_reasons; - for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) - { + for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); - if (crldp_check_crlissuer(dp, crl, crl_score)) - { + if (crldp_check_crlissuer(dp, crl, crl_score)) { if (!crl->idp || - idp_check_dp(dp->distpoint, crl->idp->distpoint)) - { + idp_check_dp(dp->distpoint, crl->idp->distpoint)) { *preasons &= dp->dp_reasons; return 1; - } } } + } if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) return 1; return 0; - } +} /* Retrieve CRL corresponding to current certificate. * If deltas enabled try to find a delta CRL too @@ -1301,7 +1201,7 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) - { +{ int ok; X509 *issuer = NULL; int crl_score = 0; @@ -1331,129 +1231,113 @@ static int get_crl_delta(X509_STORE_CTX *ctx, done: /* If we got any kind of CRL use it and return success */ - if (crl) - { + if (crl) { ctx->current_issuer = issuer; ctx->current_crl_score = crl_score; ctx->current_reasons = reasons; *pcrl = crl; *pdcrl = dcrl; return 1; - } + } return 0; - } +} /* Check CRL validity */ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) - { +{ X509 *issuer = NULL; EVP_PKEY *ikey = NULL; int ok = 0, chnum, cnum; cnum = ctx->error_depth; chnum = sk_X509_num(ctx->chain) - 1; /* if we have an alternative CRL issuer cert use that */ - if (ctx->current_issuer) + if (ctx->current_issuer) { issuer = ctx->current_issuer; - - /* Else find CRL issuer: if not last certificate then issuer - * is next certificate in chain. - */ - else if (cnum < chnum) + } else if (cnum < chnum) { + /* Else find CRL issuer: if not last certificate then issuer + * is next certificate in chain. + */ issuer = sk_X509_value(ctx->chain, cnum + 1); - else - { + } else { issuer = sk_X509_value(ctx->chain, chnum); /* If not self signed, can't check signature */ - if(!ctx->check_issued(ctx, issuer, issuer)) - { + if(!ctx->check_issued(ctx, issuer, issuer)) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } } + } - if(issuer) - { + if(issuer) { /* Skip most tests for deltas because they have already * been done */ - if (!crl->base_crl_number) - { + if (!crl->base_crl_number) { /* Check for cRLSign bit if keyUsage present */ if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN)) - { + !(issuer->ex_kusage & KU_CRL_SIGN)) { ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } + } - if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) - { + if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } + } - if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) - { - if (check_crl_path(ctx, ctx->current_issuer) <= 0) - { + if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { + if (check_crl_path(ctx, ctx->current_issuer) <= 0) { ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } } + } - if (crl->idp_flags & IDP_INVALID) - { + if (crl->idp_flags & IDP_INVALID) { ctx->error = X509_V_ERR_INVALID_EXTENSION; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } + } - } + } - if (!(ctx->current_crl_score & CRL_SCORE_TIME)) - { + if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { ok = check_crl_time(ctx, crl, 1); if (!ok) goto err; - } + } /* Attempt to get issuer certificate public key */ ikey = X509_get_pubkey(issuer); - if(!ikey) - { + if(!ikey) { ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; - } - else - { + } else { /* Verify CRL signature */ - if(X509_CRL_verify(crl, ikey) <= 0) - { + if(X509_CRL_verify(crl, ikey) <= 0) { ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; - } } } + } ok = 1; - err: +err: EVP_PKEY_free(ikey); return ok; - } +} /* Check certificate against CRL */ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) - { +{ int ok; X509_REVOKED *rev; /* The rules changed for this... previously if a CRL contained @@ -1462,51 +1346,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) * critical extension can change the meaning of CRL entries. */ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (crl->flags & EXFLAG_CRITICAL)) - { + && (crl->flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; ok = ctx->verify_cb(0, ctx); if(!ok) return 0; - } + } /* Look for serial number of certificate in CRL * If found make sure reason is not removeFromCRL. */ - if (X509_CRL_get0_by_cert(crl, &rev, x)) - { + if (X509_CRL_get0_by_cert(crl, &rev, x)) { if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) return 2; ctx->error = X509_V_ERR_CERT_REVOKED; ok = ctx->verify_cb(0, ctx); if (!ok) return 0; - } + } return 1; - } +} static int check_policy(X509_STORE_CTX *ctx) - { +{ int ret; if (ctx->parent) return 1; ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, ctx->param->policies, ctx->param->flags); - if (ret == 0) - { + if (ret == 0) { X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); return 0; - } + } /* Invalid or inconsistent extensions */ - if (ret == -1) - { + if (ret == -1) { /* Locate certificates with bad extensions and notify * callback. */ X509 *x; int i; - for (i = 1; i < sk_X509_num(ctx->chain); i++) - { + for (i = 1; i < sk_X509_num(ctx->chain); i++) { x = sk_X509_value(ctx->chain, i); if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) continue; @@ -1514,29 +1393,27 @@ static int check_policy(X509_STORE_CTX *ctx) ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; if(!ctx->verify_cb(0, ctx)) return 0; - } - return 1; } - if (ret == -2) - { + return 1; + } + if (ret == -2) { ctx->current_cert = NULL; ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; return ctx->verify_cb(0, ctx); - } + } - if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) - { + if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { ctx->current_cert = NULL; ctx->error = X509_V_OK; if (!ctx->verify_cb(2, ctx)) return 0; - } + } return 1; - } +} static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) - { +{ time_t *ptime; int i; @@ -1546,44 +1423,40 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) ptime = NULL; i=X509_cmp_time(X509_get_notBefore(x), ptime); - if (i == 0) - { + if (i == 0) { ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if (i > 0) - { + if (i > 0) { ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } i=X509_cmp_time(X509_get_notAfter(x), ptime); - if (i == 0) - { + if (i == 0) { ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if (i < 0) - { + if (i < 0) { ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } return 1; - } +} static int internal_verify(X509_STORE_CTX *ctx) - { +{ int ok=0,n; X509 *xs,*xi; EVP_PKEY *pkey=NULL; @@ -1598,55 +1471,45 @@ static int internal_verify(X509_STORE_CTX *ctx) if (ctx->check_issued(ctx, xi, xi)) xs=xi; - else - { - if (n <= 0) - { + else { + if (n <= 0) { ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; ctx->current_cert=xi; ok=cb(0,ctx); goto end; - } - else - { + } else { n--; ctx->error_depth=n; xs=sk_X509_value(ctx->chain,n); - } } + } /* ctx->error=0; not needed */ - while (n >= 0) - { + while (n >= 0) { ctx->error_depth=n; /* Skip signature check for self signed certificates unless * explicitly asked for. It doesn't add any security and * just wastes time. */ - if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) - { - if ((pkey=X509_get_pubkey(xi)) == NULL) - { + if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { + if ((pkey=X509_get_pubkey(xi)) == NULL) { ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ctx->current_cert=xi; ok=(*cb)(0,ctx); if (!ok) goto end; - } - else if (X509_verify(xs,pkey) <= 0) - { + } else if (X509_verify(xs,pkey) <= 0) { ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; ctx->current_cert=xs; ok=(*cb)(0,ctx); - if (!ok) - { + if (!ok) { EVP_PKEY_free(pkey); goto end; - } } + } EVP_PKEY_free(pkey); pkey=NULL; - } + } xs->valid = 1; @@ -1661,16 +1524,15 @@ static int internal_verify(X509_STORE_CTX *ctx) if (!ok) goto end; n--; - if (n >= 0) - { + if (n >= 0) { xi=xs; xs=sk_X509_value(ctx->chain,n); - } } + } ok=1; end: return ok; - } +} int X509_cmp_current_time(const ASN1_TIME *ctm) { @@ -1678,7 +1540,7 @@ int X509_cmp_current_time(const ASN1_TIME *ctm) } int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) - { +{ char *str; ASN1_TIME atm; long offset; @@ -1688,49 +1550,44 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) p=buff1; i=ctm->length; str=(char *)ctm->data; - if (ctm->type == V_ASN1_UTCTIME) - { + if (ctm->type == V_ASN1_UTCTIME) { if ((i < 11) || (i > 17)) return 0; memcpy(p,str,10); p+=10; str+=10; - } - else - { + } else { if (i < 13) return 0; memcpy(p,str,12); p+=12; str+=12; - } + } - if ((*str == 'Z') || (*str == '-') || (*str == '+')) - { *(p++)='0'; *(p++)='0'; } - else - { + if ((*str == 'Z') || (*str == '-') || (*str == '+')) { + *(p++)='0'; + *(p++)='0'; + } else { *(p++)= *(str++); *(p++)= *(str++); /* Skip any fractional seconds... */ - if (*str == '.') - { + if (*str == '.') { str++; while ((*str >= '0') && (*str <= '9')) str++; - } - } + + } *(p++)='Z'; *(p++)='\0'; if (*str == 'Z') offset=0; - else - { + else { if ((*str != '+') && (*str != '-')) return 0; offset=((str[1]-'0')*10+(str[2]-'0'))*60; offset+=(str[3]-'0')*10+(str[4]-'0'); if (*str == '-') offset= -offset; - } + } atm.type=ctm->type; atm.flags = 0; atm.length=sizeof(buff2); @@ -1739,8 +1596,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) return 0; - if (ctm->type == V_ASN1_UTCTIME) - { + if (ctm->type == V_ASN1_UTCTIME) { i=(buff1[0]-'0')*10+(buff1[1]-'0'); if (i < 50) i+=100; /* cf. RFC 2459 */ j=(buff2[0]-'0')*10+(buff2[1]-'0'); @@ -1748,13 +1604,13 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) if (i < j) return -1; if (i > j) return 1; - } + } i=strcmp(buff1,buff2); if (i == 0) /* wait a second then return younger :-) */ return -1; else return i; - } +} ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) { @@ -1762,168 +1618,161 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) } ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) - { +{ return X509_time_adj_ex(s, 0, offset_sec, in_tm); - } +} ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm) - { +{ time_t t; if (in_tm) t = *in_tm; else time(&t); - if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) - { + if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) { if (s->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); if (s->type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec); - } - return ASN1_TIME_adj(s, t, offset_day, offset_sec); } + return ASN1_TIME_adj(s, t, offset_day, offset_sec); +} int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) - { +{ EVP_PKEY *ktmp=NULL,*ktmp2; int i,j; if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; - for (i=0; i= 0; j--) - { + for (j=i-1; j >= 0; j--) { ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); EVP_PKEY_copy_parameters(ktmp2,ktmp); EVP_PKEY_free(ktmp2); - } + } if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); EVP_PKEY_free(ktmp); return 1; - } +} int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) - { +{ /* This function is (usually) called only once, by * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, new_func, dup_func, free_func); - } +} int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) - { +{ return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); - } +} void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) - { +{ return CRYPTO_get_ex_data(&ctx->ex_data,idx); - } +} int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) - { +{ return ctx->error; - } +} void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) - { +{ ctx->error=err; - } +} int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) - { +{ return ctx->error_depth; - } +} X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) - { +{ return ctx->current_cert; - } +} STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) - { +{ return ctx->chain; - } +} STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) - { +{ int i; X509 *x; STACK_OF(X509) *chain; if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; - for (i = 0; i < sk_X509_num(chain); i++) - { + for (i = 0; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); - } - return chain; } + return chain; +} X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) - { +{ return ctx->current_issuer; - } +} X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) - { +{ return ctx->current_crl; - } +} X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) - { +{ return ctx->parent; - } +} void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) - { +{ ctx->cert=x; - } +} void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) - { +{ ctx->untrusted=sk; - } +} void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) - { +{ ctx->crls=sk; - } +} int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) - { +{ return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); - } +} int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) - { +{ return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); - } +} /* This function is used to set the X509_STORE_CTX purpose and trust * values. This is intended to be used when another structure has its @@ -1942,41 +1791,35 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, /* If purpose not set use default */ if (!purpose) purpose = def_purpose; /* If we have a purpose then check it is valid */ - if (purpose) - { + if (purpose) { X509_PURPOSE *ptmp; idx = X509_PURPOSE_get_by_id(purpose); - if (idx == -1) - { + if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_PURPOSE_ID); return 0; - } + } ptmp = X509_PURPOSE_get0(idx); - if (ptmp->trust == X509_TRUST_DEFAULT) - { + if (ptmp->trust == X509_TRUST_DEFAULT) { idx = X509_PURPOSE_get_by_id(def_purpose); - if (idx == -1) - { + if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_PURPOSE_ID); return 0; - } - ptmp = X509_PURPOSE_get0(idx); } + ptmp = X509_PURPOSE_get0(idx); + } /* If trust not set then get from purpose default */ if (!trust) trust = ptmp->trust; - } - if (trust) - { + } + if (trust) { idx = X509_TRUST_get_by_id(trust); - if (idx == -1) - { + if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_TRUST_ID); return 0; - } } + } if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; if (trust && !ctx->param->trust) ctx->param->trust = trust; @@ -1987,11 +1830,10 @@ X509_STORE_CTX *X509_STORE_CTX_new(void) { X509_STORE_CTX *ctx; ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX)); - if (!ctx) - { + if (!ctx) { X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); return NULL; - } + } memset(ctx, 0, sizeof(X509_STORE_CTX)); return ctx; } @@ -2004,7 +1846,7 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx) int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain) - { +{ int ret = 1; ctx->ctx=store; ctx->current_method=0; @@ -2028,11 +1870,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->param = X509_VERIFY_PARAM_new(); - if (!ctx->param) - { + if (!ctx->param) { X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); return 0; - } + } /* Inherit callbacks and flags from X509_STORE if not set * use defaults. @@ -2044,23 +1885,20 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, else ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; - if (store) - { + if (store) { ctx->verify_cb = store->verify_cb; ctx->cleanup = store->cleanup; - } - else + } else ctx->cleanup = 0; if (ret) ret = X509_VERIFY_PARAM_inherit(ctx->param, X509_VERIFY_PARAM_lookup("default")); - if (ret == 0) - { + if (ret == 0) { X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); return 0; - } + } if (store && store->check_issued) ctx->check_issued = store->check_issued; @@ -2120,14 +1958,13 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, * corresponding "new" here and remove this bogus initialisation. */ /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, - &(ctx->ex_data))) - { + &(ctx->ex_data))) { free(ctx); X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); return 0; - } - return 1; } + return 1; +} /* Set alternative lookup method: just a STACK of trusted certificates. * This avoids X509_STORE nastiness where it isn't needed. @@ -2140,79 +1977,76 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) } void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) - { +{ if (ctx->cleanup) ctx->cleanup(ctx); - if (ctx->param != NULL) - { + if (ctx->param != NULL) { if (ctx->parent == NULL) X509_VERIFY_PARAM_free(ctx->param); ctx->param=NULL; - } - if (ctx->tree != NULL) - { + } + if (ctx->tree != NULL) { X509_policy_tree_free(ctx->tree); ctx->tree=NULL; - } - if (ctx->chain != NULL) - { + } + if (ctx->chain != NULL) { sk_X509_pop_free(ctx->chain,X509_free); ctx->chain=NULL; - } + } CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); - } +} void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) - { +{ X509_VERIFY_PARAM_set_depth(ctx->param, depth); - } +} void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) - { +{ X509_VERIFY_PARAM_set_flags(ctx->param, flags); - } +} void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) - { +{ X509_VERIFY_PARAM_set_time(ctx->param, t); - } +} void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)) - { +{ ctx->verify_cb=verify_cb; - } +} X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) - { +{ return ctx->tree; - } +} int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) - { +{ return ctx->explicit_policy; - } +} int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) - { +{ const X509_VERIFY_PARAM *param; param = X509_VERIFY_PARAM_lookup(name); if (!param) return 0; return X509_VERIFY_PARAM_inherit(ctx->param, param); - } +} X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) - { +{ return ctx->param; - } +} void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) - { +{ if (ctx->param) X509_VERIFY_PARAM_free(ctx->param); ctx->param = param; - } +} IMPLEMENT_STACK_OF(X509) IMPLEMENT_ASN1_SET_OF(X509) -- cgit v1.2.3-55-g6feb