diff options
| author | Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> | 2017-09-13 12:09:40 -0700 |
|---|---|---|
| committer | Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> | 2017-09-13 12:09:40 -0700 |
| commit | b6f94dbeacfc6f0a507413096189304c58dbe66c (patch) | |
| tree | bce8c7db22209078618294c51d95a0c033aec7d9 /Cryptlib/OpenSSL/crypto/x509 | |
| parent | 25f7fd1fb389a5f6356f353d16c5ead80dac6bbc (diff) | |
| download | efi-boot-shim-upstream/13_git1505328970.9c1c35c5.tar.gz efi-boot-shim-upstream/13_git1505328970.9c1c35c5.zip | |
New upstream version 13~git1505328970.9c1c35c5upstream/13_git1505328970.9c1c35c5
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/x509')
37 files changed, 2834 insertions, 6129 deletions
diff --git a/Cryptlib/OpenSSL/crypto/x509/by_dir.c b/Cryptlib/OpenSSL/crypto/x509/by_dir.c deleted file mode 100644 index f3a1f054..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/by_dir.c +++ /dev/null @@ -1,388 +0,0 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include <time.h> -#include <errno.h> - -#include "internal/cryptlib.h" - -#ifndef NO_SYS_TYPES_H -# include <sys/types.h> -#endif -#ifndef OPENSSL_NO_POSIX_IO -# include <sys/stat.h> -#endif - - -#include <openssl/lhash.h> -#include <openssl/x509.h> -#include "internal/x509_int.h" -#include "x509_lcl.h" - -struct lookup_dir_hashes_st { - unsigned long hash; - int suffix; -}; - -struct lookup_dir_entry_st { - char *dir; - int dir_type; - STACK_OF(BY_DIR_HASH) *hashes; -}; - -typedef struct lookup_dir_st { - BUF_MEM *buffer; - STACK_OF(BY_DIR_ENTRY) *dirs; - CRYPTO_RWLOCK *lock; -} BY_DIR; - -static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, - char **ret); -static int new_dir(X509_LOOKUP *lu); -static void free_dir(X509_LOOKUP *lu); -static int add_cert_dir(BY_DIR *ctx, const char *dir, int type); -static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type, - X509_NAME *name, X509_OBJECT *ret); -static X509_LOOKUP_METHOD x509_dir_lookup = { - "Load certs from files in a directory", - new_dir, /* new */ - free_dir, /* free */ - NULL, /* init */ - NULL, /* shutdown */ - dir_ctrl, /* ctrl */ - get_cert_by_subject, /* get_by_subject */ - NULL, /* get_by_issuer_serial */ - NULL, /* get_by_fingerprint */ - NULL, /* get_by_alias */ -}; - -X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void) -{ - return (&x509_dir_lookup); -} - -static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, - char **retp) -{ - int ret = 0; - BY_DIR *ld; - char *dir = NULL; - - ld = (BY_DIR *)ctx->method_data; - - switch (cmd) { - case X509_L_ADD_DIR: - if (argl == X509_FILETYPE_DEFAULT) { - dir = (char *)getenv(X509_get_default_cert_dir_env()); - if (dir) - ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); - else - ret = add_cert_dir(ld, X509_get_default_cert_dir(), - X509_FILETYPE_PEM); - if (!ret) { - X509err(X509_F_DIR_CTRL, X509_R_LOADING_CERT_DIR); - } - } else - ret = add_cert_dir(ld, argp, (int)argl); - break; - } - return (ret); -} - -static int new_dir(X509_LOOKUP *lu) -{ - BY_DIR *a; - - if ((a = OPENSSL_malloc(sizeof(*a))) == NULL) - return 0; - if ((a->buffer = BUF_MEM_new()) == NULL) { - OPENSSL_free(a); - return 0; - } - a->dirs = NULL; - a->lock = CRYPTO_THREAD_lock_new(); - if (a->lock == NULL) { - BUF_MEM_free(a->buffer); - OPENSSL_free(a); - return 0; - } - lu->method_data = (char *)a; - return 1; -} - -static void by_dir_hash_free(BY_DIR_HASH *hash) -{ - OPENSSL_free(hash); -} - -static int by_dir_hash_cmp(const BY_DIR_HASH *const *a, - const BY_DIR_HASH *const *b) -{ - if ((*a)->hash > (*b)->hash) - return 1; - if ((*a)->hash < (*b)->hash) - return -1; - return 0; -} - -static void by_dir_entry_free(BY_DIR_ENTRY *ent) -{ - OPENSSL_free(ent->dir); - sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free); - OPENSSL_free(ent); -} - -static void free_dir(X509_LOOKUP *lu) -{ - BY_DIR *a; - - a = (BY_DIR *)lu->method_data; - sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free); - BUF_MEM_free(a->buffer); - CRYPTO_THREAD_lock_free(a->lock); - OPENSSL_free(a); -} - -static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) -{ - const char *s, *p; - - if (dir == NULL || !*dir) { - X509err(X509_F_ADD_CERT_DIR, X509_R_INVALID_DIRECTORY); - return 0; - } - - s = dir; - p = s; - do { - if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0')) { - BY_DIR_ENTRY *ent; - int j; - size_t len; - const char *ss = s; - s = p + 1; - len = p - ss; - if (len == 0) - continue; - for (j = 0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++) { - ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j); - if (strlen(ent->dir) == len && - strncmp(ent->dir, ss, len) == 0) - break; - } - if (j < sk_BY_DIR_ENTRY_num(ctx->dirs)) - continue; - if (ctx->dirs == NULL) { - ctx->dirs = sk_BY_DIR_ENTRY_new_null(); - if (!ctx->dirs) { - X509err(X509_F_ADD_CERT_DIR, ERR_R_MALLOC_FAILURE); - return 0; - } - } - ent = OPENSSL_malloc(sizeof(*ent)); - if (ent == NULL) - return 0; - ent->dir_type = type; - ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp); - ent->dir = OPENSSL_strndup(ss, len); - if (ent->dir == NULL || ent->hashes == NULL) { - by_dir_entry_free(ent); - return 0; - } - if (!sk_BY_DIR_ENTRY_push(ctx->dirs, ent)) { - by_dir_entry_free(ent); - return 0; - } - } - } while (*p++ != '\0'); - return 1; -} - -static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type, - X509_NAME *name, X509_OBJECT *ret) -{ - BY_DIR *ctx; - union { - X509 st_x509; - X509_CRL crl; - } data; - int ok = 0; - int i, j, k; - unsigned long h; - BUF_MEM *b = NULL; - X509_OBJECT stmp, *tmp; - const char *postfix = ""; - - if (name == NULL) - return (0); - - stmp.type = type; - if (type == X509_LU_X509) { - data.st_x509.cert_info.subject = name; - stmp.data.x509 = &data.st_x509; - postfix = ""; - } else if (type == X509_LU_CRL) { - data.crl.crl.issuer = name; - stmp.data.crl = &data.crl; - postfix = "r"; - } else { - X509err(X509_F_GET_CERT_BY_SUBJECT, X509_R_WRONG_LOOKUP_TYPE); - goto finish; - } - - if ((b = BUF_MEM_new()) == NULL) { - X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_BUF_LIB); - goto finish; - } - - ctx = (BY_DIR *)xl->method_data; - - h = X509_NAME_hash(name); - for (i = 0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++) { - BY_DIR_ENTRY *ent; - int idx; - BY_DIR_HASH htmp, *hent; - ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i); - j = strlen(ent->dir) + 1 + 8 + 6 + 1 + 1; - if (!BUF_MEM_grow(b, j)) { - X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE); - goto finish; - } - if (type == X509_LU_CRL && ent->hashes) { - htmp.hash = h; - CRYPTO_THREAD_read_lock(ctx->lock); - idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp); - if (idx >= 0) { - hent = sk_BY_DIR_HASH_value(ent->hashes, idx); - k = hent->suffix; - } else { - hent = NULL; - k = 0; - } - CRYPTO_THREAD_unlock(ctx->lock); - } else { - k = 0; - hent = NULL; - } - for (;;) { - char c = '/'; -#ifdef OPENSSL_SYS_VMS - c = ent->dir[strlen(ent->dir) - 1]; - if (c != ':' && c != '>' && c != ']') { - /* - * If no separator is present, we assume the directory - * specifier is a logical name, and add a colon. We really - * should use better VMS routines for merging things like - * this, but this will do for now... -- Richard Levitte - */ - c = ':'; - } else { - c = '\0'; - } -#endif - if (c == '\0') { - /* - * This is special. When c == '\0', no directory separator - * should be added. - */ - BIO_snprintf(b->data, b->max, - "%s%08lx.%s%d", ent->dir, h, postfix, k); - } else { - BIO_snprintf(b->data, b->max, - "%s%c%08lx.%s%d", ent->dir, c, h, postfix, k); - } -#ifndef OPENSSL_NO_POSIX_IO -# ifdef _WIN32 -# define stat _stat -# endif - { - struct stat st; - if (stat(b->data, &st) < 0) - break; - } -#endif - /* found one. */ - if (type == X509_LU_X509) { - if ((X509_load_cert_file(xl, b->data, ent->dir_type)) == 0) - break; - } else if (type == X509_LU_CRL) { - if ((X509_load_crl_file(xl, b->data, ent->dir_type)) == 0) - break; - } - /* else case will caught higher up */ - k++; - } - - /* - * we have added it to the cache so now pull it out again - */ - CRYPTO_THREAD_write_lock(ctx->lock); - j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp); - if (j != -1) - tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j); - else - tmp = NULL; - CRYPTO_THREAD_unlock(ctx->lock); - - /* If a CRL, update the last file suffix added for this */ - - if (type == X509_LU_CRL) { - CRYPTO_THREAD_write_lock(ctx->lock); - /* - * Look for entry again in case another thread added an entry - * first. - */ - if (!hent) { - htmp.hash = h; - idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp); - if (idx >= 0) - hent = sk_BY_DIR_HASH_value(ent->hashes, idx); - } - if (!hent) { - hent = OPENSSL_malloc(sizeof(*hent)); - if (hent == NULL) { - CRYPTO_THREAD_unlock(ctx->lock); - X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE); - ok = 0; - goto finish; - } - hent->hash = h; - hent->suffix = k; - if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) { - CRYPTO_THREAD_unlock(ctx->lock); - OPENSSL_free(hent); - ok = 0; - goto finish; - } - } else if (hent->suffix < k) { - hent->suffix = k; - } - - CRYPTO_THREAD_unlock(ctx->lock); - - } - - if (tmp != NULL) { - ok = 1; - ret->type = tmp->type; - memcpy(&ret->data, &tmp->data, sizeof(ret->data)); - /* - * If we were going to up the reference count, we would need to - * do it on a perl 'type' basis - */ - /*- CRYPTO_add(&tmp->data.x509->references,1, - CRYPTO_LOCK_X509);*/ - goto finish; - } - } - finish: - BUF_MEM_free(b); - return (ok); -} diff --git a/Cryptlib/OpenSSL/crypto/x509/by_file.c b/Cryptlib/OpenSSL/crypto/x509/by_file.c deleted file mode 100644 index 4376bed8..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/by_file.c +++ /dev/null @@ -1,221 +0,0 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include <time.h> -#include <errno.h> - -#include "internal/cryptlib.h" -#include <openssl/lhash.h> -#include <openssl/buffer.h> -#include <openssl/x509.h> -#include <openssl/pem.h> -#include "x509_lcl.h" - -static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, - long argl, char **ret); -static X509_LOOKUP_METHOD x509_file_lookup = { - "Load file into cache", - NULL, /* new */ - NULL, /* free */ - NULL, /* init */ - NULL, /* shutdown */ - by_file_ctrl, /* ctrl */ - NULL, /* get_by_subject */ - NULL, /* get_by_issuer_serial */ - NULL, /* get_by_fingerprint */ - NULL, /* get_by_alias */ -}; - -X509_LOOKUP_METHOD *X509_LOOKUP_file(void) -{ - return (&x509_file_lookup); -} - -static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, - long argl, char **ret) -{ - int ok = 0; - char *file; - - switch (cmd) { - case X509_L_FILE_LOAD: - if (argl == X509_FILETYPE_DEFAULT) { - file = (char *)getenv(X509_get_default_cert_file_env()); - if (file) - ok = (X509_load_cert_crl_file(ctx, file, - X509_FILETYPE_PEM) != 0); - - else - ok = (X509_load_cert_crl_file - (ctx, X509_get_default_cert_file(), - X509_FILETYPE_PEM) != 0); - - if (!ok) { - X509err(X509_F_BY_FILE_CTRL, X509_R_LOADING_DEFAULTS); - } - } else { - if (argl == X509_FILETYPE_PEM) - ok = (X509_load_cert_crl_file(ctx, argp, - X509_FILETYPE_PEM) != 0); - else - ok = (X509_load_cert_file(ctx, argp, (int)argl) != 0); - } - break; - } - return (ok); -} - -int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type) -{ - int ret = 0; - BIO *in = NULL; - int i, count = 0; - X509 *x = NULL; - - if (file == NULL) - return (1); - in = BIO_new(BIO_s_file()); - - if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) { - X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_SYS_LIB); - goto err; - } - - if (type == X509_FILETYPE_PEM) { - for (;;) { - x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); - if (x == NULL) { - if ((ERR_GET_REASON(ERR_peek_last_error()) == - PEM_R_NO_START_LINE) && (count > 0)) { - ERR_clear_error(); - break; - } else { - X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_PEM_LIB); - goto err; - } - } - i = X509_STORE_add_cert(ctx->store_ctx, x); - if (!i) - goto err; - count++; - X509_free(x); - x = NULL; - } - ret = count; - } else if (type == X509_FILETYPE_ASN1) { - x = d2i_X509_bio(in, NULL); - if (x == NULL) { - X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_ASN1_LIB); - goto err; - } - i = X509_STORE_add_cert(ctx->store_ctx, x); - if (!i) - goto err; - ret = i; - } else { - X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE); - goto err; - } - err: - X509_free(x); - BIO_free(in); - return (ret); -} - -int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) -{ - int ret = 0; - BIO *in = NULL; - int i, count = 0; - X509_CRL *x = NULL; - - if (file == NULL) - return (1); - in = BIO_new(BIO_s_file()); - - if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) { - X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_SYS_LIB); - goto err; - } - - if (type == X509_FILETYPE_PEM) { - for (;;) { - x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); - if (x == NULL) { - if ((ERR_GET_REASON(ERR_peek_last_error()) == - PEM_R_NO_START_LINE) && (count > 0)) { - ERR_clear_error(); - break; - } else { - X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_PEM_LIB); - goto err; - } - } - i = X509_STORE_add_crl(ctx->store_ctx, x); - if (!i) - goto err; - count++; - X509_CRL_free(x); - x = NULL; - } - ret = count; - } else if (type == X509_FILETYPE_ASN1) { - x = d2i_X509_CRL_bio(in, NULL); - if (x == NULL) { - X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_ASN1_LIB); - goto err; - } - i = X509_STORE_add_crl(ctx->store_ctx, x); - if (!i) - goto err; - ret = i; - } else { - X509err(X509_F_X509_LOAD_CRL_FILE, X509_R_BAD_X509_FILETYPE); - goto err; - } - err: - X509_CRL_free(x); - BIO_free(in); - return (ret); -} - -int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) -{ - STACK_OF(X509_INFO) *inf; - X509_INFO *itmp; - BIO *in; - int i, count = 0; - if (type != X509_FILETYPE_PEM) - return X509_load_cert_file(ctx, file, type); - in = BIO_new_file(file, "r"); - if (!in) { - X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_SYS_LIB); - return 0; - } - inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); - BIO_free(in); - if (!inf) { - X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_PEM_LIB); - return 0; - } - for (i = 0; i < sk_X509_INFO_num(inf); i++) { - itmp = sk_X509_INFO_value(inf, i); - if (itmp->x509) { - X509_STORE_add_cert(ctx->store_ctx, itmp->x509); - count++; - } - if (itmp->crl) { - X509_STORE_add_crl(ctx->store_ctx, itmp->crl); - count++; - } - } - sk_X509_INFO_pop_free(inf, X509_INFO_free); - return count; -} diff --git a/Cryptlib/OpenSSL/crypto/x509/t_crl.c b/Cryptlib/OpenSSL/crypto/x509/t_crl.c deleted file mode 100644 index f3ca6db8..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/t_crl.c +++ /dev/null @@ -1,89 +0,0 @@ -/* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include "internal/cryptlib.h" -#include <openssl/buffer.h> -#include <openssl/bn.h> -#include <openssl/objects.h> -#include <openssl/x509.h> -#include <openssl/x509v3.h> - -#ifndef OPENSSL_NO_STDIO -int X509_CRL_print_fp(FILE *fp, X509_CRL *x) -{ - BIO *b; - int ret; - - if ((b = BIO_new(BIO_s_file())) == NULL) { - X509err(X509_F_X509_CRL_PRINT_FP, ERR_R_BUF_LIB); - return (0); - } - BIO_set_fp(b, fp, BIO_NOCLOSE); - ret = X509_CRL_print(b, x); - BIO_free(b); - return (ret); -} -#endif - -int X509_CRL_print(BIO *out, X509_CRL *x) -{ - STACK_OF(X509_REVOKED) *rev; - X509_REVOKED *r; - const X509_ALGOR *sig_alg; - const ASN1_BIT_STRING *sig; - long l; - int i; - char *p; - - BIO_printf(out, "Certificate Revocation List (CRL):\n"); - l = X509_CRL_get_version(x); - if (l >= 0 && l <= 1) - BIO_printf(out, "%8sVersion %ld (0x%lx)\n", "", l + 1, (unsigned long)l); - else - BIO_printf(out, "%8sVersion unknown (%ld)\n", "", l); - X509_CRL_get0_signature(x, &sig, &sig_alg); - X509_signature_print(out, sig_alg, NULL); - p = X509_NAME_oneline(X509_CRL_get_issuer(x), NULL, 0); - BIO_printf(out, "%8sIssuer: %s\n", "", p); - OPENSSL_free(p); - BIO_printf(out, "%8sLast Update: ", ""); - ASN1_TIME_print(out, X509_CRL_get0_lastUpdate(x)); - BIO_printf(out, "\n%8sNext Update: ", ""); - if (X509_CRL_get0_nextUpdate(x)) - ASN1_TIME_print(out, X509_CRL_get0_nextUpdate(x)); - else - BIO_printf(out, "NONE"); - BIO_printf(out, "\n"); - - X509V3_extensions_print(out, "CRL extensions", - X509_CRL_get0_extensions(x), 0, 8); - - rev = X509_CRL_get_REVOKED(x); - - if (sk_X509_REVOKED_num(rev) > 0) - BIO_printf(out, "Revoked Certificates:\n"); - else - BIO_printf(out, "No Revoked Certificates.\n"); - - for (i = 0; i < sk_X509_REVOKED_num(rev); i++) { - r = sk_X509_REVOKED_value(rev, i); - BIO_printf(out, " Serial Number: "); - i2a_ASN1_INTEGER(out, X509_REVOKED_get0_serialNumber(r)); - BIO_printf(out, "\n Revocation Date: "); - ASN1_TIME_print(out, X509_REVOKED_get0_revocationDate(r)); - BIO_printf(out, "\n"); - X509V3_extensions_print(out, "CRL entry extensions", - X509_REVOKED_get0_extensions(r), 0, 8); - } - X509_signature_print(out, sig_alg, sig); - - return 1; - -} diff --git a/Cryptlib/OpenSSL/crypto/x509/t_req.c b/Cryptlib/OpenSSL/crypto/x509/t_req.c deleted file mode 100644 index 77ce8108..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/t_req.c +++ /dev/null @@ -1,198 +0,0 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include "internal/cryptlib.h" -#include <openssl/buffer.h> -#include <openssl/bn.h> -#include <openssl/objects.h> -#include <openssl/x509.h> -#include <openssl/x509v3.h> -#include <openssl/rsa.h> -#include <openssl/dsa.h> - -#ifndef OPENSSL_NO_STDIO -int X509_REQ_print_fp(FILE *fp, X509_REQ *x) -{ - BIO *b; - int ret; - - if ((b = BIO_new(BIO_s_file())) == NULL) { - X509err(X509_F_X509_REQ_PRINT_FP, ERR_R_BUF_LIB); - return (0); - } - BIO_set_fp(b, fp, BIO_NOCLOSE); - ret = X509_REQ_print(b, x); - BIO_free(b); - return (ret); -} -#endif - -int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, - unsigned long cflag) -{ - long l; - int i; - EVP_PKEY *pkey; - STACK_OF(X509_EXTENSION) *exts; - char mlch = ' '; - int nmindent = 0; - - if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { - mlch = '\n'; - nmindent = 12; - } - - if (nmflags == X509_FLAG_COMPAT) - nmindent = 16; - - if (!(cflag & X509_FLAG_NO_HEADER)) { - if (BIO_write(bp, "Certificate Request:\n", 21) <= 0) - goto err; - if (BIO_write(bp, " Data:\n", 10) <= 0) - goto err; - } - if (!(cflag & X509_FLAG_NO_VERSION)) { - l = X509_REQ_get_version(x); - if (l >= 0 && l <= 2) { - if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0) - goto err; - } else { - if (BIO_printf(bp, "%8sVersion: Unknown (%ld)\n", "", l) <= 0) - goto err; - } - } - if (!(cflag & X509_FLAG_NO_SUBJECT)) { - if (BIO_printf(bp, " Subject:%c", mlch) <= 0) - goto err; - if (X509_NAME_print_ex(bp, X509_REQ_get_subject_name(x), - nmindent, nmflags) < 0) - goto err; - if (BIO_write(bp, "\n", 1) <= 0) - goto err; - } - if (!(cflag & X509_FLAG_NO_PUBKEY)) { - X509_PUBKEY *xpkey; - ASN1_OBJECT *koid; - if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0) - goto err; - if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0) - goto err; - xpkey = X509_REQ_get_X509_PUBKEY(x); - X509_PUBKEY_get0_param(&koid, NULL, NULL, NULL, xpkey); - if (i2a_ASN1_OBJECT(bp, koid) <= 0) - goto err; - if (BIO_puts(bp, "\n") <= 0) - goto err; - - pkey = X509_REQ_get0_pubkey(x); - if (pkey == NULL) { - BIO_printf(bp, "%12sUnable to load Public Key\n", ""); - ERR_print_errors(bp); - } else { - EVP_PKEY_print_public(bp, pkey, 16, NULL); - } - } - - if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) { - /* may not be */ - if (BIO_printf(bp, "%8sAttributes:\n", "") <= 0) - goto err; - - if (X509_REQ_get_attr_count(x) == 0) { - if (BIO_printf(bp, "%12sa0:00\n", "") <= 0) - goto err; - } else { - for (i = 0; i < X509_REQ_get_attr_count(x); i++) { - ASN1_TYPE *at; - X509_ATTRIBUTE *a; - ASN1_BIT_STRING *bs = NULL; - ASN1_OBJECT *aobj; - int j, type = 0, count = 1, ii = 0; - - a = X509_REQ_get_attr(x, i); - aobj = X509_ATTRIBUTE_get0_object(a); - if (X509_REQ_extension_nid(OBJ_obj2nid(aobj))) - continue; - if (BIO_printf(bp, "%12s", "") <= 0) - goto err; - if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) { - ii = 0; - count = X509_ATTRIBUTE_count(a); - get_next: - at = X509_ATTRIBUTE_get0_type(a, ii); - type = at->type; - bs = at->value.asn1_string; - } - for (j = 25 - j; j > 0; j--) - if (BIO_write(bp, " ", 1) != 1) - goto err; - if (BIO_puts(bp, ":") <= 0) - goto err; - if ((type == V_ASN1_PRINTABLESTRING) || - (type == V_ASN1_T61STRING) || - (type == V_ASN1_UTF8STRING) || - (type == V_ASN1_IA5STRING)) { - if (BIO_write(bp, (char *)bs->data, bs->length) - != bs->length) - goto err; - BIO_puts(bp, "\n"); - } else { - BIO_puts(bp, "unable to print attribute\n"); - } - if (++ii < count) - goto get_next; - } - } - } - if (!(cflag & X509_FLAG_NO_EXTENSIONS)) { - exts = X509_REQ_get_extensions(x); - if (exts) { - BIO_printf(bp, "%8sRequested Extensions:\n", ""); - for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { - ASN1_OBJECT *obj; - X509_EXTENSION *ex; - int critical; - ex = sk_X509_EXTENSION_value(exts, i); - if (BIO_printf(bp, "%12s", "") <= 0) - goto err; - obj = X509_EXTENSION_get_object(ex); - i2a_ASN1_OBJECT(bp, obj); - critical = X509_EXTENSION_get_critical(ex); - if (BIO_printf(bp, ": %s\n", critical ? "critical" : "") <= 0) - goto err; - if (!X509V3_EXT_print(bp, ex, cflag, 16)) { - BIO_printf(bp, "%16s", ""); - ASN1_STRING_print(bp, X509_EXTENSION_get_data(ex)); - } - if (BIO_write(bp, "\n", 1) <= 0) - goto err; - } - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - } - } - - if (!(cflag & X509_FLAG_NO_SIGDUMP)) { - const X509_ALGOR *sig_alg; - const ASN1_BIT_STRING *sig; - X509_REQ_get0_signature(x, &sig, &sig_alg); - if (!X509_signature_print(bp, sig_alg, sig)) - goto err; - } - - return (1); - err: - X509err(X509_F_X509_REQ_PRINT_EX, ERR_R_BUF_LIB); - return (0); -} - -int X509_REQ_print(BIO *bp, X509_REQ *x) -{ - return X509_REQ_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT); -} diff --git a/Cryptlib/OpenSSL/crypto/x509/t_x509.c b/Cryptlib/OpenSSL/crypto/x509/t_x509.c deleted file mode 100644 index eb65d887..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/t_x509.c +++ /dev/null @@ -1,376 +0,0 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include "internal/cryptlib.h" -#include <openssl/buffer.h> -#include <openssl/bn.h> -#include <openssl/objects.h> -#include <openssl/x509.h> -#include <openssl/x509v3.h> -#include "internal/asn1_int.h" - -#ifndef OPENSSL_NO_STDIO -int X509_print_fp(FILE *fp, X509 *x) -{ - return X509_print_ex_fp(fp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT); -} - -int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag, - unsigned long cflag) -{ - BIO *b; - int ret; - - if ((b = BIO_new(BIO_s_file())) == NULL) { - X509err(X509_F_X509_PRINT_EX_FP, ERR_R_BUF_LIB); - return (0); - } - BIO_set_fp(b, fp, BIO_NOCLOSE); - ret = X509_print_ex(b, x, nmflag, cflag); - BIO_free(b); - return (ret); -} -#endif - -int X509_print(BIO *bp, X509 *x) -{ - return X509_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT); -} - -int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, - unsigned long cflag) -{ - long l; - int ret = 0, i; - char *m = NULL, mlch = ' '; - int nmindent = 0; - ASN1_INTEGER *bs; - EVP_PKEY *pkey = NULL; - const char *neg; - - if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { - mlch = '\n'; - nmindent = 12; - } - - if (nmflags == X509_FLAG_COMPAT) - nmindent = 16; - - if (!(cflag & X509_FLAG_NO_HEADER)) { - if (BIO_write(bp, "Certificate:\n", 13) <= 0) - goto err; - if (BIO_write(bp, " Data:\n", 10) <= 0) - goto err; - } - if (!(cflag & X509_FLAG_NO_VERSION)) { - l = X509_get_version(x); - if (l >= 0 && l <= 2) { - if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0) - goto err; - } else { - if (BIO_printf(bp, "%8sVersion: Unknown (%ld)\n", "", l) <= 0) - goto err; - } - } - if (!(cflag & X509_FLAG_NO_SERIAL)) { - - if (BIO_write(bp, " Serial Number:", 22) <= 0) - goto err; - - bs = X509_get_serialNumber(x); - if (bs->length <= (int)sizeof(long)) { - ERR_set_mark(); - l = ASN1_INTEGER_get(bs); - ERR_pop_to_mark(); - } else { - l = -1; - } - if (l != -1) { - unsigned long ul; - if (bs->type == V_ASN1_NEG_INTEGER) { - ul = 0 - (unsigned long)l; - neg = "-"; - } else { - ul = l; - neg = ""; - } - if (BIO_printf(bp, " %s%lu (%s0x%lx)\n", neg, ul, neg, ul) <= 0) - goto err; - } else { - neg = (bs->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : ""; - if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) - goto err; - - for (i = 0; i < bs->length; i++) { - if (BIO_printf(bp, "%02x%c", bs->data[i], - ((i + 1 == bs->length) ? '\n' : ':')) <= 0) - goto err; - } - } - - } - - if (!(cflag & X509_FLAG_NO_SIGNAME)) { - const X509_ALGOR *tsig_alg = X509_get0_tbs_sigalg(x); - if (X509_signature_print(bp, tsig_alg, NULL) <= 0) - goto err; - } - - if (!(cflag & X509_FLAG_NO_ISSUER)) { - if (BIO_printf(bp, " Issuer:%c", mlch) <= 0) - goto err; - if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags) - < 0) - goto err; - if (BIO_write(bp, "\n", 1) <= 0) - goto err; - } - if (!(cflag & X509_FLAG_NO_VALIDITY)) { - if (BIO_write(bp, " Validity\n", 17) <= 0) - goto err; - if (BIO_write(bp, " Not Before: ", 24) <= 0) - goto err; - if (!ASN1_TIME_print(bp, X509_get0_notBefore(x))) - goto err; - if (BIO_write(bp, "\n Not After : ", 25) <= 0) - goto err; - if (!ASN1_TIME_print(bp, X509_get0_notAfter(x))) - goto err; - if (BIO_write(bp, "\n", 1) <= 0) - goto err; - } - if (!(cflag & X509_FLAG_NO_SUBJECT)) { - if (BIO_printf(bp, " Subject:%c", mlch) <= 0) - goto err; - if (X509_NAME_print_ex - (bp, X509_get_subject_name(x), nmindent, nmflags) < 0) - goto err; - if (BIO_write(bp, "\n", 1) <= 0) - goto err; - } - if (!(cflag & X509_FLAG_NO_PUBKEY)) { - X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x); - ASN1_OBJECT *xpoid; - X509_PUBKEY_get0_param(&xpoid, NULL, NULL, NULL, xpkey); - if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0) - goto err; - if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0) - goto err; - if (i2a_ASN1_OBJECT(bp, xpoid) <= 0) - goto err; - if (BIO_puts(bp, "\n") <= 0) - goto err; - - pkey = X509_get0_pubkey(x); - if (pkey == NULL) { - BIO_printf(bp, "%12sUnable to load Public Key\n", ""); - ERR_print_errors(bp); - } else { - EVP_PKEY_print_public(bp, pkey, 16, NULL); - } - } - - if (!(cflag & X509_FLAG_NO_IDS)) { - const ASN1_BIT_STRING *iuid, *suid; - X509_get0_uids(x, &iuid, &suid); - if (iuid != NULL) { - if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0) - goto err; - if (!X509_signature_dump(bp, iuid, 12)) - goto err; - } - if (suid != NULL) { - if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0) - goto err; - if (!X509_signature_dump(bp, suid, 12)) - goto err; - } - } - - if (!(cflag & X509_FLAG_NO_EXTENSIONS)) - X509V3_extensions_print(bp, "X509v3 extensions", - X509_get0_extensions(x), cflag, 8); - - if (!(cflag & X509_FLAG_NO_SIGDUMP)) { - const X509_ALGOR *sig_alg; - const ASN1_BIT_STRING *sig; - X509_get0_signature(&sig, &sig_alg, x); - if (X509_signature_print(bp, sig_alg, sig) <= 0) - goto err; - } - if (!(cflag & X509_FLAG_NO_AUX)) { - if (!X509_aux_print(bp, x, 0)) - goto err; - } - ret = 1; - err: - OPENSSL_free(m); - return (ret); -} - -int X509_ocspid_print(BIO *bp, X509 *x) -{ - unsigned char *der = NULL; - unsigned char *dertmp; - int derlen; - int i; - unsigned char SHA1md[SHA_DIGEST_LENGTH]; - ASN1_BIT_STRING *keybstr; - X509_NAME *subj; - - /* - * display the hash of the subject as it would appear in OCSP requests - */ - if (BIO_printf(bp, " Subject OCSP hash: ") <= 0) - goto err; - subj = X509_get_subject_name(x); - derlen = i2d_X509_NAME(subj, NULL); - if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL) - goto err; - i2d_X509_NAME(subj, &dertmp); - - if (!EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL)) - goto err; - for (i = 0; i < SHA_DIGEST_LENGTH; i++) { - if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0) - goto err; - } - OPENSSL_free(der); - der = NULL; - - /* - * display the hash of the public key as it would appear in OCSP requests - */ - if (BIO_printf(bp, "\n Public key OCSP hash: ") <= 0) - goto err; - - keybstr = X509_get0_pubkey_bitstr(x); - - if (keybstr == NULL) - goto err; - - if (!EVP_Digest(ASN1_STRING_get0_data(keybstr), - ASN1_STRING_length(keybstr), SHA1md, NULL, EVP_sha1(), - NULL)) - goto err; - for (i = 0; i < SHA_DIGEST_LENGTH; i++) { - if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0) - goto err; - } - BIO_printf(bp, "\n"); - - return (1); - err: - OPENSSL_free(der); - return (0); -} - -int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent) -{ - const unsigned char *s; - int i, n; - - n = sig->length; - s = sig->data; - for (i = 0; i < n; i++) { - if ((i % 18) == 0) { - if (BIO_write(bp, "\n", 1) <= 0) - return 0; - if (BIO_indent(bp, indent, indent) <= 0) - return 0; - } - if (BIO_printf(bp, "%02x%s", s[i], ((i + 1) == n) ? "" : ":") <= 0) - return 0; - } - if (BIO_write(bp, "\n", 1) != 1) - return 0; - - return 1; -} - -int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg, - const ASN1_STRING *sig) -{ - int sig_nid; - if (BIO_puts(bp, " Signature Algorithm: ") <= 0) - return 0; - if (i2a_ASN1_OBJECT(bp, sigalg->algorithm) <= 0) - return 0; - - sig_nid = OBJ_obj2nid(sigalg->algorithm); - if (sig_nid != NID_undef) { - int pkey_nid, dig_nid; - const EVP_PKEY_ASN1_METHOD *ameth; - if (OBJ_find_sigid_algs(sig_nid, &dig_nid, &pkey_nid)) { - ameth = EVP_PKEY_asn1_find(NULL, pkey_nid); - if (ameth && ameth->sig_print) - return ameth->sig_print(bp, sigalg, sig, 9, 0); - } - } - if (sig) - return X509_signature_dump(bp, sig, 9); - else if (BIO_puts(bp, "\n") <= 0) - return 0; - return 1; -} - -int X509_aux_print(BIO *out, X509 *x, int indent) -{ - char oidstr[80], first; - STACK_OF(ASN1_OBJECT) *trust, *reject; - const unsigned char *alias, *keyid; - int keyidlen; - int i; - if (X509_trusted(x) == 0) - return 1; - trust = X509_get0_trust_objects(x); - reject = X509_get0_reject_objects(x); - if (trust) { - first = 1; - BIO_printf(out, "%*sTrusted Uses:\n%*s", indent, "", indent + 2, ""); - for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { - if (!first) - BIO_puts(out, ", "); - else - first = 0; - OBJ_obj2txt(oidstr, sizeof oidstr, - sk_ASN1_OBJECT_value(trust, i), 0); - BIO_puts(out, oidstr); - } - BIO_puts(out, "\n"); - } else - BIO_printf(out, "%*sNo Trusted Uses.\n", indent, ""); - if (reject) { - first = 1; - BIO_printf(out, "%*sRejected Uses:\n%*s", indent, "", indent + 2, ""); - for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { - if (!first) - BIO_puts(out, ", "); - else - first = 0; - OBJ_obj2txt(oidstr, sizeof oidstr, - sk_ASN1_OBJECT_value(reject, i), 0); - BIO_puts(out, oidstr); - } - BIO_puts(out, "\n"); - } else - BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); - alias = X509_alias_get0(x, NULL); - if (alias) - BIO_printf(out, "%*sAlias: %s\n", indent, "", alias); - keyid = X509_keyid_get0(x, &keyidlen); - if (keyid) { - BIO_printf(out, "%*sKey Id: ", indent, ""); - for (i = 0; i < keyidlen; i++) - BIO_printf(out, "%s%02X", i ? ":" : "", keyid[i]); - BIO_write(out, "\n", 1); - } - return 1; -} diff --git a/Cryptlib/OpenSSL/crypto/x509/vpm_int.h b/Cryptlib/OpenSSL/crypto/x509/vpm_int.h new file mode 100644 index 00000000..9c55defc --- /dev/null +++ b/Cryptlib/OpenSSL/crypto/x509/vpm_int.h @@ -0,0 +1,70 @@ +/* vpm_int.h */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 2013. + */ +/* ==================================================================== + * Copyright (c) 2013 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/* internal only structure to hold additional X509_VERIFY_PARAM data */ + +struct X509_VERIFY_PARAM_ID_st { + STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */ + unsigned int hostflags; /* Flags to control matching features */ + char *peername; /* Matching hostname in peer certificate */ + char *email; /* If not NULL email address to match */ + size_t emaillen; + unsigned char *ip; /* If not NULL IP address to match */ + size_t iplen; /* Length of IP address */ +}; diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_att.c b/Cryptlib/OpenSSL/crypto/x509/x509_att.c index 15f0e4fc..25010753 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_att.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_att.c @@ -1,21 +1,69 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_att.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> #include <openssl/stack.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/asn1.h> #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> #include <openssl/x509v3.h> -#include "x509_lcl.h" int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x) { @@ -25,15 +73,16 @@ int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x) int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid, int lastpos) { - const ASN1_OBJECT *obj = OBJ_nid2obj(nid); + ASN1_OBJECT *obj; + obj = OBJ_nid2obj(nid); if (obj == NULL) return (-2); return (X509at_get_attr_by_OBJ(x, obj, lastpos)); } int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, - const ASN1_OBJECT *obj, int lastpos) + ASN1_OBJECT *obj, int lastpos) { int n; X509_ATTRIBUTE *ex; @@ -97,8 +146,10 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x, err: X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_MALLOC_FAILURE); err2: - X509_ATTRIBUTE_free(new_attr); - sk_X509_ATTRIBUTE_free(sk); + if (new_attr != NULL) + X509_ATTRIBUTE_free(new_attr); + if (sk != NULL) + sk_X509_ATTRIBUTE_free(sk); return (NULL); } @@ -150,7 +201,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) } void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x, - const ASN1_OBJECT *obj, int lastpos, int type) + ASN1_OBJECT *obj, int lastpos, int type) { int i; X509_ATTRIBUTE *at; @@ -239,7 +290,7 @@ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj) return (0); ASN1_OBJECT_free(attr->object); attr->object = OBJ_dup(obj); - return attr->object != NULL; + return (1); } int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, @@ -259,12 +310,15 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, } atype = stmp->type; } else if (len != -1) { - if ((stmp = ASN1_STRING_type_new(attrtype)) == NULL) + if (!(stmp = ASN1_STRING_type_new(attrtype))) goto err; if (!ASN1_STRING_set(stmp, data, len)) goto err; atype = attrtype; } + if (!(attr->value.set = sk_ASN1_TYPE_new_null())) + goto err; + attr->single = 0; /* * This is a bit naughty because the attribute should really have at * least one value but some types use and zero length SET and require @@ -274,7 +328,7 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, ASN1_STRING_free(stmp); return 1; } - if ((ttmp = ASN1_TYPE_new()) == NULL) + if (!(ttmp = ASN1_TYPE_new())) goto err; if ((len == -1) && !(attrtype & MBSTRING_FLAG)) { if (!ASN1_TYPE_set1(ttmp, attrtype, data)) @@ -283,7 +337,7 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, ASN1_TYPE_set(ttmp, atype, stmp); stmp = NULL; } - if (!sk_ASN1_TYPE_push(attr->set, ttmp)) + if (!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err; return 1; err: @@ -293,11 +347,13 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, return 0; } -int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr) +int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr) { - if (attr == NULL) - return 0; - return sk_ASN1_TYPE_num(attr->set); + if (!attr->single) + return sk_ASN1_TYPE_num(attr->value.set); + if (attr->value.single) + return 1; + return 0; } ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr) @@ -324,6 +380,11 @@ void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx) { if (attr == NULL) + return (NULL); + if (idx >= X509_ATTRIBUTE_count(attr)) return NULL; - return sk_ASN1_TYPE_value(attr->set, idx); + if (!attr->single) + return sk_ASN1_TYPE_value(attr->value.set, idx); + else + return attr->value.single; } diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c b/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c index 01056356..49c71b91 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c @@ -1,29 +1,77 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_cmp.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> #include <ctype.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/asn1.h> #include <openssl/objects.h> #include <openssl/x509.h> #include <openssl/x509v3.h> -#include "internal/x509_int.h" int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) { int i; - const X509_CINF *ai, *bi; + X509_CINF *ai, *bi; - ai = &a->cert_info; - bi = &b->cert_info; - i = ASN1_INTEGER_cmp(&ai->serialNumber, &bi->serialNumber); + ai = a->cert_info; + bi = b->cert_info; + i = M_ASN1_INTEGER_cmp(ai->serialNumber, bi->serialNumber); if (i) return (i); return (X509_NAME_cmp(ai->issuer, bi->issuer)); @@ -33,97 +81,94 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) unsigned long X509_issuer_and_serial_hash(X509 *a) { unsigned long ret = 0; - EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + EVP_MD_CTX ctx; unsigned char md[16]; char *f; - if (ctx == NULL) + EVP_MD_CTX_init(&ctx); + f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0); + if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) goto err; - f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); - if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) - goto err; - if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f))) + if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f))) goto err; OPENSSL_free(f); if (!EVP_DigestUpdate - (ctx, (unsigned char *)a->cert_info.serialNumber.data, - (unsigned long)a->cert_info.serialNumber.length)) + (&ctx, (unsigned char *)a->cert_info->serialNumber->data, + (unsigned long)a->cert_info->serialNumber->length)) goto err; - if (!EVP_DigestFinal_ex(ctx, &(md[0]), NULL)) + if (!EVP_DigestFinal_ex(&ctx, &(md[0]), NULL)) goto err; ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) ) & 0xffffffffL; err: - EVP_MD_CTX_free(ctx); + EVP_MD_CTX_cleanup(&ctx); return (ret); } #endif int X509_issuer_name_cmp(const X509 *a, const X509 *b) { - return (X509_NAME_cmp(a->cert_info.issuer, b->cert_info.issuer)); + return (X509_NAME_cmp(a->cert_info->issuer, b->cert_info->issuer)); } int X509_subject_name_cmp(const X509 *a, const X509 *b) { - return (X509_NAME_cmp(a->cert_info.subject, b->cert_info.subject)); + return (X509_NAME_cmp(a->cert_info->subject, b->cert_info->subject)); } int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) { - return (X509_NAME_cmp(a->crl.issuer, b->crl.issuer)); + return (X509_NAME_cmp(a->crl->issuer, b->crl->issuer)); } +#ifndef OPENSSL_NO_SHA int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) { return memcmp(a->sha1_hash, b->sha1_hash, 20); } +#endif -X509_NAME *X509_get_issuer_name(const X509 *a) +X509_NAME *X509_get_issuer_name(X509 *a) { - return (a->cert_info.issuer); + return (a->cert_info->issuer); } unsigned long X509_issuer_name_hash(X509 *x) { - return (X509_NAME_hash(x->cert_info.issuer)); + return (X509_NAME_hash(x->cert_info->issuer)); } #ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_name_hash_old(X509 *x) { - return (X509_NAME_hash_old(x->cert_info.issuer)); + return (X509_NAME_hash_old(x->cert_info->issuer)); } #endif -X509_NAME *X509_get_subject_name(const X509 *a) +X509_NAME *X509_get_subject_name(X509 *a) { - return (a->cert_info.subject); + return (a->cert_info->subject); } ASN1_INTEGER *X509_get_serialNumber(X509 *a) { - return &a->cert_info.serialNumber; -} - -const ASN1_INTEGER *X509_get0_serialNumber(const X509 *a) -{ - return &a->cert_info.serialNumber; + return (a->cert_info->serialNumber); } unsigned long X509_subject_name_hash(X509 *x) { - return (X509_NAME_hash(x->cert_info.subject)); + return (X509_NAME_hash(x->cert_info->subject)); } #ifndef OPENSSL_NO_MD5 unsigned long X509_subject_name_hash_old(X509 *x) { - return (X509_NAME_hash_old(x->cert_info.subject)); + return (X509_NAME_hash_old(x->cert_info->subject)); } #endif +#ifndef OPENSSL_NO_SHA /* * Compare two certificates: they must be identical for this to work. NB: * Although "cmp" operations are generally prototyped to take "const" @@ -143,16 +188,16 @@ int X509_cmp(const X509 *a, const X509 *b) if (rv) return rv; /* Check for match against stored encoding too */ - if (!a->cert_info.enc.modified && !b->cert_info.enc.modified) { - if (a->cert_info.enc.len < b->cert_info.enc.len) - return -1; - if (a->cert_info.enc.len > b->cert_info.enc.len) - return 1; - return memcmp(a->cert_info.enc.enc, b->cert_info.enc.enc, - a->cert_info.enc.len); + if (!a->cert_info->enc.modified && !b->cert_info->enc.modified) { + rv = (int)(a->cert_info->enc.len - b->cert_info->enc.len); + if (rv) + return rv; + return memcmp(a->cert_info->enc.enc, b->cert_info->enc.enc, + a->cert_info->enc.len); } return rv; } +#endif int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { @@ -206,23 +251,21 @@ unsigned long X509_NAME_hash(X509_NAME *x) unsigned long X509_NAME_hash_old(X509_NAME *x) { - EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); + EVP_MD_CTX md_ctx; unsigned long ret = 0; unsigned char md[16]; - if (md_ctx == NULL) - return ret; - /* Make sure X509_NAME structure contains valid cached encoding */ i2d_X509_NAME(x, NULL); - EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - if (EVP_DigestInit_ex(md_ctx, EVP_md5(), NULL) - && EVP_DigestUpdate(md_ctx, x->bytes->data, x->bytes->length) - && EVP_DigestFinal_ex(md_ctx, md, NULL)) + EVP_MD_CTX_init(&md_ctx); + EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL) + && EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length) + && EVP_DigestFinal_ex(&md_ctx, md, NULL)) ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) ) & 0xffffffffL; - EVP_MD_CTX_free(md_ctx); + EVP_MD_CTX_cleanup(&md_ctx); return (ret); } @@ -233,13 +276,15 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, ASN1_INTEGER *serial) { int i; + X509_CINF cinf; X509 x, *x509 = NULL; if (!sk) return NULL; - x.cert_info.serialNumber = *serial; - x.cert_info.issuer = name; + x.cert_info = &cinf; + cinf.serialNumber = serial; + cinf.issuer = name; for (i = 0; i < sk_X509_num(sk); i++) { x509 = sk_X509_value(sk, i); @@ -262,26 +307,26 @@ X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name) return (NULL); } -EVP_PKEY *X509_get0_pubkey(const X509 *x) +EVP_PKEY *X509_get_pubkey(X509 *x) { - if (x == NULL) - return NULL; - return X509_PUBKEY_get0(x->cert_info.key); + if ((x == NULL) || (x->cert_info == NULL)) + return (NULL); + return (X509_PUBKEY_get(x->cert_info->key)); } -EVP_PKEY *X509_get_pubkey(X509 *x) +ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) { - if (x == NULL) + if (!x) return NULL; - return X509_PUBKEY_get(x->cert_info.key); + return x->cert_info->key->public_key; } -int X509_check_private_key(const X509 *x, const EVP_PKEY *k) +int X509_check_private_key(X509 *x, EVP_PKEY *k) { - const EVP_PKEY *xk; + EVP_PKEY *xk; int ret; - xk = X509_get0_pubkey(x); + xk = X509_get_pubkey(x); if (xk) ret = EVP_PKEY_cmp(xk, k); @@ -300,6 +345,8 @@ int X509_check_private_key(const X509 *x, const EVP_PKEY *k) case -2: X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_UNKNOWN_KEY_TYPE); } + if (xk) + EVP_PKEY_free(xk); if (ret > 0) return 1; return 0; @@ -317,8 +364,8 @@ static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags) { const EC_GROUP *grp = NULL; int curve_nid; - if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_EC) - grp = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey)); + if (pkey && pkey->type == EVP_PKEY_EC) + grp = EC_KEY_get0_group(pkey->pkey.ec); if (!grp) return X509_V_ERR_SUITE_B_INVALID_ALGORITHM; curve_nid = EC_GROUP_get_curve_name(grp); @@ -348,12 +395,11 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain, unsigned long flags) { int rv, i, sign_nid; - EVP_PKEY *pk; - unsigned long tflags = flags; - + EVP_PKEY *pk = NULL; + unsigned long tflags; if (!(flags & X509_V_FLAG_SUITEB_128_LOS)) return X509_V_OK; - + tflags = flags; /* If no EE certificate passed in must be first in chain */ if (x == NULL) { x = sk_X509_value(chain, 0); @@ -361,17 +407,6 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain, } else i = 0; - pk = X509_get0_pubkey(x); - - /* - * With DANE-EE(3) success, or DANE-EE(3)/PKIX-EE(1) failure we don't build - * a chain all, just report trust success or failure, but must also report - * Suite-B errors if applicable. This is indicated via a NULL chain - * pointer. All we need to do is check the leaf key algorithm. - */ - if (chain == NULL) - return check_suite_b(pk, -1, &tflags); - if (X509_get_version(x) != 2) { rv = X509_V_ERR_SUITE_B_INVALID_VERSION; /* Correct error depth */ @@ -379,6 +414,7 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain, goto end; } + pk = X509_get_pubkey(x); /* Check EE key only */ rv = check_suite_b(pk, -1, &tflags); if (rv != X509_V_OK) { @@ -393,7 +429,8 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain, rv = X509_V_ERR_SUITE_B_INVALID_VERSION; goto end; } - pk = X509_get0_pubkey(x); + EVP_PKEY_free(pk); + pk = X509_get_pubkey(x); rv = check_suite_b(pk, sign_nid, &tflags); if (rv != X509_V_OK) goto end; @@ -402,6 +439,8 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain, /* Final check: root CA signature */ rv = check_suite_b(pk, X509_get_signature_nid(x), &tflags); end: + if (pk) + EVP_PKEY_free(pk); if (rv != X509_V_OK) { /* Invalid signature or LOS errors are for previous cert */ if ((rv == X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM @@ -409,7 +448,7 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain, i--; /* * If we have LOS error and flags changed then we are signing P-384 - * with P-256. Use more meaningful error. + * with P-256. Use more meaninggul error. */ if (rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED && flags != tflags) rv = X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256; @@ -424,7 +463,7 @@ int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags) int sign_nid; if (!(flags & X509_V_FLAG_SUITEB_128_LOS)) return X509_V_OK; - sign_nid = OBJ_obj2nid(crl->crl.sig_alg.algorithm); + sign_nid = OBJ_obj2nid(crl->crl->sig_alg->algorithm); return check_suite_b(pk, sign_nid, &flags); } @@ -453,7 +492,7 @@ STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain) ret = sk_X509_dup(chain); for (i = 0; i < sk_X509_num(ret); i++) { X509 *x = sk_X509_value(ret, i); - X509_up_ref(x); + CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); } return ret; } diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_d2.c b/Cryptlib/OpenSSL/crypto/x509/x509_d2.c index cb03dbfa..50ca2a6d 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_d2.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_d2.c @@ -1,17 +1,67 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_d2.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/crypto.h> #include <openssl/x509.h> +#ifndef OPENSSL_NO_STDIO int X509_STORE_set_default_paths(X509_STORE *ctx) { X509_LOOKUP *lookup; @@ -55,3 +105,5 @@ int X509_STORE_load_locations(X509_STORE *ctx, const char *file, return (0); return (1); } + +#endif diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_def.c b/Cryptlib/OpenSSL/crypto/x509/x509_def.c index d11358e3..25c55375 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_def.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_def.c @@ -1,14 +1,63 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_def.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/crypto.h> #include <openssl/x509.h> diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_err.c b/Cryptlib/OpenSSL/crypto/x509/x509_err.c index 3f4b8ef0..a2a8e1b0 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_err.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_err.c @@ -1,11 +1,62 @@ -/* - * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_err.c */ +/* ==================================================================== + * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/* + * NOTE: this file was auto generated by the mkerr.pl script: any changes + * made to it will be overwritten when the script next updates this file, + * only reason strings will be preserved. */ #include <stdio.h> @@ -19,14 +70,12 @@ # define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason) static ERR_STRING_DATA X509_str_functs[] = { - {ERR_FUNC(X509_F_ADD_CERT_DIR), "add_cert_dir"}, - {ERR_FUNC(X509_F_BUILD_CHAIN), "build_chain"}, - {ERR_FUNC(X509_F_BY_FILE_CTRL), "by_file_ctrl"}, - {ERR_FUNC(X509_F_CHECK_NAME_CONSTRAINTS), "check_name_constraints"}, - {ERR_FUNC(X509_F_CHECK_POLICY), "check_policy"}, - {ERR_FUNC(X509_F_DANE_I2D), "dane_i2d"}, - {ERR_FUNC(X509_F_DIR_CTRL), "dir_ctrl"}, - {ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "get_cert_by_subject"}, + {ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"}, + {ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"}, + {ERR_FUNC(X509_F_CHECK_NAME_CONSTRAINTS), "CHECK_NAME_CONSTRAINTS"}, + {ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"}, + {ERR_FUNC(X509_F_DIR_CTRL), "DIR_CTRL"}, + {ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "GET_CERT_BY_SUBJECT"}, {ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE), "NETSCAPE_SPKI_b64_decode"}, {ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE), "NETSCAPE_SPKI_b64_encode"}, {ERR_FUNC(X509_F_X509AT_ADD1_ATTR), "X509at_add1_attr"}, @@ -60,10 +109,8 @@ static ERR_STRING_DATA X509_str_functs[] = { "X509_NAME_ENTRY_set_object"}, {ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"}, {ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"}, - {ERR_FUNC(X509_F_X509_OBJECT_NEW), "X509_OBJECT_new"}, {ERR_FUNC(X509_F_X509_PRINT_EX_FP), "X509_print_ex_fp"}, - {ERR_FUNC(X509_F_X509_PUBKEY_DECODE), "x509_pubkey_decode"}, - {ERR_FUNC(X509_F_X509_PUBKEY_GET0), "X509_PUBKEY_get0"}, + {ERR_FUNC(X509_F_X509_PUBKEY_GET), "X509_PUBKEY_get"}, {ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"}, {ERR_FUNC(X509_F_X509_REQ_CHECK_PRIVATE_KEY), "X509_REQ_check_private_key"}, @@ -87,7 +134,6 @@ static ERR_STRING_DATA X509_str_functs[] = { static ERR_STRING_DATA X509_str_reasons[] = { {ERR_REASON(X509_R_AKID_MISMATCH), "akid mismatch"}, - {ERR_REASON(X509_R_BAD_SELECTOR), "bad selector"}, {ERR_REASON(X509_R_BAD_X509_FILETYPE), "bad x509 filetype"}, {ERR_REASON(X509_R_BASE64_DECODE_ERROR), "base64 decode error"}, {ERR_REASON(X509_R_CANT_CHECK_DH_KEY), "cant check dh key"}, @@ -95,6 +141,7 @@ static ERR_STRING_DATA X509_str_reasons[] = { "cert already in hash table"}, {ERR_REASON(X509_R_CRL_ALREADY_DELTA), "crl already delta"}, {ERR_REASON(X509_R_CRL_VERIFY_FAILURE), "crl verify failure"}, + {ERR_REASON(X509_R_ERR_ASN1_LIB), "err asn1 lib"}, {ERR_REASON(X509_R_IDP_MISMATCH), "idp mismatch"}, {ERR_REASON(X509_R_INVALID_DIRECTORY), "invalid directory"}, {ERR_REASON(X509_R_INVALID_FIELD_NAME), "invalid field name"}, @@ -129,7 +176,7 @@ static ERR_STRING_DATA X509_str_reasons[] = { #endif -int ERR_load_X509_strings(void) +void ERR_load_X509_strings(void) { #ifndef OPENSSL_NO_ERR @@ -138,5 +185,4 @@ int ERR_load_X509_strings(void) ERR_load_strings(0, X509_str_reasons); } #endif - return 1; } diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_ext.c b/Cryptlib/OpenSSL/crypto/x509/x509_ext.c index 3bbb0a6b..fb4e311d 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_ext.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_ext.c @@ -1,139 +1,186 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_ext.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> #include <openssl/stack.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/asn1.h> #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> -#include "internal/x509_int.h" #include <openssl/x509v3.h> -int X509_CRL_get_ext_count(const X509_CRL *x) +int X509_CRL_get_ext_count(X509_CRL *x) { - return (X509v3_get_ext_count(x->crl.extensions)); + return (X509v3_get_ext_count(x->crl->extensions)); } -int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos) +int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos) { - return (X509v3_get_ext_by_NID(x->crl.extensions, nid, lastpos)); + return (X509v3_get_ext_by_NID(x->crl->extensions, nid, lastpos)); } -int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj, - int lastpos) +int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos) { - return (X509v3_get_ext_by_OBJ(x->crl.extensions, obj, lastpos)); + return (X509v3_get_ext_by_OBJ(x->crl->extensions, obj, lastpos)); } -int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos) +int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos) { - return (X509v3_get_ext_by_critical(x->crl.extensions, crit, lastpos)); + return (X509v3_get_ext_by_critical(x->crl->extensions, crit, lastpos)); } -X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc) +X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc) { - return (X509v3_get_ext(x->crl.extensions, loc)); + return (X509v3_get_ext(x->crl->extensions, loc)); } X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc) { - return (X509v3_delete_ext(x->crl.extensions, loc)); + return (X509v3_delete_ext(x->crl->extensions, loc)); } -void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx) +void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx) { - return X509V3_get_d2i(x->crl.extensions, nid, crit, idx); + return X509V3_get_d2i(x->crl->extensions, nid, crit, idx); } int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit, unsigned long flags) { - return X509V3_add1_i2d(&x->crl.extensions, nid, value, crit, flags); + return X509V3_add1_i2d(&x->crl->extensions, nid, value, crit, flags); } int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc) { - return (X509v3_add_ext(&(x->crl.extensions), ex, loc) != NULL); + return (X509v3_add_ext(&(x->crl->extensions), ex, loc) != NULL); } -int X509_get_ext_count(const X509 *x) +int X509_get_ext_count(X509 *x) { - return (X509v3_get_ext_count(x->cert_info.extensions)); + return (X509v3_get_ext_count(x->cert_info->extensions)); } -int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos) +int X509_get_ext_by_NID(X509 *x, int nid, int lastpos) { - return (X509v3_get_ext_by_NID(x->cert_info.extensions, nid, lastpos)); + return (X509v3_get_ext_by_NID(x->cert_info->extensions, nid, lastpos)); } -int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, int lastpos) +int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos) { - return (X509v3_get_ext_by_OBJ(x->cert_info.extensions, obj, lastpos)); + return (X509v3_get_ext_by_OBJ(x->cert_info->extensions, obj, lastpos)); } -int X509_get_ext_by_critical(const X509 *x, int crit, int lastpos) +int X509_get_ext_by_critical(X509 *x, int crit, int lastpos) { return (X509v3_get_ext_by_critical - (x->cert_info.extensions, crit, lastpos)); + (x->cert_info->extensions, crit, lastpos)); } -X509_EXTENSION *X509_get_ext(const X509 *x, int loc) +X509_EXTENSION *X509_get_ext(X509 *x, int loc) { - return (X509v3_get_ext(x->cert_info.extensions, loc)); + return (X509v3_get_ext(x->cert_info->extensions, loc)); } X509_EXTENSION *X509_delete_ext(X509 *x, int loc) { - return (X509v3_delete_ext(x->cert_info.extensions, loc)); + return (X509v3_delete_ext(x->cert_info->extensions, loc)); } int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc) { - return (X509v3_add_ext(&(x->cert_info.extensions), ex, loc) != NULL); + return (X509v3_add_ext(&(x->cert_info->extensions), ex, loc) != NULL); } -void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx) +void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx) { - return X509V3_get_d2i(x->cert_info.extensions, nid, crit, idx); + return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx); } int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, unsigned long flags) { - return X509V3_add1_i2d(&x->cert_info.extensions, nid, value, crit, + return X509V3_add1_i2d(&x->cert_info->extensions, nid, value, crit, flags); } -int X509_REVOKED_get_ext_count(const X509_REVOKED *x) +int X509_REVOKED_get_ext_count(X509_REVOKED *x) { return (X509v3_get_ext_count(x->extensions)); } -int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, int lastpos) +int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos) { return (X509v3_get_ext_by_NID(x->extensions, nid, lastpos)); } -int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj, +int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj, int lastpos) { return (X509v3_get_ext_by_OBJ(x->extensions, obj, lastpos)); } -int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit, int lastpos) +int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos) { return (X509v3_get_ext_by_critical(x->extensions, crit, lastpos)); } -X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc) +X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc) { return (X509v3_get_ext(x->extensions, loc)); } @@ -148,7 +195,7 @@ int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc) return (X509v3_add_ext(&(x->extensions), ex, loc) != NULL); } -void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *x, int nid, int *crit, int *idx) +void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx) { return X509V3_get_d2i(x->extensions, nid, crit, idx); } @@ -158,3 +205,7 @@ int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit, { return X509V3_add1_i2d(&x->extensions, nid, value, crit, flags); } + +IMPLEMENT_STACK_OF(X509_EXTENSION) + +IMPLEMENT_ASN1_SET_OF(X509_EXTENSION) diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_lcl.h b/Cryptlib/OpenSSL/crypto/x509/x509_lcl.h deleted file mode 100644 index 40bd102f..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/x509_lcl.h +++ /dev/null @@ -1,142 +0,0 @@ -/* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * This structure holds all parameters associated with a verify operation by - * including an X509_VERIFY_PARAM structure in related structures the - * parameters used can be customized - */ - -struct X509_VERIFY_PARAM_st { - char *name; - time_t check_time; /* Time to use */ - uint32_t inh_flags; /* Inheritance flags */ - unsigned long flags; /* Various verify flags */ - int purpose; /* purpose to check untrusted certificates */ - int trust; /* trust setting to check */ - int depth; /* Verify depth */ - int auth_level; /* Security level for chain verification */ - STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */ - /* Peer identity details */ - STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */ - unsigned int hostflags; /* Flags to control matching features */ - char *peername; /* Matching hostname in peer certificate */ - char *email; /* If not NULL email address to match */ - size_t emaillen; - unsigned char *ip; /* If not NULL IP address to match */ - size_t iplen; /* Length of IP address */ -}; - -/* No error callback if depth < 0 */ -int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth); - -/* a sequence of these are used */ -struct x509_attributes_st { - ASN1_OBJECT *object; - STACK_OF(ASN1_TYPE) *set; -}; - -struct X509_extension_st { - ASN1_OBJECT *object; - ASN1_BOOLEAN critical; - ASN1_OCTET_STRING value; -}; - -/* - * Method to handle CRL access. In general a CRL could be very large (several - * Mb) and can consume large amounts of resources if stored in memory by - * multiple processes. This method allows general CRL operations to be - * redirected to more efficient callbacks: for example a CRL entry database. - */ - -#define X509_CRL_METHOD_DYNAMIC 1 - -struct x509_crl_method_st { - int flags; - int (*crl_init) (X509_CRL *crl); - int (*crl_free) (X509_CRL *crl); - int (*crl_lookup) (X509_CRL *crl, X509_REVOKED **ret, - ASN1_INTEGER *ser, X509_NAME *issuer); - int (*crl_verify) (X509_CRL *crl, EVP_PKEY *pk); -}; - -struct x509_lookup_method_st { - const char *name; - int (*new_item) (X509_LOOKUP *ctx); - void (*free) (X509_LOOKUP *ctx); - int (*init) (X509_LOOKUP *ctx); - int (*shutdown) (X509_LOOKUP *ctx); - int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl, - char **ret); - int (*get_by_subject) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - X509_NAME *name, X509_OBJECT *ret); - int (*get_by_issuer_serial) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - X509_NAME *name, ASN1_INTEGER *serial, - X509_OBJECT *ret); - int (*get_by_fingerprint) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - const unsigned char *bytes, int len, - X509_OBJECT *ret); - int (*get_by_alias) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - const char *str, int len, X509_OBJECT *ret); -}; - -/* This is the functions plus an instance of the local variables. */ -struct x509_lookup_st { - int init; /* have we been started */ - int skip; /* don't use us. */ - X509_LOOKUP_METHOD *method; /* the functions */ - char *method_data; /* method data */ - X509_STORE *store_ctx; /* who owns us */ -}; - -/* - * This is used to hold everything. It is used for all certificate - * validation. Once we have a certificate chain, the 'verify' function is - * then called to actually check the cert chain. - */ -struct x509_store_st { - /* The following is a cache of trusted certs */ - int cache; /* if true, stash any hits */ - STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */ - /* These are external lookup methods */ - STACK_OF(X509_LOOKUP) *get_cert_methods; - X509_VERIFY_PARAM *param; - /* Callbacks for various operations */ - /* called to verify a certificate */ - int (*verify) (X509_STORE_CTX *ctx); - /* error callback */ - int (*verify_cb) (int ok, X509_STORE_CTX *ctx); - /* get issuers cert from ctx */ - int (*get_issuer) (X509 **issuer, X509_STORE_CTX *ctx, X509 *x); - /* check issued */ - int (*check_issued) (X509_STORE_CTX *ctx, X509 *x, X509 *issuer); - /* Check revocation status of chain */ - int (*check_revocation) (X509_STORE_CTX *ctx); - /* retrieve CRL */ - int (*get_crl) (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); - /* Check CRL validity */ - int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl); - /* Check certificate against CRL */ - int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); - /* Check policy status of the chain */ - int (*check_policy) (X509_STORE_CTX *ctx); - STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm); - STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm); - int (*cleanup) (X509_STORE_CTX *ctx); - CRYPTO_EX_DATA ex_data; - int references; - CRYPTO_RWLOCK *lock; -}; - -typedef struct lookup_dir_hashes_st BY_DIR_HASH; -typedef struct lookup_dir_entry_st BY_DIR_ENTRY; -DEFINE_STACK_OF(BY_DIR_HASH) -DEFINE_STACK_OF(BY_DIR_ENTRY) -typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; -DEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY) diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_lu.c b/Cryptlib/OpenSSL/crypto/x509/x509_lu.c index 952cbfb3..50120a4d 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_lu.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_lu.c @@ -1,29 +1,80 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_lu.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/lhash.h> #include <openssl/x509.h> -#include "internal/x509_int.h" #include <openssl/x509v3.h> -#include "x509_lcl.h" X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) { X509_LOOKUP *ret; - ret = OPENSSL_zalloc(sizeof(*ret)); + ret = (X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP)); if (ret == NULL) return NULL; + ret->init = 0; + ret->skip = 0; ret->method = method; + ret->method_data = NULL; + ret->store_ctx = NULL; if ((method->new_item != NULL) && !method->new_item(ret)) { OPENSSL_free(ret); return NULL; @@ -40,16 +91,6 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx) OPENSSL_free(ctx); } -int X509_STORE_lock(X509_STORE *s) -{ - return CRYPTO_THREAD_write_lock(s->lock); -} - -int X509_STORE_unlock(X509_STORE *s) -{ - return CRYPTO_THREAD_unlock(s->lock); -} - int X509_LOOKUP_init(X509_LOOKUP *ctx) { if (ctx->method == NULL) @@ -81,39 +122,38 @@ int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, return 1; } -int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - X509_NAME *name, X509_OBJECT *ret) +int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, + X509_OBJECT *ret) { if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL)) - return 0; + return X509_LU_FAIL; if (ctx->skip) return 0; return ctx->method->get_by_subject(ctx, type, name, ret); } -int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - X509_NAME *name, ASN1_INTEGER *serial, - X509_OBJECT *ret) +int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name, + ASN1_INTEGER *serial, X509_OBJECT *ret) { if ((ctx->method == NULL) || (ctx->method->get_by_issuer_serial == NULL)) - return 0; + return X509_LU_FAIL; return ctx->method->get_by_issuer_serial(ctx, type, name, serial, ret); } -int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - const unsigned char *bytes, int len, +int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, + unsigned char *bytes, int len, X509_OBJECT *ret) { if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL)) - return 0; + return X509_LU_FAIL; return ctx->method->get_by_fingerprint(ctx, type, bytes, len, ret); } -int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, - const char *str, int len, X509_OBJECT *ret) +int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len, + X509_OBJECT *ret) { if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL)) - return 0; + return X509_LU_FAIL; return ctx->method->get_by_alias(ctx, type, str, len, ret); } @@ -143,33 +183,35 @@ X509_STORE *X509_STORE_new(void) { X509_STORE *ret; - if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) + if ((ret = (X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL) return NULL; - if ((ret->objs = sk_X509_OBJECT_new(x509_object_cmp)) == NULL) - goto err; + ret->objs = sk_X509_OBJECT_new(x509_object_cmp); ret->cache = 1; - if ((ret->get_cert_methods = sk_X509_LOOKUP_new_null()) == NULL) - goto err; + ret->get_cert_methods = sk_X509_LOOKUP_new_null(); + ret->verify = 0; + ret->verify_cb = 0; if ((ret->param = X509_VERIFY_PARAM_new()) == NULL) - goto err; - - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) - goto err; + return NULL; - ret->lock = CRYPTO_THREAD_lock_new(); - if (ret->lock == NULL) - goto err; + ret->get_issuer = 0; + ret->check_issued = 0; + ret->check_revocation = 0; + ret->get_crl = 0; + ret->check_crl = 0; + ret->cert_crl = 0; + ret->lookup_certs = 0; + ret->lookup_crls = 0; + ret->cleanup = 0; + + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) { + sk_X509_OBJECT_free(ret->objs); + OPENSSL_free(ret); + return NULL; + } ret->references = 1; return ret; - -err: - X509_VERIFY_PARAM_free(ret->param); - sk_X509_OBJECT_free(ret->objs); - sk_X509_LOOKUP_free(ret->get_cert_methods); - OPENSSL_free(ret); - return NULL; } static void cleanup(X509_OBJECT *a) @@ -196,11 +238,18 @@ void X509_STORE_free(X509_STORE *vfy) if (vfy == NULL) return; - CRYPTO_atomic_add(&vfy->references, -1, &i, vfy->lock); - REF_PRINT_COUNT("X509_STORE", vfy); + i = CRYPTO_add(&vfy->references, -1, CRYPTO_LOCK_X509_STORE); +#ifdef REF_PRINT + REF_PRINT("X509_STORE", vfy); +#endif if (i > 0) return; - REF_ASSERT_ISNT(i < 0); +#ifdef REF_CHECK + if (i < 0) { + fprintf(stderr, "X509_STORE_free, bad reference count\n"); + abort(); /* ok */ + } +#endif sk = vfy->get_cert_methods; for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) { @@ -212,23 +261,11 @@ void X509_STORE_free(X509_STORE *vfy) sk_X509_OBJECT_pop_free(vfy->objs, cleanup); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data); - X509_VERIFY_PARAM_free(vfy->param); - CRYPTO_THREAD_lock_free(vfy->lock); + if (vfy->param) + X509_VERIFY_PARAM_free(vfy->param); OPENSSL_free(vfy); } -int X509_STORE_up_ref(X509_STORE *vfy) -{ - int i; - - if (CRYPTO_atomic_add(&vfy->references, 1, &i, vfy->lock) <= 0) - return 0; - - REF_PRINT_COUNT("X509_STORE", a); - REF_ASSERT_ISNT(i < 2); - return ((i > 1) ? 1 : 0); -} - X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) { int i; @@ -257,46 +294,39 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) } } -X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, - X509_LOOKUP_TYPE type, - X509_NAME *name) -{ - X509_OBJECT *ret = X509_OBJECT_new(); - - if (ret == NULL) - return NULL; - if (!X509_STORE_CTX_get_by_subject(vs, type, name, ret)) { - X509_OBJECT_free(ret); - return NULL; - } - return ret; -} - -int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, - X509_NAME *name, X509_OBJECT *ret) +int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, + X509_OBJECT *ret) { X509_STORE *ctx = vs->ctx; X509_LOOKUP *lu; X509_OBJECT stmp, *tmp; int i, j; - CRYPTO_THREAD_write_lock(ctx->lock); + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); - CRYPTO_THREAD_unlock(ctx->lock); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); if (tmp == NULL || type == X509_LU_CRL) { - for (i = 0; i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) { + for (i = vs->current_method; + i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) { lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i); j = X509_LOOKUP_by_subject(lu, type, name, &stmp); - if (j) { + if (j < 0) { + vs->current_method = j; + return j; + } else if (j) { tmp = &stmp; break; } } + vs->current_method = 0; if (tmp == NULL) return 0; } +/*- if (ret->data.ptr != NULL) + X509_OBJECT_free_contents(ret); */ + ret->type = tmp->type; ret->data.ptr = tmp->data.ptr; @@ -308,34 +338,32 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) { X509_OBJECT *obj; - int ret = 1, added = 1; + int ret = 1; if (x == NULL) return 0; - obj = X509_OBJECT_new(); - if (obj == NULL) + obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); + if (obj == NULL) { + X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE); return 0; + } obj->type = X509_LU_X509; obj->data.x509 = x; - X509_OBJECT_up_ref_count(obj); - CRYPTO_THREAD_write_lock(ctx->lock); + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); + + X509_OBJECT_up_ref_count(obj); if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { + X509_OBJECT_free_contents(obj); + OPENSSL_free(obj); X509err(X509_F_X509_STORE_ADD_CERT, X509_R_CERT_ALREADY_IN_HASH_TABLE); ret = 0; - } else { - added = sk_X509_OBJECT_push(ctx->objs, obj); - ret = added != 0; - } - - CRYPTO_THREAD_unlock(ctx->lock); + } else + sk_X509_OBJECT_push(ctx->objs, obj); - if (!ret) /* obj not pushed */ - X509_OBJECT_free(obj); - if (!added) /* on push failure */ - X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return ret; } @@ -343,89 +371,50 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) { X509_OBJECT *obj; - int ret = 1, added = 1; + int ret = 1; if (x == NULL) return 0; - obj = X509_OBJECT_new(); - if (obj == NULL) + obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); + if (obj == NULL) { + X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE); return 0; + } obj->type = X509_LU_CRL; obj->data.crl = x; - X509_OBJECT_up_ref_count(obj); - CRYPTO_THREAD_write_lock(ctx->lock); + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); + + X509_OBJECT_up_ref_count(obj); if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { + X509_OBJECT_free_contents(obj); + OPENSSL_free(obj); X509err(X509_F_X509_STORE_ADD_CRL, X509_R_CERT_ALREADY_IN_HASH_TABLE); ret = 0; - } else { - added = sk_X509_OBJECT_push(ctx->objs, obj); - ret = added != 0; - } + } else + sk_X509_OBJECT_push(ctx->objs, obj); - CRYPTO_THREAD_unlock(ctx->lock); - - if (!ret) /* obj not pushed */ - X509_OBJECT_free(obj); - if (!added) /* on push failure */ - X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return ret; } -int X509_OBJECT_up_ref_count(X509_OBJECT *a) +void X509_OBJECT_up_ref_count(X509_OBJECT *a) { switch (a->type) { - default: - break; case X509_LU_X509: - return X509_up_ref(a->data.x509); + CRYPTO_add(&a->data.x509->references, 1, CRYPTO_LOCK_X509); + break; case X509_LU_CRL: - return X509_CRL_up_ref(a->data.crl); - } - return 1; -} - -X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a) -{ - if (a == NULL || a->type != X509_LU_X509) - return NULL; - return a->data.x509; -} - -X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a) -{ - if (a == NULL || a->type != X509_LU_CRL) - return NULL; - return a->data.crl; -} - -X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a) -{ - return a->type; -} - -X509_OBJECT *X509_OBJECT_new() -{ - X509_OBJECT *ret = OPENSSL_zalloc(sizeof(*ret)); - - if (ret == NULL) { - X509err(X509_F_X509_OBJECT_NEW, ERR_R_MALLOC_FAILURE); - return NULL; + CRYPTO_add(&a->data.crl->references, 1, CRYPTO_LOCK_X509_CRL); + break; } - ret->type = X509_LU_NONE; - return ret; } - -void X509_OBJECT_free(X509_OBJECT *a) +void X509_OBJECT_free_contents(X509_OBJECT *a) { - if (a == NULL) - return; switch (a->type) { - default: - break; case X509_LU_X509: X509_free(a->data.x509); break; @@ -433,26 +422,29 @@ void X509_OBJECT_free(X509_OBJECT *a) X509_CRL_free(a->data.crl); break; } - OPENSSL_free(a); } -static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, +static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name, int *pnmatch) { X509_OBJECT stmp; X509 x509_s; + X509_CINF cinf_s; X509_CRL crl_s; + X509_CRL_INFO crl_info_s; int idx; stmp.type = type; switch (type) { case X509_LU_X509: stmp.data.x509 = &x509_s; - x509_s.cert_info.subject = name; + x509_s.cert_info = &cinf_s; + cinf_s.subject = name; break; case X509_LU_CRL: stmp.data.crl = &crl_s; - crl_s.crl.issuer = name; + crl_s.crl = &crl_info_s; + crl_info_s.issuer = name; break; default: /* abort(); */ @@ -475,15 +467,14 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, return idx; } -int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, +int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name) { return x509_object_idx_cnt(h, type, name, NULL); } X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, - X509_LOOKUP_TYPE type, - X509_NAME *name) + int type, X509_NAME *name) { int idx; idx = X509_OBJECT_idx_by_subject(h, type, name); @@ -492,78 +483,73 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, return sk_X509_OBJECT_value(h, idx); } -STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v) -{ - return v->objs; -} - -STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) +STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) { int i, idx, cnt; - STACK_OF(X509) *sk = NULL; + STACK_OF(X509) *sk; X509 *x; X509_OBJECT *obj; - - CRYPTO_THREAD_write_lock(ctx->ctx->lock); + sk = sk_X509_new_null(); + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); if (idx < 0) { /* * Nothing found in cache: do lookup to possibly add new objects to * cache */ - X509_OBJECT *xobj = X509_OBJECT_new(); - - CRYPTO_THREAD_unlock(ctx->ctx->lock); - if (xobj == NULL) - return NULL; - if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, xobj)) { - X509_OBJECT_free(xobj); + X509_OBJECT xobj; + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) { + sk_X509_free(sk); return NULL; } - X509_OBJECT_free(xobj); - CRYPTO_THREAD_write_lock(ctx->ctx->lock); + X509_OBJECT_free_contents(&xobj); + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); if (idx < 0) { - CRYPTO_THREAD_unlock(ctx->ctx->lock); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + sk_X509_free(sk); return NULL; } } - - sk = sk_X509_new_null(); for (i = 0; i < cnt; i++, idx++) { obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); x = obj->data.x509; - X509_up_ref(x); + CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); if (!sk_X509_push(sk, x)) { - CRYPTO_THREAD_unlock(ctx->ctx->lock); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); X509_free(x); sk_X509_pop_free(sk, X509_free); return NULL; } } - CRYPTO_THREAD_unlock(ctx->ctx->lock); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return sk; + } -STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) +STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) { int i, idx, cnt; - STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null(); + STACK_OF(X509_CRL) *sk; X509_CRL *x; - X509_OBJECT *obj, *xobj = X509_OBJECT_new(); - - /* Always do lookup to possibly add new CRLs to cache */ - if (sk == NULL || xobj == NULL || - !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) { - X509_OBJECT_free(xobj); + X509_OBJECT *obj, xobj; + sk = sk_X509_CRL_new_null(); + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); + + /* + * Always do lookup to possibly add new CRLs to cache + */ + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) { sk_X509_CRL_free(sk); return NULL; } - X509_OBJECT_free(xobj); - CRYPTO_THREAD_write_lock(ctx->ctx->lock); + X509_OBJECT_free_contents(&xobj); + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt); if (idx < 0) { - CRYPTO_THREAD_unlock(ctx->ctx->lock); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); sk_X509_CRL_free(sk); return NULL; } @@ -571,15 +557,15 @@ STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) for (i = 0; i < cnt; i++, idx++) { obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); x = obj->data.crl; - X509_CRL_up_ref(x); + CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); if (!sk_X509_CRL_push(sk, x)) { - CRYPTO_THREAD_unlock(ctx->ctx->lock); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); X509_CRL_free(x); sk_X509_CRL_pop_free(sk, X509_CRL_free); return NULL; } } - CRYPTO_THREAD_unlock(ctx->ctx->lock); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return sk; } @@ -625,32 +611,32 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { X509_NAME *xn; - X509_OBJECT *obj = X509_OBJECT_new(), *pobj = NULL; + X509_OBJECT obj, *pobj; int i, ok, idx, ret; - - if (obj == NULL) - return -1; - *issuer = NULL; xn = X509_get_issuer_name(x); - ok = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, obj); - if (ok != 1) { - X509_OBJECT_free(obj); + ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj); + if (ok != X509_LU_X509) { + if (ok == X509_LU_RETRY) { + X509_OBJECT_free_contents(&obj); + X509err(X509_F_X509_STORE_CTX_GET1_ISSUER, X509_R_SHOULD_RETRY); + return -1; + } else if (ok != X509_LU_FAIL) { + X509_OBJECT_free_contents(&obj); + /* not good :-(, break anyway */ + return -1; + } return 0; } /* If certificate matches all OK */ - if (ctx->check_issued(ctx, x, obj->data.x509)) { - if (x509_check_cert_time(ctx, obj->data.x509, -1)) { - *issuer = obj->data.x509; - X509_up_ref(*issuer); - X509_OBJECT_free(obj); - return 1; - } + if (ctx->check_issued(ctx, x, obj.data.x509)) { + *issuer = obj.data.x509; + return 1; } - X509_OBJECT_free(obj); + X509_OBJECT_free_contents(&obj); /* Else find index of first cert accepted by 'check_issued' */ ret = 0; - CRYPTO_THREAD_write_lock(ctx->ctx->lock); + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn); if (idx != -1) { /* should be true as we've had at least one * match */ @@ -664,22 +650,13 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) break; if (ctx->check_issued(ctx, x, pobj->data.x509)) { *issuer = pobj->data.x509; + X509_OBJECT_up_ref_count(pobj); ret = 1; - /* - * If times check, exit with match, - * otherwise keep looking. Leave last - * match in issuer so we return nearest - * match if no certificate time is OK. - */ - - if (x509_check_cert_time(ctx, *issuer, -1)) - break; + break; } } } - CRYPTO_THREAD_unlock(ctx->ctx->lock); - if (*issuer) - X509_up_ref(*issuer); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return ret; } @@ -709,153 +686,25 @@ int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) return X509_VERIFY_PARAM_set1(ctx->param, param); } -X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx) -{ - return ctx->param; -} - -void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify) -{ - ctx->verify = verify; -} - -X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx) -{ - return ctx->verify; -} - void X509_STORE_set_verify_cb(X509_STORE *ctx, - X509_STORE_CTX_verify_cb verify_cb) + int (*verify_cb) (int, X509_STORE_CTX *)) { ctx->verify_cb = verify_cb; } -X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx) -{ - return ctx->verify_cb; -} - -void X509_STORE_set_get_issuer(X509_STORE *ctx, - X509_STORE_CTX_get_issuer_fn get_issuer) -{ - ctx->get_issuer = get_issuer; -} - -X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx) -{ - return ctx->get_issuer; -} - -void X509_STORE_set_check_issued(X509_STORE *ctx, - X509_STORE_CTX_check_issued_fn check_issued) -{ - ctx->check_issued = check_issued; -} - -X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx) -{ - return ctx->check_issued; -} - -void X509_STORE_set_check_revocation(X509_STORE *ctx, - X509_STORE_CTX_check_revocation_fn check_revocation) -{ - ctx->check_revocation = check_revocation; -} - -X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE *ctx) -{ - return ctx->check_revocation; -} - -void X509_STORE_set_get_crl(X509_STORE *ctx, - X509_STORE_CTX_get_crl_fn get_crl) -{ - ctx->get_crl = get_crl; -} - -X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx) -{ - return ctx->get_crl; -} - -void X509_STORE_set_check_crl(X509_STORE *ctx, - X509_STORE_CTX_check_crl_fn check_crl) -{ - ctx->check_crl = check_crl; -} - -X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx) -{ - return ctx->check_crl; -} - -void X509_STORE_set_cert_crl(X509_STORE *ctx, - X509_STORE_CTX_cert_crl_fn cert_crl) +void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx, + STACK_OF(X509_CRL) *(*cb) (X509_STORE_CTX + *ctx, + X509_NAME *nm)) { - ctx->cert_crl = cert_crl; -} - -X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx) -{ - return ctx->cert_crl; -} - -void X509_STORE_set_check_policy(X509_STORE *ctx, - X509_STORE_CTX_check_policy_fn check_policy) -{ - ctx->check_policy = check_policy; -} - -X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE *ctx) -{ - return ctx->check_policy; -} - -void X509_STORE_set_lookup_certs(X509_STORE *ctx, - X509_STORE_CTX_lookup_certs_fn lookup_certs) -{ - ctx->lookup_certs = lookup_certs; -} - -X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx) -{ - return ctx->lookup_certs; -} - -void X509_STORE_set_lookup_crls(X509_STORE *ctx, - X509_STORE_CTX_lookup_crls_fn lookup_crls) -{ - ctx->lookup_crls = lookup_crls; -} - -X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx) -{ - return ctx->lookup_crls; -} - -void X509_STORE_set_cleanup(X509_STORE *ctx, - X509_STORE_CTX_cleanup_fn ctx_cleanup) -{ - ctx->cleanup = ctx_cleanup; -} - -X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx) -{ - return ctx->cleanup; -} - -int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data) -{ - return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); -} - -void *X509_STORE_get_ex_data(X509_STORE *ctx, int idx) -{ - return CRYPTO_get_ex_data(&ctx->ex_data, idx); + ctx->lookup_crls = cb; } X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx) { return ctx->ctx; } + +IMPLEMENT_STACK_OF(X509_LOOKUP) + +IMPLEMENT_STACK_OF(X509_OBJECT) diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_obj.c b/Cryptlib/OpenSSL/crypto/x509/x509_obj.c index 55dc778b..0a839f3e 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_obj.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_obj.c @@ -1,30 +1,78 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_obj.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/lhash.h> #include <openssl/objects.h> #include <openssl/x509.h> #include <openssl/buffer.h> -#include "internal/x509_int.h" /* * Limit to ensure we don't overflow: much greater than - * anything encountered in practice. + * anything enountered in practice. */ #define NAME_ONELINE_MAX (1024 * 1024) -char *X509_NAME_oneline(const X509_NAME *a, char *buf, int len) +char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) { - const X509_NAME_ENTRY *ne; + X509_NAME_ENTRY *ne; int i; int n, lold, l, l1, l2, num, j, type; const char *s; @@ -35,7 +83,7 @@ char *X509_NAME_oneline(const X509_NAME *a, char *buf, int len) int gs_doit[4]; char tmp_buf[80]; #ifdef CHARSET_EBCDIC - unsigned char ebcdic_buf[1024]; + char ebcdic_buf[1024]; #endif if (buf == NULL) { diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c b/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c index 3d72787d..2879569e 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c @@ -1,19 +1,67 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_r2x.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/bn.h> #include <openssl/evp.h> #include <openssl/asn1.h> #include <openssl/x509.h> -#include "internal/x509_int.h" #include <openssl/objects.h> #include <openssl/buffer.h> @@ -23,6 +71,7 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) X509_CINF *xi = NULL; X509_NAME *xn; EVP_PKEY *pubkey = NULL; + int res; if ((ret = X509_new()) == NULL) { X509err(X509_F_X509_REQ_TO_X509, ERR_R_MALLOC_FAILURE); @@ -30,10 +79,10 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) } /* duplicate the request */ - xi = &ret->cert_info; + xi = ret->cert_info; - if (sk_X509_ATTRIBUTE_num(r->req_info.attributes) != 0) { - if ((xi->version = ASN1_INTEGER_new()) == NULL) + if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) { + if ((xi->version = M_ASN1_INTEGER_new()) == NULL) goto err; if (!ASN1_INTEGER_set(xi->version, 2)) goto err; @@ -47,21 +96,22 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) if (X509_set_issuer_name(ret, xn) == 0) goto err; - if (X509_gmtime_adj(xi->validity.notBefore, 0) == NULL) + if (X509_gmtime_adj(xi->validity->notBefore, 0) == NULL) goto err; - if (X509_gmtime_adj(xi->validity.notAfter, (long)60 * 60 * 24 * days) == + if (X509_gmtime_adj(xi->validity->notAfter, (long)60 * 60 * 24 * days) == NULL) goto err; - pubkey = X509_REQ_get0_pubkey(r); - if (pubkey == NULL || !X509_set_pubkey(ret, pubkey)) - goto err; + pubkey = X509_REQ_get_pubkey(r); + res = X509_set_pubkey(ret, pubkey); + EVP_PKEY_free(pubkey); - if (!X509_sign(ret, pkey, EVP_md5())) + if (!res || !X509_sign(ret, pkey, EVP_md5())) goto err; - return ret; - + if (0) { err: - X509_free(ret); - return NULL; + X509_free(ret); + ret = NULL; + } + return (ret); } diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_req.c b/Cryptlib/OpenSSL/crypto/x509/x509_req.c index 7b88dbcd..01795f4b 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_req.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_req.c @@ -1,20 +1,68 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_req.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/bn.h> #include <openssl/evp.h> #include <openssl/asn1.h> #include <openssl/asn1t.h> #include <openssl/x509.h> -#include "internal/x509_int.h" #include <openssl/objects.h> #include <openssl/buffer.h> #include <openssl/pem.h> @@ -32,10 +80,10 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) goto err; } - ri = &ret->req_info; + ri = ret->req_info; ri->version->length = 1; - ri->version->data = OPENSSL_malloc(1); + ri->version->data = (unsigned char *)OPENSSL_malloc(1); if (ri->version->data == NULL) goto err; ri->version->data[0] = 0; /* version == 0 */ @@ -43,10 +91,11 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x))) goto err; - pktmp = X509_get0_pubkey(x); + pktmp = X509_get_pubkey(x); if (pktmp == NULL) goto err; i = X509_REQ_set_pubkey(ret, pktmp); + EVP_PKEY_free(pktmp); if (!i) goto err; @@ -62,21 +111,9 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) { - if (req == NULL) + if ((req == NULL) || (req->req_info == NULL)) return (NULL); - return (X509_PUBKEY_get(req->req_info.pubkey)); -} - -EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req) -{ - if (req == NULL) - return NULL; - return (X509_PUBKEY_get0(req->req_info.pubkey)); -} - -X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *req) -{ - return req->req_info.pubkey; + return (X509_PUBKEY_get(req->req_info->pubkey)); } int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) @@ -98,13 +135,13 @@ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) break; case -2: #ifndef OPENSSL_NO_EC - if (EVP_PKEY_id(k) == EVP_PKEY_EC) { + if (k->type == EVP_PKEY_EC) { X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB); break; } #endif #ifndef OPENSSL_NO_DH - if (EVP_PKEY_id(k) == EVP_PKEY_DH) { + if (k->type == EVP_PKEY_DH) { /* No idea */ X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, X509_R_CANT_CHECK_DH_KEY); @@ -157,14 +194,17 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) int idx, *pnid; const unsigned char *p; - if ((req == NULL) || !ext_nids) + if ((req == NULL) || (req->req_info == NULL) || !ext_nids) return (NULL); for (pnid = ext_nids; *pnid != NID_undef; pnid++) { idx = X509_REQ_get_attr_by_NID(req, *pnid, -1); if (idx == -1) continue; attr = X509_REQ_get_attr(req, idx); - ext = X509_ATTRIBUTE_get0_type(attr, 0); + if (attr->single) + ext = attr->value.single; + else if (sk_ASN1_TYPE_num(attr->value.set)) + ext = sk_ASN1_TYPE_value(attr->value.set, 0); break; } if (!ext || (ext->type != V_ASN1_SEQUENCE)) @@ -183,17 +223,37 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, int nid) { - int extlen; - int rv = 0; - unsigned char *ext = NULL; + ASN1_TYPE *at = NULL; + X509_ATTRIBUTE *attr = NULL; + if (!(at = ASN1_TYPE_new()) || !(at->value.sequence = ASN1_STRING_new())) + goto err; + + at->type = V_ASN1_SEQUENCE; /* Generate encoding of extensions */ - extlen = ASN1_item_i2d((ASN1_VALUE *)exts, &ext, - ASN1_ITEM_rptr(X509_EXTENSIONS)); - if (extlen <= 0) - return 0; - rv = X509_REQ_add1_attr_by_NID(req, nid, V_ASN1_SEQUENCE, ext, extlen); - OPENSSL_free(ext); - return rv; + at->value.sequence->length = + ASN1_item_i2d((ASN1_VALUE *)exts, + &at->value.sequence->data, + ASN1_ITEM_rptr(X509_EXTENSIONS)); + if (!(attr = X509_ATTRIBUTE_new())) + goto err; + if (!(attr->value.set = sk_ASN1_TYPE_new_null())) + goto err; + if (!sk_ASN1_TYPE_push(attr->value.set, at)) + goto err; + at = NULL; + attr->single = 0; + attr->object = OBJ_nid2obj(nid); + if (!req->req_info->attributes) { + if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null())) + goto err; + } + if (!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) + goto err; + return 1; + err: + X509_ATTRIBUTE_free(attr); + ASN1_TYPE_free(at); + return 0; } /* This is the normal usage: use the "official" OID */ @@ -206,33 +266,33 @@ int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts) int X509_REQ_get_attr_count(const X509_REQ *req) { - return X509at_get_attr_count(req->req_info.attributes); + return X509at_get_attr_count(req->req_info->attributes); } int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos) { - return X509at_get_attr_by_NID(req->req_info.attributes, nid, lastpos); + return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos); } -int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj, +int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj, int lastpos) { - return X509at_get_attr_by_OBJ(req->req_info.attributes, obj, lastpos); + return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos); } X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc) { - return X509at_get_attr(req->req_info.attributes, loc); + return X509at_get_attr(req->req_info->attributes, loc); } X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc) { - return X509at_delete_attr(req->req_info.attributes, loc); + return X509at_delete_attr(req->req_info->attributes, loc); } int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr) { - if (X509at_add1_attr(&req->req_info.attributes, attr)) + if (X509at_add1_attr(&req->req_info->attributes, attr)) return 1; return 0; } @@ -241,7 +301,7 @@ int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, const ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len) { - if (X509at_add1_attr_by_OBJ(&req->req_info.attributes, obj, + if (X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj, type, bytes, len)) return 1; return 0; @@ -251,7 +311,7 @@ int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, int type, const unsigned char *bytes, int len) { - if (X509at_add1_attr_by_NID(&req->req_info.attributes, nid, + if (X509at_add1_attr_by_NID(&req->req_info->attributes, nid, type, bytes, len)) return 1; return 0; @@ -261,38 +321,8 @@ int X509_REQ_add1_attr_by_txt(X509_REQ *req, const char *attrname, int type, const unsigned char *bytes, int len) { - if (X509at_add1_attr_by_txt(&req->req_info.attributes, attrname, + if (X509at_add1_attr_by_txt(&req->req_info->attributes, attrname, type, bytes, len)) return 1; return 0; } - -long X509_REQ_get_version(const X509_REQ *req) -{ - return ASN1_INTEGER_get(req->req_info.version); -} - -X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req) -{ - return req->req_info.subject; -} - -void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig, - const X509_ALGOR **palg) -{ - if (psig != NULL) - *psig = req->signature; - if (palg != NULL) - *palg = &req->sig_alg; -} - -int X509_REQ_get_signature_nid(const X509_REQ *req) -{ - return OBJ_obj2nid(req->sig_alg.algorithm); -} - -int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp) -{ - req->req_info.enc.modified = 1; - return i2d_X509_REQ_INFO(&req->req_info, pp); -} diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_set.c b/Cryptlib/OpenSSL/crypto/x509/x509_set.c index c0ea4188..5b802bd6 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_set.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_set.c @@ -1,34 +1,82 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_set.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/asn1.h> #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> -#include "internal/x509_int.h" int X509_set_version(X509 *x, long version) { if (x == NULL) return (0); if (version == 0) { - ASN1_INTEGER_free(x->cert_info.version); - x->cert_info.version = NULL; + M_ASN1_INTEGER_free(x->cert_info->version); + x->cert_info->version = NULL; return (1); } - if (x->cert_info.version == NULL) { - if ((x->cert_info.version = ASN1_INTEGER_new()) == NULL) + if (x->cert_info->version == NULL) { + if ((x->cert_info->version = M_ASN1_INTEGER_new()) == NULL) return (0); } - return (ASN1_INTEGER_set(x->cert_info.version, version)); + return (ASN1_INTEGER_set(x->cert_info->version, version)); } int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) @@ -36,124 +84,69 @@ int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) ASN1_INTEGER *in; if (x == NULL) - return 0; - in = &x->cert_info.serialNumber; - if (in != serial) - return ASN1_STRING_copy(in, serial); - return 1; + return (0); + in = x->cert_info->serialNumber; + if (in != serial) { + in = M_ASN1_INTEGER_dup(serial); + if (in != NULL) { + M_ASN1_INTEGER_free(x->cert_info->serialNumber); + x->cert_info->serialNumber = in; + } + } + return (in != NULL); } int X509_set_issuer_name(X509 *x, X509_NAME *name) { - if (x == NULL) + if ((x == NULL) || (x->cert_info == NULL)) return (0); - return (X509_NAME_set(&x->cert_info.issuer, name)); + return (X509_NAME_set(&x->cert_info->issuer, name)); } int X509_set_subject_name(X509 *x, X509_NAME *name) { - if (x == NULL) + if ((x == NULL) || (x->cert_info == NULL)) return (0); - return (X509_NAME_set(&x->cert_info.subject, name)); + return (X509_NAME_set(&x->cert_info->subject, name)); } -int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm) +int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) { ASN1_TIME *in; - in = *ptm; + + if ((x == NULL) || (x->cert_info->validity == NULL)) + return (0); + in = x->cert_info->validity->notBefore; if (in != tm) { - in = ASN1_STRING_dup(tm); + in = M_ASN1_TIME_dup(tm); if (in != NULL) { - ASN1_TIME_free(*ptm); - *ptm = in; + M_ASN1_TIME_free(x->cert_info->validity->notBefore); + x->cert_info->validity->notBefore = in; } } return (in != NULL); } -int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm) +int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) { - if (x == NULL) - return 0; - return x509_set1_time(&x->cert_info.validity.notBefore, tm); -} + ASN1_TIME *in; -int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm) -{ - if (x == NULL) - return 0; - return x509_set1_time(&x->cert_info.validity.notAfter, tm); + if ((x == NULL) || (x->cert_info->validity == NULL)) + return (0); + in = x->cert_info->validity->notAfter; + if (in != tm) { + in = M_ASN1_TIME_dup(tm); + if (in != NULL) { + M_ASN1_TIME_free(x->cert_info->validity->notAfter); + x->cert_info->validity->notAfter = in; + } + } + return (in != NULL); } int X509_set_pubkey(X509 *x, EVP_PKEY *pkey) { - if (x == NULL) + if ((x == NULL) || (x->cert_info == NULL)) return (0); - return (X509_PUBKEY_set(&(x->cert_info.key), pkey)); -} - -int X509_up_ref(X509 *x) -{ - int i; - - if (CRYPTO_atomic_add(&x->references, 1, &i, x->lock) <= 0) - return 0; - - REF_PRINT_COUNT("X509", x); - REF_ASSERT_ISNT(i < 2); - return ((i > 1) ? 1 : 0); -} - -long X509_get_version(const X509 *x) -{ - return ASN1_INTEGER_get(x->cert_info.version); -} - -const ASN1_TIME *X509_get0_notBefore(const X509 *x) -{ - return x->cert_info.validity.notBefore; -} - -const ASN1_TIME *X509_get0_notAfter(const X509 *x) -{ - return x->cert_info.validity.notAfter; -} - -ASN1_TIME *X509_getm_notBefore(const X509 *x) -{ - return x->cert_info.validity.notBefore; -} - -ASN1_TIME *X509_getm_notAfter(const X509 *x) -{ - return x->cert_info.validity.notAfter; -} - -int X509_get_signature_type(const X509 *x) -{ - return EVP_PKEY_type(OBJ_obj2nid(x->sig_alg.algorithm)); -} - -X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x) -{ - return x->cert_info.key; -} - -const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x) -{ - return x->cert_info.extensions; -} - -void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid, - const ASN1_BIT_STRING **psuid) -{ - if (piuid != NULL) - *piuid = x->cert_info.issuerUID; - if (psuid != NULL) - *psuid = x->cert_info.subjectUID; -} - -const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x) -{ - return &x->cert_info.signature; + return (X509_PUBKEY_set(&(x->cert_info->key), pkey)); } diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_trs.c b/Cryptlib/OpenSSL/crypto/x509/x509_trs.c index a9bb88d1..11e07634 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_trs.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_trs.c @@ -1,16 +1,65 @@ +/* x509_trs.c */ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 1999. + */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/x509v3.h> -#include "internal/x509_int.h" static int tr_cmp(const X509_TRUST *const *a, const X509_TRUST *const *b); static void trtable_free(X509_TRUST *p); @@ -45,7 +94,9 @@ static X509_TRUST trstandard[] = { {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL} }; -#define X509_TRUST_COUNT OSSL_NELEM(trstandard) +#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST)) + +IMPLEMENT_STACK_OF(X509_TRUST) static STACK_OF(X509_TRUST) *trtable = NULL; @@ -66,11 +117,16 @@ int X509_check_trust(X509 *x, int id, int flags) { X509_TRUST *pt; int idx; - + if (id == -1) + return 1; /* We get this as a default value */ - if (id == X509_TRUST_DEFAULT) - return obj_trust(NID_anyExtendedKeyUsage, x, - flags | X509_TRUST_DO_SS_COMPAT); + if (id == 0) { + int rv; + rv = obj_trust(NID_anyExtendedKeyUsage, x, 0); + if (rv != X509_TRUST_UNTRUSTED) + return rv; + return trust_compat(NULL, x, 0); + } idx = X509_TRUST_get_by_id(id); if (idx == -1) return default_trust(id, x, flags); @@ -120,7 +176,7 @@ int X509_TRUST_set(int *t, int trust) } int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), - const char *name, int arg1, void *arg2) + char *name, int arg1, void *arg2) { int idx; X509_TRUST *trtmp; @@ -134,7 +190,7 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), idx = X509_TRUST_get_by_id(id); /* Need a new entry */ if (idx == -1) { - if ((trtmp = OPENSSL_malloc(sizeof(*trtmp))) == NULL) { + if (!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) { X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); return 0; } @@ -146,9 +202,9 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), if (trtmp->flags & X509_TRUST_DYNAMIC_NAME) OPENSSL_free(trtmp->name); /* dup supplied name */ - if ((trtmp->name = OPENSSL_strdup(name)) == NULL) { + if (!(trtmp->name = BUF_strdup(name))) { X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); - goto err; + return 0; } /* Keep the dynamic flag of existing entry */ trtmp->flags &= X509_TRUST_DYNAMIC; @@ -162,23 +218,16 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), /* If its a new entry manage the dynamic table */ if (idx == -1) { - if (trtable == NULL - && (trtable = sk_X509_TRUST_new(tr_cmp)) == NULL) { + if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); - goto err;; + return 0; } if (!sk_X509_TRUST_push(trtable, trtmp)) { X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); - goto err; + return 0; } } return 1; - err: - if (idx == -1) { - OPENSSL_free(trtmp->name); - OPENSSL_free(trtmp); - } - return 0; } static void trtable_free(X509_TRUST *p) @@ -194,53 +243,50 @@ static void trtable_free(X509_TRUST *p) void X509_TRUST_cleanup(void) { + unsigned int i; + for (i = 0; i < X509_TRUST_COUNT; i++) + trtable_free(trstandard + i); sk_X509_TRUST_pop_free(trtable, trtable_free); trtable = NULL; } -int X509_TRUST_get_flags(const X509_TRUST *xp) +int X509_TRUST_get_flags(X509_TRUST *xp) { return xp->flags; } -char *X509_TRUST_get0_name(const X509_TRUST *xp) +char *X509_TRUST_get0_name(X509_TRUST *xp) { return xp->name; } -int X509_TRUST_get_trust(const X509_TRUST *xp) +int X509_TRUST_get_trust(X509_TRUST *xp) { return xp->trust; } static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) { + if (x->aux && (x->aux->trust || x->aux->reject)) + return obj_trust(trust->arg1, x, flags); /* - * Declare the chain verified if the desired trust OID is not rejected in - * any auxiliary trust info for this certificate, and the OID is either - * expressly trusted, or else either "anyEKU" is trusted, or the - * certificate is self-signed. + * we don't have any trust settings: for compatibility we return trusted + * if it is self signed */ - flags |= X509_TRUST_DO_SS_COMPAT | X509_TRUST_OK_ANY_EKU; - return obj_trust(trust->arg1, x, flags); + return trust_compat(trust, x, flags); } static int trust_1oid(X509_TRUST *trust, X509 *x, int flags) { - /* - * Declare the chain verified only if the desired trust OID is not - * rejected and is expressly trusted. Neither "anyEKU" nor "compat" - * trust in self-signed certificates apply. - */ - flags &= ~(X509_TRUST_DO_SS_COMPAT | X509_TRUST_OK_ANY_EKU); - return obj_trust(trust->arg1, x, flags); + if (x->aux) + return obj_trust(trust->arg1, x, flags); + return X509_TRUST_UNTRUSTED; } static int trust_compat(X509_TRUST *trust, X509 *x, int flags) { - /* Call for side-effect of computing hash and caching extensions */ X509_check_purpose(x, -1, 0); - if ((flags & X509_TRUST_NO_SS_COMPAT) == 0 && x->ex_flags & EXFLAG_SS) + if (x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED; else return X509_TRUST_UNTRUSTED; @@ -248,51 +294,25 @@ static int trust_compat(X509_TRUST *trust, X509 *x, int flags) static int obj_trust(int id, X509 *x, int flags) { - X509_CERT_AUX *ax = x->aux; + ASN1_OBJECT *obj; int i; - - if (ax && ax->reject) { + X509_CERT_AUX *ax; + ax = x->aux; + if (!ax) + return X509_TRUST_UNTRUSTED; + if (ax->reject) { for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { - ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->reject, i); - int nid = OBJ_obj2nid(obj); - - if (nid == id || (nid == NID_anyExtendedKeyUsage && - (flags & X509_TRUST_OK_ANY_EKU))) + obj = sk_ASN1_OBJECT_value(ax->reject, i); + if (OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED; } } - - if (ax && ax->trust) { + if (ax->trust) { for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { - ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i); - int nid = OBJ_obj2nid(obj); - - if (nid == id || (nid == NID_anyExtendedKeyUsage && - (flags & X509_TRUST_OK_ANY_EKU))) + obj = sk_ASN1_OBJECT_value(ax->trust, i); + if (OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED; } - /* - * Reject when explicit trust EKU are set and none match. - * - * Returning untrusted is enough for for full chains that end in - * self-signed roots, because when explicit trust is specified it - * suppresses the default blanket trust of self-signed objects. - * - * But for partial chains, this is not enough, because absent a similar - * trust-self-signed policy, non matching EKUs are indistinguishable - * from lack of EKU constraints. - * - * Therefore, failure to match any trusted purpose must trigger an - * explicit reject. - */ - return X509_TRUST_REJECTED; } - - if ((flags & X509_TRUST_DO_SS_COMPAT) == 0) - return X509_TRUST_UNTRUSTED; - - /* - * Not rejected, and there is no list of accepted uses, try compat. - */ - return trust_compat(NULL, x, flags); + return X509_TRUST_UNTRUSTED; } diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_txt.c b/Cryptlib/OpenSSL/crypto/x509/x509_txt.c index 66e5fcd0..35db0955 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_txt.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_txt.c @@ -1,17 +1,66 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_txt.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> #include <time.h> #include <errno.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/lhash.h> #include <openssl/buffer.h> #include <openssl/evp.h> @@ -21,11 +70,11 @@ const char *X509_verify_cert_error_string(long n) { + static char buf[100]; + switch ((int)n) { case X509_V_OK: return ("ok"); - case X509_V_ERR_UNSPECIFIED: - return ("unspecified certificate verification error"); case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: return ("unable to get issuer certificate"); case X509_V_ERR_UNABLE_TO_GET_CRL: @@ -42,10 +91,10 @@ const char *X509_verify_cert_error_string(long n) return ("CRL signature failure"); case X509_V_ERR_CERT_NOT_YET_VALID: return ("certificate is not yet valid"); - case X509_V_ERR_CERT_HAS_EXPIRED: - return ("certificate has expired"); case X509_V_ERR_CRL_NOT_YET_VALID: return ("CRL is not yet valid"); + case X509_V_ERR_CERT_HAS_EXPIRED: + return ("certificate has expired"); case X509_V_ERR_CRL_HAS_EXPIRED: return ("CRL has expired"); case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: @@ -72,14 +121,23 @@ const char *X509_verify_cert_error_string(long n) return ("certificate revoked"); case X509_V_ERR_INVALID_CA: return ("invalid CA certificate"); + case X509_V_ERR_INVALID_NON_CA: + return ("invalid non-CA certificate (has CA markings)"); case X509_V_ERR_PATH_LENGTH_EXCEEDED: return ("path length constraint exceeded"); + case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: + return ("proxy path length constraint exceeded"); + case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: + return + ("proxy certificates not allowed, please set the appropriate flag"); case X509_V_ERR_INVALID_PURPOSE: return ("unsupported certificate purpose"); case X509_V_ERR_CERT_UNTRUSTED: return ("certificate not trusted"); case X509_V_ERR_CERT_REJECTED: return ("certificate rejected"); + case X509_V_ERR_APPLICATION_VERIFICATION: + return ("application verification failure"); case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: return ("subject issuer mismatch"); case X509_V_ERR_AKID_SKID_MISMATCH: @@ -94,17 +152,10 @@ const char *X509_verify_cert_error_string(long n) return ("unhandled critical extension"); case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: return ("key usage does not include CRL signing"); - case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: - return ("unhandled critical CRL extension"); - case X509_V_ERR_INVALID_NON_CA: - return ("invalid non-CA certificate (has CA markings)"); - case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: - return ("proxy path length constraint exceeded"); case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: return ("key usage does not include digital signature"); - case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: - return - ("proxy certificates not allowed, please set the appropriate flag"); + case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: + return ("unhandled critical CRL extension"); case X509_V_ERR_INVALID_EXTENSION: return ("invalid or inconsistent certificate extension"); case X509_V_ERR_INVALID_POLICY_EXTENSION: @@ -117,14 +168,13 @@ const char *X509_verify_cert_error_string(long n) return ("Unsupported extension feature"); case X509_V_ERR_UNNESTED_RESOURCE: return ("RFC 3779 resource not subset of parent's resources"); + case X509_V_ERR_PERMITTED_VIOLATION: return ("permitted subtree violation"); case X509_V_ERR_EXCLUDED_VIOLATION: return ("excluded subtree violation"); case X509_V_ERR_SUBTREE_MINMAX: return ("name constraints minimum and maximum not supported"); - case X509_V_ERR_APPLICATION_VERIFICATION: - return ("application verification failure"); case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: return ("unsupported name constraint type"); case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: @@ -133,8 +183,7 @@ const char *X509_verify_cert_error_string(long n) return ("unsupported or invalid name syntax"); case X509_V_ERR_CRL_PATH_VALIDATION_ERROR: return ("CRL path validation error"); - case X509_V_ERR_PATH_LOOP: - return ("Path Loop"); + case X509_V_ERR_SUITE_B_INVALID_VERSION: return ("Suite B: certificate version invalid"); case X509_V_ERR_SUITE_B_INVALID_ALGORITHM: @@ -147,31 +196,23 @@ const char *X509_verify_cert_error_string(long n) return ("Suite B: curve not allowed for this LOS"); case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: return ("Suite B: cannot sign P-384 with P-256"); + case X509_V_ERR_HOSTNAME_MISMATCH: return ("Hostname mismatch"); case X509_V_ERR_EMAIL_MISMATCH: return ("Email address mismatch"); case X509_V_ERR_IP_ADDRESS_MISMATCH: return ("IP address mismatch"); - case X509_V_ERR_DANE_NO_MATCH: - return ("No matching DANE TLSA records"); - case X509_V_ERR_EE_KEY_TOO_SMALL: - return ("EE certificate key too weak"); - case X509_V_ERR_CA_KEY_TOO_SMALL: - return ("CA certificate key too weak"); - case X509_V_ERR_CA_MD_TOO_WEAK: - return ("CA signature digest algorithm too weak"); + case X509_V_ERR_INVALID_CALL: return ("Invalid certificate verification context"); case X509_V_ERR_STORE_LOOKUP: return ("Issuer certificate lookup error"); - case X509_V_ERR_NO_VALID_SCTS: - return ("Certificate Transparency required, but no valid SCTs found"); case X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION: return ("proxy subject name violation"); default: - /* Printing an error number into a static buffer is not thread-safe */ - return ("unknown certificate verification error"); + BIO_snprintf(buf, sizeof buf, "error number %ld", n); + return (buf); } } diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_v3.c b/Cryptlib/OpenSSL/crypto/x509/x509_v3.c index ad126efe..4a03445a 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_v3.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_v3.c @@ -1,21 +1,69 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_v3.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> #include <openssl/stack.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/asn1.h> #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> #include <openssl/x509v3.h> -#include "x509_lcl.h" int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) { @@ -36,7 +84,7 @@ int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, } int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, - const ASN1_OBJECT *obj, int lastpos) + ASN1_OBJECT *obj, int lastpos) { int n; X509_EXTENSION *ex; @@ -127,8 +175,10 @@ STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, err: X509err(X509_F_X509V3_ADD_EXT, ERR_R_MALLOC_FAILURE); err2: - X509_EXTENSION_free(new_ex); - sk_X509_EXTENSION_free(sk); + if (new_ex != NULL) + X509_EXTENSION_free(new_ex); + if (sk != NULL) + sk_X509_EXTENSION_free(sk); return (NULL); } @@ -151,7 +201,7 @@ X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, } X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, - const ASN1_OBJECT *obj, int crit, + ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data) { X509_EXTENSION *ret; @@ -181,13 +231,13 @@ X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, return (NULL); } -int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj) +int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) { if ((ex == NULL) || (obj == NULL)) return (0); ASN1_OBJECT_free(ex->object); ex->object = OBJ_dup(obj); - return ex->object != NULL; + return (1); } int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) @@ -204,7 +254,7 @@ int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) if (ex == NULL) return (0); - i = ASN1_OCTET_STRING_set(&ex->value, data->data, data->length); + i = M_ASN1_OCTET_STRING_set(ex->value, data->data, data->length); if (!i) return (0); return (1); @@ -221,10 +271,10 @@ ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex) { if (ex == NULL) return (NULL); - return &ex->value; + return (ex->value); } -int X509_EXTENSION_get_critical(const X509_EXTENSION *ex) +int X509_EXTENSION_get_critical(X509_EXTENSION *ex) { if (ex == NULL) return (0); diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c index ebc44240..5bf3f07a 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c @@ -1,18 +1,66 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_vfy.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> #include <time.h> #include <errno.h> -#include <limits.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/crypto.h> #include <openssl/lhash.h> #include <openssl/buffer.h> @@ -21,9 +69,7 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> #include <openssl/objects.h> -#include <internal/dane.h> -#include <internal/x509_int.h> -#include "x509_lcl.h" +#include "vpm_int.h" /* CRL score values */ @@ -63,23 +109,16 @@ #define CRL_SCORE_TIME_DELTA 0x002 -static int build_chain(X509_STORE_CTX *ctx); -static int verify_chain(X509_STORE_CTX *ctx); -static int dane_verify(X509_STORE_CTX *ctx); static int null_callback(int ok, X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); static int check_chain_extensions(X509_STORE_CTX *ctx); static int check_name_constraints(X509_STORE_CTX *ctx); static int check_id(X509_STORE_CTX *ctx); -static int check_trust(X509_STORE_CTX *ctx, int num_untrusted); +static int check_trust(X509_STORE_CTX *ctx); static int check_revocation(X509_STORE_CTX *ctx); static int check_cert(X509_STORE_CTX *ctx); static int check_policy(X509_STORE_CTX *ctx); -static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); -static int check_dane_issuer(X509_STORE_CTX *ctx, int depth); -static int check_key_level(X509_STORE_CTX *ctx, X509 *cert); -static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert); static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, X509_CRL *crl, X509 *x); @@ -98,20 +137,22 @@ static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *crl_path); static int internal_verify(X509_STORE_CTX *ctx); +const char X509_version[] = "X.509" OPENSSL_VERSION_PTEXT; static int null_callback(int ok, X509_STORE_CTX *e) { return ok; } +#if 0 +static int x509_subject_cmp(X509 **a, X509 **b) +{ + return X509_subject_name_cmp(*a, *b); +} +#endif /* Return 1 is a certificate is self signed */ static int cert_self_signed(X509 *x) { - /* - * FIXME: x509v3_cache_extensions() needs to detect more failures and not - * set EXFLAG_SET when that happens. Especially, if the failures are - * parse errors, rather than memory pressure! - */ X509_check_purpose(x, -1, 0); if (x->ex_flags & EXFLAG_SS) return 1; @@ -137,128 +178,30 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) break; } if (i < sk_X509_num(certs)) - X509_up_ref(xtmp); + CRYPTO_add(&xtmp->references, 1, CRYPTO_LOCK_X509); else xtmp = NULL; sk_X509_pop_free(certs, X509_free); return xtmp; } -/*- - * Inform the verify callback of an error. - * If B<x> is not NULL it is the error cert, otherwise use the chain cert at - * B<depth>. - * If B<err> is not X509_V_OK, that's the error value, otherwise leave - * unchanged (presumably set by the caller). - * - * Returns 0 to abort verification with an error, non-zero to continue. - */ -static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err) -{ - ctx->error_depth = depth; - ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth); - if (err != X509_V_OK) - ctx->error = err; - return ctx->verify_cb(0, ctx); -} - -/*- - * Inform the verify callback of an error, CRL-specific variant. Here, the - * error depth and certificate are already set, we just specify the error - * number. - * - * Returns 0 to abort verification with an error, non-zero to continue. - */ -static int verify_cb_crl(X509_STORE_CTX *ctx, int err) -{ - ctx->error = err; - return ctx->verify_cb(0, ctx); -} - -static int check_auth_level(X509_STORE_CTX *ctx) -{ - int i; - int num = sk_X509_num(ctx->chain); - - if (ctx->param->auth_level <= 0) - return 1; - - for (i = 0; i < num; ++i) { - X509 *cert = sk_X509_value(ctx->chain, i); - - /* - * We've already checked the security of the leaf key, so here we only - * check the security of issuer keys. - */ - if (i > 0 && !check_key_level(ctx, cert) && - verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL) == 0) - return 0; - /* - * We also check the signature algorithm security of all certificates - * except those of the trust anchor at index num-1. - */ - if (i < num - 1 && !check_sig_level(ctx, cert) && - verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK) == 0) - return 0; - } - return 1; -} - -static int verify_chain(X509_STORE_CTX *ctx) -{ - int err; - int ok; - - /* - * Before either returning with an error, or continuing with CRL checks, - * instantiate chain public key parameters. - */ - if ((ok = build_chain(ctx)) == 0 || - (ok = check_chain_extensions(ctx)) == 0 || - (ok = check_auth_level(ctx)) == 0 || - (ok = check_name_constraints(ctx)) == 0 || - (ok = check_id(ctx)) == 0 || 1) - X509_get_pubkey_parameters(NULL, ctx->chain); - if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0) - return ok; - - err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain, - ctx->param->flags); - if (err != X509_V_OK) { - if ((ok = verify_cb_cert(ctx, NULL, ctx->error_depth, err)) == 0) - return ok; - } - - /* Verify chain signatures and expiration times */ - ok = (ctx->verify != NULL) ? ctx->verify(ctx) : internal_verify(ctx); - if (!ok) - return ok; - -#ifndef OPENSSL_NO_RFC3779 - /* RFC 3779 path validation, now that CRL check has been done */ - if ((ok = X509v3_asid_validate_path(ctx)) == 0) - return ok; - if ((ok = X509v3_addr_validate_path(ctx)) == 0) - return ok; -#endif - - /* If we get this far evaluate policies */ - if (ctx->param->flags & X509_V_FLAG_POLICY_CHECK) - ok = ctx->check_policy(ctx); - return ok; -} - int X509_verify_cert(X509_STORE_CTX *ctx) { - SSL_DANE *dane = ctx->dane; - int ret; + X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; + int bad_chain = 0; + X509_VERIFY_PARAM *param = ctx->param; + int depth, i, ok = 0; + int num, j, retry; + int (*cb) (int xok, X509_STORE_CTX *xctx); + STACK_OF(X509) *sktmp = NULL; + int trust = X509_TRUST_UNTRUSTED; + int err; if (ctx->cert == NULL) { X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); ctx->error = X509_V_ERR_INVALID_CALL; return -1; } - if (ctx->chain != NULL) { /* * This X509_STORE_CTX has already been used to verify a cert. We @@ -269,6 +212,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) return -1; } + cb = ctx->verify_cb; + /* * first we make sure the chain we are going to build is present and that * the first entry is in place @@ -277,48 +222,332 @@ int X509_verify_cert(X509_STORE_CTX *ctx) (!sk_X509_push(ctx->chain, ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); ctx->error = X509_V_ERR_OUT_OF_MEM; - return -1; + ok = -1; + goto err; } - X509_up_ref(ctx->cert); - ctx->num_untrusted = 1; + CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509); + ctx->last_untrusted = 1; - /* If the peer's public key is too weak, we can stop early. */ - if (!check_key_level(ctx, ctx->cert) && - !verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL)) - return 0; + /* We use a temporary STACK so we can chop and hack at it */ + if (ctx->untrusted != NULL + && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + ok = -1; + goto err; + } - if (DANETLS_ENABLED(dane)) - ret = dane_verify(ctx); - else - ret = verify_chain(ctx); + num = sk_X509_num(ctx->chain); + x = sk_X509_value(ctx->chain, num - 1); + depth = param->depth; + + for (;;) { + /* If we have enough, we break */ + if (depth < num) + break; /* FIXME: If this happens, we should take + * note of it and, if appropriate, use the + * X509_V_ERR_CERT_CHAIN_TOO_LONG error code + * later. */ + + /* If we are self signed, we break */ + if (cert_self_signed(x)) + break; + /* + * If asked see if we can find issuer in trusted store first + */ + if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) { + ok = ctx->get_issuer(&xtmp, ctx, x); + if (ok < 0) { + ctx->error = X509_V_ERR_STORE_LOOKUP; + goto err; + } + /* + * If successful for now free up cert so it will be picked up + * again later. + */ + if (ok > 0) { + X509_free(xtmp); + break; + } + } + + /* If we were passed a cert chain, use it first */ + if (ctx->untrusted != NULL) { + xtmp = find_issuer(ctx, sktmp, x); + if (xtmp != NULL) { + if (!sk_X509_push(ctx->chain, xtmp)) { + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + ok = -1; + goto err; + } + CRYPTO_add(&xtmp->references, 1, CRYPTO_LOCK_X509); + (void)sk_X509_delete_ptr(sktmp, xtmp); + ctx->last_untrusted++; + x = xtmp; + num++; + /* + * reparse the full chain for the next one + */ + continue; + } + } + break; + } + + /* Remember how many untrusted certs we have */ + j = num; + /* + * at this point, chain should contain a list of untrusted certificates. + * We now need to add at least one trusted one, if possible, otherwise we + * complain. + */ + + do { + /* + * Examine last certificate in chain and see if it is self signed. + */ + i = sk_X509_num(ctx->chain); + x = sk_X509_value(ctx->chain, i - 1); + if (cert_self_signed(x)) { + /* we have a self signed certificate */ + if (sk_X509_num(ctx->chain) == 1) { + /* + * We have a single self signed certificate: see if we can + * find it in the store. We must have an exact match to avoid + * possible impersonation. + */ + ok = ctx->get_issuer(&xtmp, ctx, x); + if ((ok <= 0) || X509_cmp(x, xtmp)) { + ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; + ctx->current_cert = x; + ctx->error_depth = i - 1; + if (ok == 1) + X509_free(xtmp); + bad_chain = 1; + ok = cb(0, ctx); + if (!ok) + goto err; + } else { + /* + * We have a match: replace certificate with store + * version so we get any trust settings. + */ + X509_free(x); + x = xtmp; + (void)sk_X509_set(ctx->chain, i - 1, x); + ctx->last_untrusted = 0; + } + } else { + /* + * extract and save self signed certificate for later use + */ + chain_ss = sk_X509_pop(ctx->chain); + ctx->last_untrusted--; + num--; + j--; + x = sk_X509_value(ctx->chain, num - 1); + } + } + /* We now lookup certs from the certificate store */ + for (;;) { + /* If we have enough, we break */ + if (depth < num) + break; + /* If we are self signed, we break */ + if (cert_self_signed(x)) + break; + ok = ctx->get_issuer(&xtmp, ctx, x); + + if (ok < 0) { + ctx->error = X509_V_ERR_STORE_LOOKUP; + goto err; + } + if (ok == 0) + break; + x = xtmp; + if (!sk_X509_push(ctx->chain, x)) { + X509_free(xtmp); + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + ok = -1; + goto err; + } + num++; + } + + /* we now have our chain, lets check it... */ + if ((trust = check_trust(ctx)) == X509_TRUST_REJECTED) { + /* Callback already issued */ + ok = 0; + goto err; + } + + /* + * If it's not explicitly trusted then check if there is an alternative + * chain that could be used. We only do this if we haven't already + * checked via TRUSTED_FIRST and the user hasn't switched off alternate + * chain checking + */ + retry = 0; + if (trust != X509_TRUST_TRUSTED + && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) + && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { + while (j-- > 1) { + xtmp2 = sk_X509_value(ctx->chain, j - 1); + ok = ctx->get_issuer(&xtmp, ctx, xtmp2); + if (ok < 0) { + ctx->error = X509_V_ERR_STORE_LOOKUP; + goto err; + } + /* Check if we found an alternate chain */ + if (ok > 0) { + /* + * Free up the found cert we'll add it again later + */ + X509_free(xtmp); + + /* + * Dump all the certs above this point - we've found an + * alternate chain + */ + while (num > j) { + xtmp = sk_X509_pop(ctx->chain); + X509_free(xtmp); + num--; + } + ctx->last_untrusted = sk_X509_num(ctx->chain); + retry = 1; + break; + } + } + } + } while (retry); + + /* + * If not explicitly trusted then indicate error unless it's a single + * self signed certificate in which case we've indicated an error already + * and set bad_chain == 1 + */ + if (trust != X509_TRUST_TRUSTED && !bad_chain) { + if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { + if (ctx->last_untrusted >= num) + ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; + else + ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; + ctx->current_cert = x; + } else { + + sk_X509_push(ctx->chain, chain_ss); + num++; + ctx->last_untrusted = num; + ctx->current_cert = chain_ss; + ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; + chain_ss = NULL; + } + + ctx->error_depth = num - 1; + bad_chain = 1; + ok = cb(0, ctx); + if (!ok) + goto err; + } + + /* We have the chain complete: now we need to check its purpose */ + ok = check_chain_extensions(ctx); + + if (!ok) + goto err; + + /* Check name constraints */ + + ok = check_name_constraints(ctx); + + if (!ok) + goto err; + + ok = check_id(ctx); + + if (!ok) + goto err; + + /* We may as well copy down any DSA parameters that are required */ + X509_get_pubkey_parameters(NULL, ctx->chain); /* - * Safety-net. If we are returning an error, we must also set ctx->error, - * so that the chain is not considered verified should the error be ignored - * (e.g. TLS with SSL_VERIFY_NONE). + * Check revocation status: we do this after copying parameters because + * they may be needed for CRL signature verification. */ - if (ret <= 0 && ctx->error == X509_V_OK) + + ok = ctx->check_revocation(ctx); + if (!ok) + goto err; + + err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain, + ctx->param->flags); + if (err != X509_V_OK) { + ctx->error = err; + ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth); + ok = cb(0, ctx); + if (!ok) + goto err; + } + + /* At this point, we have a chain and need to verify it */ + if (ctx->verify != NULL) + ok = ctx->verify(ctx); + else + ok = internal_verify(ctx); + if (!ok) + goto err; + +#ifndef OPENSSL_NO_RFC3779 + /* RFC 3779 path validation, now that CRL check has been done */ + ok = v3_asid_validate_path(ctx); + if (!ok) + goto err; + ok = v3_addr_validate_path(ctx); + if (!ok) + goto err; +#endif + + /* If we get this far evaluate policies */ + if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) + ok = ctx->check_policy(ctx); + if (!ok) + goto err; + if (0) { + err: + /* Ensure we return an error */ + if (ok > 0) + ok = 0; + X509_get_pubkey_parameters(NULL, ctx->chain); + } + if (sktmp != NULL) + sk_X509_free(sktmp); + if (chain_ss != NULL) + X509_free(chain_ss); + + /* Safety net, error returns must set ctx->error */ + if (ok <= 0 && ctx->error == X509_V_OK) ctx->error = X509_V_ERR_UNSPECIFIED; - return ret; + return ok; } /* * Given a STACK_OF(X509) find the issuer of cert (if any) */ + static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { int i; - X509 *issuer, *rv = NULL; - + X509 *issuer; for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); - if (ctx->check_issued(ctx, x, issuer)) { - rv = issuer; - if (x509_check_cert_time(ctx, rv, -1)) - break; - } + if (ctx->check_issued(ctx, x, issuer)) + return issuer; } - return rv; + return NULL; } /* Given a possible certificate and issuer check them */ @@ -326,25 +555,17 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { int ret; - if (x == issuer) - return cert_self_signed(x); ret = X509_check_issued(issuer, x); - if (ret == X509_V_OK) { - int i; - X509 *ch; - /* Special case: single self signed certificate */ - if (cert_self_signed(x) && sk_X509_num(ctx->chain) == 1) - return 1; - for (i = 0; i < sk_X509_num(ctx->chain); i++) { - ch = sk_X509_value(ctx->chain, i); - if (ch == issuer || !X509_cmp(ch, issuer)) { - ret = X509_V_ERR_PATH_LOOP; - break; - } - } - } + if (ret == X509_V_OK) + return 1; + /* If we haven't asked for issuer errors don't set ctx */ + if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) + return 0; - return (ret == X509_V_OK); + ctx->error = ret; + ctx->current_cert = x; + ctx->current_issuer = issuer; + return ctx->verify_cb(0, ctx); } /* Alternative lookup method: look from a STACK stored in other_ctx */ @@ -353,83 +574,12 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { *issuer = find_issuer(ctx, ctx->other_ctx, x); if (*issuer) { - X509_up_ref(*issuer); + CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); return 1; } else return 0; } -static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm) -{ - STACK_OF(X509) *sk = NULL; - X509 *x; - int i; - for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) { - x = sk_X509_value(ctx->other_ctx, i); - if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) { - if (sk == NULL) - sk = sk_X509_new_null(); - if (sk == NULL || sk_X509_push(sk, x) == 0) { - sk_X509_pop_free(sk, X509_free); - return NULL; - } - X509_up_ref(x); - } - } - return sk; -} - -/* - * Check EE or CA certificate purpose. For trusted certificates explicit local - * auxiliary trust can be used to override EKU-restrictions. - */ -static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, - int must_be_ca) -{ - int tr_ok = X509_TRUST_UNTRUSTED; - - /* - * For trusted certificates we want to see whether any auxiliary trust - * settings trump the purpose constraints. - * - * This is complicated by the fact that the trust ordinals in - * ctx->param->trust are entirely independent of the purpose ordinals in - * ctx->param->purpose! - * - * What connects them is their mutual initialization via calls from - * X509_STORE_CTX_set_default() into X509_VERIFY_PARAM_lookup() which sets - * related values of both param->trust and param->purpose. It is however - * typically possible to infer associated trust values from a purpose value - * via the X509_PURPOSE API. - * - * Therefore, we can only check for trust overrides when the purpose we're - * checking is the same as ctx->param->purpose and ctx->param->trust is - * also set. - */ - if (depth >= ctx->num_untrusted && purpose == ctx->param->purpose) - tr_ok = X509_check_trust(x, ctx->param->trust, X509_TRUST_NO_SS_COMPAT); - - switch (tr_ok) { - case X509_TRUST_TRUSTED: - return 1; - case X509_TRUST_REJECTED: - break; - default: - switch (X509_check_purpose(x, purpose, must_be_ca > 0)) { - case 1: - return 1; - case 0: - break; - default: - if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) == 0) - return 1; - } - break; - } - - return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE); -} - /* * Check a certificate chains extensions for consistency with the supplied * purpose @@ -437,12 +587,16 @@ static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, static int check_chain_extensions(X509_STORE_CTX *ctx) { - int i, must_be_ca, plen = 0; +#ifdef OPENSSL_NO_CHAIN_VERIFY + return 1; +#else + int i, ok = 0, must_be_ca, plen = 0; X509 *x; + int (*cb) (int xok, X509_STORE_CTX *xctx); int proxy_path_length = 0; int purpose; int allow_proxy_certs; - int num = sk_X509_num(ctx->chain); + cb = ctx->verify_cb; /*- * must_be_ca can have 1 of 3 values: @@ -462,22 +616,35 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) } else { allow_proxy_certs = ! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); + /* + * A hack to keep people who don't want to modify their software + * happy + */ + if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) + allow_proxy_certs = 1; purpose = ctx->param->purpose; } - for (i = 0; i < num; i++) { + /* Check all untrusted certificates */ + for (i = 0; i < ctx->last_untrusted; i++) { int ret; x = sk_X509_value(ctx->chain, i); if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && (x->ex_flags & EXFLAG_CRITICAL)) { - if (!verify_cb_cert(ctx, x, i, - X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION)) - return 0; + ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; } if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { - if (!verify_cb_cert(ctx, x, i, - X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)) - return 0; + ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; } ret = X509_check_ca(x); switch (must_be_ca) { @@ -497,9 +664,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ret = 1; break; default: - /* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */ if ((ret == 0) - || ((i + 1 < num || ctx->param->flags & X509_V_FLAG_X509_STRICT) + || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && (ret != 1))) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; @@ -507,17 +673,36 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ret = 1; break; } - if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK)) - return 0; - /* check_purpose() makes the callback as needed */ - if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca)) - return 0; + if (ret == 0) { + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; + } + if (ctx->param->purpose > 0) { + ret = X509_check_purpose(x, purpose, must_be_ca > 0); + if ((ret == 0) + || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1))) { + ctx->error = X509_V_ERR_INVALID_PURPOSE; + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; + } + } /* Check pathlen if not self issued */ if ((i > 1) && !(x->ex_flags & EXFLAG_SI) && (x->ex_pathlen != -1) && (plen > (x->ex_pathlen + proxy_path_length + 1))) { - if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED)) - return 0; + ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; } /* Increment path length if not self issued */ if (!(x->ex_flags & EXFLAG_SI)) @@ -541,9 +726,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) */ if (x->ex_pcpathlen != -1) { if (proxy_path_length > x->ex_pcpathlen) { - if (!verify_cb_cert(ctx, x, i, - X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED)) - return 0; + ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; } proxy_path_length = x->ex_pcpathlen; } @@ -552,18 +740,19 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) } else must_be_ca = 1; } - return 1; + ok = 1; + end: + return ok; +#endif } static int check_name_constraints(X509_STORE_CTX *ctx) { - int i; - + X509 *x; + int i, j, rv; /* Check name constraints for all certificates */ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { - X509 *x = sk_X509_value(ctx->chain, i); - int j; - + x = sk_X509_value(ctx->chain, i); /* Ignore self issued certs unless last in chain */ if (i && (x->ex_flags & EXFLAG_SI)) continue; @@ -602,10 +791,8 @@ static int check_name_constraints(X509_STORE_CTX *ctx) * Check that the last subject component isn't part of a * multivalued RDN */ - if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject, - last_object_loc)) - == X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject, - last_object_loc - 1))) { + if (X509_NAME_get_entry(tmpsubject, last_object_loc)->set + == X509_NAME_get_entry(tmpsubject, last_object_loc - 1)->set) { err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; goto proxy_name_done; } @@ -635,9 +822,13 @@ static int check_name_constraints(X509_STORE_CTX *ctx) X509_NAME_free(tmpsubject); proxy_name_done: - if (err != X509_V_OK - && !verify_cb_cert(ctx, x, i, err)) - return 0; + if (err != X509_V_OK) { + ctx->error = err; + ctx->error_depth = i; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } } /* @@ -648,21 +839,19 @@ static int check_name_constraints(X509_STORE_CTX *ctx) */ for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) { NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; - if (nc) { - int rv = NAME_CONSTRAINTS_check(x, nc); - - /* If EE certificate check commonName too */ - if (rv == X509_V_OK && i == 0) - rv = NAME_CONSTRAINTS_check_CN(x, nc); - + rv = NAME_CONSTRAINTS_check(x, nc); switch (rv) { case X509_V_OK: - break; + continue; case X509_V_ERR_OUT_OF_MEM: + ctx->error = rv; return 0; default: - if (!verify_cb_cert(ctx, x, i, rv)) + ctx->error = rv; + ctx->error_depth = i; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) return 0; break; } @@ -674,22 +863,25 @@ static int check_name_constraints(X509_STORE_CTX *ctx) static int check_id_error(X509_STORE_CTX *ctx, int errcode) { - return verify_cb_cert(ctx, ctx->cert, 0, errcode); + ctx->error = errcode; + ctx->current_cert = ctx->cert; + ctx->error_depth = 0; + return ctx->verify_cb(0, ctx); } -static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm) +static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id) { int i; - int n = sk_OPENSSL_STRING_num(vpm->hosts); + int n = sk_OPENSSL_STRING_num(id->hosts); char *name; - if (vpm->peername != NULL) { - OPENSSL_free(vpm->peername); - vpm->peername = NULL; + if (id->peername != NULL) { + OPENSSL_free(id->peername); + id->peername = NULL; } for (i = 0; i < n; ++i) { - name = sk_OPENSSL_STRING_value(vpm->hosts, i); - if (X509_check_host(x, name, 0, vpm->hostflags, &vpm->peername) > 0) + name = sk_OPENSSL_STRING_value(id->hosts, i); + if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0) return 1; } return n == 0; @@ -698,95 +890,65 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm) static int check_id(X509_STORE_CTX *ctx) { X509_VERIFY_PARAM *vpm = ctx->param; + X509_VERIFY_PARAM_ID *id = vpm->id; X509 *x = ctx->cert; - if (vpm->hosts && check_hosts(x, vpm) <= 0) { + if (id->hosts && check_hosts(x, id) <= 0) { if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) return 0; } - if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) { + if (id->email && X509_check_email(x, id->email, id->emaillen, 0) <= 0) { if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) return 0; } - if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) { + if (id->ip && X509_check_ip(x, id->ip, id->iplen, 0) <= 0) { if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) return 0; } return 1; } -static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) +static int check_trust(X509_STORE_CTX *ctx) { - int i; + int i, ok; X509 *x = NULL; - X509 *mx; - SSL_DANE *dane = ctx->dane; - int num = sk_X509_num(ctx->chain); - int trust; - - /* - * Check for a DANE issuer at depth 1 or greater, if it is a DANE-TA(2) - * match, we're done, otherwise we'll merely record the match depth. - */ - if (DANETLS_HAS_TA(dane) && num_untrusted > 0 && num_untrusted < num) { - switch (trust = check_dane_issuer(ctx, num_untrusted)) { - case X509_TRUST_TRUSTED: - case X509_TRUST_REJECTED: - return trust; - } - } - - /* - * Check trusted certificates in chain at depth num_untrusted and up. - * Note, that depths 0..num_untrusted-1 may also contain trusted - * certificates, but the caller is expected to have already checked those, - * and wants to incrementally check just any added since. - */ - for (i = num_untrusted; i < num; i++) { + int (*cb) (int xok, X509_STORE_CTX *xctx); + cb = ctx->verify_cb; + /* Check all trusted certificates in chain */ + for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) { x = sk_X509_value(ctx->chain, i); - trust = X509_check_trust(x, ctx->param->trust, 0); + ok = X509_check_trust(x, ctx->param->trust, 0); /* If explicitly trusted return trusted */ - if (trust == X509_TRUST_TRUSTED) - goto trusted; - if (trust == X509_TRUST_REJECTED) - goto rejected; + if (ok == X509_TRUST_TRUSTED) + return X509_TRUST_TRUSTED; + /* + * If explicitly rejected notify callback and reject if not + * overridden. + */ + if (ok == X509_TRUST_REJECTED) { + ctx->error_depth = i; + ctx->current_cert = x; + ctx->error = X509_V_ERR_CERT_REJECTED; + ok = cb(0, ctx); + if (!ok) + return X509_TRUST_REJECTED; + } } - /* - * If we are looking at a trusted certificate, and accept partial chains, - * the chain is PKIX trusted. + * If we accept partial chains and have at least one trusted certificate + * return success. */ - if (num_untrusted < num) { - if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) - goto trusted; - return X509_TRUST_UNTRUSTED; - } - - if (num_untrusted == num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { - /* - * Last-resort call with no new trusted certificates, check the leaf - * for a direct trust store match. - */ - i = 0; - x = sk_X509_value(ctx->chain, i); + if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { + X509 *mx; + if (ctx->last_untrusted < sk_X509_num(ctx->chain)) + return X509_TRUST_TRUSTED; + x = sk_X509_value(ctx->chain, 0); mx = lookup_cert_match(ctx, x); - if (!mx) - return X509_TRUST_UNTRUSTED; - - /* - * Check explicit auxiliary trust/reject settings. If none are set, - * we'll accept X509_TRUST_UNTRUSTED when not self-signed. - */ - trust = X509_check_trust(mx, ctx->param->trust, 0); - if (trust == X509_TRUST_REJECTED) { - X509_free(mx); - goto rejected; + if (mx) { + (void)sk_X509_set(ctx->chain, 0, mx); + X509_free(x); + ctx->last_untrusted = 0; + return X509_TRUST_TRUSTED; } - - /* Replace leaf with trusted match */ - (void) sk_X509_set(ctx->chain, 0, mx); - X509_free(x); - ctx->num_untrusted = 0; - goto trusted; } /* @@ -794,26 +956,11 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) * standard (no issuer cert) etc errors to be indicated. */ return X509_TRUST_UNTRUSTED; - - rejected: - if (!verify_cb_cert(ctx, x, i, X509_V_ERR_CERT_REJECTED)) - return X509_TRUST_REJECTED; - return X509_TRUST_UNTRUSTED; - - trusted: - if (!DANETLS_ENABLED(dane)) - return X509_TRUST_TRUSTED; - if (dane->pdpth < 0) - dane->pdpth = num_untrusted; - /* With DANE, PKIX alone is not trusted until we have both */ - if (dane->mdpth >= 0) - return X509_TRUST_TRUSTED; - return X509_TRUST_UNTRUSTED; } static int check_revocation(X509_STORE_CTX *ctx) { - int i = 0, last = 0, ok = 0; + int i, last, ok; if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) return 1; if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) @@ -836,21 +983,19 @@ static int check_revocation(X509_STORE_CTX *ctx) static int check_cert(X509_STORE_CTX *ctx) { X509_CRL *crl = NULL, *dcrl = NULL; - int ok = 0; - int cnum = ctx->error_depth; - X509 *x = sk_X509_value(ctx->chain, cnum); - + X509 *x; + int ok, cnum; + unsigned int last_reasons; + cnum = ctx->error_depth; + x = sk_X509_value(ctx->chain, cnum); ctx->current_cert = x; ctx->current_issuer = NULL; ctx->current_crl_score = 0; ctx->current_reasons = 0; - if (x->ex_flags & EXFLAG_PROXY) return 1; - while (ctx->current_reasons != CRLDP_ALL_REASONS) { - unsigned int last_reasons = ctx->current_reasons; - + last_reasons = ctx->current_reasons; /* Try to retrieve relevant CRL */ if (ctx->get_crl) ok = ctx->get_crl(ctx, &crl, x); @@ -860,21 +1005,22 @@ static int check_cert(X509_STORE_CTX *ctx) * If error looking up CRL, nothing we can do except notify callback */ if (!ok) { - ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL); - goto done; + ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; + ok = ctx->verify_cb(0, ctx); + goto err; } ctx->current_crl = crl; ok = ctx->check_crl(ctx, crl); if (!ok) - goto done; + goto err; if (dcrl) { ok = ctx->check_crl(ctx, dcrl); if (!ok) - goto done; + goto err; ok = ctx->cert_crl(ctx, dcrl, x); if (!ok) - goto done; + goto err; } else ok = 1; @@ -882,7 +1028,7 @@ static int check_cert(X509_STORE_CTX *ctx) if (ok != 2) { ok = ctx->cert_crl(ctx, crl, x); if (!ok) - goto done; + goto err; } X509_CRL_free(crl); @@ -890,20 +1036,22 @@ static int check_cert(X509_STORE_CTX *ctx) crl = NULL; dcrl = NULL; /* - * If reasons not updated we won't get anywhere by another iteration, + * If reasons not updated we wont get anywhere by another iteration, * so exit loop. */ if (last_reasons == ctx->current_reasons) { - ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL); - goto done; + ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; + ok = ctx->verify_cb(0, ctx); + goto err; } } - done: + err: X509_CRL_free(crl); X509_CRL_free(dcrl); ctx->current_crl = NULL; return ok; + } /* Check CRL times against values in X509_STORE_CTX */ @@ -912,7 +1060,6 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { time_t *ptime; int i; - if (notify) ctx->current_crl = crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) @@ -922,35 +1069,39 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) else ptime = NULL; - i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime); + i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); if (i == 0) { if (!notify) return 0; - if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD)) + ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; + if (!ctx->verify_cb(0, ctx)) return 0; } if (i > 0) { if (!notify) return 0; - if (!verify_cb_crl(ctx, X509_V_ERR_CRL_NOT_YET_VALID)) + ctx->error = X509_V_ERR_CRL_NOT_YET_VALID; + if (!ctx->verify_cb(0, ctx)) return 0; } - if (X509_CRL_get0_nextUpdate(crl)) { - i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime); + if (X509_CRL_get_nextUpdate(crl)) { + i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); if (i == 0) { if (!notify) return 0; - if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD)) + ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; + if (!ctx->verify_cb(0, ctx)) return 0; } /* Ignore expiry of base CRL is delta is valid */ if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { if (!notify) return 0; - if (!verify_cb_crl(ctx, X509_V_ERR_CRL_HAS_EXPIRED)) + ctx->error = X509_V_ERR_CRL_HAS_EXPIRED; + if (!ctx->verify_cb(0, ctx)) return 0; } } @@ -980,8 +1131,8 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, /* If current CRL is equivalent use it if it is newer */ if (crl_score == best_score && best_crl != NULL) { int day, sec; - if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl), - X509_CRL_get0_lastUpdate(crl)) == 0) + if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl), + X509_CRL_get_lastUpdate(crl)) == 0) continue; /* * ASN1_TIME_diff never returns inconsistent signs for |day| @@ -997,14 +1148,17 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, } if (best_crl) { - X509_CRL_free(*pcrl); + if (*pcrl) + X509_CRL_free(*pcrl); *pcrl = best_crl; *pissuer = best_crl_issuer; *pscore = best_score; *preasons = best_reasons; - X509_CRL_up_ref(best_crl); - X509_CRL_free(*pdcrl); - *pdcrl = NULL; + CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); + if (*pdcrl) { + X509_CRL_free(*pdcrl); + *pdcrl = NULL; + } get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); } @@ -1100,7 +1254,7 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, if (check_delta_base(delta, base)) { if (check_crl_time(ctx, delta, 0)) *pscore |= CRL_SCORE_TIME_DELTA; - X509_CRL_up_ref(delta); + CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); *dcrl = delta; return; } @@ -1242,7 +1396,6 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) { X509_STORE_CTX crl_ctx; int ret; - /* Don't allow recursive CRL path validation */ if (ctx->parent) return 0; @@ -1258,10 +1411,12 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) /* Verify CRL issuer */ ret = X509_verify_cert(&crl_ctx); + if (ret <= 0) goto err; /* Check chain is acceptable */ + ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); err: X509_STORE_CTX_cleanup(&crl_ctx); @@ -1418,10 +1573,10 @@ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL *crl = NULL, *dcrl = NULL; STACK_OF(X509_CRL) *skcrl; X509_NAME *nm = X509_get_issuer_name(x); - reasons = ctx->current_reasons; ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, ctx->crls); + if (ok) goto done; @@ -1438,6 +1593,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx, sk_X509_CRL_pop_free(skcrl, X509_CRL_free); done: + /* If we got any kind of CRL use it and return success */ if (crl) { ctx->current_issuer = issuer; @@ -1447,6 +1603,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx, *pdcrl = dcrl; return 1; } + return 0; } @@ -1455,12 +1612,13 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) { X509 *issuer = NULL; EVP_PKEY *ikey = NULL; - int cnum = ctx->error_depth; - int chnum = sk_X509_num(ctx->chain) - 1; - + int ok = 0, chnum, cnum; + cnum = ctx->error_depth; + chnum = sk_X509_num(ctx->chain) - 1; /* if we have an alternative CRL issuer cert use that */ if (ctx->current_issuer) issuer = ctx->current_issuer; + /* * Else find CRL issuer: if not last certificate then issuer is next * certificate in chain. @@ -1470,85 +1628,121 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) else { issuer = sk_X509_value(ctx->chain, chnum); /* If not self signed, can't check signature */ - if (!ctx->check_issued(ctx, issuer, issuer) && - !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER)) - return 0; + if (!ctx->check_issued(ctx, issuer, issuer)) { + ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } } - if (issuer == NULL) - return 1; + if (issuer) { + /* + * Skip most tests for deltas because they have already been done + */ + if (!crl->base_crl_number) { + /* Check for cRLSign bit if keyUsage present */ + if ((issuer->ex_flags & EXFLAG_KUSAGE) && + !(issuer->ex_kusage & KU_CRL_SIGN)) { + ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } - /* - * Skip most tests for deltas because they have already been done - */ - if (!crl->base_crl_number) { - /* Check for cRLSign bit if keyUsage present */ - if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN) && - !verify_cb_crl(ctx, X509_V_ERR_KEYUSAGE_NO_CRL_SIGN)) - return 0; + if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { + ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } - if (!(ctx->current_crl_score & CRL_SCORE_SCOPE) && - !verify_cb_crl(ctx, X509_V_ERR_DIFFERENT_CRL_SCOPE)) - return 0; + if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { + if (check_crl_path(ctx, ctx->current_issuer) <= 0) { + ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } + } - if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH) && - check_crl_path(ctx, ctx->current_issuer) <= 0 && - !verify_cb_crl(ctx, X509_V_ERR_CRL_PATH_VALIDATION_ERROR)) - return 0; + if (crl->idp_flags & IDP_INVALID) { + ctx->error = X509_V_ERR_INVALID_EXTENSION; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } - if ((crl->idp_flags & IDP_INVALID) && - !verify_cb_crl(ctx, X509_V_ERR_INVALID_EXTENSION)) - return 0; - } + } - if (!(ctx->current_crl_score & CRL_SCORE_TIME) && - !check_crl_time(ctx, crl, 1)) - return 0; + if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { + ok = check_crl_time(ctx, crl, 1); + if (!ok) + goto err; + } - /* Attempt to get issuer certificate public key */ - ikey = X509_get0_pubkey(issuer); + /* Attempt to get issuer certificate public key */ + ikey = X509_get_pubkey(issuer); - if (!ikey && - !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) - return 0; + if (!ikey) { + ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } else { + int rv; + rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags); + if (rv != X509_V_OK) { + ctx->error = rv; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } + /* Verify CRL signature */ + if (X509_CRL_verify(crl, ikey) <= 0) { + ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } + } + } - if (ikey) { - int rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags); + ok = 1; - if (rv != X509_V_OK && !verify_cb_crl(ctx, rv)) - return 0; - /* Verify CRL signature */ - if (X509_CRL_verify(crl, ikey) <= 0 && - !verify_cb_crl(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE)) - return 0; - } - return 1; + err: + EVP_PKEY_free(ikey); + return ok; } /* Check certificate against CRL */ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { + int ok; X509_REVOKED *rev; - /* * The rules changed for this... previously if a CRL contained unhandled * critical extensions it could still be used to indicate a certificate - * was revoked. This has since been changed since critical extensions can + * was revoked. This has since been changed since critical extension can * change the meaning of CRL entries. */ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (crl->flags & EXFLAG_CRITICAL) && - !verify_cb_crl(ctx, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION)) - return 0; + && (crl->flags & EXFLAG_CRITICAL)) { + ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; + ok = ctx->verify_cb(0, ctx); + if (!ok) + return 0; + } /* - * Look for serial number of certificate in CRL. If found, make sure - * reason is not removeFromCRL. + * Look for serial number of certificate in CRL If found make sure reason + * is not removeFromCRL. */ if (X509_CRL_get0_by_cert(crl, &rev, x)) { if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) return 2; - if (!verify_cb_crl(ctx, X509_V_ERR_CERT_REVOKED)) + ctx->error = X509_V_ERR_CERT_REVOKED; + ok = ctx->verify_cb(0, ctx); + if (!ok) return 0; } @@ -1558,60 +1752,38 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) static int check_policy(X509_STORE_CTX *ctx) { int ret; - if (ctx->parent) return 1; - /* - * With DANE, the trust anchor might be a bare public key, not a - * certificate! In that case our chain does not have the trust anchor - * certificate as a top-most element. This comports well with RFC5280 - * chain verification, since there too, the trust anchor is not part of the - * chain to be verified. In particular, X509_policy_check() does not look - * at the TA cert, but assumes that it is present as the top-most chain - * element. We therefore temporarily push a NULL cert onto the chain if it - * was verified via a bare public key, and pop it off right after the - * X509_policy_check() call. - */ - if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL)) { - X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, ctx->param->policies, ctx->param->flags); - if (ctx->bare_ta_signed) - sk_X509_pop(ctx->chain); - - if (ret == X509_PCY_TREE_INTERNAL) { + if (ret == 0) { X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE); ctx->error = X509_V_ERR_OUT_OF_MEM; return 0; } /* Invalid or inconsistent extensions */ - if (ret == X509_PCY_TREE_INVALID) { + if (ret == -1) { + /* + * Locate certificates with bad extensions and notify callback. + */ + X509 *x; int i; - - /* Locate certificates with bad extensions and notify callback. */ for (i = 1; i < sk_X509_num(ctx->chain); i++) { - X509 *x = sk_X509_value(ctx->chain, i); - + x = sk_X509_value(ctx->chain, i); if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) continue; - if (!verify_cb_cert(ctx, x, i, - X509_V_ERR_INVALID_POLICY_EXTENSION)) + ctx->current_cert = x; + ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; + if (!ctx->verify_cb(0, ctx)) return 0; } return 1; } - if (ret == X509_PCY_TREE_FAILURE) { + if (ret == -2) { ctx->current_cert = NULL; ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; return ctx->verify_cb(0, ctx); } - if (ret != X509_PCY_TREE_VALID) { - X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); - return 0; - } if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { ctx->current_cert = NULL; @@ -1628,14 +1800,7 @@ static int check_policy(X509_STORE_CTX *ctx) return 1; } -/*- - * Check certificate validity times. - * If depth >= 0, invoke verification callbacks on error, otherwise just return - * the validation status. - * - * Return 1 on success, 0 otherwise. - */ -int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) +static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { time_t *ptime; int i; @@ -1647,42 +1812,52 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) else ptime = NULL; - i = X509_cmp_time(X509_get0_notBefore(x), ptime); - if (i >= 0 && depth < 0) - return 0; - if (i == 0 && !verify_cb_cert(ctx, x, depth, - X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD)) - return 0; - if (i > 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID)) - return 0; + i = X509_cmp_time(X509_get_notBefore(x), ptime); + if (i == 0) { + ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + if (i > 0) { + ctx->error = X509_V_ERR_CERT_NOT_YET_VALID; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + i = X509_cmp_time(X509_get_notAfter(x), ptime); + if (i == 0) { + ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + if (i < 0) { + ctx->error = X509_V_ERR_CERT_HAS_EXPIRED; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } - i = X509_cmp_time(X509_get0_notAfter(x), ptime); - if (i <= 0 && depth < 0) - return 0; - if (i == 0 && !verify_cb_cert(ctx, x, depth, - X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD)) - return 0; - if (i < 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_HAS_EXPIRED)) - return 0; return 1; } static int internal_verify(X509_STORE_CTX *ctx) { - int n = sk_X509_num(ctx->chain) - 1; - X509 *xi = sk_X509_value(ctx->chain, n); - X509 *xs; + int ok = 0, n; + X509 *xs, *xi; + EVP_PKEY *pkey = NULL; + int (*cb) (int xok, X509_STORE_CTX *xctx); - /* - * With DANE-verified bare public key TA signatures, it remains only to - * check the timestamps of the top certificate. We report the issuer as - * NULL, since all we have is a bare key. - */ - if (ctx->bare_ta_signed) { - xs = xi; - xi = NULL; - goto check_cert; - } + cb = ctx->verify_cb; + + n = sk_X509_num(ctx->chain); + ctx->error_depth = n - 1; + n--; + xi = sk_X509_value(ctx->chain, n); if (ctx->check_issued(ctx, xi, xi)) xs = xi; @@ -1691,60 +1866,72 @@ static int internal_verify(X509_STORE_CTX *ctx) xs = xi; goto check_cert; } - if (n <= 0) - return verify_cb_cert(ctx, xi, 0, - X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE); - n--; - ctx->error_depth = n; - xs = sk_X509_value(ctx->chain, n); + if (n <= 0) { + ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; + ctx->current_cert = xi; + ok = cb(0, ctx); + goto end; + } else { + n--; + ctx->error_depth = n; + xs = sk_X509_value(ctx->chain, n); + } } - /* - * Do not clear ctx->error=0, it must be "sticky", only the user's callback - * is allowed to reset errors (at its own peril). - */ +/* ctx->error=0; not needed */ while (n >= 0) { - EVP_PKEY *pkey; + ctx->error_depth = n; /* - * Skip signature check for self signed certificates unless explicitly - * asked for. It doesn't add any security and just wastes time. If - * the issuer's public key is unusable, report the issuer certificate - * and its depth (rather than the depth of the subject). + * Skip signature check for self signed certificates unless + * explicitly asked for. It doesn't add any security and just wastes + * time. */ - if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { - if ((pkey = X509_get0_pubkey(xi)) == NULL) { - if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, - X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) - return 0; + if (!xs->valid + && (xs != xi + || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { + if ((pkey = X509_get_pubkey(xi)) == NULL) { + ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; + ctx->current_cert = xi; + ok = (*cb) (0, ctx); + if (!ok) + goto end; } else if (X509_verify(xs, pkey) <= 0) { - if (!verify_cb_cert(ctx, xs, n, - X509_V_ERR_CERT_SIGNATURE_FAILURE)) - return 0; + ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; + ctx->current_cert = xs; + ok = (*cb) (0, ctx); + if (!ok) { + EVP_PKEY_free(pkey); + goto end; + } } + EVP_PKEY_free(pkey); + pkey = NULL; } + xs->valid = 1; + check_cert: - /* Calls verify callback as needed */ - if (!x509_check_cert_time(ctx, xs, n)) - return 0; + ok = check_cert_time(ctx, xs); + if (!ok) + goto end; - /* - * Signal success at this depth. However, the previous error (if any) - * is retained. - */ + /* The last error (if any) is still in the error value */ ctx->current_issuer = xi; ctx->current_cert = xs; - ctx->error_depth = n; - if (!ctx->verify_cb(1, ctx)) - return 0; + ok = (*cb) (1, ctx); + if (!ok) + goto end; - if (--n >= 0) { + n--; + if (n >= 0) { xi = xs; xs = sk_X509_value(ctx->chain, n); } } - return 1; + ok = 1; + end: + return ok; } int X509_cmp_current_time(const ASN1_TIME *ctm) @@ -1907,7 +2094,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) return 1; for (i = 0; i < sk_X509_num(chain); i++) { - ktmp = X509_get0_pubkey(sk_X509_value(chain, i)); + ktmp = X509_get_pubkey(sk_X509_value(chain, i)); if (ktmp == NULL) { X509err(X509_F_X509_GET_PUBKEY_PARAMETERS, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); @@ -1915,6 +2102,10 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) } if (!EVP_PKEY_missing_parameters(ktmp)) break; + else { + EVP_PKEY_free(ktmp); + ktmp = NULL; + } } if (ktmp == NULL) { X509err(X509_F_X509_GET_PUBKEY_PARAMETERS, @@ -1924,12 +2115,14 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) /* first, populate the other certs */ for (j = i - 1; j >= 0; j--) { - ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j)); + ktmp2 = X509_get_pubkey(sk_X509_value(chain, j)); EVP_PKEY_copy_parameters(ktmp2, ktmp); + EVP_PKEY_free(ktmp2); } if (pkey != NULL) EVP_PKEY_copy_parameters(pkey, ktmp); + EVP_PKEY_free(ktmp); return 1; } @@ -1978,15 +2171,15 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, } /* Create new CRL */ crl = X509_CRL_new(); - if (crl == NULL || !X509_CRL_set_version(crl, 1)) + if (!crl || !X509_CRL_set_version(crl, 1)) goto memerr; /* Set issuer name */ if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) goto memerr; - if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) + if (!X509_CRL_set_lastUpdate(crl, X509_CRL_get_lastUpdate(newer))) goto memerr; - if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer))) + if (!X509_CRL_set_nextUpdate(crl, X509_CRL_get_nextUpdate(newer))) goto memerr; /* Set base CRL number: must be critical */ @@ -2017,7 +2210,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, * Add only if not also in base. TODO: need something cleverer here * for some more complex CRLs covering multiple CAs. */ - if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) { + if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) { rvtmp = X509_REVOKED_dup(rvn); if (!rvtmp) goto memerr; @@ -2036,10 +2229,24 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, memerr: X509err(X509_F_X509_CRL_DIFF, ERR_R_MALLOC_FAILURE); - X509_CRL_free(crl); + if (crl) + X509_CRL_free(crl); return NULL; } +int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func) +{ + /* + * This function is (usually) called only once, by + * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). + */ + return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, + new_func, dup_func, free_func); +} + int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) { return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); @@ -2065,22 +2272,12 @@ int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) return ctx->error_depth; } -void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth) -{ - ctx->error_depth = depth; -} - X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) { return ctx->current_cert; } -void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x) -{ - ctx->current_cert = x; -} - -STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx) +STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) { return ctx->chain; } @@ -2112,6 +2309,11 @@ void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) ctx->cert = x; } +void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) +{ + ctx->untrusted = sk; +} + void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) { ctx->crls = sk; @@ -2119,20 +2321,11 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { - /* - * XXX: Why isn't this function always used to set the associated trust? - * Should there even be a VPM->trust field at all? Or should the trust - * always be inferred from the purpose by X509_STORE_CTX_init(). - */ return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); } int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) { - /* - * XXX: See above, this function would only be needed when the default - * trust for the purpose needs an override in a corner case. - */ return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); } @@ -2166,11 +2359,6 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, ptmp = X509_PURPOSE_get0(idx); if (ptmp->trust == X509_TRUST_DEFAULT) { idx = X509_PURPOSE_get_by_id(def_purpose); - /* - * XXX: In the two callers above def_purpose is always 0, which is - * not a known value, so idx will always be -1. How is the - * X509_TRUST_DEFAULT case actually supposed to be handled? - */ if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_PURPOSE_ID); @@ -2200,20 +2388,20 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, X509_STORE_CTX *X509_STORE_CTX_new(void) { - X509_STORE_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); - - if (ctx == NULL) { + X509_STORE_CTX *ctx; + ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); + if (!ctx) { X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; } + memset(ctx, 0, sizeof(X509_STORE_CTX)); return ctx; } void X509_STORE_CTX_free(X509_STORE_CTX *ctx) { - if (ctx == NULL) + if (!ctx) return; - X509_STORE_CTX_cleanup(ctx); OPENSSL_free(ctx); } @@ -2222,12 +2410,12 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain) { int ret = 1; - ctx->ctx = store; + ctx->current_method = 0; ctx->cert = x509; ctx->untrusted = chain; ctx->crls = NULL; - ctx->num_untrusted = 0; + ctx->last_untrusted = 0; ctx->other_ctx = NULL; ctx->valid = 0; ctx->chain = NULL; @@ -2241,17 +2429,39 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->current_reasons = 0; ctx->tree = NULL; ctx->parent = NULL; - ctx->dane = NULL; - ctx->bare_ta_signed = 0; /* Zero ex_data to make sure we're cleanup-safe */ memset(&ctx->ex_data, 0, sizeof(ctx->ex_data)); - /* store->cleanup is always 0 in OpenSSL, if set must be idempotent */ + ctx->param = X509_VERIFY_PARAM_new(); + if (!ctx->param) { + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); + return 0; + } + + /* + * Inherit callbacks and flags from X509_STORE if not set use defaults. + */ if (store) - ctx->cleanup = store->cleanup; + ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); else + ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE; + + if (store) { + ctx->verify_cb = store->verify_cb; + /* Seems to always be 0 in OpenSSL, else must be idempotent */ + ctx->cleanup = store->cleanup; + } else ctx->cleanup = 0; + if (ret) + ret = X509_VERIFY_PARAM_inherit(ctx->param, + X509_VERIFY_PARAM_lookup("default")); + + if (ret == 0) { + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); + goto err; + } + if (store && store->check_issued) ctx->check_issued = store->check_issued; else @@ -2292,55 +2502,17 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, else ctx->cert_crl = cert_crl; - if (store && store->check_policy) - ctx->check_policy = store->check_policy; - else - ctx->check_policy = check_policy; - if (store && store->lookup_certs) ctx->lookup_certs = store->lookup_certs; else - ctx->lookup_certs = X509_STORE_CTX_get1_certs; + ctx->lookup_certs = X509_STORE_get1_certs; if (store && store->lookup_crls) ctx->lookup_crls = store->lookup_crls; else - ctx->lookup_crls = X509_STORE_CTX_get1_crls; - - ctx->param = X509_VERIFY_PARAM_new(); - if (ctx->param == NULL) { - X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); - goto err; - } - - /* - * Inherit callbacks and flags from X509_STORE if not set use defaults. - */ - if (store) - ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); - else - ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE; - - if (ret) - ret = X509_VERIFY_PARAM_inherit(ctx->param, - X509_VERIFY_PARAM_lookup("default")); - - if (ret == 0) { - X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); - goto err; - } - - /* - * XXX: For now, continue to inherit trust from VPM, but infer from the - * purpose if this still yields the default value. - */ - if (ctx->param->trust == X509_TRUST_DEFAULT) { - int idx = X509_PURPOSE_get_by_id(ctx->param->purpose); - X509_PURPOSE *xp = X509_PURPOSE_get0(idx); + ctx->lookup_crls = X509_STORE_get1_crls; - if (xp != NULL) - ctx->param->trust = X509_PURPOSE_get_trust(xp); - } + ctx->check_policy = check_policy; if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &ctx->ex_data)) @@ -2360,11 +2532,11 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, * Set alternative lookup method: just a STACK of trusted certificates. This * avoids X509_STORE nastiness where it isn't needed. */ -void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) + +void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { ctx->other_ctx = sk; ctx->get_issuer = get_issuer_sk; - ctx->lookup_certs = lookup_certs_sk; } void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) @@ -2385,12 +2557,16 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) X509_VERIFY_PARAM_free(ctx->param); ctx->param = NULL; } - X509_policy_tree_free(ctx->tree); - ctx->tree = NULL; - sk_X509_pop_free(ctx->chain, X509_free); - ctx->chain = NULL; + if (ctx->tree != NULL) { + X509_policy_tree_free(ctx->tree); + ctx->tree = NULL; + } + if (ctx->chain != NULL) { + sk_X509_pop_free(ctx->chain, X509_free); + ctx->chain = NULL; + } CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); - memset(&ctx->ex_data, 0, sizeof(ctx->ex_data)); + memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA)); } void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) @@ -2409,99 +2585,12 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, X509_VERIFY_PARAM_set_time(ctx->param, t); } -X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) -{ - return ctx->cert; -} - -STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) -{ - return ctx->untrusted; -} - -void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) -{ - ctx->untrusted = sk; -} - -void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) -{ - sk_X509_pop_free(ctx->chain, X509_free); - ctx->chain = sk; -} - void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, - X509_STORE_CTX_verify_cb verify_cb) + int (*verify_cb) (int, X509_STORE_CTX *)) { ctx->verify_cb = verify_cb; } -X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx) -{ - return ctx->verify_cb; -} - -void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, - X509_STORE_CTX_verify_fn verify) -{ - ctx->verify = verify; -} - -X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx) -{ - return ctx->verify; -} - -X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx) -{ - return ctx->get_issuer; -} - -X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx) -{ - return ctx->check_issued; -} - -X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx) -{ - return ctx->check_revocation; -} - -X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx) -{ - return ctx->get_crl; -} - -X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx) -{ - return ctx->check_crl; -} - -X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx) -{ - return ctx->cert_crl; -} - -X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx) -{ - return ctx->check_policy; -} - -X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx) -{ - return ctx->lookup_certs; -} - -X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx) -{ - return ctx->lookup_crls; -} - -X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx) -{ - return ctx->cleanup; -} - X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) { return ctx->tree; @@ -2512,11 +2601,6 @@ int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) return ctx->explicit_policy; } -int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx) -{ - return ctx->num_untrusted; -} - int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) { const X509_VERIFY_PARAM *param; @@ -2533,743 +2617,17 @@ X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) { - X509_VERIFY_PARAM_free(ctx->param); + if (ctx->param) + X509_VERIFY_PARAM_free(ctx->param); ctx->param = param; } -void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane) -{ - ctx->dane = dane; -} +IMPLEMENT_STACK_OF(X509) -static unsigned char *dane_i2d( - X509 *cert, - uint8_t selector, - unsigned int *i2dlen) -{ - unsigned char *buf = NULL; - int len; +IMPLEMENT_ASN1_SET_OF(X509) - /* - * Extract ASN.1 DER form of certificate or public key. - */ - switch (selector) { - case DANETLS_SELECTOR_CERT: - len = i2d_X509(cert, &buf); - break; - case DANETLS_SELECTOR_SPKI: - len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf); - break; - default: - X509err(X509_F_DANE_I2D, X509_R_BAD_SELECTOR); - return NULL; - } +IMPLEMENT_STACK_OF(X509_NAME) - if (len < 0 || buf == NULL) { - X509err(X509_F_DANE_I2D, ERR_R_MALLOC_FAILURE); - return NULL; - } +IMPLEMENT_STACK_OF(X509_ATTRIBUTE) - *i2dlen = (unsigned int)len; - return buf; -} - -#define DANETLS_NONE 256 /* impossible uint8_t */ - -static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth) -{ - SSL_DANE *dane = ctx->dane; - unsigned usage = DANETLS_NONE; - unsigned selector = DANETLS_NONE; - unsigned ordinal = DANETLS_NONE; - unsigned mtype = DANETLS_NONE; - unsigned char *i2dbuf = NULL; - unsigned int i2dlen = 0; - unsigned char mdbuf[EVP_MAX_MD_SIZE]; - unsigned char *cmpbuf = NULL; - unsigned int cmplen = 0; - int i; - int recnum; - int matched = 0; - danetls_record *t = NULL; - uint32_t mask; - - mask = (depth == 0) ? DANETLS_EE_MASK : DANETLS_TA_MASK; - - /* - * The trust store is not applicable with DANE-TA(2) - */ - if (depth >= ctx->num_untrusted) - mask &= DANETLS_PKIX_MASK; - - /* - * If we've previously matched a PKIX-?? record, no need to test any - * further PKIX-?? records, it remains to just build the PKIX chain. - * Had the match been a DANE-?? record, we'd be done already. - */ - if (dane->mdpth >= 0) - mask &= ~DANETLS_PKIX_MASK; - - /*- - * https://tools.ietf.org/html/rfc7671#section-5.1 - * https://tools.ietf.org/html/rfc7671#section-5.2 - * https://tools.ietf.org/html/rfc7671#section-5.3 - * https://tools.ietf.org/html/rfc7671#section-5.4 - * - * We handle DANE-EE(3) records first as they require no chain building - * and no expiration or hostname checks. We also process digests with - * higher ordinals first and ignore lower priorities except Full(0) which - * is always processed (last). If none match, we then process PKIX-EE(1). - * - * NOTE: This relies on DANE usages sorting before the corresponding PKIX - * usages in SSL_dane_tlsa_add(), and also on descending sorting of digest - * priorities. See twin comment in ssl/ssl_lib.c. - * - * We expect that most TLSA RRsets will have just a single usage, so we - * don't go out of our way to cache multiple selector-specific i2d buffers - * across usages, but if the selector happens to remain the same as switch - * usages, that's OK. Thus, a set of "3 1 1", "3 0 1", "1 1 1", "1 0 1", - * records would result in us generating each of the certificate and public - * key DER forms twice, but more typically we'd just see multiple "3 1 1" - * or multiple "3 0 1" records. - * - * As soon as we find a match at any given depth, we stop, because either - * we've matched a DANE-?? record and the peer is authenticated, or, after - * exhausting all DANE-?? records, we've matched a PKIX-?? record, which is - * sufficient for DANE, and what remains to do is ordinary PKIX validation. - */ - recnum = (dane->umask & mask) ? sk_danetls_record_num(dane->trecs) : 0; - for (i = 0; matched == 0 && i < recnum; ++i) { - t = sk_danetls_record_value(dane->trecs, i); - if ((DANETLS_USAGE_BIT(t->usage) & mask) == 0) - continue; - if (t->usage != usage) { - usage = t->usage; - - /* Reset digest agility for each usage/selector pair */ - mtype = DANETLS_NONE; - ordinal = dane->dctx->mdord[t->mtype]; - } - if (t->selector != selector) { - selector = t->selector; - - /* Update per-selector state */ - OPENSSL_free(i2dbuf); - i2dbuf = dane_i2d(cert, selector, &i2dlen); - if (i2dbuf == NULL) - return -1; - - /* Reset digest agility for each usage/selector pair */ - mtype = DANETLS_NONE; - ordinal = dane->dctx->mdord[t->mtype]; - } else if (t->mtype != DANETLS_MATCHING_FULL) { - /*- - * Digest agility: - * - * <https://tools.ietf.org/html/rfc7671#section-9> - * - * For a fixed selector, after processing all records with the - * highest mtype ordinal, ignore all mtypes with lower ordinals - * other than "Full". - */ - if (dane->dctx->mdord[t->mtype] < ordinal) - continue; - } - - /* - * Each time we hit a (new selector or) mtype, re-compute the relevant - * digest, more complex caching is not worth the code space. - */ - if (t->mtype != mtype) { - const EVP_MD *md = dane->dctx->mdevp[mtype = t->mtype]; - cmpbuf = i2dbuf; - cmplen = i2dlen; - - if (md != NULL) { - cmpbuf = mdbuf; - if (!EVP_Digest(i2dbuf, i2dlen, cmpbuf, &cmplen, md, 0)) { - matched = -1; - break; - } - } - } - - /* - * Squirrel away the certificate and depth if we have a match. Any - * DANE match is dispositive, but with PKIX we still need to build a - * full chain. - */ - if (cmplen == t->dlen && - memcmp(cmpbuf, t->data, cmplen) == 0) { - if (DANETLS_USAGE_BIT(usage) & DANETLS_DANE_MASK) - matched = 1; - if (matched || dane->mdpth < 0) { - dane->mdpth = depth; - dane->mtlsa = t; - OPENSSL_free(dane->mcert); - dane->mcert = cert; - X509_up_ref(cert); - } - break; - } - } - - /* Clear the one-element DER cache */ - OPENSSL_free(i2dbuf); - return matched; -} - -static int check_dane_issuer(X509_STORE_CTX *ctx, int depth) -{ - SSL_DANE *dane = ctx->dane; - int matched = 0; - X509 *cert; - - if (!DANETLS_HAS_TA(dane) || depth == 0) - return X509_TRUST_UNTRUSTED; - - /* - * Record any DANE trust-anchor matches, for the first depth to test, if - * there's one at that depth. (This'll be false for length 1 chains looking - * for an exact match for the leaf certificate). - */ - cert = sk_X509_value(ctx->chain, depth); - if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0) - return X509_TRUST_REJECTED; - if (matched > 0) { - ctx->num_untrusted = depth - 1; - return X509_TRUST_TRUSTED; - } - - return X509_TRUST_UNTRUSTED; -} - -static int check_dane_pkeys(X509_STORE_CTX *ctx) -{ - SSL_DANE *dane = ctx->dane; - danetls_record *t; - int num = ctx->num_untrusted; - X509 *cert = sk_X509_value(ctx->chain, num - 1); - int recnum = sk_danetls_record_num(dane->trecs); - int i; - - for (i = 0; i < recnum; ++i) { - t = sk_danetls_record_value(dane->trecs, i); - if (t->usage != DANETLS_USAGE_DANE_TA || - t->selector != DANETLS_SELECTOR_SPKI || - t->mtype != DANETLS_MATCHING_FULL || - X509_verify(cert, t->spki) <= 0) - continue; - - /* Clear any PKIX-?? matches that failed to extend to a full chain */ - X509_free(dane->mcert); - dane->mcert = NULL; - - /* Record match via a bare TA public key */ - ctx->bare_ta_signed = 1; - dane->mdpth = num - 1; - dane->mtlsa = t; - - /* Prune any excess chain certificates */ - num = sk_X509_num(ctx->chain); - for (; num > ctx->num_untrusted; --num) - X509_free(sk_X509_pop(ctx->chain)); - - return X509_TRUST_TRUSTED; - } - - return X509_TRUST_UNTRUSTED; -} - -static void dane_reset(SSL_DANE *dane) -{ - /* - * Reset state to verify another chain, or clear after failure. - */ - X509_free(dane->mcert); - dane->mcert = NULL; - dane->mtlsa = NULL; - dane->mdpth = -1; - dane->pdpth = -1; -} - -static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert) -{ - int err = X509_chain_check_suiteb(NULL, cert, NULL, ctx->param->flags); - - if (err == X509_V_OK) - return 1; - return verify_cb_cert(ctx, cert, 0, err); -} - -static int dane_verify(X509_STORE_CTX *ctx) -{ - X509 *cert = ctx->cert; - SSL_DANE *dane = ctx->dane; - int matched; - int done; - - dane_reset(dane); - - /*- - * When testing the leaf certificate, if we match a DANE-EE(3) record, - * dane_match() returns 1 and we're done. If however we match a PKIX-EE(1) - * record, the match depth and matching TLSA record are recorded, but the - * return value is 0, because we still need to find a PKIX trust-anchor. - * Therefore, when DANE authentication is enabled (required), we're done - * if: - * + matched < 0, internal error. - * + matched == 1, we matched a DANE-EE(3) record - * + matched == 0, mdepth < 0 (no PKIX-EE match) and there are no - * DANE-TA(2) or PKIX-TA(0) to test. - */ - matched = dane_match(ctx, ctx->cert, 0); - done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0); - - if (done) - X509_get_pubkey_parameters(NULL, ctx->chain); - - if (matched > 0) { - /* Callback invoked as needed */ - if (!check_leaf_suiteb(ctx, cert)) - return 0; - /* Callback invoked as needed */ - if ((dane->flags & DANE_FLAG_NO_DANE_EE_NAMECHECKS) == 0 && - !check_id(ctx)) - return 0; - /* Bypass internal_verify(), issue depth 0 success callback */ - ctx->error_depth = 0; - ctx->current_cert = cert; - return ctx->verify_cb(1, ctx); - } - - if (matched < 0) { - ctx->error_depth = 0; - ctx->current_cert = cert; - ctx->error = X509_V_ERR_OUT_OF_MEM; - return -1; - } - - if (done) { - /* Fail early, TA-based success is not possible */ - if (!check_leaf_suiteb(ctx, cert)) - return 0; - return verify_cb_cert(ctx, cert, 0, X509_V_ERR_DANE_NO_MATCH); - } - - /* - * Chain verification for usages 0/1/2. TLSA record matching of depth > 0 - * certificates happens in-line with building the rest of the chain. - */ - return verify_chain(ctx); -} - -/* Get issuer, without duplicate suppression */ -static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert) -{ - STACK_OF(X509) *saved_chain = ctx->chain; - int ok; - - ctx->chain = NULL; - ok = ctx->get_issuer(issuer, ctx, cert); - ctx->chain = saved_chain; - - return ok; -} - -static int build_chain(X509_STORE_CTX *ctx) -{ - SSL_DANE *dane = ctx->dane; - int num = sk_X509_num(ctx->chain); - X509 *cert = sk_X509_value(ctx->chain, num - 1); - int ss = cert_self_signed(cert); - STACK_OF(X509) *sktmp = NULL; - unsigned int search; - int may_trusted = 0; - int may_alternate = 0; - int trust = X509_TRUST_UNTRUSTED; - int alt_untrusted = 0; - int depth; - int ok = 0; - int i; - - /* Our chain starts with a single untrusted element. */ - OPENSSL_assert(num == 1 && ctx->num_untrusted == num); - -#define S_DOUNTRUSTED (1 << 0) /* Search untrusted chain */ -#define S_DOTRUSTED (1 << 1) /* Search trusted store */ -#define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */ - /* - * Set up search policy, untrusted if possible, trusted-first if enabled. - * If we're doing DANE and not doing PKIX-TA/PKIX-EE, we never look in the - * trust_store, otherwise we might look there first. If not trusted-first, - * and alternate chains are not disabled, try building an alternate chain - * if no luck with untrusted first. - */ - search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0; - if (DANETLS_HAS_PKIX(dane) || !DANETLS_HAS_DANE(dane)) { - if (search == 0 || ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) - search |= S_DOTRUSTED; - else if (!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) - may_alternate = 1; - may_trusted = 1; - } - - /* - * Shallow-copy the stack of untrusted certificates (with TLS, this is - * typically the content of the peer's certificate message) so can make - * multiple passes over it, while free to remove elements as we go. - */ - if (ctx->untrusted && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { - X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } - - /* - * If we got any "DANE-TA(2) Cert(0) Full(0)" trust-anchors from DNS, add - * them to our working copy of the untrusted certificate stack. Since the - * caller of X509_STORE_CTX_init() may have provided only a leaf cert with - * no corresponding stack of untrusted certificates, we may need to create - * an empty stack first. [ At present only the ssl library provides DANE - * support, and ssl_verify_cert_chain() always provides a non-null stack - * containing at least the leaf certificate, but we must be prepared for - * this to change. ] - */ - if (DANETLS_ENABLED(dane) && dane->certs != NULL) { - if (sktmp == NULL && (sktmp = sk_X509_new_null()) == NULL) { - X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } - for (i = 0; i < sk_X509_num(dane->certs); ++i) { - if (!sk_X509_push(sktmp, sk_X509_value(dane->certs, i))) { - sk_X509_free(sktmp); - X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } - } - } - - /* - * Still absurdly large, but arithmetically safe, a lower hard upper bound - * might be reasonable. - */ - if (ctx->param->depth > INT_MAX/2) - ctx->param->depth = INT_MAX/2; - - /* - * Try to Extend the chain until we reach an ultimately trusted issuer. - * Build chains up to one longer the limit, later fail if we hit the limit, - * with an X509_V_ERR_CERT_CHAIN_TOO_LONG error code. - */ - depth = ctx->param->depth + 1; - - while (search != 0) { - X509 *x; - X509 *xtmp = NULL; - - /* - * Look in the trust store if enabled for first lookup, or we've run - * out of untrusted issuers and search here is not disabled. When we - * reach the depth limit, we stop extending the chain, if by that point - * we've not found a trust-anchor, any trusted chain would be too long. - * - * The error reported to the application verify callback is at the - * maximal valid depth with the current certificate equal to the last - * not ultimately-trusted issuer. For example, with verify_depth = 0, - * the callback will report errors at depth=1 when the immediate issuer - * of the leaf certificate is not a trust anchor. No attempt will be - * made to locate an issuer for that certificate, since such a chain - * would be a-priori too long. - */ - if ((search & S_DOTRUSTED) != 0) { - i = num = sk_X509_num(ctx->chain); - if ((search & S_DOALTERNATE) != 0) { - /* - * As high up the chain as we can, look for an alternative - * trusted issuer of an untrusted certificate that currently - * has an untrusted issuer. We use the alt_untrusted variable - * to track how far up the chain we find the first match. It - * is only if and when we find a match, that we prune the chain - * and reset ctx->num_untrusted to the reduced count of - * untrusted certificates. While we're searching for such a - * match (which may never be found), it is neither safe nor - * wise to preemptively modify either the chain or - * ctx->num_untrusted. - * - * Note, like ctx->num_untrusted, alt_untrusted is a count of - * untrusted certificates, not a "depth". - */ - i = alt_untrusted; - } - x = sk_X509_value(ctx->chain, i-1); - - ok = (depth < num) ? 0 : get_issuer(&xtmp, ctx, x); - - if (ok < 0) { - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_STORE_LOOKUP; - search = 0; - continue; - } - - if (ok > 0) { - /* - * Alternative trusted issuer for a mid-chain untrusted cert? - * Pop the untrusted cert's successors and retry. We might now - * be able to complete a valid chain via the trust store. Note - * that despite the current trust-store match we might still - * fail complete the chain to a suitable trust-anchor, in which - * case we may prune some more untrusted certificates and try - * again. Thus the S_DOALTERNATE bit may yet be turned on - * again with an even shorter untrusted chain! - * - * If in the process we threw away our matching PKIX-TA trust - * anchor, reset DANE trust. We might find a suitable trusted - * certificate among the ones from the trust store. - */ - if ((search & S_DOALTERNATE) != 0) { - OPENSSL_assert(num > i && i > 0 && ss == 0); - search &= ~S_DOALTERNATE; - for (; num > i; --num) - X509_free(sk_X509_pop(ctx->chain)); - ctx->num_untrusted = num; - - if (DANETLS_ENABLED(dane) && - dane->mdpth >= ctx->num_untrusted) { - dane->mdpth = -1; - X509_free(dane->mcert); - dane->mcert = NULL; - } - if (DANETLS_ENABLED(dane) && - dane->pdpth >= ctx->num_untrusted) - dane->pdpth = -1; - } - - /* - * Self-signed untrusted certificates get replaced by their - * trusted matching issuer. Otherwise, grow the chain. - */ - if (ss == 0) { - if (!sk_X509_push(ctx->chain, x = xtmp)) { - X509_free(xtmp); - X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_OUT_OF_MEM; - search = 0; - continue; - } - ss = cert_self_signed(x); - } else if (num == ctx->num_untrusted) { - /* - * We have a self-signed certificate that has the same - * subject name (and perhaps keyid and/or serial number) as - * a trust-anchor. We must have an exact match to avoid - * possible impersonation via key substitution etc. - */ - if (X509_cmp(x, xtmp) != 0) { - /* Self-signed untrusted mimic. */ - X509_free(xtmp); - ok = 0; - } else { - X509_free(x); - ctx->num_untrusted = --num; - (void) sk_X509_set(ctx->chain, num, x = xtmp); - } - } - - /* - * We've added a new trusted certificate to the chain, recheck - * trust. If not done, and not self-signed look deeper. - * Whether or not we're doing "trusted first", we no longer - * look for untrusted certificates from the peer's chain. - * - * At this point ctx->num_trusted and num must reflect the - * correct number of untrusted certificates, since the DANE - * logic in check_trust() depends on distinguishing CAs from - * "the wire" from CAs from the trust store. In particular, the - * certificate at depth "num" should be the new trusted - * certificate with ctx->num_untrusted <= num. - */ - if (ok) { - OPENSSL_assert(ctx->num_untrusted <= num); - search &= ~S_DOUNTRUSTED; - switch (trust = check_trust(ctx, num)) { - case X509_TRUST_TRUSTED: - case X509_TRUST_REJECTED: - search = 0; - continue; - } - if (ss == 0) - continue; - } - } - - /* - * No dispositive decision, and either self-signed or no match, if - * we were doing untrusted-first, and alt-chains are not disabled, - * do that, by repeatedly losing one untrusted element at a time, - * and trying to extend the shorted chain. - */ - if ((search & S_DOUNTRUSTED) == 0) { - /* Continue search for a trusted issuer of a shorter chain? */ - if ((search & S_DOALTERNATE) != 0 && --alt_untrusted > 0) - continue; - /* Still no luck and no fallbacks left? */ - if (!may_alternate || (search & S_DOALTERNATE) != 0 || - ctx->num_untrusted < 2) - break; - /* Search for a trusted issuer of a shorter chain */ - search |= S_DOALTERNATE; - alt_untrusted = ctx->num_untrusted - 1; - ss = 0; - } - } - - /* - * Extend chain with peer-provided certificates - */ - if ((search & S_DOUNTRUSTED) != 0) { - num = sk_X509_num(ctx->chain); - OPENSSL_assert(num == ctx->num_untrusted); - x = sk_X509_value(ctx->chain, num-1); - - /* - * Once we run out of untrusted issuers, we stop looking for more - * and start looking only in the trust store if enabled. - */ - xtmp = (ss || depth < num) ? NULL : find_issuer(ctx, sktmp, x); - if (xtmp == NULL) { - search &= ~S_DOUNTRUSTED; - if (may_trusted) - search |= S_DOTRUSTED; - continue; - } - - /* Drop this issuer from future consideration */ - (void) sk_X509_delete_ptr(sktmp, xtmp); - - if (!sk_X509_push(ctx->chain, xtmp)) { - X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_OUT_OF_MEM; - search = 0; - continue; - } - - X509_up_ref(x = xtmp); - ++ctx->num_untrusted; - ss = cert_self_signed(xtmp); - - /* - * Check for DANE-TA trust of the topmost untrusted certificate. - */ - switch (trust = check_dane_issuer(ctx, ctx->num_untrusted - 1)) { - case X509_TRUST_TRUSTED: - case X509_TRUST_REJECTED: - search = 0; - continue; - } - } - } - sk_X509_free(sktmp); - - /* - * Last chance to make a trusted chain, either bare DANE-TA public-key - * signers, or else direct leaf PKIX trust. - */ - num = sk_X509_num(ctx->chain); - if (num <= depth) { - if (trust == X509_TRUST_UNTRUSTED && DANETLS_HAS_DANE_TA(dane)) - trust = check_dane_pkeys(ctx); - if (trust == X509_TRUST_UNTRUSTED && num == ctx->num_untrusted) - trust = check_trust(ctx, num); - } - - switch (trust) { - case X509_TRUST_TRUSTED: - return 1; - case X509_TRUST_REJECTED: - /* Callback already issued */ - return 0; - case X509_TRUST_UNTRUSTED: - default: - num = sk_X509_num(ctx->chain); - if (num > depth) - return verify_cb_cert(ctx, NULL, num-1, - X509_V_ERR_CERT_CHAIN_TOO_LONG); - if (DANETLS_ENABLED(dane) && - (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0)) - return verify_cb_cert(ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH); - if (ss && sk_X509_num(ctx->chain) == 1) - return verify_cb_cert(ctx, NULL, num-1, - X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT); - if (ss) - return verify_cb_cert(ctx, NULL, num-1, - X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN); - if (ctx->num_untrusted < num) - return verify_cb_cert(ctx, NULL, num-1, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT); - return verify_cb_cert(ctx, NULL, num-1, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY); - } -} - -static const int minbits_table[] = { 80, 112, 128, 192, 256 }; -static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table); - -/* - * Check whether the public key of ``cert`` meets the security level of - * ``ctx``. - * - * Returns 1 on success, 0 otherwise. - */ -static int check_key_level(X509_STORE_CTX *ctx, X509 *cert) -{ - EVP_PKEY *pkey = X509_get0_pubkey(cert); - int level = ctx->param->auth_level; - - /* Unsupported or malformed keys are not secure */ - if (pkey == NULL) - return 0; - - if (level <= 0) - return 1; - if (level > NUM_AUTH_LEVELS) - level = NUM_AUTH_LEVELS; - - return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1]; -} - -/* - * Check whether the signature digest algorithm of ``cert`` meets the security - * level of ``ctx``. Should not be checked for trust anchors (whether - * self-signed or otherwise). - * - * Returns 1 on success, 0 otherwise. - */ -static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) -{ - int nid = X509_get_signature_nid(cert); - int mdnid = NID_undef; - int secbits = -1; - int level = ctx->param->auth_level; - - if (level <= 0) - return 1; - if (level > NUM_AUTH_LEVELS) - level = NUM_AUTH_LEVELS; - - /* Lookup signature algorithm digest */ - if (nid && OBJ_find_sigid_algs(nid, &mdnid, NULL)) { - const EVP_MD *md; - - /* Assume 4 bits of collision resistance for each hash octet */ - if (mdnid != NID_undef && (md = EVP_get_digestbynid(mdnid)) != NULL) - secbits = EVP_MD_size(md) * 4; - } - - return secbits >= minbits_table[level - 1]; -} +IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE) diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c b/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c index b5067220..1ac15a88 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c @@ -1,23 +1,72 @@ +/* x509_vpm.c */ /* - * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 2004. + */ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/crypto.h> #include <openssl/lhash.h> #include <openssl/buffer.h> #include <openssl/x509.h> #include <openssl/x509v3.h> -#include "internal/x509_int.h" -#include "x509_lcl.h" +#include "vpm_int.h" /* X509_VERIFY_PARAM functions */ @@ -34,7 +83,9 @@ static void str_free(char *s) OPENSSL_free(s); } -static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode, +#define string_stack_free(sk) sk_OPENSSL_STRING_pop_free(sk, str_free) + +static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode, const char *name, size_t namelen) { char *copy; @@ -50,28 +101,28 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode, if (namelen > 0 && name[namelen - 1] == '\0') --namelen; - if (mode == SET_HOST) { - sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free); - vpm->hosts = NULL; + if (mode == SET_HOST && id->hosts) { + string_stack_free(id->hosts); + id->hosts = NULL; } if (name == NULL || namelen == 0) return 1; - copy = OPENSSL_strndup(name, namelen); + copy = BUF_strndup(name, namelen); if (copy == NULL) return 0; - if (vpm->hosts == NULL && - (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) { + if (id->hosts == NULL && + (id->hosts = sk_OPENSSL_STRING_new_null()) == NULL) { OPENSSL_free(copy); return 0; } - if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) { + if (!sk_OPENSSL_STRING_push(id->hosts, copy)) { OPENSSL_free(copy); - if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) { - sk_OPENSSL_STRING_free(vpm->hosts); - vpm->hosts = NULL; + if (sk_OPENSSL_STRING_num(id->hosts) == 0) { + sk_OPENSSL_STRING_free(id->hosts); + id->hosts = NULL; } return 0; } @@ -81,48 +132,75 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode, static void x509_verify_param_zero(X509_VERIFY_PARAM *param) { + X509_VERIFY_PARAM_ID *paramid; if (!param) return; param->name = NULL; param->purpose = 0; - param->trust = X509_TRUST_DEFAULT; + param->trust = 0; /* * param->inh_flags = X509_VP_FLAG_DEFAULT; */ param->inh_flags = 0; param->flags = 0; param->depth = -1; - param->auth_level = -1; /* -1 means unset, 0 is explicit */ - sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); - param->policies = NULL; - sk_OPENSSL_STRING_pop_free(param->hosts, str_free); - param->hosts = NULL; - OPENSSL_free(param->peername); - param->peername = NULL; - OPENSSL_free(param->email); - param->email = NULL; - param->emaillen = 0; - OPENSSL_free(param->ip); - param->ip = NULL; - param->iplen = 0; + if (param->policies) { + sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); + param->policies = NULL; + } + paramid = param->id; + if (paramid->hosts) { + string_stack_free(paramid->hosts); + paramid->hosts = NULL; + } + if (paramid->peername) + OPENSSL_free(paramid->peername); + paramid->peername = NULL; + if (paramid->email) { + OPENSSL_free(paramid->email); + paramid->email = NULL; + paramid->emaillen = 0; + } + if (paramid->ip) { + OPENSSL_free(paramid->ip); + paramid->ip = NULL; + paramid->iplen = 0; + } } X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) { X509_VERIFY_PARAM *param; + X509_VERIFY_PARAM_ID *paramid; - param = OPENSSL_zalloc(sizeof(*param)); - if (param == NULL) + param = OPENSSL_malloc(sizeof *param); + if (!param) return NULL; + memset(param, 0, sizeof(*param)); + + paramid = OPENSSL_malloc(sizeof(*paramid)); + if (!paramid) { + OPENSSL_free(param); + return NULL; + } + memset(paramid, 0, sizeof(*paramid)); + /* Exotic platforms may have non-zero bit representation of NULL */ + paramid->hosts = NULL; + paramid->peername = NULL; + paramid->email = NULL; + paramid->ip = NULL; + + param->id = paramid; x509_verify_param_zero(param); return param; } void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { - if (!param) + if (param == NULL) return; x509_verify_param_zero(param); + OPENSSL_free(param->id); OPENSSL_free(param); } @@ -164,6 +242,11 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) (to_overwrite || \ ((src->field != def) && (to_default || (dest->field == def)))) +/* As above but for ID fields */ + +#define test_x509_verify_param_copy_id(idf, def) \ + test_x509_verify_param_copy(id->idf, def) + /* Macro to test and copy a field if necessary */ #define x509_verify_param_copy(field, def) \ @@ -175,8 +258,10 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, { unsigned long inh_flags; int to_default, to_overwrite; + X509_VERIFY_PARAM_ID *id; if (!src) return 1; + id = src->id; inh_flags = dest->inh_flags | src->inh_flags; if (inh_flags & X509_VP_FLAG_ONCE) @@ -196,9 +281,8 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, to_overwrite = 0; x509_verify_param_copy(purpose, 0); - x509_verify_param_copy(trust, X509_TRUST_DEFAULT); + x509_verify_param_copy(trust, 0); x509_verify_param_copy(depth, -1); - x509_verify_param_copy(auth_level, -1); /* If overwrite or check time not set, copy across */ @@ -219,25 +303,27 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, } /* Copy the host flags if and only if we're copying the host list */ - if (test_x509_verify_param_copy(hosts, NULL)) { - sk_OPENSSL_STRING_pop_free(dest->hosts, str_free); - dest->hosts = NULL; - if (src->hosts) { - dest->hosts = - sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free); - if (dest->hosts == NULL) + if (test_x509_verify_param_copy_id(hosts, NULL)) { + if (dest->id->hosts) { + string_stack_free(dest->id->hosts); + dest->id->hosts = NULL; + } + if (id->hosts) { + dest->id->hosts = + sk_OPENSSL_STRING_deep_copy(id->hosts, str_copy, str_free); + if (dest->id->hosts == NULL) return 0; - dest->hostflags = src->hostflags; + dest->id->hostflags = id->hostflags; } } - if (test_x509_verify_param_copy(email, NULL)) { - if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen)) + if (test_x509_verify_param_copy_id(email, NULL)) { + if (!X509_VERIFY_PARAM_set1_email(dest, id->email, id->emaillen)) return 0; } - if (test_x509_verify_param_copy(ip, NULL)) { - if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen)) + if (test_x509_verify_param_copy_id(ip, NULL)) { + if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen)) return 0; } @@ -260,27 +346,30 @@ static int int_x509_param_set1(char **pdest, size_t *pdestlen, { void *tmp; if (src) { - if (srclen == 0) + if (srclen == 0) { + tmp = BUF_strdup(src); srclen = strlen(src); - - tmp = OPENSSL_memdup(src, srclen); - if (tmp == NULL) + } else + tmp = BUF_memdup(src, srclen); + if (!tmp) return 0; } else { tmp = NULL; srclen = 0; } - OPENSSL_free(*pdest); + if (*pdest) + OPENSSL_free(*pdest); *pdest = tmp; - if (pdestlen != NULL) + if (pdestlen) *pdestlen = srclen; return 1; } int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) { - OPENSSL_free(param->name); - param->name = OPENSSL_strdup(name); + if (param->name) + OPENSSL_free(param->name); + param->name = BUF_strdup(name); if (param->name) return 1; return 0; @@ -306,17 +395,6 @@ unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) return param->flags; } -uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param) -{ - return param->inh_flags; -} - -int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags) -{ - param->inh_flags = flags; - return 1; -} - int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) { return X509_PURPOSE_set(¶m->purpose, purpose); @@ -332,16 +410,6 @@ void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) param->depth = depth; } -void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level) -{ - param->auth_level = auth_level; -} - -time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param) -{ - return param->check_time; -} - void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) { param->check_time = t; @@ -366,10 +434,10 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, { int i; ASN1_OBJECT *oid, *doid; - if (!param) return 0; - sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); + if (param->policies) + sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); if (!policies) { param->policies = NULL; @@ -397,48 +465,30 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen) { - return int_x509_param_set_hosts(param, SET_HOST, name, namelen); + return int_x509_param_set_hosts(param->id, SET_HOST, name, namelen); } int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen) { - return int_x509_param_set_hosts(param, ADD_HOST, name, namelen); + return int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen); } void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags) { - param->hostflags = flags; + param->id->hostflags = flags; } char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param) { - return param->peername; -} - -/* - * Move peername from one param structure to another, freeing any name present - * at the target. If the source is a NULL parameter structure, free and zero - * the target peername. - */ -void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *to, - X509_VERIFY_PARAM *from) -{ - char *peername = (from != NULL) ? from->peername : NULL; - - if (to->peername != peername) { - OPENSSL_free(to->peername); - to->peername = peername; - } - if (from) - from->peername = NULL; + return param->id->peername; } int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, size_t emaillen) { - return int_x509_param_set1(¶m->email, ¶m->emaillen, + return int_x509_param_set1(¶m->id->email, ¶m->id->emaillen, email, emaillen); } @@ -447,7 +497,7 @@ int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, { if (iplen != 0 && iplen != 4 && iplen != 16) return 0; - return int_x509_param_set1((char **)¶m->ip, ¶m->iplen, + return int_x509_param_set1((char **)¶m->id->ip, ¶m->id->iplen, (char *)ip, iplen); } @@ -467,17 +517,14 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) return param->depth; } -int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param) -{ - return param->auth_level; -} - const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param) { return param->name; } -#define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0 +static X509_VERIFY_PARAM_ID _empty_id = { NULL, 0U, NULL, NULL, 0, NULL, 0 }; + +#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id /* * Default verify parameters: these are used for various applications and can @@ -490,11 +537,10 @@ static const X509_VERIFY_PARAM default_table[] = { "default", /* X509 default parameters */ 0, /* Check time */ 0, /* internal flags */ - X509_V_FLAG_TRUSTED_FIRST, /* flags */ + 0, /* flags */ 0, /* purpose */ 0, /* trust */ 100, /* depth */ - -1, /* auth_level */ NULL, /* policies */ vpm_empty_id}, { @@ -505,7 +551,6 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SMIME_SIGN, /* purpose */ X509_TRUST_EMAIL, /* trust */ -1, /* depth */ - -1, /* auth_level */ NULL, /* policies */ vpm_empty_id}, { @@ -516,7 +561,6 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SMIME_SIGN, /* purpose */ X509_TRUST_EMAIL, /* trust */ -1, /* depth */ - -1, /* auth_level */ NULL, /* policies */ vpm_empty_id}, { @@ -527,7 +571,6 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SSL_CLIENT, /* purpose */ X509_TRUST_SSL_CLIENT, /* trust */ -1, /* depth */ - -1, /* auth_level */ NULL, /* policies */ vpm_empty_id}, { @@ -538,7 +581,6 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SSL_SERVER, /* purpose */ X509_TRUST_SSL_SERVER, /* trust */ -1, /* depth */ - -1, /* auth_level */ NULL, /* policies */ vpm_empty_id} }; @@ -563,9 +605,9 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) { int idx; X509_VERIFY_PARAM *ptmp; - if (param_table == NULL) { + if (!param_table) { param_table = sk_X509_VERIFY_PARAM_new(param_cmp); - if (param_table == NULL) + if (!param_table) return 0; } else { idx = sk_X509_VERIFY_PARAM_find(param_table, param); @@ -582,7 +624,7 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) int X509_VERIFY_PARAM_get_count(void) { - int num = OSSL_NELEM(default_table); + int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM); if (param_table) num += sk_X509_VERIFY_PARAM_num(param_table); return num; @@ -590,7 +632,7 @@ int X509_VERIFY_PARAM_get_count(void) const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id) { - int num = OSSL_NELEM(default_table); + int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM); if (id < num) return default_table + id; return sk_X509_VERIFY_PARAM_value(param_table, id - num); @@ -607,11 +649,14 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) if (idx != -1) return sk_X509_VERIFY_PARAM_value(param_table, idx); } - return OBJ_bsearch_table(&pm, default_table, OSSL_NELEM(default_table)); + return OBJ_bsearch_table(&pm, default_table, + sizeof(default_table) / + sizeof(X509_VERIFY_PARAM)); } void X509_VERIFY_PARAM_table_cleanup(void) { - sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free); + if (param_table) + sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free); param_table = NULL; } diff --git a/Cryptlib/OpenSSL/crypto/x509/x509cset.c b/Cryptlib/OpenSSL/crypto/x509/x509cset.c index 20578596..24ca35b5 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509cset.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509cset.c @@ -1,50 +1,119 @@ +/* crypto/x509/x509cset.c */ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 2001. + */ +/* ==================================================================== + * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/asn1.h> #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> -#include "internal/x509_int.h" int X509_CRL_set_version(X509_CRL *x, long version) { if (x == NULL) return (0); - if (x->crl.version == NULL) { - if ((x->crl.version = ASN1_INTEGER_new()) == NULL) + if (x->crl->version == NULL) { + if ((x->crl->version = M_ASN1_INTEGER_new()) == NULL) return (0); } - return (ASN1_INTEGER_set(x->crl.version, version)); + return (ASN1_INTEGER_set(x->crl->version, version)); } int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name) { - if (x == NULL) + if ((x == NULL) || (x->crl == NULL)) return (0); - return (X509_NAME_set(&x->crl.issuer, name)); + return (X509_NAME_set(&x->crl->issuer, name)); } -int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) +int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) { + ASN1_TIME *in; + if (x == NULL) - return 0; - return x509_set1_time(&x->crl.lastUpdate, tm); + return (0); + in = x->crl->lastUpdate; + if (in != tm) { + in = M_ASN1_TIME_dup(tm); + if (in != NULL) { + M_ASN1_TIME_free(x->crl->lastUpdate); + x->crl->lastUpdate = in; + } + } + return (in != NULL); } -int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) +int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) { + ASN1_TIME *in; + if (x == NULL) - return 0; - return x509_set1_time(&x->crl.nextUpdate, tm); + return (0); + in = x->crl->nextUpdate; + if (in != tm) { + in = M_ASN1_TIME_dup(tm); + if (in != NULL) { + M_ASN1_TIME_free(x->crl->nextUpdate); + x->crl->nextUpdate = in; + } + } + return (in != NULL); } int X509_CRL_sort(X509_CRL *c) @@ -54,88 +123,15 @@ int X509_CRL_sort(X509_CRL *c) /* * sort the data so it will be written in serial number order */ - sk_X509_REVOKED_sort(c->crl.revoked); - for (i = 0; i < sk_X509_REVOKED_num(c->crl.revoked); i++) { - r = sk_X509_REVOKED_value(c->crl.revoked, i); + sk_X509_REVOKED_sort(c->crl->revoked); + for (i = 0; i < sk_X509_REVOKED_num(c->crl->revoked); i++) { + r = sk_X509_REVOKED_value(c->crl->revoked, i); r->sequence = i; } - c->crl.enc.modified = 1; + c->crl->enc.modified = 1; return 1; } -int X509_CRL_up_ref(X509_CRL *crl) -{ - int i; - - if (CRYPTO_atomic_add(&crl->references, 1, &i, crl->lock) <= 0) - return 0; - - REF_PRINT_COUNT("X509_CRL", crl); - REF_ASSERT_ISNT(i < 2); - return ((i > 1) ? 1 : 0); -} - -long X509_CRL_get_version(const X509_CRL *crl) -{ - return ASN1_INTEGER_get(crl->crl.version); -} - -const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl) -{ - return crl->crl.lastUpdate; -} - -const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl) -{ - return crl->crl.nextUpdate; -} - -#if OPENSSL_API_COMPAT < 0x10100000L -ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl) -{ - return crl->crl.lastUpdate; -} - -ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl) -{ - return crl->crl.nextUpdate; -} -#endif - -X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl) -{ - return crl->crl.issuer; -} - -const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl) -{ - return crl->crl.extensions; -} - -STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl) -{ - return crl->crl.revoked; -} - -void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, - const X509_ALGOR **palg) -{ - if (psig != NULL) - *psig = &crl->signature; - if (palg != NULL) - *palg = &crl->sig_alg; -} - -int X509_CRL_get_signature_nid(const X509_CRL *crl) -{ - return OBJ_obj2nid(crl->sig_alg.algorithm); -} - -const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *x) -{ - return x->revocationDate; -} - int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) { ASN1_TIME *in; @@ -144,39 +140,28 @@ int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) return (0); in = x->revocationDate; if (in != tm) { - in = ASN1_STRING_dup(tm); + in = M_ASN1_TIME_dup(tm); if (in != NULL) { - ASN1_TIME_free(x->revocationDate); + M_ASN1_TIME_free(x->revocationDate); x->revocationDate = in; } } return (in != NULL); } -const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *x) -{ - return &x->serialNumber; -} - int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial) { ASN1_INTEGER *in; if (x == NULL) return (0); - in = &x->serialNumber; - if (in != serial) - return ASN1_STRING_copy(in, serial); - return 1; -} - -const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r) -{ - return r->extensions; -} - -int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) -{ - crl->crl.enc.modified = 1; - return i2d_X509_CRL_INFO(&crl->crl, pp); + in = x->serialNumber; + if (in != serial) { + in = M_ASN1_INTEGER_dup(serial); + if (in != NULL) { + M_ASN1_INTEGER_free(x->serialNumber); + x->serialNumber = in; + } + } + return (in != NULL); } diff --git a/Cryptlib/OpenSSL/crypto/x509/x509name.c b/Cryptlib/OpenSSL/crypto/x509/x509name.c index 919d8c1e..6ea601f9 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509name.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509name.c @@ -1,20 +1,68 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509name.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> #include <openssl/stack.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/asn1.h> #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> -#include "internal/x509_int.h" int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) { @@ -26,11 +74,11 @@ int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) return (X509_NAME_get_text_by_OBJ(name, obj, buf, len)); } -int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf, +int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf, int len) { int i; - const ASN1_STRING *data; + ASN1_STRING *data; i = X509_NAME_get_index_by_OBJ(name, obj, -1); if (i < 0) @@ -44,7 +92,7 @@ int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf return (i); } -int X509_NAME_entry_count(const X509_NAME *name) +int X509_NAME_entry_count(X509_NAME *name) { if (name == NULL) return (0); @@ -61,8 +109,8 @@ int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos) return (X509_NAME_get_index_by_OBJ(name, obj, lastpos)); } -/* NOTE: you should be passing -1, not 0 as lastpos */ -int X509_NAME_get_index_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int lastpos) +/* NOTE: you should be passsing -1, not 0 as lastpos */ +int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int lastpos) { int n; X509_NAME_ENTRY *ne; @@ -82,7 +130,7 @@ int X509_NAME_get_index_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int last return (-1); } -X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc) +X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc) { if (name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc || loc < 0) @@ -130,8 +178,8 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc) return (ret); } -int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type, - const unsigned char *bytes, int len, int loc, +int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, + unsigned char *bytes, int len, int loc, int set) { X509_NAME_ENTRY *ne; @@ -145,7 +193,7 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type } int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, - const unsigned char *bytes, int len, int loc, + unsigned char *bytes, int len, int loc, int set) { X509_NAME_ENTRY *ne; @@ -176,7 +224,7 @@ int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, * if set is -1, append to previous set, 0 'a new one', and 1, prepend to the * guy we are about to stomp on. */ -int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, +int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, int set) { X509_NAME_ENTRY *new_name = NULL; @@ -214,11 +262,7 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, inc = (set == 0) ? 1 : 0; } - /* - * X509_NAME_ENTRY_dup is ASN1 generated code, that can't be easily - * const'ified; harmless cast as dup() don't modify its input. - */ - if ((new_name = X509_NAME_ENTRY_dup((X509_NAME_ENTRY *)ne)) == NULL) + if ((new_name = X509_NAME_ENTRY_dup(ne)) == NULL) goto err; new_name->set = set; if (!sk_X509_NAME_ENTRY_insert(sk, new_name, loc)) { @@ -232,7 +276,8 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, } return (1); err: - X509_NAME_ENTRY_free(new_name); + if (new_name != NULL) + X509_NAME_ENTRY_free(new_name); return (0); } @@ -257,8 +302,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, } X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, - int type, - const unsigned char *bytes, + int type, unsigned char *bytes, int len) { ASN1_OBJECT *obj; @@ -275,7 +319,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, } X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, - const ASN1_OBJECT *obj, int type, + ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len) { @@ -301,7 +345,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, return (NULL); } -int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, const ASN1_OBJECT *obj) +int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj) { if ((ne == NULL) || (obj == NULL)) { X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT, @@ -338,21 +382,16 @@ int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, return (1); } -ASN1_OBJECT *X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne) +ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne) { if (ne == NULL) return (NULL); return (ne->object); } -ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne) +ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne) { if (ne == NULL) return (NULL); return (ne->value); } - -int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) -{ - return ne->set; -} diff --git a/Cryptlib/OpenSSL/crypto/x509/x509rset.c b/Cryptlib/OpenSSL/crypto/x509/x509rset.c index 6dee297a..80e273e6 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509rset.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509rset.c @@ -1,40 +1,85 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509rset.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/asn1.h> #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> -#include "internal/x509_int.h" int X509_REQ_set_version(X509_REQ *x, long version) { if (x == NULL) return (0); - x->req_info.enc.modified = 1; - return (ASN1_INTEGER_set(x->req_info.version, version)); + return (ASN1_INTEGER_set(x->req_info->version, version)); } int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name) { - if (x == NULL) + if ((x == NULL) || (x->req_info == NULL)) return (0); - x->req_info.enc.modified = 1; - return (X509_NAME_set(&x->req_info.subject, name)); + return (X509_NAME_set(&x->req_info->subject, name)); } int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey) { - if (x == NULL) + if ((x == NULL) || (x->req_info == NULL)) return (0); - x->req_info.enc.modified = 1; - return (X509_PUBKEY_set(&x->req_info.pubkey, pkey)); + return (X509_PUBKEY_set(&x->req_info->pubkey, pkey)); } diff --git a/Cryptlib/OpenSSL/crypto/x509/x509spki.c b/Cryptlib/OpenSSL/crypto/x509/x509spki.c index b142485d..5ae5d30a 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509spki.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509spki.c @@ -1,14 +1,64 @@ +/* x509spki.c */ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 1999. + */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/x509.h> int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey) @@ -35,7 +85,7 @@ NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, int len) NETSCAPE_SPKI *spki; if (len <= 0) len = strlen(str); - if ((spki_der = OPENSSL_malloc(len + 1)) == NULL) { + if (!(spki_der = OPENSSL_malloc(len + 1))) { X509err(X509_F_NETSCAPE_SPKI_B64_DECODE, ERR_R_MALLOC_FAILURE); return NULL; } @@ -61,10 +111,10 @@ char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki) der_len = i2d_NETSCAPE_SPKI(spki, NULL); der_spki = OPENSSL_malloc(der_len); b64_str = OPENSSL_malloc(der_len * 2); - if (der_spki == NULL || b64_str == NULL) { - X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE); + if (!der_spki || !b64_str) { OPENSSL_free(der_spki); OPENSSL_free(b64_str); + X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE); return NULL; } p = der_spki; diff --git a/Cryptlib/OpenSSL/crypto/x509/x509type.c b/Cryptlib/OpenSSL/crypto/x509/x509type.c index aca83552..9219f753 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509type.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509type.c @@ -1,35 +1,84 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509type.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> -int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey) +int X509_certificate_type(X509 *x, EVP_PKEY *pkey) { - const EVP_PKEY *pk; + EVP_PKEY *pk; int ret = 0, i; if (x == NULL) return (0); if (pkey == NULL) - pk = X509_get0_pubkey(x); + pk = X509_get_pubkey(x); else pk = pkey; if (pk == NULL) return (0); - switch (EVP_PKEY_id(pk)) { + switch (pk->type) { case EVP_PKEY_RSA: ret = EVP_PK_RSA | EVP_PKT_SIGN; /* if (!sign only extension) */ @@ -44,16 +93,15 @@ int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey) case EVP_PKEY_DH: ret = EVP_PK_DH | EVP_PKT_EXCH; break; + case NID_id_GostR3410_94: case NID_id_GostR3410_2001: - case NID_id_GostR3410_2012_256: - case NID_id_GostR3410_2012_512: ret = EVP_PKT_EXCH | EVP_PKT_SIGN; break; default: break; } - i = X509_get_signature_nid(x); + i = OBJ_obj2nid(x->sig_alg->algorithm); if (i && OBJ_find_sigid_algs(i, NULL, &i)) { switch (i) { @@ -73,5 +121,7 @@ int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey) } } + if (pkey == NULL) + EVP_PKEY_free(pk); return (ret); } diff --git a/Cryptlib/OpenSSL/crypto/x509/x_all.c b/Cryptlib/OpenSSL/crypto/x509/x_all.c index 124dd2d2..0f26c546 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x_all.c +++ b/Cryptlib/OpenSSL/crypto/x509/x_all.c @@ -1,113 +1,159 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x_all.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include <stdio.h> #include <openssl/stack.h> -#include "internal/cryptlib.h" +#include "cryptlib.h" #include <openssl/buffer.h> #include <openssl/asn1.h> #include <openssl/evp.h> #include <openssl/x509.h> -#include "internal/x509_int.h" #include <openssl/ocsp.h> -#include <openssl/rsa.h> -#include <openssl/dsa.h> -#include <openssl/x509v3.h> +#ifndef OPENSSL_NO_RSA +# include <openssl/rsa.h> +#endif +#ifndef OPENSSL_NO_DSA +# include <openssl/dsa.h> +#endif int X509_verify(X509 *a, EVP_PKEY *r) { - if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature)) + if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature)) return 0; - return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg, - &a->signature, &a->cert_info, r)); + return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), a->sig_alg, + a->signature, a->cert_info, r)); } int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r) { return (ASN1_item_verify(ASN1_ITEM_rptr(X509_REQ_INFO), - &a->sig_alg, a->signature, &a->req_info, r)); + a->sig_alg, a->signature, a->req_info, r)); } int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r) { return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC), - &a->sig_algor, a->signature, a->spkac, r)); + a->sig_algor, a->signature, a->spkac, r)); } int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { - x->cert_info.enc.modified = 1; - return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature, - &x->sig_alg, &x->signature, &x->cert_info, pkey, - md)); + x->cert_info->enc.modified = 1; + return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature, + x->sig_alg, x->signature, x->cert_info, pkey, md)); } int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) { - x->cert_info.enc.modified = 1; + x->cert_info->enc.modified = 1; return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF), - &x->cert_info.signature, - &x->sig_alg, &x->signature, &x->cert_info, ctx); + x->cert_info->signature, + x->sig_alg, x->signature, x->cert_info, ctx); } -#ifndef OPENSSL_NO_OCSP int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert) { return OCSP_REQ_CTX_nbio_d2i(rctx, (ASN1_VALUE **)pcert, ASN1_ITEM_rptr(X509)); } -#endif int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) { - return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL, - x->signature, &x->req_info, pkey, md)); + return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), x->sig_alg, NULL, + x->signature, x->req_info, pkey, md)); } int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx) { return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO), - &x->sig_alg, NULL, x->signature, &x->req_info, + x->sig_alg, NULL, x->signature, x->req_info, ctx); } int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) { - x->crl.enc.modified = 1; - return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg, - &x->sig_alg, &x->signature, &x->crl, pkey, md)); + x->crl->enc.modified = 1; + return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), x->crl->sig_alg, + x->sig_alg, x->signature, x->crl, pkey, md)); } int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) { - x->crl.enc.modified = 1; + x->crl->enc.modified = 1; return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO), - &x->crl.sig_alg, &x->sig_alg, &x->signature, - &x->crl, ctx); + x->crl->sig_alg, x->sig_alg, x->signature, + x->crl, ctx); } -#ifndef OPENSSL_NO_OCSP int X509_CRL_http_nbio(OCSP_REQ_CTX *rctx, X509_CRL **pcrl) { return OCSP_REQ_CTX_nbio_d2i(rctx, (ASN1_VALUE **)pcrl, ASN1_ITEM_rptr(X509_CRL)); } -#endif int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) { - return (ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL, + return (ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor, NULL, x->signature, x->spkac, pkey, md)); } -#ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_FP_API X509 *d2i_X509_fp(FILE *fp, X509 **x509) { return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509), fp, x509); @@ -129,7 +175,7 @@ int i2d_X509_bio(BIO *bp, X509 *x509) return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509), bp, x509); } -#ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_FP_API X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl) { return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl); @@ -151,7 +197,7 @@ int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl) return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl); } -#ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_FP_API PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7) { return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS7), fp, p7); @@ -173,7 +219,7 @@ int i2d_PKCS7_bio(BIO *bp, PKCS7 *p7) return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7), bp, p7); } -#ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_FP_API X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req) { return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req); @@ -197,7 +243,7 @@ int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req) #ifndef OPENSSL_NO_RSA -# ifndef OPENSSL_NO_STDIO +# ifndef OPENSSL_NO_FP_API RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa) { return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa); @@ -263,7 +309,7 @@ int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa) #endif #ifndef OPENSSL_NO_DSA -# ifndef OPENSSL_NO_STDIO +# ifndef OPENSSL_NO_FP_API DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa) { return ASN1_d2i_fp_of(DSA, DSA_new, d2i_DSAPrivateKey, fp, dsa); @@ -308,7 +354,7 @@ int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa) #endif #ifndef OPENSSL_NO_EC -# ifndef OPENSSL_NO_STDIO +# ifndef OPENSSL_NO_FP_API EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey) { return ASN1_d2i_fp_of(EC_KEY, EC_KEY_new, d2i_EC_PUBKEY, fp, eckey); @@ -363,13 +409,6 @@ int X509_pubkey_digest(const X509 *data, const EVP_MD *type, int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - if (type == EVP_sha1() && (data->ex_flags & EXFLAG_SET) != 0) { - /* Asking for SHA1 and we already computed it. */ - if (len != NULL) - *len = sizeof(data->sha1_hash); - memcpy(md, data->sha1_hash, sizeof(data->sha1_hash)); - return 1; - } return (ASN1_item_digest (ASN1_ITEM_rptr(X509), type, (char *)data, md, len)); } @@ -377,13 +416,6 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { - if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0) { - /* Asking for SHA1; always computed in CRL d2i. */ - if (len != NULL) - *len = sizeof(data->sha1_hash); - memcpy(md, data->sha1_hash, sizeof(data->sha1_hash)); - return 1; - } return (ASN1_item_digest (ASN1_ITEM_rptr(X509_CRL), type, (char *)data, md, len)); } @@ -410,7 +442,7 @@ int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, (char *)data, md, len)); } -#ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_FP_API X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8) { return ASN1_d2i_fp_of(X509_SIG, X509_SIG_new, d2i_X509_SIG, fp, p8); @@ -432,7 +464,7 @@ int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8) return ASN1_i2d_bio_of(X509_SIG, i2d_X509_SIG, bp, p8); } -#ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_FP_API PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf) { diff --git a/Cryptlib/OpenSSL/crypto/x509/x_attrib.c b/Cryptlib/OpenSSL/crypto/x509/x_attrib.c deleted file mode 100644 index 35f4aeef..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/x_attrib.c +++ /dev/null @@ -1,55 +0,0 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include "internal/cryptlib.h" -#include <openssl/objects.h> -#include <openssl/asn1t.h> -#include <openssl/x509.h> -#include "x509_lcl.h" - -/*- - * X509_ATTRIBUTE: this has the following form: - * - * typedef struct x509_attributes_st - * { - * ASN1_OBJECT *object; - * STACK_OF(ASN1_TYPE) *set; - * } X509_ATTRIBUTE; - * - */ - -ASN1_SEQUENCE(X509_ATTRIBUTE) = { - ASN1_SIMPLE(X509_ATTRIBUTE, object, ASN1_OBJECT), - ASN1_SET_OF(X509_ATTRIBUTE, set, ASN1_ANY) -} ASN1_SEQUENCE_END(X509_ATTRIBUTE) - -IMPLEMENT_ASN1_FUNCTIONS(X509_ATTRIBUTE) -IMPLEMENT_ASN1_DUP_FUNCTION(X509_ATTRIBUTE) - -X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value) -{ - X509_ATTRIBUTE *ret = NULL; - ASN1_TYPE *val = NULL; - - if ((ret = X509_ATTRIBUTE_new()) == NULL) - return (NULL); - ret->object = OBJ_nid2obj(nid); - if ((val = ASN1_TYPE_new()) == NULL) - goto err; - if (!sk_ASN1_TYPE_push(ret->set, val)) - goto err; - - ASN1_TYPE_set(val, atrtype, value); - return (ret); - err: - X509_ATTRIBUTE_free(ret); - ASN1_TYPE_free(val); - return (NULL); -} diff --git a/Cryptlib/OpenSSL/crypto/x509/x_crl.c b/Cryptlib/OpenSSL/crypto/x509/x_crl.c deleted file mode 100644 index dbed850b..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/x_crl.c +++ /dev/null @@ -1,459 +0,0 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include "internal/cryptlib.h" -#include <openssl/asn1t.h> -#include <openssl/x509.h> -#include "internal/x509_int.h" -#include <openssl/x509v3.h> -#include "x509_lcl.h" - -static int X509_REVOKED_cmp(const X509_REVOKED *const *a, - const X509_REVOKED *const *b); -static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp); - -ASN1_SEQUENCE(X509_REVOKED) = { - ASN1_EMBED(X509_REVOKED,serialNumber, ASN1_INTEGER), - ASN1_SIMPLE(X509_REVOKED,revocationDate, ASN1_TIME), - ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION) -} ASN1_SEQUENCE_END(X509_REVOKED) - -static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r); -static int def_crl_lookup(X509_CRL *crl, - X509_REVOKED **ret, ASN1_INTEGER *serial, - X509_NAME *issuer); - -static X509_CRL_METHOD int_crl_meth = { - 0, - 0, 0, - def_crl_lookup, - def_crl_verify -}; - -static const X509_CRL_METHOD *default_crl_method = &int_crl_meth; - -/* - * The X509_CRL_INFO structure needs a bit of customisation. Since we cache - * the original encoding the signature won't be affected by reordering of the - * revoked field. - */ -static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, - void *exarg) -{ - X509_CRL_INFO *a = (X509_CRL_INFO *)*pval; - - if (!a || !a->revoked) - return 1; - switch (operation) { - /* - * Just set cmp function here. We don't sort because that would - * affect the output of X509_CRL_print(). - */ - case ASN1_OP_D2I_POST: - (void)sk_X509_REVOKED_set_cmp_func(a->revoked, X509_REVOKED_cmp); - break; - } - return 1; -} - - -ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = { - ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER), - ASN1_EMBED(X509_CRL_INFO, sig_alg, X509_ALGOR), - ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME), - ASN1_SIMPLE(X509_CRL_INFO, lastUpdate, ASN1_TIME), - ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME), - ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED), - ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) -} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) - -/* - * Set CRL entry issuer according to CRL certificate issuer extension. Check - * for unhandled critical CRL entry extensions. - */ - -static int crl_set_issuers(X509_CRL *crl) -{ - - int i, j; - GENERAL_NAMES *gens, *gtmp; - STACK_OF(X509_REVOKED) *revoked; - - revoked = X509_CRL_get_REVOKED(crl); - - gens = NULL; - for (i = 0; i < sk_X509_REVOKED_num(revoked); i++) { - X509_REVOKED *rev = sk_X509_REVOKED_value(revoked, i); - STACK_OF(X509_EXTENSION) *exts; - ASN1_ENUMERATED *reason; - X509_EXTENSION *ext; - gtmp = X509_REVOKED_get_ext_d2i(rev, - NID_certificate_issuer, &j, NULL); - if (!gtmp && (j != -1)) { - crl->flags |= EXFLAG_INVALID; - return 1; - } - - if (gtmp) { - gens = gtmp; - if (!crl->issuers) { - crl->issuers = sk_GENERAL_NAMES_new_null(); - if (!crl->issuers) - return 0; - } - if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) - return 0; - } - rev->issuer = gens; - - reason = X509_REVOKED_get_ext_d2i(rev, NID_crl_reason, &j, NULL); - if (!reason && (j != -1)) { - crl->flags |= EXFLAG_INVALID; - return 1; - } - - if (reason) { - rev->reason = ASN1_ENUMERATED_get(reason); - ASN1_ENUMERATED_free(reason); - } else - rev->reason = CRL_REASON_NONE; - - /* Check for critical CRL entry extensions */ - - exts = rev->extensions; - - for (j = 0; j < sk_X509_EXTENSION_num(exts); j++) { - ext = sk_X509_EXTENSION_value(exts, j); - if (X509_EXTENSION_get_critical(ext)) { - if (OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_certificate_issuer) - continue; - crl->flags |= EXFLAG_CRITICAL; - break; - } - } - - } - - return 1; - -} - -/* - * The X509_CRL structure needs a bit of customisation. Cache some extensions - * and hash of the whole CRL. - */ -static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, - void *exarg) -{ - X509_CRL *crl = (X509_CRL *)*pval; - STACK_OF(X509_EXTENSION) *exts; - X509_EXTENSION *ext; - int idx; - - switch (operation) { - case ASN1_OP_NEW_POST: - crl->idp = NULL; - crl->akid = NULL; - crl->flags = 0; - crl->idp_flags = 0; - crl->idp_reasons = CRLDP_ALL_REASONS; - crl->meth = default_crl_method; - crl->meth_data = NULL; - crl->issuers = NULL; - crl->crl_number = NULL; - crl->base_crl_number = NULL; - break; - - case ASN1_OP_D2I_POST: - X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL); - crl->idp = X509_CRL_get_ext_d2i(crl, - NID_issuing_distribution_point, NULL, - NULL); - if (crl->idp) - setup_idp(crl, crl->idp); - - crl->akid = X509_CRL_get_ext_d2i(crl, - NID_authority_key_identifier, NULL, - NULL); - - crl->crl_number = X509_CRL_get_ext_d2i(crl, - NID_crl_number, NULL, NULL); - - crl->base_crl_number = X509_CRL_get_ext_d2i(crl, - NID_delta_crl, NULL, - NULL); - /* Delta CRLs must have CRL number */ - if (crl->base_crl_number && !crl->crl_number) - crl->flags |= EXFLAG_INVALID; - - /* - * See if we have any unhandled critical CRL extensions and indicate - * this in a flag. We only currently handle IDP so anything else - * critical sets the flag. This code accesses the X509_CRL structure - * directly: applications shouldn't do this. - */ - - exts = crl->crl.extensions; - - for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) { - int nid; - ext = sk_X509_EXTENSION_value(exts, idx); - nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext)); - if (nid == NID_freshest_crl) - crl->flags |= EXFLAG_FRESHEST; - if (X509_EXTENSION_get_critical(ext)) { - /* We handle IDP and deltas */ - if ((nid == NID_issuing_distribution_point) - || (nid == NID_authority_key_identifier) - || (nid == NID_delta_crl)) - continue; - crl->flags |= EXFLAG_CRITICAL; - break; - } - } - - if (!crl_set_issuers(crl)) - return 0; - - if (crl->meth->crl_init) { - if (crl->meth->crl_init(crl) == 0) - return 0; - } - - crl->flags |= EXFLAG_SET; - break; - - case ASN1_OP_FREE_POST: - if (crl->meth->crl_free) { - if (!crl->meth->crl_free(crl)) - return 0; - } - AUTHORITY_KEYID_free(crl->akid); - ISSUING_DIST_POINT_free(crl->idp); - ASN1_INTEGER_free(crl->crl_number); - ASN1_INTEGER_free(crl->base_crl_number); - sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free); - break; - } - return 1; -} - -/* Convert IDP into a more convenient form */ - -static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) -{ - int idp_only = 0; - /* Set various flags according to IDP */ - crl->idp_flags |= IDP_PRESENT; - if (idp->onlyuser > 0) { - idp_only++; - crl->idp_flags |= IDP_ONLYUSER; - } - if (idp->onlyCA > 0) { - idp_only++; - crl->idp_flags |= IDP_ONLYCA; - } - if (idp->onlyattr > 0) { - idp_only++; - crl->idp_flags |= IDP_ONLYATTR; - } - - if (idp_only > 1) - crl->idp_flags |= IDP_INVALID; - - if (idp->indirectCRL > 0) - crl->idp_flags |= IDP_INDIRECT; - - if (idp->onlysomereasons) { - crl->idp_flags |= IDP_REASONS; - if (idp->onlysomereasons->length > 0) - crl->idp_reasons = idp->onlysomereasons->data[0]; - if (idp->onlysomereasons->length > 1) - crl->idp_reasons |= (idp->onlysomereasons->data[1] << 8); - crl->idp_reasons &= CRLDP_ALL_REASONS; - } - - DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl)); -} - -ASN1_SEQUENCE_ref(X509_CRL, crl_cb) = { - ASN1_EMBED(X509_CRL, crl, X509_CRL_INFO), - ASN1_EMBED(X509_CRL, sig_alg, X509_ALGOR), - ASN1_EMBED(X509_CRL, signature, ASN1_BIT_STRING) -} ASN1_SEQUENCE_END_ref(X509_CRL, X509_CRL) - -IMPLEMENT_ASN1_FUNCTIONS(X509_REVOKED) - -IMPLEMENT_ASN1_DUP_FUNCTION(X509_REVOKED) - -IMPLEMENT_ASN1_FUNCTIONS(X509_CRL_INFO) - -IMPLEMENT_ASN1_FUNCTIONS(X509_CRL) - -IMPLEMENT_ASN1_DUP_FUNCTION(X509_CRL) - -static int X509_REVOKED_cmp(const X509_REVOKED *const *a, - const X509_REVOKED *const *b) -{ - return (ASN1_STRING_cmp((ASN1_STRING *)&(*a)->serialNumber, - (ASN1_STRING *)&(*b)->serialNumber)); -} - -int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev) -{ - X509_CRL_INFO *inf; - inf = &crl->crl; - if (inf->revoked == NULL) - inf->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp); - if (inf->revoked == NULL || !sk_X509_REVOKED_push(inf->revoked, rev)) { - ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE); - return 0; - } - inf->enc.modified = 1; - return 1; -} - -int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *r) -{ - if (crl->meth->crl_verify) - return crl->meth->crl_verify(crl, r); - return 0; -} - -int X509_CRL_get0_by_serial(X509_CRL *crl, - X509_REVOKED **ret, ASN1_INTEGER *serial) -{ - if (crl->meth->crl_lookup) - return crl->meth->crl_lookup(crl, ret, serial, NULL); - return 0; -} - -int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x) -{ - if (crl->meth->crl_lookup) - return crl->meth->crl_lookup(crl, ret, - X509_get_serialNumber(x), - X509_get_issuer_name(x)); - return 0; -} - -static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r) -{ - return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO), - &crl->sig_alg, &crl->signature, &crl->crl, r)); -} - -static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm, - X509_REVOKED *rev) -{ - int i; - - if (!rev->issuer) { - if (!nm) - return 1; - if (!X509_NAME_cmp(nm, X509_CRL_get_issuer(crl))) - return 1; - return 0; - } - - if (!nm) - nm = X509_CRL_get_issuer(crl); - - for (i = 0; i < sk_GENERAL_NAME_num(rev->issuer); i++) { - GENERAL_NAME *gen = sk_GENERAL_NAME_value(rev->issuer, i); - if (gen->type != GEN_DIRNAME) - continue; - if (!X509_NAME_cmp(nm, gen->d.directoryName)) - return 1; - } - return 0; - -} - -static int def_crl_lookup(X509_CRL *crl, - X509_REVOKED **ret, ASN1_INTEGER *serial, - X509_NAME *issuer) -{ - X509_REVOKED rtmp, *rev; - int idx; - rtmp.serialNumber = *serial; - /* - * Sort revoked into serial number order if not already sorted. Do this - * under a lock to avoid race condition. - */ - if (!sk_X509_REVOKED_is_sorted(crl->crl.revoked)) { - CRYPTO_THREAD_write_lock(crl->lock); - sk_X509_REVOKED_sort(crl->crl.revoked); - CRYPTO_THREAD_unlock(crl->lock); - } - idx = sk_X509_REVOKED_find(crl->crl.revoked, &rtmp); - if (idx < 0) - return 0; - /* Need to look for matching name */ - for (; idx < sk_X509_REVOKED_num(crl->crl.revoked); idx++) { - rev = sk_X509_REVOKED_value(crl->crl.revoked, idx); - if (ASN1_INTEGER_cmp(&rev->serialNumber, serial)) - return 0; - if (crl_revoked_issuer_match(crl, issuer, rev)) { - if (ret) - *ret = rev; - if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) - return 2; - return 1; - } - } - return 0; -} - -void X509_CRL_set_default_method(const X509_CRL_METHOD *meth) -{ - if (meth == NULL) - default_crl_method = &int_crl_meth; - else - default_crl_method = meth; -} - -X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl), - int (*crl_free) (X509_CRL *crl), - int (*crl_lookup) (X509_CRL *crl, - X509_REVOKED **ret, - ASN1_INTEGER *ser, - X509_NAME *issuer), - int (*crl_verify) (X509_CRL *crl, - EVP_PKEY *pk)) -{ - X509_CRL_METHOD *m; - m = OPENSSL_malloc(sizeof(*m)); - if (m == NULL) - return NULL; - m->crl_init = crl_init; - m->crl_free = crl_free; - m->crl_lookup = crl_lookup; - m->crl_verify = crl_verify; - m->flags = X509_CRL_METHOD_DYNAMIC; - return m; -} - -void X509_CRL_METHOD_free(X509_CRL_METHOD *m) -{ - if (m == NULL || !(m->flags & X509_CRL_METHOD_DYNAMIC)) - return; - OPENSSL_free(m); -} - -void X509_CRL_set_meth_data(X509_CRL *crl, void *dat) -{ - crl->meth_data = dat; -} - -void *X509_CRL_get_meth_data(X509_CRL *crl) -{ - return crl->meth_data; -} diff --git a/Cryptlib/OpenSSL/crypto/x509/x_exten.c b/Cryptlib/OpenSSL/crypto/x509/x_exten.c deleted file mode 100644 index f10f4a4d..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/x_exten.c +++ /dev/null @@ -1,28 +0,0 @@ -/* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stddef.h> -#include <openssl/x509.h> -#include <openssl/asn1.h> -#include <openssl/asn1t.h> -#include "x509_lcl.h" - -ASN1_SEQUENCE(X509_EXTENSION) = { - ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT), - ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN), - ASN1_EMBED(X509_EXTENSION, value, ASN1_OCTET_STRING) -} ASN1_SEQUENCE_END(X509_EXTENSION) - -ASN1_ITEM_TEMPLATE(X509_EXTENSIONS) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Extension, X509_EXTENSION) -ASN1_ITEM_TEMPLATE_END(X509_EXTENSIONS) - -IMPLEMENT_ASN1_FUNCTIONS(X509_EXTENSION) -IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS) -IMPLEMENT_ASN1_DUP_FUNCTION(X509_EXTENSION) diff --git a/Cryptlib/OpenSSL/crypto/x509/x_name.c b/Cryptlib/OpenSSL/crypto/x509/x_name.c deleted file mode 100644 index 97d735f8..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/x_name.c +++ /dev/null @@ -1,557 +0,0 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include <ctype.h> -#include "internal/cryptlib.h" -#include <openssl/asn1t.h> -#include <openssl/x509.h> -#include "internal/x509_int.h" -#include "internal/asn1_int.h" -#include "x509_lcl.h" - -/* - * Maximum length of X509_NAME: much larger than anything we should - * ever see in practice. - */ - -#define X509_NAME_MAX (1024 * 1024) - -static int x509_name_ex_d2i(ASN1_VALUE **val, - const unsigned char **in, long len, - const ASN1_ITEM *it, - int tag, int aclass, char opt, ASN1_TLC *ctx); - -static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, - const ASN1_ITEM *it, int tag, int aclass); -static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it); -static void x509_name_ex_free(ASN1_VALUE **val, const ASN1_ITEM *it); - -static int x509_name_encode(X509_NAME *a); -static int x509_name_canon(X509_NAME *a); -static int asn1_string_canon(ASN1_STRING *out, const ASN1_STRING *in); -static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) * intname, - unsigned char **in); - -static int x509_name_ex_print(BIO *out, ASN1_VALUE **pval, - int indent, - const char *fname, const ASN1_PCTX *pctx); - -ASN1_SEQUENCE(X509_NAME_ENTRY) = { - ASN1_SIMPLE(X509_NAME_ENTRY, object, ASN1_OBJECT), - ASN1_SIMPLE(X509_NAME_ENTRY, value, ASN1_PRINTABLE) -} ASN1_SEQUENCE_END(X509_NAME_ENTRY) - -IMPLEMENT_ASN1_FUNCTIONS(X509_NAME_ENTRY) -IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME_ENTRY) - -/* - * For the "Name" type we need a SEQUENCE OF { SET OF X509_NAME_ENTRY } so - * declare two template wrappers for this - */ - -ASN1_ITEM_TEMPLATE(X509_NAME_ENTRIES) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, RDNS, X509_NAME_ENTRY) -static_ASN1_ITEM_TEMPLATE_END(X509_NAME_ENTRIES) - -ASN1_ITEM_TEMPLATE(X509_NAME_INTERNAL) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Name, X509_NAME_ENTRIES) -static_ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL) - -/* - * Normally that's where it would end: we'd have two nested STACK structures - * representing the ASN1. Unfortunately X509_NAME uses a completely different - * form and caches encodings so we have to process the internal form and - * convert to the external form. - */ - -static const ASN1_EXTERN_FUNCS x509_name_ff = { - NULL, - x509_name_ex_new, - x509_name_ex_free, - 0, /* Default clear behaviour is OK */ - x509_name_ex_d2i, - x509_name_ex_i2d, - x509_name_ex_print -}; - -IMPLEMENT_EXTERN_ASN1(X509_NAME, V_ASN1_SEQUENCE, x509_name_ff) - -IMPLEMENT_ASN1_FUNCTIONS(X509_NAME) - -IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME) - -static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it) -{ - X509_NAME *ret = OPENSSL_zalloc(sizeof(*ret)); - - if (ret == NULL) - goto memerr; - if ((ret->entries = sk_X509_NAME_ENTRY_new_null()) == NULL) - goto memerr; - if ((ret->bytes = BUF_MEM_new()) == NULL) - goto memerr; - ret->modified = 1; - *val = (ASN1_VALUE *)ret; - return 1; - - memerr: - ASN1err(ASN1_F_X509_NAME_EX_NEW, ERR_R_MALLOC_FAILURE); - if (ret) { - sk_X509_NAME_ENTRY_free(ret->entries); - OPENSSL_free(ret); - } - return 0; -} - -static void x509_name_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it) -{ - X509_NAME *a; - - if (!pval || !*pval) - return; - a = (X509_NAME *)*pval; - - BUF_MEM_free(a->bytes); - sk_X509_NAME_ENTRY_pop_free(a->entries, X509_NAME_ENTRY_free); - OPENSSL_free(a->canon_enc); - OPENSSL_free(a); - *pval = NULL; -} - -static void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY) *ne) -{ - sk_X509_NAME_ENTRY_free(ne); -} - -static void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY) *ne) -{ - sk_X509_NAME_ENTRY_pop_free(ne, X509_NAME_ENTRY_free); -} - -static int x509_name_ex_d2i(ASN1_VALUE **val, - const unsigned char **in, long len, - const ASN1_ITEM *it, int tag, int aclass, - char opt, ASN1_TLC *ctx) -{ - const unsigned char *p = *in, *q; - union { - STACK_OF(STACK_OF_X509_NAME_ENTRY) *s; - ASN1_VALUE *a; - } intname = { - NULL - }; - union { - X509_NAME *x; - ASN1_VALUE *a; - } nm = { - NULL - }; - int i, j, ret; - STACK_OF(X509_NAME_ENTRY) *entries; - X509_NAME_ENTRY *entry; - if (len > X509_NAME_MAX) - len = X509_NAME_MAX; - q = p; - - /* Get internal representation of Name */ - ret = ASN1_item_ex_d2i(&intname.a, - &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL), - tag, aclass, opt, ctx); - - if (ret <= 0) - return ret; - - if (*val) - x509_name_ex_free(val, NULL); - if (!x509_name_ex_new(&nm.a, NULL)) - goto err; - /* We've decoded it: now cache encoding */ - if (!BUF_MEM_grow(nm.x->bytes, p - q)) - goto err; - memcpy(nm.x->bytes->data, q, p - q); - - /* Convert internal representation to X509_NAME structure */ - for (i = 0; i < sk_STACK_OF_X509_NAME_ENTRY_num(intname.s); i++) { - entries = sk_STACK_OF_X509_NAME_ENTRY_value(intname.s, i); - for (j = 0; j < sk_X509_NAME_ENTRY_num(entries); j++) { - entry = sk_X509_NAME_ENTRY_value(entries, j); - entry->set = i; - if (!sk_X509_NAME_ENTRY_push(nm.x->entries, entry)) - goto err; - sk_X509_NAME_ENTRY_set(entries, j, NULL); - } - } - ret = x509_name_canon(nm.x); - if (!ret) - goto err; - sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s, - local_sk_X509_NAME_ENTRY_free); - nm.x->modified = 0; - *val = nm.a; - *in = p; - return ret; - - err: - if (nm.x != NULL) - X509_NAME_free(nm.x); - sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s, - local_sk_X509_NAME_ENTRY_pop_free); - ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR); - return 0; -} - -static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, - const ASN1_ITEM *it, int tag, int aclass) -{ - int ret; - X509_NAME *a = (X509_NAME *)*val; - if (a->modified) { - ret = x509_name_encode(a); - if (ret < 0) - return ret; - ret = x509_name_canon(a); - if (ret < 0) - return ret; - } - ret = a->bytes->length; - if (out != NULL) { - memcpy(*out, a->bytes->data, ret); - *out += ret; - } - return ret; -} - -static int x509_name_encode(X509_NAME *a) -{ - union { - STACK_OF(STACK_OF_X509_NAME_ENTRY) *s; - ASN1_VALUE *a; - } intname = { - NULL - }; - int len; - unsigned char *p; - STACK_OF(X509_NAME_ENTRY) *entries = NULL; - X509_NAME_ENTRY *entry; - int i, set = -1; - intname.s = sk_STACK_OF_X509_NAME_ENTRY_new_null(); - if (!intname.s) - goto memerr; - for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) { - entry = sk_X509_NAME_ENTRY_value(a->entries, i); - if (entry->set != set) { - entries = sk_X509_NAME_ENTRY_new_null(); - if (!entries) - goto memerr; - if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname.s, entries)) { - sk_X509_NAME_ENTRY_free(entries); - goto memerr; - } - set = entry->set; - } - if (!sk_X509_NAME_ENTRY_push(entries, entry)) - goto memerr; - } - len = ASN1_item_ex_i2d(&intname.a, NULL, - ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); - if (!BUF_MEM_grow(a->bytes, len)) - goto memerr; - p = (unsigned char *)a->bytes->data; - ASN1_item_ex_i2d(&intname.a, - &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); - sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s, - local_sk_X509_NAME_ENTRY_free); - a->modified = 0; - return len; - memerr: - sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s, - local_sk_X509_NAME_ENTRY_free); - ASN1err(ASN1_F_X509_NAME_ENCODE, ERR_R_MALLOC_FAILURE); - return -1; -} - -static int x509_name_ex_print(BIO *out, ASN1_VALUE **pval, - int indent, - const char *fname, const ASN1_PCTX *pctx) -{ - if (X509_NAME_print_ex(out, (const X509_NAME *)*pval, - indent, pctx->nm_flags) <= 0) - return 0; - return 2; -} - -/* - * This function generates the canonical encoding of the Name structure. In - * it all strings are converted to UTF8, leading, trailing and multiple - * spaces collapsed, converted to lower case and the leading SEQUENCE header - * removed. In future we could also normalize the UTF8 too. By doing this - * comparison of Name structures can be rapidly performed by just using - * memcmp() of the canonical encoding. By omitting the leading SEQUENCE name - * constraints of type dirName can also be checked with a simple memcmp(). - */ - -static int x509_name_canon(X509_NAME *a) -{ - unsigned char *p; - STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname = NULL; - STACK_OF(X509_NAME_ENTRY) *entries = NULL; - X509_NAME_ENTRY *entry, *tmpentry = NULL; - int i, set = -1, ret = 0, len; - - OPENSSL_free(a->canon_enc); - a->canon_enc = NULL; - /* Special case: empty X509_NAME => null encoding */ - if (sk_X509_NAME_ENTRY_num(a->entries) == 0) { - a->canon_enclen = 0; - return 1; - } - intname = sk_STACK_OF_X509_NAME_ENTRY_new_null(); - if (!intname) - goto err; - for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) { - entry = sk_X509_NAME_ENTRY_value(a->entries, i); - if (entry->set != set) { - entries = sk_X509_NAME_ENTRY_new_null(); - if (!entries) - goto err; - if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries)) { - sk_X509_NAME_ENTRY_free(entries); - goto err; - } - set = entry->set; - } - tmpentry = X509_NAME_ENTRY_new(); - if (tmpentry == NULL) - goto err; - tmpentry->object = OBJ_dup(entry->object); - if (tmpentry->object == NULL) - goto err; - if (!asn1_string_canon(tmpentry->value, entry->value)) - goto err; - if (!sk_X509_NAME_ENTRY_push(entries, tmpentry)) - goto err; - tmpentry = NULL; - } - - /* Finally generate encoding */ - - len = i2d_name_canon(intname, NULL); - if (len < 0) - goto err; - a->canon_enclen = len; - - p = OPENSSL_malloc(a->canon_enclen); - - if (p == NULL) - goto err; - - a->canon_enc = p; - - i2d_name_canon(intname, &p); - - ret = 1; - - err: - - X509_NAME_ENTRY_free(tmpentry); - sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname, - local_sk_X509_NAME_ENTRY_pop_free); - return ret; -} - -/* Bitmap of all the types of string that will be canonicalized. */ - -#define ASN1_MASK_CANON \ - (B_ASN1_UTF8STRING | B_ASN1_BMPSTRING | B_ASN1_UNIVERSALSTRING \ - | B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_IA5STRING \ - | B_ASN1_VISIBLESTRING) - -static int asn1_string_canon(ASN1_STRING *out, const ASN1_STRING *in) -{ - unsigned char *to, *from; - int len, i; - - /* If type not in bitmask just copy string across */ - if (!(ASN1_tag2bit(in->type) & ASN1_MASK_CANON)) { - if (!ASN1_STRING_copy(out, in)) - return 0; - return 1; - } - - out->type = V_ASN1_UTF8STRING; - out->length = ASN1_STRING_to_UTF8(&out->data, in); - if (out->length == -1) - return 0; - - to = out->data; - from = to; - - len = out->length; - - /* - * Convert string in place to canonical form. Ultimately we may need to - * handle a wider range of characters but for now ignore anything with - * MSB set and rely on the isspace() and tolower() functions. - */ - - /* Ignore leading spaces */ - while ((len > 0) && !(*from & 0x80) && isspace(*from)) { - from++; - len--; - } - - to = from + len; - - /* Ignore trailing spaces */ - while ((len > 0) && !(to[-1] & 0x80) && isspace(to[-1])) { - to--; - len--; - } - - to = out->data; - - i = 0; - while (i < len) { - /* If MSB set just copy across */ - if (*from & 0x80) { - *to++ = *from++; - i++; - } - /* Collapse multiple spaces */ - else if (isspace(*from)) { - /* Copy one space across */ - *to++ = ' '; - /* - * Ignore subsequent spaces. Note: don't need to check len here - * because we know the last character is a non-space so we can't - * overflow. - */ - do { - from++; - i++; - } - while (!(*from & 0x80) && isspace(*from)); - } else { - *to++ = tolower(*from); - from++; - i++; - } - } - - out->length = to - out->data; - - return 1; - -} - -static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname, - unsigned char **in) -{ - int i, len, ltmp; - ASN1_VALUE *v; - STACK_OF(ASN1_VALUE) *intname = (STACK_OF(ASN1_VALUE) *)_intname; - - len = 0; - for (i = 0; i < sk_ASN1_VALUE_num(intname); i++) { - v = sk_ASN1_VALUE_value(intname, i); - ltmp = ASN1_item_ex_i2d(&v, in, - ASN1_ITEM_rptr(X509_NAME_ENTRIES), -1, -1); - if (ltmp < 0) - return ltmp; - len += ltmp; - } - return len; -} - -int X509_NAME_set(X509_NAME **xn, X509_NAME *name) -{ - X509_NAME *in; - - if (!xn || !name) - return (0); - - if (*xn != name) { - in = X509_NAME_dup(name); - if (in != NULL) { - X509_NAME_free(*xn); - *xn = in; - } - } - return (*xn != NULL); -} - -int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase) -{ - char *s, *c, *b; - int l, i; - - l = 80 - 2 - obase; - - b = X509_NAME_oneline(name, NULL, 0); - if (!b) - return 0; - if (!*b) { - OPENSSL_free(b); - return 1; - } - s = b + 1; /* skip the first slash */ - - c = s; - for (;;) { -#ifndef CHARSET_EBCDIC - if (((*s == '/') && - ((s[1] >= 'A') && (s[1] <= 'Z') && ((s[2] == '=') || - ((s[2] >= 'A') - && (s[2] <= 'Z') - && (s[3] == '=')) - ))) || (*s == '\0')) -#else - if (((*s == '/') && - (isupper(s[1]) && ((s[2] == '=') || - (isupper(s[2]) && (s[3] == '=')) - ))) || (*s == '\0')) -#endif - { - i = s - c; - if (BIO_write(bp, c, i) != i) - goto err; - c = s + 1; /* skip following slash */ - if (*s != '\0') { - if (BIO_write(bp, ", ", 2) != 2) - goto err; - } - l--; - } - if (*s == '\0') - break; - s++; - l--; - } - - OPENSSL_free(b); - return 1; - err: - X509err(X509_F_X509_NAME_PRINT, ERR_R_BUF_LIB); - OPENSSL_free(b); - return 0; -} - -int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder, - size_t *pderlen) -{ - /* Make sure encoding is valid */ - if (i2d_X509_NAME(nm, NULL) <= 0) - return 0; - if (pder != NULL) - *pder = (unsigned char *)nm->bytes->data; - if (pderlen != NULL) - *pderlen = nm->bytes->length; - return 1; -} diff --git a/Cryptlib/OpenSSL/crypto/x509/x_pubkey.c b/Cryptlib/OpenSSL/crypto/x509/x_pubkey.c deleted file mode 100644 index cc692834..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/x_pubkey.c +++ /dev/null @@ -1,374 +0,0 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include "internal/cryptlib.h" -#include <openssl/asn1t.h> -#include <openssl/x509.h> -#include "internal/asn1_int.h" -#include "internal/evp_int.h" -#include "internal/x509_int.h" -#include <openssl/rsa.h> -#include <openssl/dsa.h> - -struct X509_pubkey_st { - X509_ALGOR *algor; - ASN1_BIT_STRING *public_key; - EVP_PKEY *pkey; -}; - -static int x509_pubkey_decode(EVP_PKEY **pk, X509_PUBKEY *key); - -/* Minor tweak to operation: free up EVP_PKEY */ -static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, - void *exarg) -{ - if (operation == ASN1_OP_FREE_POST) { - X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; - EVP_PKEY_free(pubkey->pkey); - } else if (operation == ASN1_OP_D2I_POST) { - /* Attempt to decode public key and cache in pubkey structure. */ - X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; - EVP_PKEY_free(pubkey->pkey); - /* - * Opportunistically decode the key but remove any non fatal errors - * from the queue. Subsequent explicit attempts to decode/use the key - * will return an appropriate error. - */ - ERR_set_mark(); - if (x509_pubkey_decode(&pubkey->pkey, pubkey) == -1) - return 0; - ERR_pop_to_mark(); - } - return 1; -} - -ASN1_SEQUENCE_cb(X509_PUBKEY, pubkey_cb) = { - ASN1_SIMPLE(X509_PUBKEY, algor, X509_ALGOR), - ASN1_SIMPLE(X509_PUBKEY, public_key, ASN1_BIT_STRING) -} ASN1_SEQUENCE_END_cb(X509_PUBKEY, X509_PUBKEY) - -IMPLEMENT_ASN1_FUNCTIONS(X509_PUBKEY) - -int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) -{ - X509_PUBKEY *pk = NULL; - - if (x == NULL) - return (0); - - if ((pk = X509_PUBKEY_new()) == NULL) - goto error; - - if (pkey->ameth) { - if (pkey->ameth->pub_encode) { - if (!pkey->ameth->pub_encode(pk, pkey)) { - X509err(X509_F_X509_PUBKEY_SET, - X509_R_PUBLIC_KEY_ENCODE_ERROR); - goto error; - } - } else { - X509err(X509_F_X509_PUBKEY_SET, X509_R_METHOD_NOT_SUPPORTED); - goto error; - } - } else { - X509err(X509_F_X509_PUBKEY_SET, X509_R_UNSUPPORTED_ALGORITHM); - goto error; - } - - X509_PUBKEY_free(*x); - *x = pk; - pk->pkey = pkey; - EVP_PKEY_up_ref(pkey); - return 1; - - error: - X509_PUBKEY_free(pk); - return 0; -} - -/* - * Attempt to decode a public key. - * Returns 1 on success, 0 for a decode failure and -1 for a fatal - * error e.g. malloc failure. - */ - - -static int x509_pubkey_decode(EVP_PKEY **ppkey, X509_PUBKEY *key) - { - EVP_PKEY *pkey = EVP_PKEY_new(); - - if (pkey == NULL) { - X509err(X509_F_X509_PUBKEY_DECODE, ERR_R_MALLOC_FAILURE); - return -1; - } - - if (!EVP_PKEY_set_type(pkey, OBJ_obj2nid(key->algor->algorithm))) { - X509err(X509_F_X509_PUBKEY_DECODE, X509_R_UNSUPPORTED_ALGORITHM); - goto error; - } - - if (pkey->ameth->pub_decode) { - /* - * Treat any failure of pub_decode as a decode error. In - * future we could have different return codes for decode - * errors and fatal errors such as malloc failure. - */ - if (!pkey->ameth->pub_decode(pkey, key)) { - X509err(X509_F_X509_PUBKEY_DECODE, X509_R_PUBLIC_KEY_DECODE_ERROR); - goto error; - } - } else { - X509err(X509_F_X509_PUBKEY_DECODE, X509_R_METHOD_NOT_SUPPORTED); - goto error; - } - - *ppkey = pkey; - return 1; - - error: - EVP_PKEY_free(pkey); - return 0; -} - -EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key) -{ - EVP_PKEY *ret = NULL; - - if (key == NULL || key->public_key == NULL) - return NULL; - - if (key->pkey != NULL) - return key->pkey; - - /* - * When the key ASN.1 is initially parsed an attempt is made to - * decode the public key and cache the EVP_PKEY structure. If this - * operation fails the cached value will be NULL. Parsing continues - * to allow parsing of unknown key types or unsupported forms. - * We repeat the decode operation so the appropriate errors are left - * in the queue. - */ - x509_pubkey_decode(&ret, key); - /* If decode doesn't fail something bad happened */ - if (ret != NULL) { - X509err(X509_F_X509_PUBKEY_GET0, ERR_R_INTERNAL_ERROR); - EVP_PKEY_free(ret); - } - - return NULL; -} - -EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) -{ - EVP_PKEY *ret = X509_PUBKEY_get0(key); - if (ret != NULL) - EVP_PKEY_up_ref(ret); - return ret; -} - -/* - * Now two pseudo ASN1 routines that take an EVP_PKEY structure and encode or - * decode as X509_PUBKEY - */ - -EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp, long length) -{ - X509_PUBKEY *xpk; - EVP_PKEY *pktmp; - const unsigned char *q; - q = *pp; - xpk = d2i_X509_PUBKEY(NULL, &q, length); - if (!xpk) - return NULL; - pktmp = X509_PUBKEY_get(xpk); - X509_PUBKEY_free(xpk); - if (!pktmp) - return NULL; - *pp = q; - if (a) { - EVP_PKEY_free(*a); - *a = pktmp; - } - return pktmp; -} - -int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp) -{ - X509_PUBKEY *xpk = NULL; - int ret; - if (!a) - return 0; - if (!X509_PUBKEY_set(&xpk, a)) - return 0; - ret = i2d_X509_PUBKEY(xpk, pp); - X509_PUBKEY_free(xpk); - return ret; -} - -/* - * The following are equivalents but which return RSA and DSA keys - */ -#ifndef OPENSSL_NO_RSA -RSA *d2i_RSA_PUBKEY(RSA **a, const unsigned char **pp, long length) -{ - EVP_PKEY *pkey; - RSA *key; - const unsigned char *q; - q = *pp; - pkey = d2i_PUBKEY(NULL, &q, length); - if (!pkey) - return NULL; - key = EVP_PKEY_get1_RSA(pkey); - EVP_PKEY_free(pkey); - if (!key) - return NULL; - *pp = q; - if (a) { - RSA_free(*a); - *a = key; - } - return key; -} - -int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp) -{ - EVP_PKEY *pktmp; - int ret; - if (!a) - return 0; - pktmp = EVP_PKEY_new(); - if (pktmp == NULL) { - ASN1err(ASN1_F_I2D_RSA_PUBKEY, ERR_R_MALLOC_FAILURE); - return 0; - } - EVP_PKEY_set1_RSA(pktmp, a); - ret = i2d_PUBKEY(pktmp, pp); - EVP_PKEY_free(pktmp); - return ret; -} -#endif - -#ifndef OPENSSL_NO_DSA -DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length) -{ - EVP_PKEY *pkey; - DSA *key; - const unsigned char *q; - q = *pp; - pkey = d2i_PUBKEY(NULL, &q, length); - if (!pkey) - return NULL; - key = EVP_PKEY_get1_DSA(pkey); - EVP_PKEY_free(pkey); - if (!key) - return NULL; - *pp = q; - if (a) { - DSA_free(*a); - *a = key; - } - return key; -} - -int i2d_DSA_PUBKEY(DSA *a, unsigned char **pp) -{ - EVP_PKEY *pktmp; - int ret; - if (!a) - return 0; - pktmp = EVP_PKEY_new(); - if (pktmp == NULL) { - ASN1err(ASN1_F_I2D_DSA_PUBKEY, ERR_R_MALLOC_FAILURE); - return 0; - } - EVP_PKEY_set1_DSA(pktmp, a); - ret = i2d_PUBKEY(pktmp, pp); - EVP_PKEY_free(pktmp); - return ret; -} -#endif - -#ifndef OPENSSL_NO_EC -EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length) -{ - EVP_PKEY *pkey; - EC_KEY *key; - const unsigned char *q; - q = *pp; - pkey = d2i_PUBKEY(NULL, &q, length); - if (!pkey) - return (NULL); - key = EVP_PKEY_get1_EC_KEY(pkey); - EVP_PKEY_free(pkey); - if (!key) - return (NULL); - *pp = q; - if (a) { - EC_KEY_free(*a); - *a = key; - } - return (key); -} - -int i2d_EC_PUBKEY(EC_KEY *a, unsigned char **pp) -{ - EVP_PKEY *pktmp; - int ret; - if (!a) - return (0); - if ((pktmp = EVP_PKEY_new()) == NULL) { - ASN1err(ASN1_F_I2D_EC_PUBKEY, ERR_R_MALLOC_FAILURE); - return (0); - } - EVP_PKEY_set1_EC_KEY(pktmp, a); - ret = i2d_PUBKEY(pktmp, pp); - EVP_PKEY_free(pktmp); - return (ret); -} -#endif - -int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj, - int ptype, void *pval, - unsigned char *penc, int penclen) -{ - if (!X509_ALGOR_set0(pub->algor, aobj, ptype, pval)) - return 0; - if (penc) { - OPENSSL_free(pub->public_key->data); - pub->public_key->data = penc; - pub->public_key->length = penclen; - /* Set number of unused bits to zero */ - pub->public_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); - pub->public_key->flags |= ASN1_STRING_FLAG_BITS_LEFT; - } - return 1; -} - -int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg, - const unsigned char **pk, int *ppklen, - X509_ALGOR **pa, X509_PUBKEY *pub) -{ - if (ppkalg) - *ppkalg = pub->algor->algorithm; - if (pk) { - *pk = pub->public_key->data; - *ppklen = pub->public_key->length; - } - if (pa) - *pa = pub->algor; - return 1; -} - -ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) -{ - if (x == NULL) - return NULL; - return x->cert_info.key->public_key; -} diff --git a/Cryptlib/OpenSSL/crypto/x509/x_req.c b/Cryptlib/OpenSSL/crypto/x509/x_req.c deleted file mode 100644 index c2da95a7..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/x_req.c +++ /dev/null @@ -1,68 +0,0 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include "internal/cryptlib.h" -#include <openssl/asn1t.h> -#include <openssl/x509.h> -#include "internal/x509_int.h" - -/*- - * X509_REQ_INFO is handled in an unusual way to get round - * invalid encodings. Some broken certificate requests don't - * encode the attributes field if it is empty. This is in - * violation of PKCS#10 but we need to tolerate it. We do - * this by making the attributes field OPTIONAL then using - * the callback to initialise it to an empty STACK. - * - * This means that the field will be correctly encoded unless - * we NULL out the field. - * - * As a result we no longer need the req_kludge field because - * the information is now contained in the attributes field: - * 1. If it is NULL then it's the invalid omission. - * 2. If it is empty it is the correct encoding. - * 3. If it is not empty then some attributes are present. - * - */ - -static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, - void *exarg) -{ - X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval; - - if (operation == ASN1_OP_NEW_POST) { - rinf->attributes = sk_X509_ATTRIBUTE_new_null(); - if (!rinf->attributes) - return 0; - } - return 1; -} - -ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = { - ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER), - ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME), - ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY), - /* This isn't really OPTIONAL but it gets round invalid - * encodings - */ - ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0) -} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO) - -IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO) - -ASN1_SEQUENCE_ref(X509_REQ, 0) = { - ASN1_EMBED(X509_REQ, req_info, X509_REQ_INFO), - ASN1_EMBED(X509_REQ, sig_alg, X509_ALGOR), - ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING) -} ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ) - -IMPLEMENT_ASN1_FUNCTIONS(X509_REQ) - -IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ) diff --git a/Cryptlib/OpenSSL/crypto/x509/x_x509.c b/Cryptlib/OpenSSL/crypto/x509/x_x509.c deleted file mode 100644 index 6783fd87..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/x_x509.c +++ /dev/null @@ -1,224 +0,0 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include "internal/cryptlib.h" -#include <openssl/evp.h> -#include <openssl/asn1t.h> -#include <openssl/x509.h> -#include <openssl/x509v3.h> -#include "internal/x509_int.h" - -ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = { - ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0), - ASN1_EMBED(X509_CINF, serialNumber, ASN1_INTEGER), - ASN1_EMBED(X509_CINF, signature, X509_ALGOR), - ASN1_SIMPLE(X509_CINF, issuer, X509_NAME), - ASN1_EMBED(X509_CINF, validity, X509_VAL), - ASN1_SIMPLE(X509_CINF, subject, X509_NAME), - ASN1_SIMPLE(X509_CINF, key, X509_PUBKEY), - ASN1_IMP_OPT(X509_CINF, issuerUID, ASN1_BIT_STRING, 1), - ASN1_IMP_OPT(X509_CINF, subjectUID, ASN1_BIT_STRING, 2), - ASN1_EXP_SEQUENCE_OF_OPT(X509_CINF, extensions, X509_EXTENSION, 3) -} ASN1_SEQUENCE_END_enc(X509_CINF, X509_CINF) - -IMPLEMENT_ASN1_FUNCTIONS(X509_CINF) -/* X509 top level structure needs a bit of customisation */ - -extern void policy_cache_free(X509_POLICY_CACHE *cache); - -static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, - void *exarg) -{ - X509 *ret = (X509 *)*pval; - - switch (operation) { - - case ASN1_OP_NEW_POST: - ret->ex_flags = 0; - ret->ex_pathlen = -1; - ret->ex_pcpathlen = -1; - ret->skid = NULL; - ret->akid = NULL; -#ifndef OPENSSL_NO_RFC3779 - ret->rfc3779_addr = NULL; - ret->rfc3779_asid = NULL; -#endif - ret->aux = NULL; - ret->crldp = NULL; - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data)) - return 0; - break; - - case ASN1_OP_FREE_POST: - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); - X509_CERT_AUX_free(ret->aux); - ASN1_OCTET_STRING_free(ret->skid); - AUTHORITY_KEYID_free(ret->akid); - CRL_DIST_POINTS_free(ret->crldp); - policy_cache_free(ret->policy_cache); - GENERAL_NAMES_free(ret->altname); - NAME_CONSTRAINTS_free(ret->nc); -#ifndef OPENSSL_NO_RFC3779 - sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); - ASIdentifiers_free(ret->rfc3779_asid); -#endif - break; - - } - - return 1; - -} - -ASN1_SEQUENCE_ref(X509, x509_cb) = { - ASN1_EMBED(X509, cert_info, X509_CINF), - ASN1_EMBED(X509, sig_alg, X509_ALGOR), - ASN1_EMBED(X509, signature, ASN1_BIT_STRING) -} ASN1_SEQUENCE_END_ref(X509, X509) - -IMPLEMENT_ASN1_FUNCTIONS(X509) - -IMPLEMENT_ASN1_DUP_FUNCTION(X509) - -int X509_set_ex_data(X509 *r, int idx, void *arg) -{ - return (CRYPTO_set_ex_data(&r->ex_data, idx, arg)); -} - -void *X509_get_ex_data(X509 *r, int idx) -{ - return (CRYPTO_get_ex_data(&r->ex_data, idx)); -} - -/* - * X509_AUX ASN1 routines. X509_AUX is the name given to a certificate with - * extra info tagged on the end. Since these functions set how a certificate - * is trusted they should only be used when the certificate comes from a - * reliable source such as local storage. - */ - -X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) -{ - const unsigned char *q; - X509 *ret; - int freeret = 0; - - /* Save start position */ - q = *pp; - - if (a == NULL || *a == NULL) - freeret = 1; - ret = d2i_X509(a, &q, length); - /* If certificate unreadable then forget it */ - if (ret == NULL) - return NULL; - /* update length */ - length -= q - *pp; - if (length > 0 && !d2i_X509_CERT_AUX(&ret->aux, &q, length)) - goto err; - *pp = q; - return ret; - err: - if (freeret) { - X509_free(ret); - if (a) - *a = NULL; - } - return NULL; -} - -/* - * Serialize trusted certificate to *pp or just return the required buffer - * length if pp == NULL. We ultimately want to avoid modifying *pp in the - * error path, but that depends on similar hygiene in lower-level functions. - * Here we avoid compounding the problem. - */ -static int i2d_x509_aux_internal(X509 *a, unsigned char **pp) -{ - int length, tmplen; - unsigned char *start = pp != NULL ? *pp : NULL; - - OPENSSL_assert(pp == NULL || *pp != NULL); - - /* - * This might perturb *pp on error, but fixing that belongs in i2d_X509() - * not here. It should be that if a == NULL length is zero, but we check - * both just in case. - */ - length = i2d_X509(a, pp); - if (length <= 0 || a == NULL) - return length; - - tmplen = i2d_X509_CERT_AUX(a->aux, pp); - if (tmplen < 0) { - if (start != NULL) - *pp = start; - return tmplen; - } - length += tmplen; - - return length; -} - -/* - * Serialize trusted certificate to *pp, or just return the required buffer - * length if pp == NULL. - * - * When pp is not NULL, but *pp == NULL, we allocate the buffer, but since - * we're writing two ASN.1 objects back to back, we can't have i2d_X509() do - * the allocation, nor can we allow i2d_X509_CERT_AUX() to increment the - * allocated buffer. - */ -int i2d_X509_AUX(X509 *a, unsigned char **pp) -{ - int length; - unsigned char *tmp; - - /* Buffer provided by caller */ - if (pp == NULL || *pp != NULL) - return i2d_x509_aux_internal(a, pp); - - /* Obtain the combined length */ - if ((length = i2d_x509_aux_internal(a, NULL)) <= 0) - return length; - - /* Allocate requisite combined storage */ - *pp = tmp = OPENSSL_malloc(length); - if (tmp == NULL) - return -1; /* Push error onto error stack? */ - - /* Encode, but keep *pp at the originally malloced pointer */ - length = i2d_x509_aux_internal(a, &tmp); - if (length <= 0) { - OPENSSL_free(*pp); - *pp = NULL; - } - return length; -} - -int i2d_re_X509_tbs(X509 *x, unsigned char **pp) -{ - x->cert_info.enc.modified = 1; - return i2d_X509_CINF(&x->cert_info, pp); -} - -void X509_get0_signature(const ASN1_BIT_STRING **psig, - const X509_ALGOR **palg, const X509 *x) -{ - if (psig) - *psig = &x->signature; - if (palg) - *palg = &x->sig_alg; -} - -int X509_get_signature_nid(const X509 *x) -{ - return OBJ_obj2nid(x->sig_alg.algorithm); -} diff --git a/Cryptlib/OpenSSL/crypto/x509/x_x509a.c b/Cryptlib/OpenSSL/crypto/x509/x_x509a.c deleted file mode 100644 index 8c9ad71d..00000000 --- a/Cryptlib/OpenSSL/crypto/x509/x_x509a.c +++ /dev/null @@ -1,169 +0,0 @@ -/* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include "internal/cryptlib.h" -#include <openssl/evp.h> -#include <openssl/asn1t.h> -#include <openssl/x509.h> -#include "internal/x509_int.h" - -/* - * X509_CERT_AUX routines. These are used to encode additional user - * modifiable data about a certificate. This data is appended to the X509 - * encoding when the *_X509_AUX routines are used. This means that the - * "traditional" X509 routines will simply ignore the extra data. - */ - -static X509_CERT_AUX *aux_get(X509 *x); - -ASN1_SEQUENCE(X509_CERT_AUX) = { - ASN1_SEQUENCE_OF_OPT(X509_CERT_AUX, trust, ASN1_OBJECT), - ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, reject, ASN1_OBJECT, 0), - ASN1_OPT(X509_CERT_AUX, alias, ASN1_UTF8STRING), - ASN1_OPT(X509_CERT_AUX, keyid, ASN1_OCTET_STRING), - ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, other, X509_ALGOR, 1) -} ASN1_SEQUENCE_END(X509_CERT_AUX) - -IMPLEMENT_ASN1_FUNCTIONS(X509_CERT_AUX) - -int X509_trusted(const X509 *x) -{ - return x->aux ? 1 : 0; -} - -static X509_CERT_AUX *aux_get(X509 *x) -{ - if (x == NULL) - return NULL; - if (x->aux == NULL && (x->aux = X509_CERT_AUX_new()) == NULL) - return NULL; - return x->aux; -} - -int X509_alias_set1(X509 *x, const unsigned char *name, int len) -{ - X509_CERT_AUX *aux; - if (!name) { - if (!x || !x->aux || !x->aux->alias) - return 1; - ASN1_UTF8STRING_free(x->aux->alias); - x->aux->alias = NULL; - return 1; - } - if ((aux = aux_get(x)) == NULL) - return 0; - if (aux->alias == NULL && (aux->alias = ASN1_UTF8STRING_new()) == NULL) - return 0; - return ASN1_STRING_set(aux->alias, name, len); -} - -int X509_keyid_set1(X509 *x, const unsigned char *id, int len) -{ - X509_CERT_AUX *aux; - if (!id) { - if (!x || !x->aux || !x->aux->keyid) - return 1; - ASN1_OCTET_STRING_free(x->aux->keyid); - x->aux->keyid = NULL; - return 1; - } - if ((aux = aux_get(x)) == NULL) - return 0; - if (aux->keyid == NULL - && (aux->keyid = ASN1_OCTET_STRING_new()) == NULL) - return 0; - return ASN1_STRING_set(aux->keyid, id, len); -} - -unsigned char *X509_alias_get0(X509 *x, int *len) -{ - if (!x->aux || !x->aux->alias) - return NULL; - if (len) - *len = x->aux->alias->length; - return x->aux->alias->data; -} - -unsigned char *X509_keyid_get0(X509 *x, int *len) -{ - if (!x->aux || !x->aux->keyid) - return NULL; - if (len) - *len = x->aux->keyid->length; - return x->aux->keyid->data; -} - -int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj) -{ - X509_CERT_AUX *aux; - ASN1_OBJECT *objtmp = NULL; - if (obj) { - objtmp = OBJ_dup(obj); - if (!objtmp) - return 0; - } - if ((aux = aux_get(x)) == NULL) - goto err; - if (aux->trust == NULL - && (aux->trust = sk_ASN1_OBJECT_new_null()) == NULL) - goto err; - if (!objtmp || sk_ASN1_OBJECT_push(aux->trust, objtmp)) - return 1; - err: - ASN1_OBJECT_free(objtmp); - return 0; -} - -int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj) -{ - X509_CERT_AUX *aux; - ASN1_OBJECT *objtmp; - if ((objtmp = OBJ_dup(obj)) == NULL) - return 0; - if ((aux = aux_get(x)) == NULL) - goto err; - if (aux->reject == NULL - && (aux->reject = sk_ASN1_OBJECT_new_null()) == NULL) - goto err; - return sk_ASN1_OBJECT_push(aux->reject, objtmp); - err: - ASN1_OBJECT_free(objtmp); - return 0; -} - -void X509_trust_clear(X509 *x) -{ - if (x->aux) { - sk_ASN1_OBJECT_pop_free(x->aux->trust, ASN1_OBJECT_free); - x->aux->trust = NULL; - } -} - -void X509_reject_clear(X509 *x) -{ - if (x->aux) { - sk_ASN1_OBJECT_pop_free(x->aux->reject, ASN1_OBJECT_free); - x->aux->reject = NULL; - } -} - -STACK_OF(ASN1_OBJECT) *X509_get0_trust_objects(X509 *x) -{ - if (x->aux != NULL) - return x->aux->trust; - return NULL; -} - -STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(X509 *x) -{ - if (x->aux != NULL) - return x->aux->reject; - return NULL; -} |