From 031e5cce385d3f96b1caa1d53495332a7eb03749 Mon Sep 17 00:00:00 2001 From: Steve McIntyre Date: Tue, 23 Mar 2021 23:49:46 +0000 Subject: New upstream version 15.3 --- Cryptlib/OpenSSL/crypto/x509/x509_vfy.c | 2365 +++++++++++-------------------- 1 file changed, 862 insertions(+), 1503 deletions(-) (limited to 'Cryptlib/OpenSSL/crypto/x509/x509_vfy.c') diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c index ebc44240..96f306b2 100644 --- a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c +++ b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c @@ -1,18 +1,66 @@ -/* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. +/* crypto/x509/x509_vfy.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] */ #include #include #include -#include -#include "internal/cryptlib.h" +#include "cryptlib.h" #include #include #include @@ -21,9 +69,7 @@ #include #include #include -#include -#include -#include "x509_lcl.h" +#include "vpm_int.h" /* CRL score values */ @@ -63,23 +109,16 @@ #define CRL_SCORE_TIME_DELTA 0x002 -static int build_chain(X509_STORE_CTX *ctx); -static int verify_chain(X509_STORE_CTX *ctx); -static int dane_verify(X509_STORE_CTX *ctx); static int null_callback(int ok, X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); static int check_chain_extensions(X509_STORE_CTX *ctx); static int check_name_constraints(X509_STORE_CTX *ctx); static int check_id(X509_STORE_CTX *ctx); -static int check_trust(X509_STORE_CTX *ctx, int num_untrusted); +static int check_trust(X509_STORE_CTX *ctx); static int check_revocation(X509_STORE_CTX *ctx); static int check_cert(X509_STORE_CTX *ctx); static int check_policy(X509_STORE_CTX *ctx); -static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); -static int check_dane_issuer(X509_STORE_CTX *ctx, int depth); -static int check_key_level(X509_STORE_CTX *ctx, X509 *cert); -static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert); static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, X509_CRL *crl, X509 *x); @@ -98,20 +137,22 @@ static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *crl_path); static int internal_verify(X509_STORE_CTX *ctx); +const char X509_version[] = "X.509" OPENSSL_VERSION_PTEXT; static int null_callback(int ok, X509_STORE_CTX *e) { return ok; } +#if 0 +static int x509_subject_cmp(X509 **a, X509 **b) +{ + return X509_subject_name_cmp(*a, *b); +} +#endif /* Return 1 is a certificate is self signed */ static int cert_self_signed(X509 *x) { - /* - * FIXME: x509v3_cache_extensions() needs to detect more failures and not - * set EXFLAG_SET when that happens. Especially, if the failures are - * parse errors, rather than memory pressure! - */ X509_check_purpose(x, -1, 0); if (x->ex_flags & EXFLAG_SS) return 1; @@ -137,128 +178,30 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) break; } if (i < sk_X509_num(certs)) - X509_up_ref(xtmp); + CRYPTO_add(&xtmp->references, 1, CRYPTO_LOCK_X509); else xtmp = NULL; sk_X509_pop_free(certs, X509_free); return xtmp; } -/*- - * Inform the verify callback of an error. - * If B is not NULL it is the error cert, otherwise use the chain cert at - * B. - * If B is not X509_V_OK, that's the error value, otherwise leave - * unchanged (presumably set by the caller). - * - * Returns 0 to abort verification with an error, non-zero to continue. - */ -static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err) -{ - ctx->error_depth = depth; - ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth); - if (err != X509_V_OK) - ctx->error = err; - return ctx->verify_cb(0, ctx); -} - -/*- - * Inform the verify callback of an error, CRL-specific variant. Here, the - * error depth and certificate are already set, we just specify the error - * number. - * - * Returns 0 to abort verification with an error, non-zero to continue. - */ -static int verify_cb_crl(X509_STORE_CTX *ctx, int err) -{ - ctx->error = err; - return ctx->verify_cb(0, ctx); -} - -static int check_auth_level(X509_STORE_CTX *ctx) -{ - int i; - int num = sk_X509_num(ctx->chain); - - if (ctx->param->auth_level <= 0) - return 1; - - for (i = 0; i < num; ++i) { - X509 *cert = sk_X509_value(ctx->chain, i); - - /* - * We've already checked the security of the leaf key, so here we only - * check the security of issuer keys. - */ - if (i > 0 && !check_key_level(ctx, cert) && - verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL) == 0) - return 0; - /* - * We also check the signature algorithm security of all certificates - * except those of the trust anchor at index num-1. - */ - if (i < num - 1 && !check_sig_level(ctx, cert) && - verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK) == 0) - return 0; - } - return 1; -} - -static int verify_chain(X509_STORE_CTX *ctx) -{ - int err; - int ok; - - /* - * Before either returning with an error, or continuing with CRL checks, - * instantiate chain public key parameters. - */ - if ((ok = build_chain(ctx)) == 0 || - (ok = check_chain_extensions(ctx)) == 0 || - (ok = check_auth_level(ctx)) == 0 || - (ok = check_name_constraints(ctx)) == 0 || - (ok = check_id(ctx)) == 0 || 1) - X509_get_pubkey_parameters(NULL, ctx->chain); - if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0) - return ok; - - err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain, - ctx->param->flags); - if (err != X509_V_OK) { - if ((ok = verify_cb_cert(ctx, NULL, ctx->error_depth, err)) == 0) - return ok; - } - - /* Verify chain signatures and expiration times */ - ok = (ctx->verify != NULL) ? ctx->verify(ctx) : internal_verify(ctx); - if (!ok) - return ok; - -#ifndef OPENSSL_NO_RFC3779 - /* RFC 3779 path validation, now that CRL check has been done */ - if ((ok = X509v3_asid_validate_path(ctx)) == 0) - return ok; - if ((ok = X509v3_addr_validate_path(ctx)) == 0) - return ok; -#endif - - /* If we get this far evaluate policies */ - if (ctx->param->flags & X509_V_FLAG_POLICY_CHECK) - ok = ctx->check_policy(ctx); - return ok; -} - int X509_verify_cert(X509_STORE_CTX *ctx) { - SSL_DANE *dane = ctx->dane; - int ret; + X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; + int bad_chain = 0; + X509_VERIFY_PARAM *param = ctx->param; + int depth, i, ok = 0; + int num, j, retry; + int (*cb) (int xok, X509_STORE_CTX *xctx); + STACK_OF(X509) *sktmp = NULL; + int trust = X509_TRUST_UNTRUSTED; + int err; if (ctx->cert == NULL) { X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); ctx->error = X509_V_ERR_INVALID_CALL; return -1; } - if (ctx->chain != NULL) { /* * This X509_STORE_CTX has already been used to verify a cert. We @@ -269,6 +212,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) return -1; } + cb = ctx->verify_cb; + /* * first we make sure the chain we are going to build is present and that * the first entry is in place @@ -277,48 +222,332 @@ int X509_verify_cert(X509_STORE_CTX *ctx) (!sk_X509_push(ctx->chain, ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); ctx->error = X509_V_ERR_OUT_OF_MEM; - return -1; + ok = -1; + goto err; } - X509_up_ref(ctx->cert); - ctx->num_untrusted = 1; + CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509); + ctx->last_untrusted = 1; - /* If the peer's public key is too weak, we can stop early. */ - if (!check_key_level(ctx, ctx->cert) && - !verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL)) - return 0; + /* We use a temporary STACK so we can chop and hack at it */ + if (ctx->untrusted != NULL + && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + ok = -1; + goto err; + } - if (DANETLS_ENABLED(dane)) - ret = dane_verify(ctx); - else - ret = verify_chain(ctx); + num = sk_X509_num(ctx->chain); + x = sk_X509_value(ctx->chain, num - 1); + depth = param->depth; + + for (;;) { + /* If we have enough, we break */ + if (depth < num) + break; /* FIXME: If this happens, we should take + * note of it and, if appropriate, use the + * X509_V_ERR_CERT_CHAIN_TOO_LONG error code + * later. */ + + /* If we are self signed, we break */ + if (cert_self_signed(x)) + break; + /* + * If asked see if we can find issuer in trusted store first + */ + if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) { + ok = ctx->get_issuer(&xtmp, ctx, x); + if (ok < 0) { + ctx->error = X509_V_ERR_STORE_LOOKUP; + goto err; + } + /* + * If successful for now free up cert so it will be picked up + * again later. + */ + if (ok > 0) { + X509_free(xtmp); + break; + } + } + + /* If we were passed a cert chain, use it first */ + if (ctx->untrusted != NULL) { + xtmp = find_issuer(ctx, sktmp, x); + if (xtmp != NULL) { + if (!sk_X509_push(ctx->chain, xtmp)) { + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + ok = -1; + goto err; + } + CRYPTO_add(&xtmp->references, 1, CRYPTO_LOCK_X509); + (void)sk_X509_delete_ptr(sktmp, xtmp); + ctx->last_untrusted++; + x = xtmp; + num++; + /* + * reparse the full chain for the next one + */ + continue; + } + } + break; + } + + /* Remember how many untrusted certs we have */ + j = num; + /* + * at this point, chain should contain a list of untrusted certificates. + * We now need to add at least one trusted one, if possible, otherwise we + * complain. + */ + + do { + /* + * Examine last certificate in chain and see if it is self signed. + */ + i = sk_X509_num(ctx->chain); + x = sk_X509_value(ctx->chain, i - 1); + if (cert_self_signed(x)) { + /* we have a self signed certificate */ + if (sk_X509_num(ctx->chain) == 1) { + /* + * We have a single self signed certificate: see if we can + * find it in the store. We must have an exact match to avoid + * possible impersonation. + */ + ok = ctx->get_issuer(&xtmp, ctx, x); + if ((ok <= 0) || X509_cmp(x, xtmp)) { + ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; + ctx->current_cert = x; + ctx->error_depth = i - 1; + if (ok == 1) + X509_free(xtmp); + bad_chain = 1; + ok = cb(0, ctx); + if (!ok) + goto err; + } else { + /* + * We have a match: replace certificate with store + * version so we get any trust settings. + */ + X509_free(x); + x = xtmp; + (void)sk_X509_set(ctx->chain, i - 1, x); + ctx->last_untrusted = 0; + } + } else { + /* + * extract and save self signed certificate for later use + */ + chain_ss = sk_X509_pop(ctx->chain); + ctx->last_untrusted--; + num--; + j--; + x = sk_X509_value(ctx->chain, num - 1); + } + } + /* We now lookup certs from the certificate store */ + for (;;) { + /* If we have enough, we break */ + if (depth < num) + break; + /* If we are self signed, we break */ + if (cert_self_signed(x)) + break; + ok = ctx->get_issuer(&xtmp, ctx, x); + + if (ok < 0) { + ctx->error = X509_V_ERR_STORE_LOOKUP; + goto err; + } + if (ok == 0) + break; + x = xtmp; + if (!sk_X509_push(ctx->chain, x)) { + X509_free(xtmp); + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; + ok = -1; + goto err; + } + num++; + } + + /* we now have our chain, lets check it... */ + if ((trust = check_trust(ctx)) == X509_TRUST_REJECTED) { + /* Callback already issued */ + ok = 0; + goto err; + } + + /* + * If it's not explicitly trusted then check if there is an alternative + * chain that could be used. We only do this if we haven't already + * checked via TRUSTED_FIRST and the user hasn't switched off alternate + * chain checking + */ + retry = 0; + if (trust != X509_TRUST_TRUSTED + && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) + && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { + while (j-- > 1) { + xtmp2 = sk_X509_value(ctx->chain, j - 1); + ok = ctx->get_issuer(&xtmp, ctx, xtmp2); + if (ok < 0) { + ctx->error = X509_V_ERR_STORE_LOOKUP; + goto err; + } + /* Check if we found an alternate chain */ + if (ok > 0) { + /* + * Free up the found cert we'll add it again later + */ + X509_free(xtmp); + + /* + * Dump all the certs above this point - we've found an + * alternate chain + */ + while (num > j) { + xtmp = sk_X509_pop(ctx->chain); + X509_free(xtmp); + num--; + } + ctx->last_untrusted = sk_X509_num(ctx->chain); + retry = 1; + break; + } + } + } + } while (retry); + + /* + * If not explicitly trusted then indicate error unless it's a single + * self signed certificate in which case we've indicated an error already + * and set bad_chain == 1 + */ + if (trust != X509_TRUST_TRUSTED && !bad_chain) { + if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { + if (ctx->last_untrusted >= num) + ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; + else + ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; + ctx->current_cert = x; + } else { + + sk_X509_push(ctx->chain, chain_ss); + num++; + ctx->last_untrusted = num; + ctx->current_cert = chain_ss; + ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; + chain_ss = NULL; + } + + ctx->error_depth = num - 1; + bad_chain = 1; + ok = cb(0, ctx); + if (!ok) + goto err; + } + + /* We have the chain complete: now we need to check its purpose */ + ok = check_chain_extensions(ctx); + + if (!ok) + goto err; + + /* Check name constraints */ + + ok = check_name_constraints(ctx); + + if (!ok) + goto err; + + ok = check_id(ctx); + + if (!ok) + goto err; + + /* We may as well copy down any DSA parameters that are required */ + X509_get_pubkey_parameters(NULL, ctx->chain); /* - * Safety-net. If we are returning an error, we must also set ctx->error, - * so that the chain is not considered verified should the error be ignored - * (e.g. TLS with SSL_VERIFY_NONE). + * Check revocation status: we do this after copying parameters because + * they may be needed for CRL signature verification. */ - if (ret <= 0 && ctx->error == X509_V_OK) + + ok = ctx->check_revocation(ctx); + if (!ok) + goto err; + + err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain, + ctx->param->flags); + if (err != X509_V_OK) { + ctx->error = err; + ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth); + ok = cb(0, ctx); + if (!ok) + goto err; + } + + /* At this point, we have a chain and need to verify it */ + if (ctx->verify != NULL) + ok = ctx->verify(ctx); + else + ok = internal_verify(ctx); + if (!ok) + goto err; + +#ifndef OPENSSL_NO_RFC3779 + /* RFC 3779 path validation, now that CRL check has been done */ + ok = v3_asid_validate_path(ctx); + if (!ok) + goto err; + ok = v3_addr_validate_path(ctx); + if (!ok) + goto err; +#endif + + /* If we get this far evaluate policies */ + if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) + ok = ctx->check_policy(ctx); + if (!ok) + goto err; + if (0) { + err: + /* Ensure we return an error */ + if (ok > 0) + ok = 0; + X509_get_pubkey_parameters(NULL, ctx->chain); + } + if (sktmp != NULL) + sk_X509_free(sktmp); + if (chain_ss != NULL) + X509_free(chain_ss); + + /* Safety net, error returns must set ctx->error */ + if (ok <= 0 && ctx->error == X509_V_OK) ctx->error = X509_V_ERR_UNSPECIFIED; - return ret; + return ok; } /* * Given a STACK_OF(X509) find the issuer of cert (if any) */ + static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { int i; - X509 *issuer, *rv = NULL; - + X509 *issuer; for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); - if (ctx->check_issued(ctx, x, issuer)) { - rv = issuer; - if (x509_check_cert_time(ctx, rv, -1)) - break; - } + if (ctx->check_issued(ctx, x, issuer)) + return issuer; } - return rv; + return NULL; } /* Given a possible certificate and issuer check them */ @@ -326,25 +555,17 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { int ret; - if (x == issuer) - return cert_self_signed(x); ret = X509_check_issued(issuer, x); - if (ret == X509_V_OK) { - int i; - X509 *ch; - /* Special case: single self signed certificate */ - if (cert_self_signed(x) && sk_X509_num(ctx->chain) == 1) - return 1; - for (i = 0; i < sk_X509_num(ctx->chain); i++) { - ch = sk_X509_value(ctx->chain, i); - if (ch == issuer || !X509_cmp(ch, issuer)) { - ret = X509_V_ERR_PATH_LOOP; - break; - } - } - } + if (ret == X509_V_OK) + return 1; + /* If we haven't asked for issuer errors don't set ctx */ + if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) + return 0; - return (ret == X509_V_OK); + ctx->error = ret; + ctx->current_cert = x; + ctx->current_issuer = issuer; + return ctx->verify_cb(0, ctx); } /* Alternative lookup method: look from a STACK stored in other_ctx */ @@ -353,83 +574,12 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { *issuer = find_issuer(ctx, ctx->other_ctx, x); if (*issuer) { - X509_up_ref(*issuer); + CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); return 1; } else return 0; } -static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm) -{ - STACK_OF(X509) *sk = NULL; - X509 *x; - int i; - for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) { - x = sk_X509_value(ctx->other_ctx, i); - if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) { - if (sk == NULL) - sk = sk_X509_new_null(); - if (sk == NULL || sk_X509_push(sk, x) == 0) { - sk_X509_pop_free(sk, X509_free); - return NULL; - } - X509_up_ref(x); - } - } - return sk; -} - -/* - * Check EE or CA certificate purpose. For trusted certificates explicit local - * auxiliary trust can be used to override EKU-restrictions. - */ -static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, - int must_be_ca) -{ - int tr_ok = X509_TRUST_UNTRUSTED; - - /* - * For trusted certificates we want to see whether any auxiliary trust - * settings trump the purpose constraints. - * - * This is complicated by the fact that the trust ordinals in - * ctx->param->trust are entirely independent of the purpose ordinals in - * ctx->param->purpose! - * - * What connects them is their mutual initialization via calls from - * X509_STORE_CTX_set_default() into X509_VERIFY_PARAM_lookup() which sets - * related values of both param->trust and param->purpose. It is however - * typically possible to infer associated trust values from a purpose value - * via the X509_PURPOSE API. - * - * Therefore, we can only check for trust overrides when the purpose we're - * checking is the same as ctx->param->purpose and ctx->param->trust is - * also set. - */ - if (depth >= ctx->num_untrusted && purpose == ctx->param->purpose) - tr_ok = X509_check_trust(x, ctx->param->trust, X509_TRUST_NO_SS_COMPAT); - - switch (tr_ok) { - case X509_TRUST_TRUSTED: - return 1; - case X509_TRUST_REJECTED: - break; - default: - switch (X509_check_purpose(x, purpose, must_be_ca > 0)) { - case 1: - return 1; - case 0: - break; - default: - if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) == 0) - return 1; - } - break; - } - - return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE); -} - /* * Check a certificate chains extensions for consistency with the supplied * purpose @@ -437,12 +587,16 @@ static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, static int check_chain_extensions(X509_STORE_CTX *ctx) { - int i, must_be_ca, plen = 0; +#ifdef OPENSSL_NO_CHAIN_VERIFY + return 1; +#else + int i, ok = 0, must_be_ca, plen = 0; X509 *x; + int (*cb) (int xok, X509_STORE_CTX *xctx); int proxy_path_length = 0; int purpose; int allow_proxy_certs; - int num = sk_X509_num(ctx->chain); + cb = ctx->verify_cb; /*- * must_be_ca can have 1 of 3 values: @@ -462,22 +616,35 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) } else { allow_proxy_certs = ! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); + /* + * A hack to keep people who don't want to modify their software + * happy + */ + if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) + allow_proxy_certs = 1; purpose = ctx->param->purpose; } - for (i = 0; i < num; i++) { + /* Check all untrusted certificates */ + for (i = 0; i < ctx->last_untrusted; i++) { int ret; x = sk_X509_value(ctx->chain, i); if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && (x->ex_flags & EXFLAG_CRITICAL)) { - if (!verify_cb_cert(ctx, x, i, - X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION)) - return 0; + ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; } if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { - if (!verify_cb_cert(ctx, x, i, - X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)) - return 0; + ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; } ret = X509_check_ca(x); switch (must_be_ca) { @@ -497,9 +664,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ret = 1; break; default: - /* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */ if ((ret == 0) - || ((i + 1 < num || ctx->param->flags & X509_V_FLAG_X509_STRICT) + || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && (ret != 1))) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; @@ -507,17 +673,36 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ret = 1; break; } - if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK)) - return 0; - /* check_purpose() makes the callback as needed */ - if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca)) - return 0; - /* Check pathlen if not self issued */ - if ((i > 1) && !(x->ex_flags & EXFLAG_SI) + if (ret == 0) { + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; + } + if (ctx->param->purpose > 0) { + ret = X509_check_purpose(x, purpose, must_be_ca > 0); + if ((ret == 0) + || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1))) { + ctx->error = X509_V_ERR_INVALID_PURPOSE; + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; + } + } + /* Check pathlen if not self issued */ + if ((i > 1) && !(x->ex_flags & EXFLAG_SI) && (x->ex_pathlen != -1) && (plen > (x->ex_pathlen + proxy_path_length + 1))) { - if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED)) - return 0; + ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; } /* Increment path length if not self issued */ if (!(x->ex_flags & EXFLAG_SI)) @@ -541,9 +726,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) */ if (x->ex_pcpathlen != -1) { if (proxy_path_length > x->ex_pcpathlen) { - if (!verify_cb_cert(ctx, x, i, - X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED)) - return 0; + ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; + ctx->error_depth = i; + ctx->current_cert = x; + ok = cb(0, ctx); + if (!ok) + goto end; } proxy_path_length = x->ex_pcpathlen; } @@ -552,18 +740,19 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) } else must_be_ca = 1; } - return 1; + ok = 1; + end: + return ok; +#endif } static int check_name_constraints(X509_STORE_CTX *ctx) { - int i; - + X509 *x; + int i, j, rv; /* Check name constraints for all certificates */ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { - X509 *x = sk_X509_value(ctx->chain, i); - int j; - + x = sk_X509_value(ctx->chain, i); /* Ignore self issued certs unless last in chain */ if (i && (x->ex_flags & EXFLAG_SI)) continue; @@ -602,10 +791,8 @@ static int check_name_constraints(X509_STORE_CTX *ctx) * Check that the last subject component isn't part of a * multivalued RDN */ - if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject, - last_object_loc)) - == X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject, - last_object_loc - 1))) { + if (X509_NAME_get_entry(tmpsubject, last_object_loc)->set + == X509_NAME_get_entry(tmpsubject, last_object_loc - 1)->set) { err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; goto proxy_name_done; } @@ -635,9 +822,13 @@ static int check_name_constraints(X509_STORE_CTX *ctx) X509_NAME_free(tmpsubject); proxy_name_done: - if (err != X509_V_OK - && !verify_cb_cert(ctx, x, i, err)) - return 0; + if (err != X509_V_OK) { + ctx->error = err; + ctx->error_depth = i; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } } /* @@ -648,21 +839,19 @@ static int check_name_constraints(X509_STORE_CTX *ctx) */ for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) { NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; - if (nc) { - int rv = NAME_CONSTRAINTS_check(x, nc); - - /* If EE certificate check commonName too */ - if (rv == X509_V_OK && i == 0) - rv = NAME_CONSTRAINTS_check_CN(x, nc); - + rv = NAME_CONSTRAINTS_check(x, nc); switch (rv) { case X509_V_OK: - break; + continue; case X509_V_ERR_OUT_OF_MEM: + ctx->error = rv; return 0; default: - if (!verify_cb_cert(ctx, x, i, rv)) + ctx->error = rv; + ctx->error_depth = i; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) return 0; break; } @@ -674,22 +863,25 @@ static int check_name_constraints(X509_STORE_CTX *ctx) static int check_id_error(X509_STORE_CTX *ctx, int errcode) { - return verify_cb_cert(ctx, ctx->cert, 0, errcode); + ctx->error = errcode; + ctx->current_cert = ctx->cert; + ctx->error_depth = 0; + return ctx->verify_cb(0, ctx); } -static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm) +static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id) { int i; - int n = sk_OPENSSL_STRING_num(vpm->hosts); + int n = sk_OPENSSL_STRING_num(id->hosts); char *name; - if (vpm->peername != NULL) { - OPENSSL_free(vpm->peername); - vpm->peername = NULL; + if (id->peername != NULL) { + OPENSSL_free(id->peername); + id->peername = NULL; } for (i = 0; i < n; ++i) { - name = sk_OPENSSL_STRING_value(vpm->hosts, i); - if (X509_check_host(x, name, 0, vpm->hostflags, &vpm->peername) > 0) + name = sk_OPENSSL_STRING_value(id->hosts, i); + if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0) return 1; } return n == 0; @@ -698,95 +890,65 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm) static int check_id(X509_STORE_CTX *ctx) { X509_VERIFY_PARAM *vpm = ctx->param; + X509_VERIFY_PARAM_ID *id = vpm->id; X509 *x = ctx->cert; - if (vpm->hosts && check_hosts(x, vpm) <= 0) { + if (id->hosts && check_hosts(x, id) <= 0) { if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) return 0; } - if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) { + if (id->email && X509_check_email(x, id->email, id->emaillen, 0) <= 0) { if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) return 0; } - if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) { + if (id->ip && X509_check_ip(x, id->ip, id->iplen, 0) <= 0) { if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) return 0; } return 1; } -static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) +static int check_trust(X509_STORE_CTX *ctx) { - int i; + int i, ok; X509 *x = NULL; - X509 *mx; - SSL_DANE *dane = ctx->dane; - int num = sk_X509_num(ctx->chain); - int trust; - - /* - * Check for a DANE issuer at depth 1 or greater, if it is a DANE-TA(2) - * match, we're done, otherwise we'll merely record the match depth. - */ - if (DANETLS_HAS_TA(dane) && num_untrusted > 0 && num_untrusted < num) { - switch (trust = check_dane_issuer(ctx, num_untrusted)) { - case X509_TRUST_TRUSTED: - case X509_TRUST_REJECTED: - return trust; - } - } - - /* - * Check trusted certificates in chain at depth num_untrusted and up. - * Note, that depths 0..num_untrusted-1 may also contain trusted - * certificates, but the caller is expected to have already checked those, - * and wants to incrementally check just any added since. - */ - for (i = num_untrusted; i < num; i++) { + int (*cb) (int xok, X509_STORE_CTX *xctx); + cb = ctx->verify_cb; + /* Check all trusted certificates in chain */ + for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) { x = sk_X509_value(ctx->chain, i); - trust = X509_check_trust(x, ctx->param->trust, 0); + ok = X509_check_trust(x, ctx->param->trust, 0); /* If explicitly trusted return trusted */ - if (trust == X509_TRUST_TRUSTED) - goto trusted; - if (trust == X509_TRUST_REJECTED) - goto rejected; + if (ok == X509_TRUST_TRUSTED) + return X509_TRUST_TRUSTED; + /* + * If explicitly rejected notify callback and reject if not + * overridden. + */ + if (ok == X509_TRUST_REJECTED) { + ctx->error_depth = i; + ctx->current_cert = x; + ctx->error = X509_V_ERR_CERT_REJECTED; + ok = cb(0, ctx); + if (!ok) + return X509_TRUST_REJECTED; + } } - /* - * If we are looking at a trusted certificate, and accept partial chains, - * the chain is PKIX trusted. + * If we accept partial chains and have at least one trusted certificate + * return success. */ - if (num_untrusted < num) { - if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) - goto trusted; - return X509_TRUST_UNTRUSTED; - } - - if (num_untrusted == num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { - /* - * Last-resort call with no new trusted certificates, check the leaf - * for a direct trust store match. - */ - i = 0; - x = sk_X509_value(ctx->chain, i); + if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { + X509 *mx; + if (ctx->last_untrusted < sk_X509_num(ctx->chain)) + return X509_TRUST_TRUSTED; + x = sk_X509_value(ctx->chain, 0); mx = lookup_cert_match(ctx, x); - if (!mx) - return X509_TRUST_UNTRUSTED; - - /* - * Check explicit auxiliary trust/reject settings. If none are set, - * we'll accept X509_TRUST_UNTRUSTED when not self-signed. - */ - trust = X509_check_trust(mx, ctx->param->trust, 0); - if (trust == X509_TRUST_REJECTED) { - X509_free(mx); - goto rejected; + if (mx) { + (void)sk_X509_set(ctx->chain, 0, mx); + X509_free(x); + ctx->last_untrusted = 0; + return X509_TRUST_TRUSTED; } - - /* Replace leaf with trusted match */ - (void) sk_X509_set(ctx->chain, 0, mx); - X509_free(x); - ctx->num_untrusted = 0; - goto trusted; } /* @@ -794,26 +956,11 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) * standard (no issuer cert) etc errors to be indicated. */ return X509_TRUST_UNTRUSTED; - - rejected: - if (!verify_cb_cert(ctx, x, i, X509_V_ERR_CERT_REJECTED)) - return X509_TRUST_REJECTED; - return X509_TRUST_UNTRUSTED; - - trusted: - if (!DANETLS_ENABLED(dane)) - return X509_TRUST_TRUSTED; - if (dane->pdpth < 0) - dane->pdpth = num_untrusted; - /* With DANE, PKIX alone is not trusted until we have both */ - if (dane->mdpth >= 0) - return X509_TRUST_TRUSTED; - return X509_TRUST_UNTRUSTED; } static int check_revocation(X509_STORE_CTX *ctx) { - int i = 0, last = 0, ok = 0; + int i, last, ok; if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) return 1; if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) @@ -836,21 +983,20 @@ static int check_revocation(X509_STORE_CTX *ctx) static int check_cert(X509_STORE_CTX *ctx) { X509_CRL *crl = NULL, *dcrl = NULL; - int ok = 0; - int cnum = ctx->error_depth; - X509 *x = sk_X509_value(ctx->chain, cnum); - + X509 *x; + int ok = 0; /* current openssl sets 'ok' to zero here */ + int cnum; + unsigned int last_reasons; + cnum = ctx->error_depth; + x = sk_X509_value(ctx->chain, cnum); ctx->current_cert = x; ctx->current_issuer = NULL; ctx->current_crl_score = 0; ctx->current_reasons = 0; - if (x->ex_flags & EXFLAG_PROXY) return 1; - while (ctx->current_reasons != CRLDP_ALL_REASONS) { - unsigned int last_reasons = ctx->current_reasons; - + last_reasons = ctx->current_reasons; /* Try to retrieve relevant CRL */ if (ctx->get_crl) ok = ctx->get_crl(ctx, &crl, x); @@ -860,21 +1006,22 @@ static int check_cert(X509_STORE_CTX *ctx) * If error looking up CRL, nothing we can do except notify callback */ if (!ok) { - ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL); - goto done; + ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; + ok = ctx->verify_cb(0, ctx); + goto err; } ctx->current_crl = crl; ok = ctx->check_crl(ctx, crl); if (!ok) - goto done; + goto err; if (dcrl) { ok = ctx->check_crl(ctx, dcrl); if (!ok) - goto done; + goto err; ok = ctx->cert_crl(ctx, dcrl, x); if (!ok) - goto done; + goto err; } else ok = 1; @@ -882,7 +1029,7 @@ static int check_cert(X509_STORE_CTX *ctx) if (ok != 2) { ok = ctx->cert_crl(ctx, crl, x); if (!ok) - goto done; + goto err; } X509_CRL_free(crl); @@ -890,20 +1037,22 @@ static int check_cert(X509_STORE_CTX *ctx) crl = NULL; dcrl = NULL; /* - * If reasons not updated we won't get anywhere by another iteration, + * If reasons not updated we wont get anywhere by another iteration, * so exit loop. */ if (last_reasons == ctx->current_reasons) { - ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL); - goto done; + ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; + ok = ctx->verify_cb(0, ctx); + goto err; } } - done: + err: X509_CRL_free(crl); X509_CRL_free(dcrl); ctx->current_crl = NULL; return ok; + } /* Check CRL times against values in X509_STORE_CTX */ @@ -912,7 +1061,6 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { time_t *ptime; int i; - if (notify) ctx->current_crl = crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) @@ -922,35 +1070,39 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) else ptime = NULL; - i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime); + i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); if (i == 0) { if (!notify) return 0; - if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD)) + ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; + if (!ctx->verify_cb(0, ctx)) return 0; } if (i > 0) { if (!notify) return 0; - if (!verify_cb_crl(ctx, X509_V_ERR_CRL_NOT_YET_VALID)) + ctx->error = X509_V_ERR_CRL_NOT_YET_VALID; + if (!ctx->verify_cb(0, ctx)) return 0; } - if (X509_CRL_get0_nextUpdate(crl)) { - i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime); + if (X509_CRL_get_nextUpdate(crl)) { + i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); if (i == 0) { if (!notify) return 0; - if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD)) + ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; + if (!ctx->verify_cb(0, ctx)) return 0; } /* Ignore expiry of base CRL is delta is valid */ if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { if (!notify) return 0; - if (!verify_cb_crl(ctx, X509_V_ERR_CRL_HAS_EXPIRED)) + ctx->error = X509_V_ERR_CRL_HAS_EXPIRED; + if (!ctx->verify_cb(0, ctx)) return 0; } } @@ -980,8 +1132,8 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, /* If current CRL is equivalent use it if it is newer */ if (crl_score == best_score && best_crl != NULL) { int day, sec; - if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl), - X509_CRL_get0_lastUpdate(crl)) == 0) + if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl), + X509_CRL_get_lastUpdate(crl)) == 0) continue; /* * ASN1_TIME_diff never returns inconsistent signs for |day| @@ -997,14 +1149,17 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, } if (best_crl) { - X509_CRL_free(*pcrl); + if (*pcrl) + X509_CRL_free(*pcrl); *pcrl = best_crl; *pissuer = best_crl_issuer; *pscore = best_score; *preasons = best_reasons; - X509_CRL_up_ref(best_crl); - X509_CRL_free(*pdcrl); - *pdcrl = NULL; + CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); + if (*pdcrl) { + X509_CRL_free(*pdcrl); + *pdcrl = NULL; + } get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); } @@ -1100,7 +1255,7 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, if (check_delta_base(delta, base)) { if (check_crl_time(ctx, delta, 0)) *pscore |= CRL_SCORE_TIME_DELTA; - X509_CRL_up_ref(delta); + CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); *dcrl = delta; return; } @@ -1242,7 +1397,6 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) { X509_STORE_CTX crl_ctx; int ret; - /* Don't allow recursive CRL path validation */ if (ctx->parent) return 0; @@ -1258,10 +1412,12 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) /* Verify CRL issuer */ ret = X509_verify_cert(&crl_ctx); + if (ret <= 0) goto err; /* Check chain is acceptable */ + ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); err: X509_STORE_CTX_cleanup(&crl_ctx); @@ -1418,10 +1574,10 @@ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL *crl = NULL, *dcrl = NULL; STACK_OF(X509_CRL) *skcrl; X509_NAME *nm = X509_get_issuer_name(x); - reasons = ctx->current_reasons; ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, ctx->crls); + if (ok) goto done; @@ -1438,6 +1594,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx, sk_X509_CRL_pop_free(skcrl, X509_CRL_free); done: + /* If we got any kind of CRL use it and return success */ if (crl) { ctx->current_issuer = issuer; @@ -1447,6 +1604,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx, *pdcrl = dcrl; return 1; } + return 0; } @@ -1455,12 +1613,13 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) { X509 *issuer = NULL; EVP_PKEY *ikey = NULL; - int cnum = ctx->error_depth; - int chnum = sk_X509_num(ctx->chain) - 1; - + int ok = 0, chnum, cnum; + cnum = ctx->error_depth; + chnum = sk_X509_num(ctx->chain) - 1; /* if we have an alternative CRL issuer cert use that */ if (ctx->current_issuer) issuer = ctx->current_issuer; + /* * Else find CRL issuer: if not last certificate then issuer is next * certificate in chain. @@ -1470,85 +1629,121 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) else { issuer = sk_X509_value(ctx->chain, chnum); /* If not self signed, can't check signature */ - if (!ctx->check_issued(ctx, issuer, issuer) && - !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER)) - return 0; + if (!ctx->check_issued(ctx, issuer, issuer)) { + ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } } - if (issuer == NULL) - return 1; + if (issuer) { + /* + * Skip most tests for deltas because they have already been done + */ + if (!crl->base_crl_number) { + /* Check for cRLSign bit if keyUsage present */ + if ((issuer->ex_flags & EXFLAG_KUSAGE) && + !(issuer->ex_kusage & KU_CRL_SIGN)) { + ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } - /* - * Skip most tests for deltas because they have already been done - */ - if (!crl->base_crl_number) { - /* Check for cRLSign bit if keyUsage present */ - if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN) && - !verify_cb_crl(ctx, X509_V_ERR_KEYUSAGE_NO_CRL_SIGN)) - return 0; + if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { + ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } - if (!(ctx->current_crl_score & CRL_SCORE_SCOPE) && - !verify_cb_crl(ctx, X509_V_ERR_DIFFERENT_CRL_SCOPE)) - return 0; + if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { + if (check_crl_path(ctx, ctx->current_issuer) <= 0) { + ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } + } - if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH) && - check_crl_path(ctx, ctx->current_issuer) <= 0 && - !verify_cb_crl(ctx, X509_V_ERR_CRL_PATH_VALIDATION_ERROR)) - return 0; + if (crl->idp_flags & IDP_INVALID) { + ctx->error = X509_V_ERR_INVALID_EXTENSION; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } - if ((crl->idp_flags & IDP_INVALID) && - !verify_cb_crl(ctx, X509_V_ERR_INVALID_EXTENSION)) - return 0; - } + } - if (!(ctx->current_crl_score & CRL_SCORE_TIME) && - !check_crl_time(ctx, crl, 1)) - return 0; + if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { + ok = check_crl_time(ctx, crl, 1); + if (!ok) + goto err; + } - /* Attempt to get issuer certificate public key */ - ikey = X509_get0_pubkey(issuer); + /* Attempt to get issuer certificate public key */ + ikey = X509_get_pubkey(issuer); - if (!ikey && - !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) - return 0; + if (!ikey) { + ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } else { + int rv; + rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags); + if (rv != X509_V_OK) { + ctx->error = rv; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } + /* Verify CRL signature */ + if (X509_CRL_verify(crl, ikey) <= 0) { + ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE; + ok = ctx->verify_cb(0, ctx); + if (!ok) + goto err; + } + } + } - if (ikey) { - int rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags); + ok = 1; - if (rv != X509_V_OK && !verify_cb_crl(ctx, rv)) - return 0; - /* Verify CRL signature */ - if (X509_CRL_verify(crl, ikey) <= 0 && - !verify_cb_crl(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE)) - return 0; - } - return 1; + err: + EVP_PKEY_free(ikey); + return ok; } /* Check certificate against CRL */ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { + int ok; X509_REVOKED *rev; - /* * The rules changed for this... previously if a CRL contained unhandled * critical extensions it could still be used to indicate a certificate - * was revoked. This has since been changed since critical extensions can + * was revoked. This has since been changed since critical extension can * change the meaning of CRL entries. */ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (crl->flags & EXFLAG_CRITICAL) && - !verify_cb_crl(ctx, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION)) - return 0; + && (crl->flags & EXFLAG_CRITICAL)) { + ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; + ok = ctx->verify_cb(0, ctx); + if (!ok) + return 0; + } /* - * Look for serial number of certificate in CRL. If found, make sure - * reason is not removeFromCRL. + * Look for serial number of certificate in CRL If found make sure reason + * is not removeFromCRL. */ if (X509_CRL_get0_by_cert(crl, &rev, x)) { if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) return 2; - if (!verify_cb_crl(ctx, X509_V_ERR_CERT_REVOKED)) + ctx->error = X509_V_ERR_CERT_REVOKED; + ok = ctx->verify_cb(0, ctx); + if (!ok) return 0; } @@ -1558,60 +1753,38 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) static int check_policy(X509_STORE_CTX *ctx) { int ret; - if (ctx->parent) return 1; - /* - * With DANE, the trust anchor might be a bare public key, not a - * certificate! In that case our chain does not have the trust anchor - * certificate as a top-most element. This comports well with RFC5280 - * chain verification, since there too, the trust anchor is not part of the - * chain to be verified. In particular, X509_policy_check() does not look - * at the TA cert, but assumes that it is present as the top-most chain - * element. We therefore temporarily push a NULL cert onto the chain if it - * was verified via a bare public key, and pop it off right after the - * X509_policy_check() call. - */ - if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL)) { - X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, ctx->param->policies, ctx->param->flags); - if (ctx->bare_ta_signed) - sk_X509_pop(ctx->chain); - - if (ret == X509_PCY_TREE_INTERNAL) { + if (ret == 0) { X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE); ctx->error = X509_V_ERR_OUT_OF_MEM; return 0; } /* Invalid or inconsistent extensions */ - if (ret == X509_PCY_TREE_INVALID) { + if (ret == -1) { + /* + * Locate certificates with bad extensions and notify callback. + */ + X509 *x; int i; - - /* Locate certificates with bad extensions and notify callback. */ for (i = 1; i < sk_X509_num(ctx->chain); i++) { - X509 *x = sk_X509_value(ctx->chain, i); - + x = sk_X509_value(ctx->chain, i); if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) continue; - if (!verify_cb_cert(ctx, x, i, - X509_V_ERR_INVALID_POLICY_EXTENSION)) + ctx->current_cert = x; + ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; + if (!ctx->verify_cb(0, ctx)) return 0; } return 1; } - if (ret == X509_PCY_TREE_FAILURE) { + if (ret == -2) { ctx->current_cert = NULL; ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; return ctx->verify_cb(0, ctx); } - if (ret != X509_PCY_TREE_VALID) { - X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); - return 0; - } if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { ctx->current_cert = NULL; @@ -1628,14 +1801,7 @@ static int check_policy(X509_STORE_CTX *ctx) return 1; } -/*- - * Check certificate validity times. - * If depth >= 0, invoke verification callbacks on error, otherwise just return - * the validation status. - * - * Return 1 on success, 0 otherwise. - */ -int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) +static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { time_t *ptime; int i; @@ -1647,42 +1813,52 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) else ptime = NULL; - i = X509_cmp_time(X509_get0_notBefore(x), ptime); - if (i >= 0 && depth < 0) - return 0; - if (i == 0 && !verify_cb_cert(ctx, x, depth, - X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD)) - return 0; - if (i > 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID)) - return 0; + i = X509_cmp_time(X509_get_notBefore(x), ptime); + if (i == 0) { + ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + if (i > 0) { + ctx->error = X509_V_ERR_CERT_NOT_YET_VALID; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + i = X509_cmp_time(X509_get_notAfter(x), ptime); + if (i == 0) { + ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + if (i < 0) { + ctx->error = X509_V_ERR_CERT_HAS_EXPIRED; + ctx->current_cert = x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } - i = X509_cmp_time(X509_get0_notAfter(x), ptime); - if (i <= 0 && depth < 0) - return 0; - if (i == 0 && !verify_cb_cert(ctx, x, depth, - X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD)) - return 0; - if (i < 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_HAS_EXPIRED)) - return 0; return 1; } static int internal_verify(X509_STORE_CTX *ctx) { - int n = sk_X509_num(ctx->chain) - 1; - X509 *xi = sk_X509_value(ctx->chain, n); - X509 *xs; + int ok = 0, n; + X509 *xs, *xi; + EVP_PKEY *pkey = NULL; + int (*cb) (int xok, X509_STORE_CTX *xctx); - /* - * With DANE-verified bare public key TA signatures, it remains only to - * check the timestamps of the top certificate. We report the issuer as - * NULL, since all we have is a bare key. - */ - if (ctx->bare_ta_signed) { - xs = xi; - xi = NULL; - goto check_cert; - } + cb = ctx->verify_cb; + + n = sk_X509_num(ctx->chain); + ctx->error_depth = n - 1; + n--; + xi = sk_X509_value(ctx->chain, n); if (ctx->check_issued(ctx, xi, xi)) xs = xi; @@ -1691,60 +1867,72 @@ static int internal_verify(X509_STORE_CTX *ctx) xs = xi; goto check_cert; } - if (n <= 0) - return verify_cb_cert(ctx, xi, 0, - X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE); - n--; - ctx->error_depth = n; - xs = sk_X509_value(ctx->chain, n); + if (n <= 0) { + ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; + ctx->current_cert = xi; + ok = cb(0, ctx); + goto end; + } else { + n--; + ctx->error_depth = n; + xs = sk_X509_value(ctx->chain, n); + } } - /* - * Do not clear ctx->error=0, it must be "sticky", only the user's callback - * is allowed to reset errors (at its own peril). - */ +/* ctx->error=0; not needed */ while (n >= 0) { - EVP_PKEY *pkey; + ctx->error_depth = n; /* - * Skip signature check for self signed certificates unless explicitly - * asked for. It doesn't add any security and just wastes time. If - * the issuer's public key is unusable, report the issuer certificate - * and its depth (rather than the depth of the subject). + * Skip signature check for self signed certificates unless + * explicitly asked for. It doesn't add any security and just wastes + * time. */ - if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { - if ((pkey = X509_get0_pubkey(xi)) == NULL) { - if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, - X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) - return 0; + if (!xs->valid + && (xs != xi + || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { + if ((pkey = X509_get_pubkey(xi)) == NULL) { + ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; + ctx->current_cert = xi; + ok = (*cb) (0, ctx); + if (!ok) + goto end; } else if (X509_verify(xs, pkey) <= 0) { - if (!verify_cb_cert(ctx, xs, n, - X509_V_ERR_CERT_SIGNATURE_FAILURE)) - return 0; + ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; + ctx->current_cert = xs; + ok = (*cb) (0, ctx); + if (!ok) { + EVP_PKEY_free(pkey); + goto end; + } } + EVP_PKEY_free(pkey); + pkey = NULL; } + xs->valid = 1; + check_cert: - /* Calls verify callback as needed */ - if (!x509_check_cert_time(ctx, xs, n)) - return 0; + ok = check_cert_time(ctx, xs); + if (!ok) + goto end; - /* - * Signal success at this depth. However, the previous error (if any) - * is retained. - */ + /* The last error (if any) is still in the error value */ ctx->current_issuer = xi; ctx->current_cert = xs; - ctx->error_depth = n; - if (!ctx->verify_cb(1, ctx)) - return 0; + ok = (*cb) (1, ctx); + if (!ok) + goto end; - if (--n >= 0) { + n--; + if (n >= 0) { xi = xs; xs = sk_X509_value(ctx->chain, n); } } - return 1; + ok = 1; + end: + return ok; } int X509_cmp_current_time(const ASN1_TIME *ctm) @@ -1907,7 +2095,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) return 1; for (i = 0; i < sk_X509_num(chain); i++) { - ktmp = X509_get0_pubkey(sk_X509_value(chain, i)); + ktmp = X509_get_pubkey(sk_X509_value(chain, i)); if (ktmp == NULL) { X509err(X509_F_X509_GET_PUBKEY_PARAMETERS, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); @@ -1915,6 +2103,10 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) } if (!EVP_PKEY_missing_parameters(ktmp)) break; + else { + EVP_PKEY_free(ktmp); + ktmp = NULL; + } } if (ktmp == NULL) { X509err(X509_F_X509_GET_PUBKEY_PARAMETERS, @@ -1924,12 +2116,14 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) /* first, populate the other certs */ for (j = i - 1; j >= 0; j--) { - ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j)); + ktmp2 = X509_get_pubkey(sk_X509_value(chain, j)); EVP_PKEY_copy_parameters(ktmp2, ktmp); + EVP_PKEY_free(ktmp2); } if (pkey != NULL) EVP_PKEY_copy_parameters(pkey, ktmp); + EVP_PKEY_free(ktmp); return 1; } @@ -1978,15 +2172,15 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, } /* Create new CRL */ crl = X509_CRL_new(); - if (crl == NULL || !X509_CRL_set_version(crl, 1)) + if (!crl || !X509_CRL_set_version(crl, 1)) goto memerr; /* Set issuer name */ if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) goto memerr; - if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) + if (!X509_CRL_set_lastUpdate(crl, X509_CRL_get_lastUpdate(newer))) goto memerr; - if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer))) + if (!X509_CRL_set_nextUpdate(crl, X509_CRL_get_nextUpdate(newer))) goto memerr; /* Set base CRL number: must be critical */ @@ -2017,7 +2211,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, * Add only if not also in base. TODO: need something cleverer here * for some more complex CRLs covering multiple CAs. */ - if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) { + if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) { rvtmp = X509_REVOKED_dup(rvn); if (!rvtmp) goto memerr; @@ -2036,10 +2230,24 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, memerr: X509err(X509_F_X509_CRL_DIFF, ERR_R_MALLOC_FAILURE); - X509_CRL_free(crl); + if (crl) + X509_CRL_free(crl); return NULL; } +int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func) +{ + /* + * This function is (usually) called only once, by + * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). + */ + return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, + new_func, dup_func, free_func); +} + int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) { return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); @@ -2065,22 +2273,12 @@ int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) return ctx->error_depth; } -void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth) -{ - ctx->error_depth = depth; -} - X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) { return ctx->current_cert; } -void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x) -{ - ctx->current_cert = x; -} - -STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx) +STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) { return ctx->chain; } @@ -2112,6 +2310,11 @@ void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) ctx->cert = x; } +void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) +{ + ctx->untrusted = sk; +} + void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) { ctx->crls = sk; @@ -2119,20 +2322,11 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { - /* - * XXX: Why isn't this function always used to set the associated trust? - * Should there even be a VPM->trust field at all? Or should the trust - * always be inferred from the purpose by X509_STORE_CTX_init(). - */ return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); } int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) { - /* - * XXX: See above, this function would only be needed when the default - * trust for the purpose needs an override in a corner case. - */ return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); } @@ -2166,11 +2360,6 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, ptmp = X509_PURPOSE_get0(idx); if (ptmp->trust == X509_TRUST_DEFAULT) { idx = X509_PURPOSE_get_by_id(def_purpose); - /* - * XXX: In the two callers above def_purpose is always 0, which is - * not a known value, so idx will always be -1. How is the - * X509_TRUST_DEFAULT case actually supposed to be handled? - */ if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_PURPOSE_ID); @@ -2200,20 +2389,20 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, X509_STORE_CTX *X509_STORE_CTX_new(void) { - X509_STORE_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); - - if (ctx == NULL) { + X509_STORE_CTX *ctx; + ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); + if (!ctx) { X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; } + memset(ctx, 0, sizeof(X509_STORE_CTX)); return ctx; } void X509_STORE_CTX_free(X509_STORE_CTX *ctx) { - if (ctx == NULL) + if (!ctx) return; - X509_STORE_CTX_cleanup(ctx); OPENSSL_free(ctx); } @@ -2222,12 +2411,12 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain) { int ret = 1; - ctx->ctx = store; + ctx->current_method = 0; ctx->cert = x509; ctx->untrusted = chain; ctx->crls = NULL; - ctx->num_untrusted = 0; + ctx->last_untrusted = 0; ctx->other_ctx = NULL; ctx->valid = 0; ctx->chain = NULL; @@ -2241,17 +2430,39 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->current_reasons = 0; ctx->tree = NULL; ctx->parent = NULL; - ctx->dane = NULL; - ctx->bare_ta_signed = 0; /* Zero ex_data to make sure we're cleanup-safe */ memset(&ctx->ex_data, 0, sizeof(ctx->ex_data)); - /* store->cleanup is always 0 in OpenSSL, if set must be idempotent */ + ctx->param = X509_VERIFY_PARAM_new(); + if (!ctx->param) { + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); + return 0; + } + + /* + * Inherit callbacks and flags from X509_STORE if not set use defaults. + */ if (store) - ctx->cleanup = store->cleanup; + ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); else + ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE; + + if (store) { + ctx->verify_cb = store->verify_cb; + /* Seems to always be 0 in OpenSSL, else must be idempotent */ + ctx->cleanup = store->cleanup; + } else ctx->cleanup = 0; + if (ret) + ret = X509_VERIFY_PARAM_inherit(ctx->param, + X509_VERIFY_PARAM_lookup("default")); + + if (ret == 0) { + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); + goto err; + } + if (store && store->check_issued) ctx->check_issued = store->check_issued; else @@ -2292,79 +2503,41 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, else ctx->cert_crl = cert_crl; - if (store && store->check_policy) - ctx->check_policy = store->check_policy; - else - ctx->check_policy = check_policy; - if (store && store->lookup_certs) ctx->lookup_certs = store->lookup_certs; else - ctx->lookup_certs = X509_STORE_CTX_get1_certs; + ctx->lookup_certs = X509_STORE_get1_certs; if (store && store->lookup_crls) ctx->lookup_crls = store->lookup_crls; else - ctx->lookup_crls = X509_STORE_CTX_get1_crls; + ctx->lookup_crls = X509_STORE_get1_crls; - ctx->param = X509_VERIFY_PARAM_new(); - if (ctx->param == NULL) { - X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); - goto err; - } + ctx->check_policy = check_policy; + + if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, + &ctx->ex_data)) + return 1; + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); + err: /* - * Inherit callbacks and flags from X509_STORE if not set use defaults. + * On error clean up allocated storage, if the store context was not + * allocated with X509_STORE_CTX_new() this is our last chance to do so. */ - if (store) - ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); - else - ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE; - - if (ret) - ret = X509_VERIFY_PARAM_inherit(ctx->param, - X509_VERIFY_PARAM_lookup("default")); - - if (ret == 0) { - X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); - goto err; - } - - /* - * XXX: For now, continue to inherit trust from VPM, but infer from the - * purpose if this still yields the default value. - */ - if (ctx->param->trust == X509_TRUST_DEFAULT) { - int idx = X509_PURPOSE_get_by_id(ctx->param->purpose); - X509_PURPOSE *xp = X509_PURPOSE_get0(idx); - - if (xp != NULL) - ctx->param->trust = X509_PURPOSE_get_trust(xp); - } - - if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, - &ctx->ex_data)) - return 1; - X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); - - err: - /* - * On error clean up allocated storage, if the store context was not - * allocated with X509_STORE_CTX_new() this is our last chance to do so. - */ - X509_STORE_CTX_cleanup(ctx); - return 0; -} + X509_STORE_CTX_cleanup(ctx); + return 0; +} /* * Set alternative lookup method: just a STACK of trusted certificates. This * avoids X509_STORE nastiness where it isn't needed. */ -void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) + +void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { ctx->other_ctx = sk; ctx->get_issuer = get_issuer_sk; - ctx->lookup_certs = lookup_certs_sk; } void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) @@ -2385,12 +2558,16 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) X509_VERIFY_PARAM_free(ctx->param); ctx->param = NULL; } - X509_policy_tree_free(ctx->tree); - ctx->tree = NULL; - sk_X509_pop_free(ctx->chain, X509_free); - ctx->chain = NULL; + if (ctx->tree != NULL) { + X509_policy_tree_free(ctx->tree); + ctx->tree = NULL; + } + if (ctx->chain != NULL) { + sk_X509_pop_free(ctx->chain, X509_free); + ctx->chain = NULL; + } CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); - memset(&ctx->ex_data, 0, sizeof(ctx->ex_data)); + memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA)); } void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) @@ -2409,99 +2586,12 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, X509_VERIFY_PARAM_set_time(ctx->param, t); } -X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) -{ - return ctx->cert; -} - -STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) -{ - return ctx->untrusted; -} - -void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) -{ - ctx->untrusted = sk; -} - -void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) -{ - sk_X509_pop_free(ctx->chain, X509_free); - ctx->chain = sk; -} - void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, - X509_STORE_CTX_verify_cb verify_cb) + int (*verify_cb) (int, X509_STORE_CTX *)) { ctx->verify_cb = verify_cb; } -X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx) -{ - return ctx->verify_cb; -} - -void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, - X509_STORE_CTX_verify_fn verify) -{ - ctx->verify = verify; -} - -X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx) -{ - return ctx->verify; -} - -X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx) -{ - return ctx->get_issuer; -} - -X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx) -{ - return ctx->check_issued; -} - -X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx) -{ - return ctx->check_revocation; -} - -X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx) -{ - return ctx->get_crl; -} - -X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx) -{ - return ctx->check_crl; -} - -X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx) -{ - return ctx->cert_crl; -} - -X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx) -{ - return ctx->check_policy; -} - -X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx) -{ - return ctx->lookup_certs; -} - -X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx) -{ - return ctx->lookup_crls; -} - -X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx) -{ - return ctx->cleanup; -} - X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) { return ctx->tree; @@ -2512,11 +2602,6 @@ int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) return ctx->explicit_policy; } -int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx) -{ - return ctx->num_untrusted; -} - int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) { const X509_VERIFY_PARAM *param; @@ -2533,743 +2618,17 @@ X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) { - X509_VERIFY_PARAM_free(ctx->param); + if (ctx->param) + X509_VERIFY_PARAM_free(ctx->param); ctx->param = param; } -void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane) -{ - ctx->dane = dane; -} - -static unsigned char *dane_i2d( - X509 *cert, - uint8_t selector, - unsigned int *i2dlen) -{ - unsigned char *buf = NULL; - int len; - - /* - * Extract ASN.1 DER form of certificate or public key. - */ - switch (selector) { - case DANETLS_SELECTOR_CERT: - len = i2d_X509(cert, &buf); - break; - case DANETLS_SELECTOR_SPKI: - len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf); - break; - default: - X509err(X509_F_DANE_I2D, X509_R_BAD_SELECTOR); - return NULL; - } - - if (len < 0 || buf == NULL) { - X509err(X509_F_DANE_I2D, ERR_R_MALLOC_FAILURE); - return NULL; - } - - *i2dlen = (unsigned int)len; - return buf; -} - -#define DANETLS_NONE 256 /* impossible uint8_t */ - -static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth) -{ - SSL_DANE *dane = ctx->dane; - unsigned usage = DANETLS_NONE; - unsigned selector = DANETLS_NONE; - unsigned ordinal = DANETLS_NONE; - unsigned mtype = DANETLS_NONE; - unsigned char *i2dbuf = NULL; - unsigned int i2dlen = 0; - unsigned char mdbuf[EVP_MAX_MD_SIZE]; - unsigned char *cmpbuf = NULL; - unsigned int cmplen = 0; - int i; - int recnum; - int matched = 0; - danetls_record *t = NULL; - uint32_t mask; - - mask = (depth == 0) ? DANETLS_EE_MASK : DANETLS_TA_MASK; - - /* - * The trust store is not applicable with DANE-TA(2) - */ - if (depth >= ctx->num_untrusted) - mask &= DANETLS_PKIX_MASK; - - /* - * If we've previously matched a PKIX-?? record, no need to test any - * further PKIX-?? records, it remains to just build the PKIX chain. - * Had the match been a DANE-?? record, we'd be done already. - */ - if (dane->mdpth >= 0) - mask &= ~DANETLS_PKIX_MASK; - - /*- - * https://tools.ietf.org/html/rfc7671#section-5.1 - * https://tools.ietf.org/html/rfc7671#section-5.2 - * https://tools.ietf.org/html/rfc7671#section-5.3 - * https://tools.ietf.org/html/rfc7671#section-5.4 - * - * We handle DANE-EE(3) records first as they require no chain building - * and no expiration or hostname checks. We also process digests with - * higher ordinals first and ignore lower priorities except Full(0) which - * is always processed (last). If none match, we then process PKIX-EE(1). - * - * NOTE: This relies on DANE usages sorting before the corresponding PKIX - * usages in SSL_dane_tlsa_add(), and also on descending sorting of digest - * priorities. See twin comment in ssl/ssl_lib.c. - * - * We expect that most TLSA RRsets will have just a single usage, so we - * don't go out of our way to cache multiple selector-specific i2d buffers - * across usages, but if the selector happens to remain the same as switch - * usages, that's OK. Thus, a set of "3 1 1", "3 0 1", "1 1 1", "1 0 1", - * records would result in us generating each of the certificate and public - * key DER forms twice, but more typically we'd just see multiple "3 1 1" - * or multiple "3 0 1" records. - * - * As soon as we find a match at any given depth, we stop, because either - * we've matched a DANE-?? record and the peer is authenticated, or, after - * exhausting all DANE-?? records, we've matched a PKIX-?? record, which is - * sufficient for DANE, and what remains to do is ordinary PKIX validation. - */ - recnum = (dane->umask & mask) ? sk_danetls_record_num(dane->trecs) : 0; - for (i = 0; matched == 0 && i < recnum; ++i) { - t = sk_danetls_record_value(dane->trecs, i); - if ((DANETLS_USAGE_BIT(t->usage) & mask) == 0) - continue; - if (t->usage != usage) { - usage = t->usage; - - /* Reset digest agility for each usage/selector pair */ - mtype = DANETLS_NONE; - ordinal = dane->dctx->mdord[t->mtype]; - } - if (t->selector != selector) { - selector = t->selector; - - /* Update per-selector state */ - OPENSSL_free(i2dbuf); - i2dbuf = dane_i2d(cert, selector, &i2dlen); - if (i2dbuf == NULL) - return -1; - - /* Reset digest agility for each usage/selector pair */ - mtype = DANETLS_NONE; - ordinal = dane->dctx->mdord[t->mtype]; - } else if (t->mtype != DANETLS_MATCHING_FULL) { - /*- - * Digest agility: - * - * - * - * For a fixed selector, after processing all records with the - * highest mtype ordinal, ignore all mtypes with lower ordinals - * other than "Full". - */ - if (dane->dctx->mdord[t->mtype] < ordinal) - continue; - } - - /* - * Each time we hit a (new selector or) mtype, re-compute the relevant - * digest, more complex caching is not worth the code space. - */ - if (t->mtype != mtype) { - const EVP_MD *md = dane->dctx->mdevp[mtype = t->mtype]; - cmpbuf = i2dbuf; - cmplen = i2dlen; - - if (md != NULL) { - cmpbuf = mdbuf; - if (!EVP_Digest(i2dbuf, i2dlen, cmpbuf, &cmplen, md, 0)) { - matched = -1; - break; - } - } - } - - /* - * Squirrel away the certificate and depth if we have a match. Any - * DANE match is dispositive, but with PKIX we still need to build a - * full chain. - */ - if (cmplen == t->dlen && - memcmp(cmpbuf, t->data, cmplen) == 0) { - if (DANETLS_USAGE_BIT(usage) & DANETLS_DANE_MASK) - matched = 1; - if (matched || dane->mdpth < 0) { - dane->mdpth = depth; - dane->mtlsa = t; - OPENSSL_free(dane->mcert); - dane->mcert = cert; - X509_up_ref(cert); - } - break; - } - } - - /* Clear the one-element DER cache */ - OPENSSL_free(i2dbuf); - return matched; -} - -static int check_dane_issuer(X509_STORE_CTX *ctx, int depth) -{ - SSL_DANE *dane = ctx->dane; - int matched = 0; - X509 *cert; +IMPLEMENT_STACK_OF(X509) - if (!DANETLS_HAS_TA(dane) || depth == 0) - return X509_TRUST_UNTRUSTED; +IMPLEMENT_ASN1_SET_OF(X509) - /* - * Record any DANE trust-anchor matches, for the first depth to test, if - * there's one at that depth. (This'll be false for length 1 chains looking - * for an exact match for the leaf certificate). - */ - cert = sk_X509_value(ctx->chain, depth); - if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0) - return X509_TRUST_REJECTED; - if (matched > 0) { - ctx->num_untrusted = depth - 1; - return X509_TRUST_TRUSTED; - } - - return X509_TRUST_UNTRUSTED; -} - -static int check_dane_pkeys(X509_STORE_CTX *ctx) -{ - SSL_DANE *dane = ctx->dane; - danetls_record *t; - int num = ctx->num_untrusted; - X509 *cert = sk_X509_value(ctx->chain, num - 1); - int recnum = sk_danetls_record_num(dane->trecs); - int i; - - for (i = 0; i < recnum; ++i) { - t = sk_danetls_record_value(dane->trecs, i); - if (t->usage != DANETLS_USAGE_DANE_TA || - t->selector != DANETLS_SELECTOR_SPKI || - t->mtype != DANETLS_MATCHING_FULL || - X509_verify(cert, t->spki) <= 0) - continue; +IMPLEMENT_STACK_OF(X509_NAME) - /* Clear any PKIX-?? matches that failed to extend to a full chain */ - X509_free(dane->mcert); - dane->mcert = NULL; +IMPLEMENT_STACK_OF(X509_ATTRIBUTE) - /* Record match via a bare TA public key */ - ctx->bare_ta_signed = 1; - dane->mdpth = num - 1; - dane->mtlsa = t; - - /* Prune any excess chain certificates */ - num = sk_X509_num(ctx->chain); - for (; num > ctx->num_untrusted; --num) - X509_free(sk_X509_pop(ctx->chain)); - - return X509_TRUST_TRUSTED; - } - - return X509_TRUST_UNTRUSTED; -} - -static void dane_reset(SSL_DANE *dane) -{ - /* - * Reset state to verify another chain, or clear after failure. - */ - X509_free(dane->mcert); - dane->mcert = NULL; - dane->mtlsa = NULL; - dane->mdpth = -1; - dane->pdpth = -1; -} - -static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert) -{ - int err = X509_chain_check_suiteb(NULL, cert, NULL, ctx->param->flags); - - if (err == X509_V_OK) - return 1; - return verify_cb_cert(ctx, cert, 0, err); -} - -static int dane_verify(X509_STORE_CTX *ctx) -{ - X509 *cert = ctx->cert; - SSL_DANE *dane = ctx->dane; - int matched; - int done; - - dane_reset(dane); - - /*- - * When testing the leaf certificate, if we match a DANE-EE(3) record, - * dane_match() returns 1 and we're done. If however we match a PKIX-EE(1) - * record, the match depth and matching TLSA record are recorded, but the - * return value is 0, because we still need to find a PKIX trust-anchor. - * Therefore, when DANE authentication is enabled (required), we're done - * if: - * + matched < 0, internal error. - * + matched == 1, we matched a DANE-EE(3) record - * + matched == 0, mdepth < 0 (no PKIX-EE match) and there are no - * DANE-TA(2) or PKIX-TA(0) to test. - */ - matched = dane_match(ctx, ctx->cert, 0); - done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0); - - if (done) - X509_get_pubkey_parameters(NULL, ctx->chain); - - if (matched > 0) { - /* Callback invoked as needed */ - if (!check_leaf_suiteb(ctx, cert)) - return 0; - /* Callback invoked as needed */ - if ((dane->flags & DANE_FLAG_NO_DANE_EE_NAMECHECKS) == 0 && - !check_id(ctx)) - return 0; - /* Bypass internal_verify(), issue depth 0 success callback */ - ctx->error_depth = 0; - ctx->current_cert = cert; - return ctx->verify_cb(1, ctx); - } - - if (matched < 0) { - ctx->error_depth = 0; - ctx->current_cert = cert; - ctx->error = X509_V_ERR_OUT_OF_MEM; - return -1; - } - - if (done) { - /* Fail early, TA-based success is not possible */ - if (!check_leaf_suiteb(ctx, cert)) - return 0; - return verify_cb_cert(ctx, cert, 0, X509_V_ERR_DANE_NO_MATCH); - } - - /* - * Chain verification for usages 0/1/2. TLSA record matching of depth > 0 - * certificates happens in-line with building the rest of the chain. - */ - return verify_chain(ctx); -} - -/* Get issuer, without duplicate suppression */ -static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert) -{ - STACK_OF(X509) *saved_chain = ctx->chain; - int ok; - - ctx->chain = NULL; - ok = ctx->get_issuer(issuer, ctx, cert); - ctx->chain = saved_chain; - - return ok; -} - -static int build_chain(X509_STORE_CTX *ctx) -{ - SSL_DANE *dane = ctx->dane; - int num = sk_X509_num(ctx->chain); - X509 *cert = sk_X509_value(ctx->chain, num - 1); - int ss = cert_self_signed(cert); - STACK_OF(X509) *sktmp = NULL; - unsigned int search; - int may_trusted = 0; - int may_alternate = 0; - int trust = X509_TRUST_UNTRUSTED; - int alt_untrusted = 0; - int depth; - int ok = 0; - int i; - - /* Our chain starts with a single untrusted element. */ - OPENSSL_assert(num == 1 && ctx->num_untrusted == num); - -#define S_DOUNTRUSTED (1 << 0) /* Search untrusted chain */ -#define S_DOTRUSTED (1 << 1) /* Search trusted store */ -#define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */ - /* - * Set up search policy, untrusted if possible, trusted-first if enabled. - * If we're doing DANE and not doing PKIX-TA/PKIX-EE, we never look in the - * trust_store, otherwise we might look there first. If not trusted-first, - * and alternate chains are not disabled, try building an alternate chain - * if no luck with untrusted first. - */ - search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0; - if (DANETLS_HAS_PKIX(dane) || !DANETLS_HAS_DANE(dane)) { - if (search == 0 || ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) - search |= S_DOTRUSTED; - else if (!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) - may_alternate = 1; - may_trusted = 1; - } - - /* - * Shallow-copy the stack of untrusted certificates (with TLS, this is - * typically the content of the peer's certificate message) so can make - * multiple passes over it, while free to remove elements as we go. - */ - if (ctx->untrusted && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { - X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } - - /* - * If we got any "DANE-TA(2) Cert(0) Full(0)" trust-anchors from DNS, add - * them to our working copy of the untrusted certificate stack. Since the - * caller of X509_STORE_CTX_init() may have provided only a leaf cert with - * no corresponding stack of untrusted certificates, we may need to create - * an empty stack first. [ At present only the ssl library provides DANE - * support, and ssl_verify_cert_chain() always provides a non-null stack - * containing at least the leaf certificate, but we must be prepared for - * this to change. ] - */ - if (DANETLS_ENABLED(dane) && dane->certs != NULL) { - if (sktmp == NULL && (sktmp = sk_X509_new_null()) == NULL) { - X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } - for (i = 0; i < sk_X509_num(dane->certs); ++i) { - if (!sk_X509_push(sktmp, sk_X509_value(dane->certs, i))) { - sk_X509_free(sktmp); - X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - return 0; - } - } - } - - /* - * Still absurdly large, but arithmetically safe, a lower hard upper bound - * might be reasonable. - */ - if (ctx->param->depth > INT_MAX/2) - ctx->param->depth = INT_MAX/2; - - /* - * Try to Extend the chain until we reach an ultimately trusted issuer. - * Build chains up to one longer the limit, later fail if we hit the limit, - * with an X509_V_ERR_CERT_CHAIN_TOO_LONG error code. - */ - depth = ctx->param->depth + 1; - - while (search != 0) { - X509 *x; - X509 *xtmp = NULL; - - /* - * Look in the trust store if enabled for first lookup, or we've run - * out of untrusted issuers and search here is not disabled. When we - * reach the depth limit, we stop extending the chain, if by that point - * we've not found a trust-anchor, any trusted chain would be too long. - * - * The error reported to the application verify callback is at the - * maximal valid depth with the current certificate equal to the last - * not ultimately-trusted issuer. For example, with verify_depth = 0, - * the callback will report errors at depth=1 when the immediate issuer - * of the leaf certificate is not a trust anchor. No attempt will be - * made to locate an issuer for that certificate, since such a chain - * would be a-priori too long. - */ - if ((search & S_DOTRUSTED) != 0) { - i = num = sk_X509_num(ctx->chain); - if ((search & S_DOALTERNATE) != 0) { - /* - * As high up the chain as we can, look for an alternative - * trusted issuer of an untrusted certificate that currently - * has an untrusted issuer. We use the alt_untrusted variable - * to track how far up the chain we find the first match. It - * is only if and when we find a match, that we prune the chain - * and reset ctx->num_untrusted to the reduced count of - * untrusted certificates. While we're searching for such a - * match (which may never be found), it is neither safe nor - * wise to preemptively modify either the chain or - * ctx->num_untrusted. - * - * Note, like ctx->num_untrusted, alt_untrusted is a count of - * untrusted certificates, not a "depth". - */ - i = alt_untrusted; - } - x = sk_X509_value(ctx->chain, i-1); - - ok = (depth < num) ? 0 : get_issuer(&xtmp, ctx, x); - - if (ok < 0) { - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_STORE_LOOKUP; - search = 0; - continue; - } - - if (ok > 0) { - /* - * Alternative trusted issuer for a mid-chain untrusted cert? - * Pop the untrusted cert's successors and retry. We might now - * be able to complete a valid chain via the trust store. Note - * that despite the current trust-store match we might still - * fail complete the chain to a suitable trust-anchor, in which - * case we may prune some more untrusted certificates and try - * again. Thus the S_DOALTERNATE bit may yet be turned on - * again with an even shorter untrusted chain! - * - * If in the process we threw away our matching PKIX-TA trust - * anchor, reset DANE trust. We might find a suitable trusted - * certificate among the ones from the trust store. - */ - if ((search & S_DOALTERNATE) != 0) { - OPENSSL_assert(num > i && i > 0 && ss == 0); - search &= ~S_DOALTERNATE; - for (; num > i; --num) - X509_free(sk_X509_pop(ctx->chain)); - ctx->num_untrusted = num; - - if (DANETLS_ENABLED(dane) && - dane->mdpth >= ctx->num_untrusted) { - dane->mdpth = -1; - X509_free(dane->mcert); - dane->mcert = NULL; - } - if (DANETLS_ENABLED(dane) && - dane->pdpth >= ctx->num_untrusted) - dane->pdpth = -1; - } - - /* - * Self-signed untrusted certificates get replaced by their - * trusted matching issuer. Otherwise, grow the chain. - */ - if (ss == 0) { - if (!sk_X509_push(ctx->chain, x = xtmp)) { - X509_free(xtmp); - X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_OUT_OF_MEM; - search = 0; - continue; - } - ss = cert_self_signed(x); - } else if (num == ctx->num_untrusted) { - /* - * We have a self-signed certificate that has the same - * subject name (and perhaps keyid and/or serial number) as - * a trust-anchor. We must have an exact match to avoid - * possible impersonation via key substitution etc. - */ - if (X509_cmp(x, xtmp) != 0) { - /* Self-signed untrusted mimic. */ - X509_free(xtmp); - ok = 0; - } else { - X509_free(x); - ctx->num_untrusted = --num; - (void) sk_X509_set(ctx->chain, num, x = xtmp); - } - } - - /* - * We've added a new trusted certificate to the chain, recheck - * trust. If not done, and not self-signed look deeper. - * Whether or not we're doing "trusted first", we no longer - * look for untrusted certificates from the peer's chain. - * - * At this point ctx->num_trusted and num must reflect the - * correct number of untrusted certificates, since the DANE - * logic in check_trust() depends on distinguishing CAs from - * "the wire" from CAs from the trust store. In particular, the - * certificate at depth "num" should be the new trusted - * certificate with ctx->num_untrusted <= num. - */ - if (ok) { - OPENSSL_assert(ctx->num_untrusted <= num); - search &= ~S_DOUNTRUSTED; - switch (trust = check_trust(ctx, num)) { - case X509_TRUST_TRUSTED: - case X509_TRUST_REJECTED: - search = 0; - continue; - } - if (ss == 0) - continue; - } - } - - /* - * No dispositive decision, and either self-signed or no match, if - * we were doing untrusted-first, and alt-chains are not disabled, - * do that, by repeatedly losing one untrusted element at a time, - * and trying to extend the shorted chain. - */ - if ((search & S_DOUNTRUSTED) == 0) { - /* Continue search for a trusted issuer of a shorter chain? */ - if ((search & S_DOALTERNATE) != 0 && --alt_untrusted > 0) - continue; - /* Still no luck and no fallbacks left? */ - if (!may_alternate || (search & S_DOALTERNATE) != 0 || - ctx->num_untrusted < 2) - break; - /* Search for a trusted issuer of a shorter chain */ - search |= S_DOALTERNATE; - alt_untrusted = ctx->num_untrusted - 1; - ss = 0; - } - } - - /* - * Extend chain with peer-provided certificates - */ - if ((search & S_DOUNTRUSTED) != 0) { - num = sk_X509_num(ctx->chain); - OPENSSL_assert(num == ctx->num_untrusted); - x = sk_X509_value(ctx->chain, num-1); - - /* - * Once we run out of untrusted issuers, we stop looking for more - * and start looking only in the trust store if enabled. - */ - xtmp = (ss || depth < num) ? NULL : find_issuer(ctx, sktmp, x); - if (xtmp == NULL) { - search &= ~S_DOUNTRUSTED; - if (may_trusted) - search |= S_DOTRUSTED; - continue; - } - - /* Drop this issuer from future consideration */ - (void) sk_X509_delete_ptr(sktmp, xtmp); - - if (!sk_X509_push(ctx->chain, xtmp)) { - X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); - trust = X509_TRUST_REJECTED; - ctx->error = X509_V_ERR_OUT_OF_MEM; - search = 0; - continue; - } - - X509_up_ref(x = xtmp); - ++ctx->num_untrusted; - ss = cert_self_signed(xtmp); - - /* - * Check for DANE-TA trust of the topmost untrusted certificate. - */ - switch (trust = check_dane_issuer(ctx, ctx->num_untrusted - 1)) { - case X509_TRUST_TRUSTED: - case X509_TRUST_REJECTED: - search = 0; - continue; - } - } - } - sk_X509_free(sktmp); - - /* - * Last chance to make a trusted chain, either bare DANE-TA public-key - * signers, or else direct leaf PKIX trust. - */ - num = sk_X509_num(ctx->chain); - if (num <= depth) { - if (trust == X509_TRUST_UNTRUSTED && DANETLS_HAS_DANE_TA(dane)) - trust = check_dane_pkeys(ctx); - if (trust == X509_TRUST_UNTRUSTED && num == ctx->num_untrusted) - trust = check_trust(ctx, num); - } - - switch (trust) { - case X509_TRUST_TRUSTED: - return 1; - case X509_TRUST_REJECTED: - /* Callback already issued */ - return 0; - case X509_TRUST_UNTRUSTED: - default: - num = sk_X509_num(ctx->chain); - if (num > depth) - return verify_cb_cert(ctx, NULL, num-1, - X509_V_ERR_CERT_CHAIN_TOO_LONG); - if (DANETLS_ENABLED(dane) && - (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0)) - return verify_cb_cert(ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH); - if (ss && sk_X509_num(ctx->chain) == 1) - return verify_cb_cert(ctx, NULL, num-1, - X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT); - if (ss) - return verify_cb_cert(ctx, NULL, num-1, - X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN); - if (ctx->num_untrusted < num) - return verify_cb_cert(ctx, NULL, num-1, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT); - return verify_cb_cert(ctx, NULL, num-1, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY); - } -} - -static const int minbits_table[] = { 80, 112, 128, 192, 256 }; -static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table); - -/* - * Check whether the public key of ``cert`` meets the security level of - * ``ctx``. - * - * Returns 1 on success, 0 otherwise. - */ -static int check_key_level(X509_STORE_CTX *ctx, X509 *cert) -{ - EVP_PKEY *pkey = X509_get0_pubkey(cert); - int level = ctx->param->auth_level; - - /* Unsupported or malformed keys are not secure */ - if (pkey == NULL) - return 0; - - if (level <= 0) - return 1; - if (level > NUM_AUTH_LEVELS) - level = NUM_AUTH_LEVELS; - - return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1]; -} - -/* - * Check whether the signature digest algorithm of ``cert`` meets the security - * level of ``ctx``. Should not be checked for trust anchors (whether - * self-signed or otherwise). - * - * Returns 1 on success, 0 otherwise. - */ -static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) -{ - int nid = X509_get_signature_nid(cert); - int mdnid = NID_undef; - int secbits = -1; - int level = ctx->param->auth_level; - - if (level <= 0) - return 1; - if (level > NUM_AUTH_LEVELS) - level = NUM_AUTH_LEVELS; - - /* Lookup signature algorithm digest */ - if (nid && OBJ_find_sigid_algs(nid, &mdnid, NULL)) { - const EVP_MD *md; - - /* Assume 4 bits of collision resistance for each hash octet */ - if (mdnid != NID_undef && (md = EVP_get_digestbynid(mdnid)) != NULL) - secbits = EVP_MD_size(md) * 4; - } - - return secbits >= minbits_table[level - 1]; -} +IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE) -- cgit v1.2.3