1 /* $OpenBSD: x509_vfy.c,v 1.145 2024/08/28 07:37:50 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <errno.h> 60 #include <stdio.h> 61 #include <string.h> 62 #include <time.h> 63 #include <unistd.h> 64 65 #include <openssl/opensslconf.h> 66 67 #include <openssl/asn1.h> 68 #include <openssl/buffer.h> 69 #include <openssl/crypto.h> 70 #include <openssl/err.h> 71 #include <openssl/evp.h> 72 #include <openssl/lhash.h> 73 #include <openssl/objects.h> 74 #include <openssl/x509.h> 75 #include <openssl/x509v3.h> 76 77 #include "asn1_local.h" 78 #include "x509_internal.h" 79 #include "x509_local.h" 80 81 /* CRL score values */ 82 83 /* No unhandled critical extensions */ 84 85 #define CRL_SCORE_NOCRITICAL 0x100 86 87 /* certificate is within CRL scope */ 88 89 #define CRL_SCORE_SCOPE 0x080 90 91 /* CRL times valid */ 92 93 #define CRL_SCORE_TIME 0x040 94 95 /* Issuer name matches certificate */ 96 97 #define CRL_SCORE_ISSUER_NAME 0x020 98 99 /* If this score or above CRL is probably valid */ 100 101 #define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE) 102 103 /* CRL issuer is certificate issuer */ 104 105 #define CRL_SCORE_ISSUER_CERT 0x018 106 107 /* CRL issuer is on certificate path */ 108 109 #define CRL_SCORE_SAME_PATH 0x008 110 111 /* CRL issuer matches CRL AKID */ 112 113 #define CRL_SCORE_AKID 0x004 114 115 /* Have a delta CRL with valid times */ 116 117 #define CRL_SCORE_TIME_DELTA 0x002 118 119 static int x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl); 120 static int x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); 121 122 static int null_callback(int ok, X509_STORE_CTX *e); 123 static int check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer); 124 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, 125 int allow_expired); 126 static int check_name_constraints(X509_STORE_CTX *ctx); 127 static int check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth); 128 129 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, 130 unsigned int *preasons, X509_CRL *crl, X509 *x); 131 static int get_crl_delta(X509_STORE_CTX *ctx, 132 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); 133 static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, 134 X509_CRL *base, STACK_OF(X509_CRL) *crls); 135 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, 136 int *pcrl_score); 137 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, 138 unsigned int *preasons); 139 static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); 140 static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, 141 STACK_OF(X509) *crl_path); 142 static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, 143 int clamp_notafter); 144 145 static int internal_verify(X509_STORE_CTX *ctx); 146 static int check_key_level(X509_STORE_CTX *ctx, X509 *cert); 147 static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err); 148 149 static int 150 null_callback(int ok, X509_STORE_CTX *e) 151 { 152 return ok; 153 } 154 155 /* Return 1 if a certificate is self signed */ 156 static int 157 cert_self_signed(X509 *x) 158 { 159 X509_check_purpose(x, -1, 0); 160 if (x->ex_flags & EXFLAG_SS) 161 return 1; 162 else 163 return 0; 164 } 165 166 static int 167 check_id_error(X509_STORE_CTX *ctx, int errcode) 168 { 169 ctx->error = errcode; 170 ctx->current_cert = ctx->cert; 171 ctx->error_depth = 0; 172 return ctx->verify_cb(0, ctx); 173 } 174 175 static int 176 x509_vfy_check_hosts(X509 *x, X509_VERIFY_PARAM *vpm) 177 { 178 int i, n; 179 char *name; 180 181 n = sk_OPENSSL_STRING_num(vpm->hosts); 182 free(vpm->peername); 183 vpm->peername = NULL; 184 185 for (i = 0; i < n; ++i) { 186 name = sk_OPENSSL_STRING_value(vpm->hosts, i); 187 if (X509_check_host(x, name, strlen(name), vpm->hostflags, 188 &vpm->peername) > 0) 189 return 1; 190 } 191 return n == 0; 192 } 193 194 int 195 x509_vfy_check_id(X509_STORE_CTX *ctx) 196 { 197 X509_VERIFY_PARAM *vpm = ctx->param; 198 X509 *x = ctx->cert; 199 200 if (vpm->hosts && x509_vfy_check_hosts(x, vpm) <= 0) { 201 if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) 202 return 0; 203 } 204 if (vpm->email != NULL && X509_check_email(x, vpm->email, vpm->emaillen, 0) 205 <= 0) { 206 if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) 207 return 0; 208 } 209 if (vpm->ip != NULL && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) { 210 if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) 211 return 0; 212 } 213 return 1; 214 } 215 216 /* 217 * This is the effectively broken legacy OpenSSL chain builder. It 218 * might find an unvalidated chain and leave it sitting in 219 * ctx->chain. It does not correctly handle many cases where multiple 220 * chains could exist. 221 * 222 * Oh no.. I know a dirty word... 223 * Oooooooh.. 224 */ 225 static int 226 X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok) 227 { 228 X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; 229 int bad_chain = 0; 230 X509_VERIFY_PARAM *param = ctx->param; 231 int ok = 0, ret = 0; 232 int depth, i; 233 int num, j, retry, trust; 234 int (*cb) (int xok, X509_STORE_CTX *xctx); 235 STACK_OF(X509) *sktmp = NULL; 236 237 cb = ctx->verify_cb; 238 239 /* 240 * First we make sure the chain we are going to build is 241 * present and that the first entry is in place. 242 */ 243 ctx->chain = sk_X509_new_null(); 244 if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) { 245 X509error(ERR_R_MALLOC_FAILURE); 246 ctx->error = X509_V_ERR_OUT_OF_MEM; 247 goto end; 248 } 249 X509_up_ref(ctx->cert); 250 ctx->num_untrusted = 1; 251 252 /* We use a temporary STACK so we can chop and hack at it */ 253 if (ctx->untrusted != NULL && 254 (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { 255 X509error(ERR_R_MALLOC_FAILURE); 256 ctx->error = X509_V_ERR_OUT_OF_MEM; 257 goto end; 258 } 259 260 num = sk_X509_num(ctx->chain); 261 x = sk_X509_value(ctx->chain, num - 1); 262 depth = param->depth; 263 264 for (;;) { 265 /* If we have enough, we break */ 266 /* FIXME: If this happens, we should take 267 * note of it and, if appropriate, use the 268 * X509_V_ERR_CERT_CHAIN_TOO_LONG error code 269 * later. 270 */ 271 if (depth < num) 272 break; 273 /* If we are self signed, we break */ 274 if (cert_self_signed(x)) 275 break; 276 /* 277 * If asked see if we can find issuer in trusted store first 278 */ 279 if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) { 280 ok = ctx->get_issuer(&xtmp, ctx, x); 281 if (ok < 0) { 282 ctx->error = X509_V_ERR_STORE_LOOKUP; 283 goto end; 284 } 285 /* 286 * If successful for now free up cert so it 287 * will be picked up again later. 288 */ 289 if (ok > 0) { 290 X509_free(xtmp); 291 break; 292 } 293 } 294 /* If we were passed a cert chain, use it first */ 295 if (ctx->untrusted != NULL) { 296 /* 297 * If we do not find a non-expired untrusted cert, peek 298 * ahead and see if we can satisfy this from the trusted 299 * store. If not, see if we have an expired untrusted cert. 300 */ 301 xtmp = find_issuer(ctx, sktmp, x, 0); 302 if (xtmp == NULL && 303 !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)) { 304 ok = ctx->get_issuer(&xtmp, ctx, x); 305 if (ok < 0) { 306 ctx->error = X509_V_ERR_STORE_LOOKUP; 307 goto end; 308 } 309 if (ok > 0) { 310 X509_free(xtmp); 311 break; 312 } 313 xtmp = find_issuer(ctx, sktmp, x, 1); 314 } 315 if (xtmp != NULL) { 316 if (!sk_X509_push(ctx->chain, xtmp)) { 317 X509error(ERR_R_MALLOC_FAILURE); 318 ctx->error = X509_V_ERR_OUT_OF_MEM; 319 ok = 0; 320 goto end; 321 } 322 X509_up_ref(xtmp); 323 (void)sk_X509_delete_ptr(sktmp, xtmp); 324 ctx->num_untrusted++; 325 x = xtmp; 326 num++; 327 /* 328 * reparse the full chain for the next one 329 */ 330 continue; 331 } 332 } 333 break; 334 } 335 /* Remember how many untrusted certs we have */ 336 j = num; 337 338 /* 339 * At this point, chain should contain a list of untrusted 340 * certificates. We now need to add at least one trusted one, 341 * if possible, otherwise we complain. 342 */ 343 344 do { 345 /* 346 * Examine last certificate in chain and see if it is 347 * self signed. 348 */ 349 i = sk_X509_num(ctx->chain); 350 x = sk_X509_value(ctx->chain, i - 1); 351 if (cert_self_signed(x)) { 352 /* we have a self signed certificate */ 353 if (i == 1) { 354 /* 355 * We have a single self signed 356 * certificate: see if we can find it 357 * in the store. We must have an exact 358 * match to avoid possible 359 * impersonation. 360 */ 361 ok = ctx->get_issuer(&xtmp, ctx, x); 362 if ((ok <= 0) || X509_cmp(x, xtmp)) { 363 ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; 364 ctx->current_cert = x; 365 ctx->error_depth = i - 1; 366 if (ok == 1) 367 X509_free(xtmp); 368 bad_chain = 1; 369 ok = cb(0, ctx); 370 if (!ok) 371 goto end; 372 } else { 373 /* 374 * We have a match: replace 375 * certificate with store 376 * version so we get any trust 377 * settings. 378 */ 379 X509_free(x); 380 x = xtmp; 381 (void)sk_X509_set(ctx->chain, i - 1, x); 382 ctx->num_untrusted = 0; 383 } 384 } else { 385 /* 386 * extract and save self signed 387 * certificate for later use 388 */ 389 chain_ss = sk_X509_pop(ctx->chain); 390 ctx->num_untrusted--; 391 num--; 392 j--; 393 x = sk_X509_value(ctx->chain, num - 1); 394 } 395 } 396 /* We now lookup certs from the certificate store */ 397 for (;;) { 398 /* If we have enough, we break */ 399 if (depth < num) 400 break; 401 /* If we are self signed, we break */ 402 if (cert_self_signed(x)) 403 break; 404 ok = ctx->get_issuer(&xtmp, ctx, x); 405 406 if (ok < 0) { 407 ctx->error = X509_V_ERR_STORE_LOOKUP; 408 goto end; 409 } 410 if (ok == 0) 411 break; 412 x = xtmp; 413 if (!sk_X509_push(ctx->chain, x)) { 414 X509_free(xtmp); 415 X509error(ERR_R_MALLOC_FAILURE); 416 ctx->error = X509_V_ERR_OUT_OF_MEM; 417 ok = 0; 418 goto end; 419 } 420 num++; 421 } 422 423 /* we now have our chain, lets check it... */ 424 trust = x509_vfy_check_trust(ctx); 425 426 /* If explicitly rejected error */ 427 if (trust == X509_TRUST_REJECTED) { 428 ok = 0; 429 goto end; 430 } 431 /* 432 * If it's not explicitly trusted then check if there 433 * is an alternative chain that could be used. We only 434 * do this if we haven't already checked via 435 * TRUSTED_FIRST and the user hasn't switched off 436 * alternate chain checking 437 */ 438 retry = 0; 439 if (trust != X509_TRUST_TRUSTED && 440 !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) && 441 !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { 442 while (j-- > 1) { 443 xtmp2 = sk_X509_value(ctx->chain, j - 1); 444 ok = ctx->get_issuer(&xtmp, ctx, xtmp2); 445 if (ok < 0) 446 goto end; 447 /* Check if we found an alternate chain */ 448 if (ok > 0) { 449 /* 450 * Free up the found cert 451 * we'll add it again later 452 */ 453 X509_free(xtmp); 454 /* 455 * Dump all the certs above 456 * this point - we've found an 457 * alternate chain 458 */ 459 while (num > j) { 460 xtmp = sk_X509_pop(ctx->chain); 461 X509_free(xtmp); 462 num--; 463 } 464 ctx->num_untrusted = sk_X509_num(ctx->chain); 465 retry = 1; 466 break; 467 } 468 } 469 } 470 } while (retry); 471 472 /* 473 * If not explicitly trusted then indicate error unless it's a single 474 * self signed certificate in which case we've indicated an error already 475 * and set bad_chain == 1 476 */ 477 if (trust != X509_TRUST_TRUSTED && !bad_chain) { 478 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { 479 if (ctx->num_untrusted >= num) 480 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 481 else 482 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; 483 ctx->current_cert = x; 484 } else { 485 if (!sk_X509_push(ctx->chain, chain_ss)) { 486 X509error(ERR_R_MALLOC_FAILURE); 487 ctx->error = X509_V_ERR_OUT_OF_MEM; 488 ok = 0; 489 goto end; 490 } 491 num++; 492 ctx->num_untrusted = num; 493 ctx->current_cert = chain_ss; 494 ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 495 chain_ss = NULL; 496 } 497 498 ctx->error_depth = num - 1; 499 bad_chain = 1; 500 ok = cb(0, ctx); 501 if (!ok) 502 goto end; 503 } 504 505 ret = 1; 506 end: 507 sk_X509_free(sktmp); 508 X509_free(chain_ss); 509 *bad = bad_chain; 510 *out_ok = ok; 511 512 return ret; 513 } 514 515 static int 516 X509_verify_cert_legacy(X509_STORE_CTX *ctx) 517 { 518 int ok = 0, bad_chain; 519 520 ctx->error = X509_V_OK; /* Initialize to OK */ 521 522 if (!X509_verify_cert_legacy_build_chain(ctx, &bad_chain, &ok)) 523 goto end; 524 525 /* We have the chain complete: now we need to check its purpose */ 526 ok = x509_vfy_check_chain_extensions(ctx); 527 if (!ok) 528 goto end; 529 530 /* Check that the chain satisfies the security level. */ 531 ok = x509_vfy_check_security_level(ctx); 532 if (!ok) 533 goto end; 534 535 /* Check name constraints */ 536 ok = check_name_constraints(ctx); 537 if (!ok) 538 goto end; 539 540 #ifndef OPENSSL_NO_RFC3779 541 ok = X509v3_asid_validate_path(ctx); 542 if (!ok) 543 goto end; 544 545 ok = X509v3_addr_validate_path(ctx); 546 if (!ok) 547 goto end; 548 #endif 549 550 ok = x509_vfy_check_id(ctx); 551 if (!ok) 552 goto end; 553 554 /* 555 * Check revocation status: we do this after copying parameters because 556 * they may be needed for CRL signature verification. 557 */ 558 ok = x509_vfy_check_revocation(ctx); 559 if (!ok) 560 goto end; 561 562 /* At this point, we have a chain and need to verify it */ 563 if (ctx->verify != NULL) 564 ok = ctx->verify(ctx); 565 else 566 ok = internal_verify(ctx); 567 if (!ok) 568 goto end; 569 570 /* If we get this far evaluate policies */ 571 if (!bad_chain) 572 ok = x509_vfy_check_policy(ctx); 573 574 end: 575 /* Safety net, error returns must set ctx->error */ 576 if (ok <= 0 && ctx->error == X509_V_OK) 577 ctx->error = X509_V_ERR_UNSPECIFIED; 578 579 return ok; 580 } 581 582 int 583 X509_verify_cert(X509_STORE_CTX *ctx) 584 { 585 struct x509_verify_ctx *vctx = NULL; 586 int chain_count = 0; 587 588 if (ctx->cert == NULL) { 589 X509error(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); 590 ctx->error = X509_V_ERR_INVALID_CALL; 591 return -1; 592 } 593 if (ctx->chain != NULL) { 594 /* 595 * This X509_STORE_CTX has already been used to verify 596 * a cert. We cannot do another one. 597 */ 598 X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 599 ctx->error = X509_V_ERR_INVALID_CALL; 600 return -1; 601 } 602 if (ctx->param->poisoned) { 603 /* 604 * This X509_STORE_CTX had failures setting 605 * up verify parameters. We can not use it. 606 */ 607 X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 608 ctx->error = X509_V_ERR_INVALID_CALL; 609 return -1; 610 } 611 if (ctx->error != X509_V_ERR_INVALID_CALL) { 612 /* 613 * This X509_STORE_CTX has not been properly initialized. 614 */ 615 X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 616 ctx->error = X509_V_ERR_INVALID_CALL; 617 return -1; 618 } 619 620 /* 621 * If the certificate's public key is too weak, don't bother 622 * continuing. 623 */ 624 if (!check_key_level(ctx, ctx->cert) && 625 !verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL)) 626 return 0; 627 628 /* 629 * If flags request legacy, use the legacy verifier. If we 630 * requested "no alt chains" from the age of hammer pants, use 631 * the legacy verifier because the multi chain verifier really 632 * does find all the "alt chains". 633 * 634 * XXX deprecate the NO_ALT_CHAINS flag? 635 */ 636 if ((ctx->param->flags & X509_V_FLAG_LEGACY_VERIFY) || 637 (ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) 638 return X509_verify_cert_legacy(ctx); 639 640 /* Use the modern multi-chain verifier from x509_verify_cert */ 641 642 if ((vctx = x509_verify_ctx_new_from_xsc(ctx)) != NULL) { 643 ctx->error = X509_V_OK; /* Initialize to OK */ 644 chain_count = x509_verify(vctx, NULL, NULL); 645 } 646 x509_verify_ctx_free(vctx); 647 648 /* if we succeed we have a chain in ctx->chain */ 649 return chain_count > 0 && ctx->chain != NULL; 650 } 651 LCRYPTO_ALIAS(X509_verify_cert); 652 653 /* Given a STACK_OF(X509) find the issuer of cert (if any) 654 */ 655 656 static X509 * 657 find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, 658 int allow_expired) 659 { 660 int i; 661 X509 *issuer, *rv = NULL; 662 663 for (i = 0; i < sk_X509_num(sk); i++) { 664 issuer = sk_X509_value(sk, i); 665 if (ctx->check_issued(ctx, x, issuer)) { 666 if (x509_check_cert_time(ctx, issuer, -1)) 667 return issuer; 668 if (allow_expired) 669 rv = issuer; 670 } 671 } 672 return rv; 673 } 674 675 /* Given a possible certificate and issuer check them */ 676 677 static int 678 check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer) 679 { 680 /* 681 * Yes, the arguments of X509_STORE_CTX_check_issued_fn were exposed in 682 * reverse order compared to the already public X509_check_issued()... 683 */ 684 return X509_check_issued(issuer, subject) == X509_V_OK; 685 } 686 687 /* Alternative lookup method: look from a STACK stored in ctx->trusted */ 688 689 static int 690 x509_vfy_get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 691 { 692 *issuer = find_issuer(ctx, ctx->trusted, x, 1); 693 if (*issuer) { 694 CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); 695 return 1; 696 } else 697 return 0; 698 } 699 700 /* Check a certificate chains extensions for consistency 701 * with the supplied purpose 702 */ 703 704 int 705 x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) 706 { 707 #ifdef OPENSSL_NO_CHAIN_VERIFY 708 return 1; 709 #else 710 int i, ok = 0, must_be_ca, plen = 0; 711 X509 *x; 712 int (*cb)(int xok, X509_STORE_CTX *xctx); 713 int proxy_path_length = 0; 714 int purpose; 715 716 cb = ctx->verify_cb; 717 718 /* must_be_ca can have 1 of 3 values: 719 -1: we accept both CA and non-CA certificates, to allow direct 720 use of self-signed certificates (which are marked as CA). 721 0: we only accept non-CA certificates. This is currently not 722 used, but the possibility is present for future extensions. 723 1: we only accept CA certificates. This is currently used for 724 all certificates in the chain except the leaf certificate. 725 */ 726 must_be_ca = -1; 727 728 /* CRL path validation */ 729 if (ctx->parent) 730 purpose = X509_PURPOSE_CRL_SIGN; 731 else 732 purpose = ctx->param->purpose; 733 734 /* Check all untrusted certificates */ 735 for (i = 0; i < ctx->num_untrusted; i++) { 736 int ret; 737 x = sk_X509_value(ctx->chain, i); 738 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && 739 (x->ex_flags & EXFLAG_CRITICAL)) { 740 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 741 ctx->error_depth = i; 742 ctx->current_cert = x; 743 ok = cb(0, ctx); 744 if (!ok) 745 goto end; 746 } 747 ret = X509_check_ca(x); 748 if (must_be_ca == -1) { 749 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && 750 (ret != 1) && (ret != 0)) { 751 ret = 0; 752 ctx->error = X509_V_ERR_INVALID_CA; 753 } else 754 ret = 1; 755 } else { 756 if ((ret == 0) || 757 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && 758 (ret != 1))) { 759 ret = 0; 760 ctx->error = X509_V_ERR_INVALID_CA; 761 } else 762 ret = 1; 763 } 764 if (ret == 0) { 765 ctx->error_depth = i; 766 ctx->current_cert = x; 767 ok = cb(0, ctx); 768 if (!ok) 769 goto end; 770 } 771 if (ctx->param->purpose > 0) { 772 ret = X509_check_purpose(x, purpose, must_be_ca > 0); 773 if ((ret == 0) || 774 ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && 775 (ret != 1))) { 776 ctx->error = X509_V_ERR_INVALID_PURPOSE; 777 ctx->error_depth = i; 778 ctx->current_cert = x; 779 ok = cb(0, ctx); 780 if (!ok) 781 goto end; 782 } 783 } 784 /* Check pathlen if not self issued */ 785 if ((i > 1) && !(x->ex_flags & EXFLAG_SI) && 786 (x->ex_pathlen != -1) && 787 (plen > (x->ex_pathlen + proxy_path_length + 1))) { 788 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; 789 ctx->error_depth = i; 790 ctx->current_cert = x; 791 ok = cb(0, ctx); 792 if (!ok) 793 goto end; 794 } 795 /* Increment path length if not self issued */ 796 if (!(x->ex_flags & EXFLAG_SI)) 797 plen++; 798 must_be_ca = 1; 799 } 800 ok = 1; 801 802 end: 803 return ok; 804 #endif 805 } 806 807 static int 808 check_name_constraints(X509_STORE_CTX *ctx) 809 { 810 if (!x509_constraints_chain(ctx->chain, &ctx->error, 811 &ctx->error_depth)) { 812 ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth); 813 if (!ctx->verify_cb(0, ctx)) 814 return 0; 815 } 816 return 1; 817 } 818 819 /* Given a certificate try and find an exact match in the store */ 820 821 static X509 * 822 lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) 823 { 824 STACK_OF(X509) *certs; 825 X509 *xtmp = NULL; 826 size_t i; 827 828 /* Lookup all certs with matching subject name */ 829 certs = X509_STORE_CTX_get1_certs(ctx, X509_get_subject_name(x)); 830 if (certs == NULL) 831 return NULL; 832 833 /* Look for exact match */ 834 for (i = 0; i < sk_X509_num(certs); i++) { 835 xtmp = sk_X509_value(certs, i); 836 if (!X509_cmp(xtmp, x)) 837 break; 838 } 839 840 if (i < sk_X509_num(certs)) 841 X509_up_ref(xtmp); 842 else 843 xtmp = NULL; 844 845 sk_X509_pop_free(certs, X509_free); 846 return xtmp; 847 } 848 849 X509 * 850 x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) 851 { 852 if (ctx->store == NULL || ctx->store->objs == NULL) 853 return NULL; 854 return lookup_cert_match(ctx, x); 855 } 856 857 int 858 x509_vfy_check_trust(X509_STORE_CTX *ctx) 859 { 860 size_t i; 861 int ok; 862 X509 *x = NULL; 863 int (*cb) (int xok, X509_STORE_CTX *xctx); 864 865 cb = ctx->verify_cb; 866 /* Check all trusted certificates in chain */ 867 for (i = ctx->num_untrusted; i < sk_X509_num(ctx->chain); i++) { 868 x = sk_X509_value(ctx->chain, i); 869 ok = X509_check_trust(x, ctx->param->trust, 0); 870 871 /* If explicitly trusted return trusted */ 872 if (ok == X509_TRUST_TRUSTED) 873 return X509_TRUST_TRUSTED; 874 /* 875 * If explicitly rejected notify callback and reject if not 876 * overridden. 877 */ 878 if (ok == X509_TRUST_REJECTED) { 879 ctx->error_depth = i; 880 ctx->current_cert = x; 881 ctx->error = X509_V_ERR_CERT_REJECTED; 882 ok = cb(0, ctx); 883 if (!ok) 884 return X509_TRUST_REJECTED; 885 } 886 } 887 /* 888 * If we accept partial chains and have at least one trusted certificate 889 * return success. 890 */ 891 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { 892 X509 *mx; 893 if (ctx->num_untrusted < (int)sk_X509_num(ctx->chain)) 894 return X509_TRUST_TRUSTED; 895 x = sk_X509_value(ctx->chain, 0); 896 mx = lookup_cert_match(ctx, x); 897 if (mx) { 898 (void)sk_X509_set(ctx->chain, 0, mx); 899 X509_free(x); 900 ctx->num_untrusted = 0; 901 return X509_TRUST_TRUSTED; 902 } 903 } 904 905 /* 906 * If no trusted certs in chain at all return untrusted and allow 907 * standard (no issuer cert) etc errors to be indicated. 908 */ 909 return X509_TRUST_UNTRUSTED; 910 } 911 912 int 913 x509_vfy_check_revocation(X509_STORE_CTX *ctx) 914 { 915 int i, last, ok; 916 917 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) 918 return 1; 919 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) 920 last = sk_X509_num(ctx->chain) - 1; 921 else { 922 /* If checking CRL paths this isn't the EE certificate */ 923 if (ctx->parent) 924 return 1; 925 last = 0; 926 } 927 for (i = 0; i <= last; i++) { 928 ok = check_cert(ctx, ctx->chain, i); 929 if (!ok) 930 return ok; 931 } 932 return 1; 933 } 934 935 static int 936 check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth) 937 { 938 X509_CRL *crl = NULL, *dcrl = NULL; 939 X509 *x; 940 int ok = 0, cnum; 941 unsigned int last_reasons; 942 943 cnum = ctx->error_depth = depth; 944 x = sk_X509_value(chain, cnum); 945 ctx->current_cert = x; 946 ctx->current_issuer = NULL; 947 ctx->current_crl_score = 0; 948 ctx->current_reasons = 0; 949 while (ctx->current_reasons != CRLDP_ALL_REASONS) { 950 last_reasons = ctx->current_reasons; 951 /* Try to retrieve relevant CRL */ 952 ok = get_crl_delta(ctx, &crl, &dcrl, x); 953 if (!ok) { 954 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 955 ok = ctx->verify_cb(0, ctx); 956 goto err; 957 } 958 ctx->current_crl = crl; 959 ok = x509_vfy_check_crl(ctx, crl); 960 if (!ok) 961 goto err; 962 963 if (dcrl) { 964 ok = x509_vfy_check_crl(ctx, dcrl); 965 if (!ok) 966 goto err; 967 ok = x509_vfy_cert_crl(ctx, dcrl, x); 968 if (!ok) 969 goto err; 970 } else 971 ok = 1; 972 973 /* Don't look in full CRL if delta reason is removefromCRL */ 974 if (ok != 2) { 975 ok = x509_vfy_cert_crl(ctx, crl, x); 976 if (!ok) 977 goto err; 978 } 979 980 ctx->current_crl = NULL; 981 X509_CRL_free(crl); 982 X509_CRL_free(dcrl); 983 crl = NULL; 984 dcrl = NULL; 985 /* If reasons not updated we wont get anywhere by 986 * another iteration, so exit loop. 987 */ 988 if (last_reasons == ctx->current_reasons) { 989 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; 990 ok = ctx->verify_cb(0, ctx); 991 goto err; 992 } 993 } 994 995 err: 996 ctx->current_crl = NULL; 997 X509_CRL_free(crl); 998 X509_CRL_free(dcrl); 999 return ok; 1000 } 1001 1002 /* Check CRL times against values in X509_STORE_CTX */ 1003 1004 static int 1005 check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) 1006 { 1007 time_t *ptime; 1008 int i; 1009 1010 if (notify) 1011 ctx->current_crl = crl; 1012 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) 1013 ptime = &ctx->param->check_time; 1014 else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) 1015 return 1; 1016 else 1017 ptime = NULL; 1018 1019 i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); 1020 if (i == 0) { 1021 if (!notify) 1022 return 0; 1023 ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; 1024 if (!ctx->verify_cb(0, ctx)) 1025 return 0; 1026 } 1027 1028 if (i > 0) { 1029 if (!notify) 1030 return 0; 1031 ctx->error = X509_V_ERR_CRL_NOT_YET_VALID; 1032 if (!ctx->verify_cb(0, ctx)) 1033 return 0; 1034 } 1035 1036 if (X509_CRL_get_nextUpdate(crl)) { 1037 i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); 1038 1039 if (i == 0) { 1040 if (!notify) 1041 return 0; 1042 ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; 1043 if (!ctx->verify_cb(0, ctx)) 1044 return 0; 1045 } 1046 /* Ignore expiry of base CRL is delta is valid */ 1047 if ((i < 0) && 1048 !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { 1049 if (!notify) 1050 return 0; 1051 ctx->error = X509_V_ERR_CRL_HAS_EXPIRED; 1052 if (!ctx->verify_cb(0, ctx)) 1053 return 0; 1054 } 1055 } 1056 1057 if (notify) 1058 ctx->current_crl = NULL; 1059 1060 return 1; 1061 } 1062 1063 static int 1064 get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, 1065 X509 **pissuer, int *pscore, unsigned int *preasons, 1066 STACK_OF(X509_CRL) *crls) 1067 { 1068 int i, crl_score, best_score = *pscore; 1069 unsigned int reasons, best_reasons = 0; 1070 X509 *x = ctx->current_cert; 1071 X509_CRL *crl, *best_crl = NULL; 1072 X509 *crl_issuer = NULL, *best_crl_issuer = NULL; 1073 1074 for (i = 0; i < sk_X509_CRL_num(crls); i++) { 1075 crl = sk_X509_CRL_value(crls, i); 1076 reasons = *preasons; 1077 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); 1078 1079 if (crl_score > best_score) { 1080 best_crl = crl; 1081 best_crl_issuer = crl_issuer; 1082 best_score = crl_score; 1083 best_reasons = reasons; 1084 } 1085 } 1086 1087 if (best_crl) { 1088 if (*pcrl) 1089 X509_CRL_free(*pcrl); 1090 *pcrl = best_crl; 1091 *pissuer = best_crl_issuer; 1092 *pscore = best_score; 1093 *preasons = best_reasons; 1094 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); 1095 if (*pdcrl) { 1096 X509_CRL_free(*pdcrl); 1097 *pdcrl = NULL; 1098 } 1099 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); 1100 } 1101 1102 if (best_score >= CRL_SCORE_VALID) 1103 return 1; 1104 1105 return 0; 1106 } 1107 1108 /* Compare two CRL extensions for delta checking purposes. They should be 1109 * both present or both absent. If both present all fields must be identical. 1110 */ 1111 1112 static int 1113 crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) 1114 { 1115 ASN1_OCTET_STRING *exta, *extb; 1116 int i; 1117 1118 i = X509_CRL_get_ext_by_NID(a, nid, -1); 1119 if (i >= 0) { 1120 /* Can't have multiple occurrences */ 1121 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) 1122 return 0; 1123 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); 1124 } else 1125 exta = NULL; 1126 1127 i = X509_CRL_get_ext_by_NID(b, nid, -1); 1128 1129 if (i >= 0) { 1130 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) 1131 return 0; 1132 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); 1133 } else 1134 extb = NULL; 1135 1136 if (!exta && !extb) 1137 return 1; 1138 1139 if (!exta || !extb) 1140 return 0; 1141 1142 if (ASN1_OCTET_STRING_cmp(exta, extb)) 1143 return 0; 1144 1145 return 1; 1146 } 1147 1148 /* See if a base and delta are compatible */ 1149 1150 static int 1151 check_delta_base(X509_CRL *delta, X509_CRL *base) 1152 { 1153 /* Delta CRL must be a delta */ 1154 if (!delta->base_crl_number) 1155 return 0; 1156 /* Base must have a CRL number */ 1157 if (!base->crl_number) 1158 return 0; 1159 /* Issuer names must match */ 1160 if (X509_NAME_cmp(X509_CRL_get_issuer(base), 1161 X509_CRL_get_issuer(delta))) 1162 return 0; 1163 /* AKID and IDP must match */ 1164 if (!crl_extension_match(delta, base, NID_authority_key_identifier)) 1165 return 0; 1166 if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) 1167 return 0; 1168 /* Delta CRL base number must not exceed Full CRL number. */ 1169 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) 1170 return 0; 1171 /* Delta CRL number must exceed full CRL number */ 1172 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) 1173 return 1; 1174 return 0; 1175 } 1176 1177 /* For a given base CRL find a delta... maybe extend to delta scoring 1178 * or retrieve a chain of deltas... 1179 */ 1180 1181 static void 1182 get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base, 1183 STACK_OF(X509_CRL) *crls) 1184 { 1185 X509_CRL *delta; 1186 int i; 1187 1188 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) 1189 return; 1190 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) 1191 return; 1192 for (i = 0; i < sk_X509_CRL_num(crls); i++) { 1193 delta = sk_X509_CRL_value(crls, i); 1194 if (check_delta_base(delta, base)) { 1195 if (check_crl_time(ctx, delta, 0)) 1196 *pscore |= CRL_SCORE_TIME_DELTA; 1197 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); 1198 *dcrl = delta; 1199 return; 1200 } 1201 } 1202 *dcrl = NULL; 1203 } 1204 1205 /* For a given CRL return how suitable it is for the supplied certificate 'x'. 1206 * The return value is a mask of several criteria. 1207 * If the issuer is not the certificate issuer this is returned in *pissuer. 1208 * The reasons mask is also used to determine if the CRL is suitable: if 1209 * no new reasons the CRL is rejected, otherwise reasons is updated. 1210 */ 1211 1212 static int 1213 get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, 1214 X509_CRL *crl, X509 *x) 1215 { 1216 int crl_score = 0; 1217 unsigned int tmp_reasons = *preasons, crl_reasons; 1218 1219 /* First see if we can reject CRL straight away */ 1220 1221 /* Invalid IDP cannot be processed */ 1222 if (crl->idp_flags & IDP_INVALID) 1223 return 0; 1224 /* Reason codes or indirect CRLs need extended CRL support */ 1225 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) { 1226 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) 1227 return 0; 1228 } else if (crl->idp_flags & IDP_REASONS) { 1229 /* If no new reasons reject */ 1230 if (!(crl->idp_reasons & ~tmp_reasons)) 1231 return 0; 1232 } 1233 /* Don't process deltas at this stage */ 1234 else if (crl->base_crl_number) 1235 return 0; 1236 /* If issuer name doesn't match certificate need indirect CRL */ 1237 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) { 1238 if (!(crl->idp_flags & IDP_INDIRECT)) 1239 return 0; 1240 } else 1241 crl_score |= CRL_SCORE_ISSUER_NAME; 1242 1243 if (!(crl->flags & EXFLAG_CRITICAL)) 1244 crl_score |= CRL_SCORE_NOCRITICAL; 1245 1246 /* Check expiry */ 1247 if (check_crl_time(ctx, crl, 0)) 1248 crl_score |= CRL_SCORE_TIME; 1249 1250 /* Check authority key ID and locate certificate issuer */ 1251 crl_akid_check(ctx, crl, pissuer, &crl_score); 1252 1253 /* If we can't locate certificate issuer at this point forget it */ 1254 1255 if (!(crl_score & CRL_SCORE_AKID)) 1256 return 0; 1257 1258 /* Check cert for matching CRL distribution points */ 1259 1260 if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) { 1261 /* If no new reasons reject */ 1262 if (!(crl_reasons & ~tmp_reasons)) 1263 return 0; 1264 tmp_reasons |= crl_reasons; 1265 crl_score |= CRL_SCORE_SCOPE; 1266 } 1267 1268 *preasons = tmp_reasons; 1269 1270 return crl_score; 1271 } 1272 1273 static void 1274 crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, 1275 int *pcrl_score) 1276 { 1277 X509 *crl_issuer = NULL; 1278 X509_NAME *cnm = X509_CRL_get_issuer(crl); 1279 int cidx = ctx->error_depth; 1280 int i; 1281 1282 if (cidx != sk_X509_num(ctx->chain) - 1) 1283 cidx++; 1284 1285 crl_issuer = sk_X509_value(ctx->chain, cidx); 1286 1287 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { 1288 if (*pcrl_score & CRL_SCORE_ISSUER_NAME) { 1289 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; 1290 *pissuer = crl_issuer; 1291 return; 1292 } 1293 } 1294 1295 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) { 1296 crl_issuer = sk_X509_value(ctx->chain, cidx); 1297 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 1298 continue; 1299 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { 1300 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; 1301 *pissuer = crl_issuer; 1302 return; 1303 } 1304 } 1305 1306 /* Anything else needs extended CRL support */ 1307 1308 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) 1309 return; 1310 1311 /* Otherwise the CRL issuer is not on the path. Look for it in the 1312 * set of untrusted certificates. 1313 */ 1314 for (i = 0; i < sk_X509_num(ctx->untrusted); i++) { 1315 crl_issuer = sk_X509_value(ctx->untrusted, i); 1316 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) 1317 continue; 1318 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { 1319 *pissuer = crl_issuer; 1320 *pcrl_score |= CRL_SCORE_AKID; 1321 return; 1322 } 1323 } 1324 } 1325 1326 /* Check the path of a CRL issuer certificate. This creates a new 1327 * X509_STORE_CTX and populates it with most of the parameters from the 1328 * parent. This could be optimised somewhat since a lot of path checking 1329 * will be duplicated by the parent, but this will rarely be used in 1330 * practice. 1331 */ 1332 1333 static int 1334 check_crl_path(X509_STORE_CTX *ctx, X509 *x) 1335 { 1336 X509_STORE_CTX crl_ctx; 1337 int ret; 1338 1339 /* Don't allow recursive CRL path validation */ 1340 if (ctx->parent) 1341 return 0; 1342 if (!X509_STORE_CTX_init(&crl_ctx, ctx->store, x, ctx->untrusted)) { 1343 ret = -1; 1344 goto err; 1345 } 1346 1347 crl_ctx.crls = ctx->crls; 1348 /* Copy verify params across */ 1349 X509_STORE_CTX_set0_param(&crl_ctx, ctx->param); 1350 1351 crl_ctx.parent = ctx; 1352 crl_ctx.verify_cb = ctx->verify_cb; 1353 1354 /* Verify CRL issuer */ 1355 ret = X509_verify_cert(&crl_ctx); 1356 1357 if (ret <= 0) 1358 goto err; 1359 1360 /* Check chain is acceptable */ 1361 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); 1362 1363 err: 1364 X509_STORE_CTX_cleanup(&crl_ctx); 1365 return ret; 1366 } 1367 1368 /* RFC3280 says nothing about the relationship between CRL path 1369 * and certificate path, which could lead to situations where a 1370 * certificate could be revoked or validated by a CA not authorised 1371 * to do so. RFC5280 is more strict and states that the two paths must 1372 * end in the same trust anchor, though some discussions remain... 1373 * until this is resolved we use the RFC5280 version 1374 */ 1375 1376 static int 1377 check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, 1378 STACK_OF(X509) *crl_path) 1379 { 1380 X509 *cert_ta, *crl_ta; 1381 1382 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); 1383 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); 1384 if (!X509_cmp(cert_ta, crl_ta)) 1385 return 1; 1386 return 0; 1387 } 1388 1389 /* Check for match between two dist point names: three separate cases. 1390 * 1. Both are relative names and compare X509_NAME types. 1391 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES. 1392 * 3. Both are full names and compare two GENERAL_NAMES. 1393 * 4. One is NULL: automatic match. 1394 */ 1395 1396 static int 1397 idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) 1398 { 1399 X509_NAME *nm = NULL; 1400 GENERAL_NAMES *gens = NULL; 1401 GENERAL_NAME *gena, *genb; 1402 int i, j; 1403 1404 if (!a || !b) 1405 return 1; 1406 if (a->type == 1) { 1407 if (!a->dpname) 1408 return 0; 1409 /* Case 1: two X509_NAME */ 1410 if (b->type == 1) { 1411 if (!b->dpname) 1412 return 0; 1413 if (!X509_NAME_cmp(a->dpname, b->dpname)) 1414 return 1; 1415 else 1416 return 0; 1417 } 1418 /* Case 2: set name and GENERAL_NAMES appropriately */ 1419 nm = a->dpname; 1420 gens = b->name.fullname; 1421 } else if (b->type == 1) { 1422 if (!b->dpname) 1423 return 0; 1424 /* Case 2: set name and GENERAL_NAMES appropriately */ 1425 gens = a->name.fullname; 1426 nm = b->dpname; 1427 } 1428 1429 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ 1430 if (nm) { 1431 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { 1432 gena = sk_GENERAL_NAME_value(gens, i); 1433 if (gena->type != GEN_DIRNAME) 1434 continue; 1435 if (!X509_NAME_cmp(nm, gena->d.directoryName)) 1436 return 1; 1437 } 1438 return 0; 1439 } 1440 1441 /* Else case 3: two GENERAL_NAMES */ 1442 1443 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) { 1444 gena = sk_GENERAL_NAME_value(a->name.fullname, i); 1445 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) { 1446 genb = sk_GENERAL_NAME_value(b->name.fullname, j); 1447 if (!GENERAL_NAME_cmp(gena, genb)) 1448 return 1; 1449 } 1450 } 1451 1452 return 0; 1453 } 1454 1455 static int 1456 crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) 1457 { 1458 int i; 1459 X509_NAME *nm = X509_CRL_get_issuer(crl); 1460 1461 /* If no CRLissuer return is successful iff don't need a match */ 1462 if (!dp->CRLissuer) 1463 return !!(crl_score & CRL_SCORE_ISSUER_NAME); 1464 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { 1465 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); 1466 if (gen->type != GEN_DIRNAME) 1467 continue; 1468 if (!X509_NAME_cmp(gen->d.directoryName, nm)) 1469 return 1; 1470 } 1471 return 0; 1472 } 1473 1474 /* Check CRLDP and IDP */ 1475 1476 static int 1477 crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons) 1478 { 1479 int i; 1480 1481 if (crl->idp_flags & IDP_ONLYATTR) 1482 return 0; 1483 if (x->ex_flags & EXFLAG_CA) { 1484 if (crl->idp_flags & IDP_ONLYUSER) 1485 return 0; 1486 } else { 1487 if (crl->idp_flags & IDP_ONLYCA) 1488 return 0; 1489 } 1490 *preasons = crl->idp_reasons; 1491 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { 1492 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); 1493 if (crldp_check_crlissuer(dp, crl, crl_score)) { 1494 if (!crl->idp || 1495 idp_check_dp(dp->distpoint, crl->idp->distpoint)) { 1496 *preasons &= dp->dp_reasons; 1497 return 1; 1498 } 1499 } 1500 } 1501 if ((!crl->idp || !crl->idp->distpoint) && 1502 (crl_score & CRL_SCORE_ISSUER_NAME)) 1503 return 1; 1504 return 0; 1505 } 1506 1507 /* Retrieve CRL corresponding to current certificate. 1508 * If deltas enabled try to find a delta CRL too 1509 */ 1510 1511 static int 1512 get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) 1513 { 1514 int ok; 1515 X509 *issuer = NULL; 1516 int crl_score = 0; 1517 unsigned int reasons; 1518 X509_CRL *crl = NULL, *dcrl = NULL; 1519 STACK_OF(X509_CRL) *skcrl; 1520 X509_NAME *nm = X509_get_issuer_name(x); 1521 1522 reasons = ctx->current_reasons; 1523 ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, 1524 ctx->crls); 1525 if (ok) 1526 goto done; 1527 1528 /* Lookup CRLs from store */ 1529 skcrl = X509_STORE_CTX_get1_crls(ctx, nm); 1530 1531 /* If no CRLs found and a near match from get_crl_sk use that */ 1532 if (!skcrl && crl) 1533 goto done; 1534 1535 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); 1536 1537 sk_X509_CRL_pop_free(skcrl, X509_CRL_free); 1538 1539 done: 1540 1541 /* If we got any kind of CRL use it and return success */ 1542 if (crl) { 1543 ctx->current_issuer = issuer; 1544 ctx->current_crl_score = crl_score; 1545 ctx->current_reasons = reasons; 1546 *pcrl = crl; 1547 *pdcrl = dcrl; 1548 return 1; 1549 } 1550 1551 return 0; 1552 } 1553 1554 /* Check CRL validity */ 1555 static int 1556 x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) 1557 { 1558 X509 *issuer = NULL; 1559 EVP_PKEY *ikey = NULL; 1560 int ok = 0, chnum, cnum; 1561 1562 cnum = ctx->error_depth; 1563 chnum = sk_X509_num(ctx->chain) - 1; 1564 /* if we have an alternative CRL issuer cert use that */ 1565 if (ctx->current_issuer) { 1566 issuer = ctx->current_issuer; 1567 } else if (cnum < chnum) { 1568 /* 1569 * Else find CRL issuer: if not last certificate then issuer 1570 * is next certificate in chain. 1571 */ 1572 issuer = sk_X509_value(ctx->chain, cnum + 1); 1573 } else { 1574 issuer = sk_X509_value(ctx->chain, chnum); 1575 /* If not self signed, can't check signature */ 1576 if (!ctx->check_issued(ctx, issuer, issuer)) { 1577 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; 1578 ok = ctx->verify_cb(0, ctx); 1579 if (!ok) 1580 goto err; 1581 } 1582 } 1583 1584 if (issuer) { 1585 /* Skip most tests for deltas because they have already 1586 * been done 1587 */ 1588 if (!crl->base_crl_number) { 1589 /* Check for cRLSign bit if keyUsage present */ 1590 if ((issuer->ex_flags & EXFLAG_KUSAGE) && 1591 !(issuer->ex_kusage & KU_CRL_SIGN)) { 1592 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; 1593 ok = ctx->verify_cb(0, ctx); 1594 if (!ok) 1595 goto err; 1596 } 1597 1598 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { 1599 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; 1600 ok = ctx->verify_cb(0, ctx); 1601 if (!ok) 1602 goto err; 1603 } 1604 1605 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { 1606 if (check_crl_path(ctx, 1607 ctx->current_issuer) <= 0) { 1608 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; 1609 ok = ctx->verify_cb(0, ctx); 1610 if (!ok) 1611 goto err; 1612 } 1613 } 1614 1615 if (crl->idp_flags & IDP_INVALID) { 1616 ctx->error = X509_V_ERR_INVALID_EXTENSION; 1617 ok = ctx->verify_cb(0, ctx); 1618 if (!ok) 1619 goto err; 1620 } 1621 1622 1623 } 1624 1625 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { 1626 ok = check_crl_time(ctx, crl, 1); 1627 if (!ok) 1628 goto err; 1629 } 1630 1631 /* Attempt to get issuer certificate public key */ 1632 ikey = X509_get_pubkey(issuer); 1633 1634 if (!ikey) { 1635 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 1636 ok = ctx->verify_cb(0, ctx); 1637 if (!ok) 1638 goto err; 1639 } else { 1640 /* Verify CRL signature */ 1641 if (X509_CRL_verify(crl, ikey) <= 0) { 1642 ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE; 1643 ok = ctx->verify_cb(0, ctx); 1644 if (!ok) 1645 goto err; 1646 } 1647 } 1648 } 1649 1650 ok = 1; 1651 1652 err: 1653 EVP_PKEY_free(ikey); 1654 return ok; 1655 } 1656 1657 /* Check certificate against CRL */ 1658 static int 1659 x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) 1660 { 1661 int ok; 1662 X509_REVOKED *rev; 1663 1664 /* The rules changed for this... previously if a CRL contained 1665 * unhandled critical extensions it could still be used to indicate 1666 * a certificate was revoked. This has since been changed since 1667 * critical extension can change the meaning of CRL entries. 1668 */ 1669 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && 1670 (crl->flags & EXFLAG_CRITICAL)) { 1671 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; 1672 ok = ctx->verify_cb(0, ctx); 1673 if (!ok) 1674 return 0; 1675 } 1676 /* Look for serial number of certificate in CRL 1677 * If found make sure reason is not removeFromCRL. 1678 */ 1679 if (X509_CRL_get0_by_cert(crl, &rev, x)) { 1680 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) 1681 return 2; 1682 ctx->error = X509_V_ERR_CERT_REVOKED; 1683 ok = ctx->verify_cb(0, ctx); 1684 if (!ok) 1685 return 0; 1686 } 1687 1688 return 1; 1689 } 1690 1691 int 1692 x509_vfy_check_policy(X509_STORE_CTX *ctx) 1693 { 1694 X509 *current_cert = NULL; 1695 int ret; 1696 1697 if (ctx->parent != NULL) 1698 return 1; 1699 1700 ret = X509_policy_check(ctx->chain, ctx->param->policies, 1701 ctx->param->flags, ¤t_cert); 1702 if (ret != X509_V_OK) { 1703 ctx->current_cert = current_cert; 1704 ctx->error = ret; 1705 if (ret == X509_V_ERR_OUT_OF_MEM) 1706 return 0; 1707 return ctx->verify_cb(0, ctx); 1708 } 1709 1710 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { 1711 ctx->current_cert = NULL; 1712 /* 1713 * Verification errors need to be "sticky", a callback may have 1714 * allowed an SSL handshake to continue despite an error, and 1715 * we must then remain in an error state. Therefore, we MUST 1716 * NOT clear earlier verification errors by setting the error 1717 * to X509_V_OK. 1718 */ 1719 if (!ctx->verify_cb(2, ctx)) 1720 return 0; 1721 } 1722 1723 return 1; 1724 } 1725 1726 /* 1727 * Inform the verify callback of an error. 1728 * 1729 * If x is not NULL it is the error cert, otherwise use the chain cert 1730 * at depth. 1731 * 1732 * If err is not X509_V_OK, that's the error value, otherwise leave 1733 * unchanged (presumably set by the caller). 1734 * 1735 * Returns 0 to abort verification with an error, non-zero to continue. 1736 */ 1737 static int 1738 verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err) 1739 { 1740 ctx->error_depth = depth; 1741 ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth); 1742 if (err != X509_V_OK) 1743 ctx->error = err; 1744 return ctx->verify_cb(0, ctx); 1745 } 1746 1747 /* 1748 * Check certificate validity times. 1749 * 1750 * If depth >= 0, invoke verification callbacks on error, otherwise just return 1751 * the validation status. 1752 * 1753 * Return 1 on success, 0 otherwise. 1754 */ 1755 int 1756 x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) 1757 { 1758 time_t ptime; 1759 int i; 1760 1761 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) 1762 ptime = ctx->param->check_time; 1763 else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) 1764 return 1; 1765 else 1766 ptime = time(NULL); 1767 1768 i = X509_cmp_time(X509_get_notBefore(x), &ptime); 1769 1770 if (i >= 0 && depth < 0) 1771 return 0; 1772 if (i == 0 && !verify_cb_cert(ctx, x, depth, 1773 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD)) 1774 return 0; 1775 if (i > 0 && !verify_cb_cert(ctx, x, depth, 1776 X509_V_ERR_CERT_NOT_YET_VALID)) 1777 return 0; 1778 1779 i = X509_cmp_time_internal(X509_get_notAfter(x), &ptime, 1); 1780 1781 if (i <= 0 && depth < 0) 1782 return 0; 1783 if (i == 0 && !verify_cb_cert(ctx, x, depth, 1784 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD)) 1785 return 0; 1786 if (i < 0 && !verify_cb_cert(ctx, x, depth, 1787 X509_V_ERR_CERT_HAS_EXPIRED)) 1788 return 0; 1789 1790 return 1; 1791 } 1792 1793 static int 1794 x509_vfy_internal_verify(X509_STORE_CTX *ctx, int chain_verified) 1795 { 1796 int n = sk_X509_num(ctx->chain) - 1; 1797 X509 *xi = sk_X509_value(ctx->chain, n); 1798 X509 *xs; 1799 1800 if (ctx->check_issued(ctx, xi, xi)) 1801 xs = xi; 1802 else { 1803 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { 1804 xs = xi; 1805 goto check_cert; 1806 } 1807 if (n <= 0) 1808 return verify_cb_cert(ctx, xi, 0, 1809 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE); 1810 n--; 1811 ctx->error_depth = n; 1812 xs = sk_X509_value(ctx->chain, n); 1813 } 1814 1815 /* 1816 * Do not clear ctx->error=0, it must be "sticky", only the 1817 * user's callback is allowed to reset errors (at its own 1818 * peril). 1819 */ 1820 while (n >= 0) { 1821 1822 /* 1823 * Skip signature check for self signed certificates 1824 * unless explicitly asked for. It doesn't add any 1825 * security and just wastes time. If the issuer's 1826 * public key is unusable, report the issuer 1827 * certificate and its depth (rather than the depth of 1828 * the subject). 1829 */ 1830 if (!chain_verified && ( xs != xi || 1831 (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { 1832 EVP_PKEY *pkey; 1833 if ((pkey = X509_get_pubkey(xi)) == NULL) { 1834 if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, 1835 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) 1836 return 0; 1837 } else if (X509_verify(xs, pkey) <= 0) { 1838 if (!verify_cb_cert(ctx, xs, n, 1839 X509_V_ERR_CERT_SIGNATURE_FAILURE)) { 1840 EVP_PKEY_free(pkey); 1841 return 0; 1842 } 1843 } 1844 EVP_PKEY_free(pkey); 1845 } 1846 check_cert: 1847 /* Calls verify callback as needed */ 1848 if (!chain_verified && !x509_check_cert_time(ctx, xs, n)) 1849 return 0; 1850 1851 /* 1852 * Signal success at this depth. However, the 1853 * previous error (if any) is retained. 1854 */ 1855 ctx->current_issuer = xi; 1856 ctx->current_cert = xs; 1857 ctx->error_depth = n; 1858 if (!ctx->verify_cb(1, ctx)) 1859 return 0; 1860 1861 if (--n >= 0) { 1862 xi = xs; 1863 xs = sk_X509_value(ctx->chain, n); 1864 } 1865 } 1866 return 1; 1867 } 1868 1869 static int 1870 internal_verify(X509_STORE_CTX *ctx) 1871 { 1872 return x509_vfy_internal_verify(ctx, 0); 1873 } 1874 1875 /* 1876 * Internal verify, but with a chain where the verification 1877 * math has already been performed. 1878 */ 1879 int 1880 x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx) 1881 { 1882 return x509_vfy_internal_verify(ctx, 1); 1883 } 1884 1885 int 1886 X509_cmp_current_time(const ASN1_TIME *ctm) 1887 { 1888 return X509_cmp_time(ctm, NULL); 1889 } 1890 LCRYPTO_ALIAS(X509_cmp_current_time); 1891 1892 /* 1893 * Compare a possibly unvalidated ASN1_TIME string against a time_t 1894 * using RFC 5280 rules for the time string. If *cmp_time is NULL 1895 * the current system time is used. 1896 * 1897 * XXX NOTE that unlike what you expect a "cmp" function to do in C, 1898 * XXX this one is "special", and returns 0 for error. 1899 * 1900 * Returns: 1901 * -1 if the ASN1_time is earlier than OR the same as *cmp_time. 1902 * 1 if the ASN1_time is later than *cmp_time. 1903 * 0 on error. 1904 */ 1905 static int 1906 X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int is_notafter) 1907 { 1908 time_t compare, cert_time; 1909 1910 if (cmp_time == NULL) 1911 compare = time(NULL); 1912 else 1913 compare = *cmp_time; 1914 1915 if (!x509_verify_asn1_time_to_time_t(ctm, is_notafter, &cert_time)) 1916 return 0; /* invalid time */ 1917 1918 if (cert_time <= compare) 1919 return -1; /* 0 is used for error, so map same to less than */ 1920 1921 return 1; 1922 } 1923 1924 int 1925 X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) 1926 { 1927 return X509_cmp_time_internal(ctm, cmp_time, 0); 1928 } 1929 LCRYPTO_ALIAS(X509_cmp_time); 1930 1931 1932 ASN1_TIME * 1933 X509_gmtime_adj(ASN1_TIME *s, long adj) 1934 { 1935 return X509_time_adj(s, adj, NULL); 1936 } 1937 LCRYPTO_ALIAS(X509_gmtime_adj); 1938 1939 ASN1_TIME * 1940 X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_time) 1941 { 1942 return X509_time_adj_ex(s, 0, offset_sec, in_time); 1943 } 1944 LCRYPTO_ALIAS(X509_time_adj); 1945 1946 ASN1_TIME * 1947 X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_time) 1948 { 1949 time_t t; 1950 if (in_time == NULL) 1951 t = time(NULL); 1952 else 1953 t = *in_time; 1954 1955 return ASN1_TIME_adj(s, t, offset_day, offset_sec); 1956 } 1957 LCRYPTO_ALIAS(X509_time_adj_ex); 1958 1959 int 1960 X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) 1961 { 1962 EVP_PKEY *ktmp = NULL, *ktmp2; 1963 int i, j; 1964 1965 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) 1966 return 1; 1967 1968 for (i = 0; i < sk_X509_num(chain); i++) { 1969 ktmp = X509_get0_pubkey(sk_X509_value(chain, i)); 1970 if (ktmp == NULL) { 1971 X509error(X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); 1972 return 0; 1973 } 1974 if (!EVP_PKEY_missing_parameters(ktmp)) 1975 break; 1976 else 1977 ktmp = NULL; 1978 } 1979 if (ktmp == NULL) { 1980 X509error(X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); 1981 return 0; 1982 } 1983 1984 /* first, populate the other certs */ 1985 for (j = i - 1; j >= 0; j--) { 1986 if ((ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j))) == NULL) 1987 return 0; 1988 if (!EVP_PKEY_copy_parameters(ktmp2, ktmp)) 1989 return 0; 1990 } 1991 1992 if (pkey != NULL) 1993 if (!EVP_PKEY_copy_parameters(pkey, ktmp)) 1994 return 0; 1995 return 1; 1996 } 1997 LCRYPTO_ALIAS(X509_get_pubkey_parameters); 1998 1999 int 2000 X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 2001 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 2002 { 2003 /* This function is (usually) called only once, by 2004 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ 2005 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, 2006 argl, argp, new_func, dup_func, free_func); 2007 } 2008 LCRYPTO_ALIAS(X509_STORE_CTX_get_ex_new_index); 2009 2010 int 2011 X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) 2012 { 2013 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); 2014 } 2015 LCRYPTO_ALIAS(X509_STORE_CTX_set_ex_data); 2016 2017 void * 2018 X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) 2019 { 2020 return CRYPTO_get_ex_data(&ctx->ex_data, idx); 2021 } 2022 LCRYPTO_ALIAS(X509_STORE_CTX_get_ex_data); 2023 2024 int 2025 X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) 2026 { 2027 return ctx->error; 2028 } 2029 LCRYPTO_ALIAS(X509_STORE_CTX_get_error); 2030 2031 void 2032 X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) 2033 { 2034 ctx->error = err; 2035 } 2036 LCRYPTO_ALIAS(X509_STORE_CTX_set_error); 2037 2038 int 2039 X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) 2040 { 2041 return ctx->error_depth; 2042 } 2043 LCRYPTO_ALIAS(X509_STORE_CTX_get_error_depth); 2044 2045 void 2046 X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth) 2047 { 2048 ctx->error_depth = depth; 2049 } 2050 LCRYPTO_ALIAS(X509_STORE_CTX_set_error_depth); 2051 2052 X509 * 2053 X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) 2054 { 2055 return ctx->current_cert; 2056 } 2057 LCRYPTO_ALIAS(X509_STORE_CTX_get_current_cert); 2058 2059 void 2060 X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x) 2061 { 2062 ctx->current_cert = x; 2063 } 2064 LCRYPTO_ALIAS(X509_STORE_CTX_set_current_cert); 2065 2066 STACK_OF(X509) * 2067 X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) 2068 { 2069 return ctx->chain; 2070 } 2071 LCRYPTO_ALIAS(X509_STORE_CTX_get_chain); 2072 2073 STACK_OF(X509) * 2074 X509_STORE_CTX_get0_chain(X509_STORE_CTX *xs) 2075 { 2076 return xs->chain; 2077 } 2078 LCRYPTO_ALIAS(X509_STORE_CTX_get0_chain); 2079 2080 STACK_OF(X509) * 2081 X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) 2082 { 2083 int i; 2084 X509 *x; 2085 STACK_OF(X509) *chain; 2086 2087 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) 2088 return NULL; 2089 for (i = 0; i < sk_X509_num(chain); i++) { 2090 x = sk_X509_value(chain, i); 2091 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 2092 } 2093 return chain; 2094 } 2095 LCRYPTO_ALIAS(X509_STORE_CTX_get1_chain); 2096 2097 X509 * 2098 X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) 2099 { 2100 return ctx->current_issuer; 2101 } 2102 LCRYPTO_ALIAS(X509_STORE_CTX_get0_current_issuer); 2103 2104 X509_CRL * 2105 X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) 2106 { 2107 return ctx->current_crl; 2108 } 2109 LCRYPTO_ALIAS(X509_STORE_CTX_get0_current_crl); 2110 2111 X509_STORE_CTX * 2112 X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) 2113 { 2114 return ctx->parent; 2115 } 2116 LCRYPTO_ALIAS(X509_STORE_CTX_get0_parent_ctx); 2117 2118 X509_STORE * 2119 X509_STORE_CTX_get0_store(X509_STORE_CTX *xs) 2120 { 2121 return xs->store; 2122 } 2123 LCRYPTO_ALIAS(X509_STORE_CTX_get0_store); 2124 2125 void 2126 X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) 2127 { 2128 ctx->cert = x; 2129 } 2130 LCRYPTO_ALIAS(X509_STORE_CTX_set_cert); 2131 2132 void 2133 X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2134 { 2135 ctx->untrusted = sk; 2136 } 2137 LCRYPTO_ALIAS(X509_STORE_CTX_set_chain); 2138 2139 void 2140 X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) 2141 { 2142 ctx->crls = sk; 2143 } 2144 LCRYPTO_ALIAS(X509_STORE_CTX_set0_crls); 2145 2146 /* 2147 * This function is used to set the X509_STORE_CTX purpose and trust 2148 * values. This is intended to be used when another structure has its 2149 * own trust and purpose values which (if set) will be inherited by 2150 * the ctx. If they aren't set then we will usually have a default 2151 * purpose in mind which should then be used to set the trust value. 2152 * An example of this is SSL use: an SSL structure will have its own 2153 * purpose and trust settings which the application can set: if they 2154 * aren't set then we use the default of SSL client/server. 2155 */ 2156 int 2157 X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose_id) 2158 { 2159 const X509_PURPOSE *purpose; 2160 int idx; 2161 2162 /* XXX - Match wacky/documented behavior. Do we need to keep this? */ 2163 if (purpose_id == 0) 2164 return 1; 2165 2166 if (purpose_id < X509_PURPOSE_MIN || purpose_id > X509_PURPOSE_MAX) { 2167 X509error(X509_R_UNKNOWN_PURPOSE_ID); 2168 return 0; 2169 } 2170 idx = purpose_id - X509_PURPOSE_MIN; 2171 if ((purpose = X509_PURPOSE_get0(idx)) == NULL) { 2172 X509error(X509_R_UNKNOWN_PURPOSE_ID); 2173 return 0; 2174 } 2175 2176 /* XXX - Succeeding while ignoring purpose_id and trust is awful. */ 2177 if (ctx->param->purpose == 0) 2178 ctx->param->purpose = purpose_id; 2179 if (ctx->param->trust == 0) 2180 ctx->param->trust = X509_PURPOSE_get_trust(purpose); 2181 2182 return 1; 2183 } 2184 LCRYPTO_ALIAS(X509_STORE_CTX_set_purpose); 2185 2186 int 2187 X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust_id) 2188 { 2189 /* XXX - Match wacky/documented behavior. Do we need to keep this? */ 2190 if (trust_id == 0) 2191 return 1; 2192 2193 if (trust_id < X509_TRUST_MIN || trust_id > X509_TRUST_MAX) { 2194 X509error(X509_R_UNKNOWN_TRUST_ID); 2195 return 0; 2196 } 2197 2198 /* XXX - Succeeding while ignoring the trust_id is awful. */ 2199 if (ctx->param->trust == 0) 2200 ctx->param->trust = trust_id; 2201 2202 return 1; 2203 } 2204 LCRYPTO_ALIAS(X509_STORE_CTX_set_trust); 2205 2206 X509_STORE_CTX * 2207 X509_STORE_CTX_new(void) 2208 { 2209 X509_STORE_CTX *ctx; 2210 2211 ctx = calloc(1, sizeof(X509_STORE_CTX)); 2212 if (!ctx) { 2213 X509error(ERR_R_MALLOC_FAILURE); 2214 return NULL; 2215 } 2216 return ctx; 2217 } 2218 LCRYPTO_ALIAS(X509_STORE_CTX_new); 2219 2220 void 2221 X509_STORE_CTX_free(X509_STORE_CTX *ctx) 2222 { 2223 if (ctx == NULL) 2224 return; 2225 2226 X509_STORE_CTX_cleanup(ctx); 2227 free(ctx); 2228 } 2229 LCRYPTO_ALIAS(X509_STORE_CTX_free); 2230 2231 int 2232 X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *leaf, 2233 STACK_OF(X509) *untrusted) 2234 { 2235 int param_ret = 1; 2236 2237 /* 2238 * Make sure everything is initialized properly even in case of an 2239 * early return due to an error. 2240 * 2241 * While this 'ctx' can be reused, X509_STORE_CTX_cleanup() will have 2242 * freed everything and memset ex_data anyway. This also allows us 2243 * to safely use X509_STORE_CTX variables from the stack which will 2244 * have uninitialized data. 2245 */ 2246 memset(ctx, 0, sizeof(*ctx)); 2247 2248 /* 2249 * Start with this set to not valid - it will be set to valid 2250 * in X509_verify_cert. 2251 */ 2252 ctx->error = X509_V_ERR_INVALID_CALL; 2253 2254 /* 2255 * Set values other than 0. Keep this in the same order as 2256 * X509_STORE_CTX except for values that may fail. All fields that 2257 * may fail should go last to make sure 'ctx' is as consistent as 2258 * possible even on early exits. 2259 */ 2260 ctx->store = store; 2261 ctx->cert = leaf; 2262 ctx->untrusted = untrusted; 2263 2264 if (store && store->verify) 2265 ctx->verify = store->verify; 2266 else 2267 ctx->verify = internal_verify; 2268 2269 if (store && store->verify_cb) 2270 ctx->verify_cb = store->verify_cb; 2271 else 2272 ctx->verify_cb = null_callback; 2273 2274 ctx->get_issuer = X509_STORE_CTX_get1_issuer; 2275 ctx->check_issued = check_issued; 2276 2277 ctx->param = X509_VERIFY_PARAM_new(); 2278 if (!ctx->param) { 2279 X509error(ERR_R_MALLOC_FAILURE); 2280 return 0; 2281 } 2282 2283 /* Inherit callbacks and flags from X509_STORE if not set 2284 * use defaults. 2285 */ 2286 if (store) 2287 param_ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); 2288 else 2289 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; 2290 2291 if (param_ret) 2292 param_ret = X509_VERIFY_PARAM_inherit(ctx->param, 2293 X509_VERIFY_PARAM_lookup("default")); 2294 2295 if (param_ret == 0) { 2296 X509error(ERR_R_MALLOC_FAILURE); 2297 return 0; 2298 } 2299 2300 if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, 2301 &ctx->ex_data) == 0) { 2302 X509error(ERR_R_MALLOC_FAILURE); 2303 return 0; 2304 } 2305 return 1; 2306 } 2307 LCRYPTO_ALIAS(X509_STORE_CTX_init); 2308 2309 /* Set alternative lookup method: just a STACK of trusted certificates. 2310 * This avoids X509_STORE nastiness where it isn't needed. 2311 */ 2312 2313 void 2314 X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *trusted) 2315 { 2316 X509_STORE_CTX_set0_trusted_stack(ctx, trusted); 2317 } 2318 LCRYPTO_ALIAS(X509_STORE_CTX_trusted_stack); 2319 2320 void 2321 X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *trusted) 2322 { 2323 ctx->trusted = trusted; 2324 ctx->get_issuer = x509_vfy_get_trusted_issuer; 2325 } 2326 LCRYPTO_ALIAS(X509_STORE_CTX_set0_trusted_stack); 2327 2328 void 2329 X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) 2330 { 2331 if (ctx->param != NULL) { 2332 if (ctx->parent == NULL) 2333 X509_VERIFY_PARAM_free(ctx->param); 2334 ctx->param = NULL; 2335 } 2336 if (ctx->chain != NULL) { 2337 sk_X509_pop_free(ctx->chain, X509_free); 2338 ctx->chain = NULL; 2339 } 2340 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &ctx->ex_data); 2341 memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA)); 2342 } 2343 LCRYPTO_ALIAS(X509_STORE_CTX_cleanup); 2344 2345 void 2346 X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) 2347 { 2348 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 2349 } 2350 LCRYPTO_ALIAS(X509_STORE_CTX_set_depth); 2351 2352 void 2353 X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) 2354 { 2355 X509_VERIFY_PARAM_set_flags(ctx->param, flags); 2356 } 2357 LCRYPTO_ALIAS(X509_STORE_CTX_set_flags); 2358 2359 void 2360 X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) 2361 { 2362 X509_VERIFY_PARAM_set_time(ctx->param, t); 2363 } 2364 LCRYPTO_ALIAS(X509_STORE_CTX_set_time); 2365 2366 int 2367 (*X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx))(int, X509_STORE_CTX *) 2368 { 2369 return ctx->verify_cb; 2370 } 2371 LCRYPTO_ALIAS(X509_STORE_CTX_get_verify_cb); 2372 2373 void 2374 X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 2375 int (*verify_cb)(int, X509_STORE_CTX *)) 2376 { 2377 ctx->verify_cb = verify_cb; 2378 } 2379 LCRYPTO_ALIAS(X509_STORE_CTX_set_verify_cb); 2380 2381 int 2382 (*X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx))(X509_STORE_CTX *) 2383 { 2384 return ctx->verify; 2385 } 2386 LCRYPTO_ALIAS(X509_STORE_CTX_get_verify); 2387 2388 void 2389 X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, int (*verify)(X509_STORE_CTX *)) 2390 { 2391 ctx->verify = verify; 2392 } 2393 LCRYPTO_ALIAS(X509_STORE_CTX_set_verify); 2394 2395 X509_STORE_CTX_check_issued_fn 2396 X509_STORE_get_check_issued(X509_STORE *store) 2397 { 2398 return store->check_issued; 2399 } 2400 LCRYPTO_ALIAS(X509_STORE_get_check_issued); 2401 2402 void 2403 X509_STORE_set_check_issued(X509_STORE *store, 2404 X509_STORE_CTX_check_issued_fn check_issued) 2405 { 2406 store->check_issued = check_issued; 2407 } 2408 LCRYPTO_ALIAS(X509_STORE_set_check_issued); 2409 2410 X509_STORE_CTX_check_issued_fn 2411 X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx) 2412 { 2413 return ctx->check_issued; 2414 } 2415 LCRYPTO_ALIAS(X509_STORE_CTX_get_check_issued); 2416 2417 X509 * 2418 X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) 2419 { 2420 return ctx->cert; 2421 } 2422 LCRYPTO_ALIAS(X509_STORE_CTX_get0_cert); 2423 2424 STACK_OF(X509) * 2425 X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) 2426 { 2427 return ctx->untrusted; 2428 } 2429 LCRYPTO_ALIAS(X509_STORE_CTX_get0_untrusted); 2430 2431 void 2432 X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2433 { 2434 ctx->untrusted = sk; 2435 } 2436 LCRYPTO_ALIAS(X509_STORE_CTX_set0_untrusted); 2437 2438 void 2439 X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 2440 { 2441 sk_X509_pop_free(ctx->chain, X509_free); 2442 ctx->chain = sk; 2443 } 2444 LCRYPTO_ALIAS(X509_STORE_CTX_set0_verified_chain); 2445 2446 int 2447 X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx) 2448 { 2449 return ctx->num_untrusted; 2450 } 2451 LCRYPTO_ALIAS(X509_STORE_CTX_get_num_untrusted); 2452 2453 int 2454 X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) 2455 { 2456 const X509_VERIFY_PARAM *param; 2457 param = X509_VERIFY_PARAM_lookup(name); 2458 if (!param) 2459 return 0; 2460 return X509_VERIFY_PARAM_inherit(ctx->param, param); 2461 } 2462 LCRYPTO_ALIAS(X509_STORE_CTX_set_default); 2463 2464 X509_VERIFY_PARAM * 2465 X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) 2466 { 2467 return ctx->param; 2468 } 2469 LCRYPTO_ALIAS(X509_STORE_CTX_get0_param); 2470 2471 void 2472 X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) 2473 { 2474 if (ctx->param) 2475 X509_VERIFY_PARAM_free(ctx->param); 2476 ctx->param = param; 2477 } 2478 LCRYPTO_ALIAS(X509_STORE_CTX_set0_param); 2479 2480 /* 2481 * Check if |bits| are adequate for |security level|. 2482 * Returns 1 if ok, 0 otherwise. 2483 */ 2484 static int 2485 enough_bits_for_security_level(int bits, int level) 2486 { 2487 /* 2488 * Sigh. OpenSSL does this silly squashing, so we will 2489 * too. Derp for Derp compatibility being important. 2490 */ 2491 if (level < 0) 2492 level = 0; 2493 if (level > 5) 2494 level = 5; 2495 2496 switch (level) { 2497 case 0: 2498 return 1; 2499 case 1: 2500 return bits >= 80; 2501 case 2: 2502 return bits >= 112; 2503 case 3: 2504 return bits >= 128; 2505 case 4: 2506 return bits >= 192; 2507 case 5: 2508 return bits >= 256; 2509 default: 2510 return 0; 2511 } 2512 } 2513 2514 /* 2515 * Check whether the public key of |cert| meets the security level of |ctx|. 2516 * 2517 * Returns 1 on success, 0 otherwise. 2518 */ 2519 static int 2520 check_key_level(X509_STORE_CTX *ctx, X509 *cert) 2521 { 2522 EVP_PKEY *pkey; 2523 int bits; 2524 2525 /* Unsupported or malformed keys are not secure */ 2526 if ((pkey = X509_get0_pubkey(cert)) == NULL) 2527 return 0; 2528 2529 if ((bits = EVP_PKEY_security_bits(pkey)) <= 0) 2530 return 0; 2531 2532 return enough_bits_for_security_level(bits, ctx->param->security_level); 2533 } 2534 2535 /* 2536 * Check whether the signature digest algorithm of |cert| meets the security 2537 * level of |ctx|. Do not check trust anchors (self-signed or not). 2538 * 2539 * Returns 1 on success, 0 otherwise. 2540 */ 2541 static int 2542 check_sig_level(X509_STORE_CTX *ctx, X509 *cert) 2543 { 2544 int bits; 2545 2546 if (!X509_get_signature_info(cert, NULL, NULL, &bits, NULL)) 2547 return 0; 2548 2549 return enough_bits_for_security_level(bits, ctx->param->security_level); 2550 } 2551 2552 int 2553 x509_vfy_check_security_level(X509_STORE_CTX *ctx) 2554 { 2555 int num = sk_X509_num(ctx->chain); 2556 int i; 2557 2558 if (ctx->param->security_level <= 0) 2559 return 1; 2560 2561 for (i = 0; i < num; i++) { 2562 X509 *cert = sk_X509_value(ctx->chain, i); 2563 2564 /* 2565 * We've already checked the security of the leaf key, so here 2566 * we only check the security of issuer keys. 2567 */ 2568 if (i > 0) { 2569 if (!check_key_level(ctx, cert) && 2570 !verify_cb_cert(ctx, cert, i, 2571 X509_V_ERR_CA_KEY_TOO_SMALL)) 2572 return 0; 2573 } 2574 2575 /* 2576 * We also check the signature algorithm security of all certs 2577 * except those of the trust anchor at index num - 1. 2578 */ 2579 if (i == num - 1) 2580 break; 2581 2582 if (!check_sig_level(ctx, cert) && 2583 !verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK)) 2584 return 0; 2585 } 2586 return 1; 2587 } 2588