1 /* $OpenBSD: callback.c,v 1.5 2024/08/23 12:56:26 anton Exp $ */ 2 /* 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <err.h> 20 #include <string.h> 21 22 #include <openssl/bio.h> 23 #include <openssl/err.h> 24 #include <openssl/pem.h> 25 #include <openssl/x509.h> 26 #include <openssl/x509v3.h> 27 28 #include "x509_verify.h" 29 30 #define MODE_MODERN_VFY 0 31 #define MODE_MODERN_VFY_DIR 1 32 #define MODE_LEGACY_VFY 2 33 #define MODE_VERIFY 3 34 35 static int verbose = 1; 36 FILE *output; 37 38 static int 39 passwd_cb(char *buf, int size, int rwflag, void *u) 40 { 41 memset(buf, 0, size); 42 return (0); 43 } 44 45 static int 46 certs_from_file(const char *filename, STACK_OF(X509) **certs) 47 { 48 STACK_OF(X509_INFO) *xis = NULL; 49 STACK_OF(X509) *xs = NULL; 50 BIO *bio = NULL; 51 X509 *x; 52 int i; 53 54 if ((xs = sk_X509_new_null()) == NULL) 55 errx(1, "failed to create X509 stack"); 56 if ((bio = BIO_new_file(filename, "r")) == NULL) { 57 ERR_print_errors_fp(stderr); 58 errx(1, "failed to create bio"); 59 } 60 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, passwd_cb, NULL)) == NULL) 61 errx(1, "failed to read PEM"); 62 63 for (i = 0; i < sk_X509_INFO_num(xis); i++) { 64 if ((x = sk_X509_INFO_value(xis, i)->x509) == NULL) 65 continue; 66 if (!sk_X509_push(xs, x)) 67 errx(1, "failed to push X509"); 68 X509_up_ref(x); 69 } 70 71 *certs = xs; 72 xs = NULL; 73 74 sk_X509_INFO_pop_free(xis, X509_INFO_free); 75 sk_X509_pop_free(xs, X509_free); 76 BIO_free(bio); 77 78 return 1; 79 } 80 81 static int 82 verify_cert_cb(int ok, X509_STORE_CTX *xsc) 83 { 84 X509 *current_cert, *issuer_cert; 85 int verify_err, verify_depth; 86 87 current_cert = X509_STORE_CTX_get_current_cert(xsc); 88 issuer_cert = X509_STORE_CTX_get0_current_issuer(xsc); 89 verify_depth = X509_STORE_CTX_get_error_depth(xsc); 90 verify_err = X509_STORE_CTX_get_error(xsc); 91 fprintf(output, "depth %d error %d", verify_depth, verify_err); 92 fprintf(output, " cert: "); 93 if (current_cert != NULL) { 94 X509_NAME_print_ex_fp(output, 95 X509_get_subject_name(current_cert), 0, 96 XN_FLAG_ONELINE); 97 } else 98 fprintf(output, "NULL"); 99 fprintf(output, " issuer: "); 100 if (issuer_cert != NULL) { 101 X509_NAME_print_ex_fp(output, 102 X509_get_subject_name(issuer_cert), 0, 103 XN_FLAG_ONELINE); 104 } else 105 fprintf(output, "NULL"); 106 fprintf(output, "\n"); 107 108 return ok; 109 } 110 111 static void 112 verify_cert(const char *roots_dir, const char *roots_file, 113 const char *bundle_file, int *chains, int mode) 114 { 115 STACK_OF(X509) *roots = NULL, *bundle = NULL; 116 X509_STORE_CTX *xsc = NULL; 117 X509_STORE *store = NULL; 118 int verify_err, use_dir; 119 X509 *leaf = NULL; 120 121 *chains = 0; 122 use_dir = (mode == MODE_MODERN_VFY_DIR); 123 124 if (!use_dir && !certs_from_file(roots_file, &roots)) 125 errx(1, "failed to load roots from '%s'", roots_file); 126 if (!certs_from_file(bundle_file, &bundle)) 127 errx(1, "failed to load bundle from '%s'", bundle_file); 128 if (sk_X509_num(bundle) < 1) 129 errx(1, "not enough certs in bundle"); 130 leaf = sk_X509_shift(bundle); 131 132 if ((xsc = X509_STORE_CTX_new()) == NULL) 133 errx(1, "X509_STORE_CTX"); 134 if (use_dir && (store = X509_STORE_new()) == NULL) 135 errx(1, "X509_STORE"); 136 if (!X509_STORE_CTX_init(xsc, store, leaf, bundle)) { 137 ERR_print_errors_fp(stderr); 138 errx(1, "failed to init store context"); 139 } 140 if (use_dir) { 141 if (!X509_STORE_load_locations(store, NULL, roots_dir)) 142 errx(1, "failed to set by_dir directory of %s", roots_dir); 143 } 144 if (mode == MODE_LEGACY_VFY) 145 X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_LEGACY_VERIFY); 146 else 147 X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(xsc), 148 X509_V_FLAG_LEGACY_VERIFY); 149 150 if (verbose) 151 X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb); 152 if (!use_dir) 153 X509_STORE_CTX_set0_trusted_stack(xsc, roots); 154 if (X509_verify_cert(xsc) == 1) { 155 *chains = 1; /* XXX */ 156 goto done; 157 } 158 159 verify_err = X509_STORE_CTX_get_error(xsc); 160 if (verify_err == 0) 161 errx(1, "Error unset on failure!"); 162 163 fprintf(stderr, "failed to verify at %d: %s\n", 164 X509_STORE_CTX_get_error_depth(xsc), 165 X509_verify_cert_error_string(verify_err)); 166 167 done: 168 sk_X509_pop_free(roots, X509_free); 169 sk_X509_pop_free(bundle, X509_free); 170 X509_STORE_free(store); 171 X509_STORE_CTX_free(xsc); 172 X509_free(leaf); 173 } 174 175 struct verify_cert_test { 176 const char *id; 177 int want_chains; 178 int failing; 179 }; 180 181 struct verify_cert_test verify_cert_tests[] = { 182 { 183 .id = "1a", 184 .want_chains = 1, 185 }, 186 { 187 .id = "2a", 188 .want_chains = 1, 189 }, 190 { 191 .id = "2b", 192 .want_chains = 0, 193 }, 194 { 195 .id = "2c", 196 .want_chains = 1, 197 }, 198 { 199 .id = "3a", 200 .want_chains = 1, 201 }, 202 { 203 .id = "3b", 204 .want_chains = 0, 205 }, 206 { 207 .id = "3c", 208 .want_chains = 0, 209 }, 210 { 211 .id = "3d", 212 .want_chains = 0, 213 }, 214 { 215 .id = "3e", 216 .want_chains = 1, 217 }, 218 { 219 .id = "4a", 220 .want_chains = 2, 221 }, 222 { 223 .id = "4b", 224 .want_chains = 1, 225 }, 226 { 227 .id = "4c", 228 .want_chains = 1, 229 .failing = 1, 230 }, 231 { 232 .id = "4d", 233 .want_chains = 1, 234 }, 235 { 236 .id = "4e", 237 .want_chains = 1, 238 }, 239 { 240 .id = "4f", 241 .want_chains = 2, 242 }, 243 { 244 .id = "4g", 245 .want_chains = 1, 246 .failing = 1, 247 }, 248 { 249 .id = "4h", 250 .want_chains = 1, 251 }, 252 { 253 .id = "5a", 254 .want_chains = 2, 255 }, 256 { 257 .id = "5b", 258 .want_chains = 1, 259 .failing = 1, 260 }, 261 { 262 .id = "5c", 263 .want_chains = 1, 264 }, 265 { 266 .id = "5d", 267 .want_chains = 1, 268 }, 269 { 270 .id = "5e", 271 .want_chains = 1, 272 .failing = 1, 273 }, 274 { 275 .id = "5f", 276 .want_chains = 1, 277 }, 278 { 279 .id = "5g", 280 .want_chains = 2, 281 }, 282 { 283 .id = "5h", 284 .want_chains = 1, 285 }, 286 { 287 .id = "5i", 288 .want_chains = 1, 289 .failing = 1, 290 }, 291 { 292 .id = "6a", 293 .want_chains = 1, 294 }, 295 { 296 .id = "6b", 297 .want_chains = 1, 298 .failing = 1, 299 }, 300 { 301 .id = "7a", 302 .want_chains = 1, 303 .failing = 1, 304 }, 305 { 306 .id = "7b", 307 .want_chains = 1, 308 }, 309 { 310 .id = "8a", 311 .want_chains = 0, 312 }, 313 { 314 .id = "9a", 315 .want_chains = 0, 316 }, 317 { 318 .id = "10a", 319 .want_chains = 1, 320 }, 321 { 322 .id = "10b", 323 .want_chains = 1, 324 }, 325 { 326 .id = "11a", 327 .want_chains = 1, 328 .failing = 1, 329 }, 330 { 331 .id = "11b", 332 .want_chains = 1, 333 }, 334 { 335 .id = "12a", 336 .want_chains = 1, 337 }, 338 { 339 .id = "13a", 340 .want_chains = 1, 341 .failing = 1, 342 }, 343 }; 344 345 #define N_VERIFY_CERT_TESTS \ 346 (sizeof(verify_cert_tests) / sizeof(*verify_cert_tests)) 347 348 static int 349 verify_cert_test(const char *certs_path, int mode) 350 { 351 char *roots_file, *bundle_file, *roots_dir; 352 struct verify_cert_test *vct; 353 int failed = 0; 354 int chains; 355 size_t i; 356 357 for (i = 0; i < N_VERIFY_CERT_TESTS; i++) { 358 vct = &verify_cert_tests[i]; 359 360 if (asprintf(&roots_file, "%s/%s/roots.pem", certs_path, 361 vct->id) == -1) 362 errx(1, "asprintf"); 363 if (asprintf(&bundle_file, "%s/%s/bundle.pem", certs_path, 364 vct->id) == -1) 365 errx(1, "asprintf"); 366 if (asprintf(&roots_dir, "./%s/roots", vct->id) == -1) 367 errx(1, "asprintf"); 368 369 fprintf(output, "== Test %zu (%s)\n", i, vct->id); 370 fprintf(output, "== Legacy:\n"); 371 mode = MODE_LEGACY_VFY; 372 verify_cert(roots_dir, roots_file, bundle_file, &chains, mode); 373 if ((mode == MODE_VERIFY && chains == vct->want_chains) || 374 (chains == 0 && vct->want_chains == 0) || 375 (chains == 1 && vct->want_chains > 0)) { 376 fprintf(output, "INFO: Succeeded with %d chains%s\n", 377 chains, vct->failing ? " (legacy failure)" : ""); 378 if (mode == MODE_LEGACY_VFY && vct->failing) 379 failed |= 1; 380 } else { 381 fprintf(output, "FAIL: Failed with %d chains%s\n", 382 chains, vct->failing ? " (legacy failure)" : ""); 383 if (!vct->failing) 384 failed |= 1; 385 } 386 fprintf(output, "\n"); 387 fprintf(output, "== Modern:\n"); 388 mode = MODE_MODERN_VFY; 389 verify_cert(roots_dir, roots_file, bundle_file, &chains, mode); 390 if ((mode == MODE_VERIFY && chains == vct->want_chains) || 391 (chains == 0 && vct->want_chains == 0) || 392 (chains == 1 && vct->want_chains > 0)) { 393 fprintf(output, "INFO: Succeeded with %d chains%s\n", 394 chains, vct->failing ? " (legacy failure)" : ""); 395 if (mode == MODE_LEGACY_VFY && vct->failing) 396 failed |= 1; 397 } else { 398 fprintf(output, "FAIL: Failed with %d chains%s\n", 399 chains, vct->failing ? " (legacy failure)" : ""); 400 if (!vct->failing) 401 failed |= 1; 402 } 403 fprintf(output, "\n"); 404 405 free(roots_file); 406 free(bundle_file); 407 free(roots_dir); 408 } 409 410 return failed; 411 } 412 413 int 414 main(int argc, char **argv) 415 { 416 int failed = 0; 417 418 if (argc != 2) { 419 fprintf(stderr, "usage: %s <certs_path>\n", argv[0]); 420 exit(1); 421 } 422 423 output = fopen("callback.out", "w+"); 424 425 fprintf(stderr, "\n\nTesting legacy and modern X509_vfy\n"); 426 failed |= verify_cert_test(argv[1], MODE_LEGACY_VFY); 427 return (failed); 428 } 429