1 /* $OpenBSD: x509_verify.c,v 1.49 2021/09/09 15:09:43 beck Exp $ */ 2 /* 3 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 /* x509_verify - inspired by golang's crypto/x509.Verify */ 19 20 #include <errno.h> 21 #include <stdio.h> 22 #include <string.h> 23 #include <time.h> 24 #include <unistd.h> 25 26 #include <openssl/safestack.h> 27 #include <openssl/x509.h> 28 #include <openssl/x509v3.h> 29 30 #include "x509_internal.h" 31 #include "x509_issuer_cache.h" 32 33 static int x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, 34 struct x509_verify_chain *current_chain); 35 static void x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, 36 struct x509_verify_chain *current_chain, int full_chain); 37 static int x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, 38 size_t depth, int error, int ok); 39 static void x509_verify_chain_free(struct x509_verify_chain *chain); 40 41 #define X509_VERIFY_CERT_HASH (EVP_sha512()) 42 43 struct x509_verify_chain * 44 x509_verify_chain_new(void) 45 { 46 struct x509_verify_chain *chain; 47 48 if ((chain = calloc(1, sizeof(*chain))) == NULL) 49 goto err; 50 if ((chain->certs = sk_X509_new_null()) == NULL) 51 goto err; 52 if ((chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS, 53 sizeof(int))) == NULL) 54 goto err; 55 if ((chain->names = 56 x509_constraints_names_new(X509_VERIFY_MAX_CHAIN_NAMES)) == NULL) 57 goto err; 58 59 return chain; 60 err: 61 x509_verify_chain_free(chain); 62 return NULL; 63 } 64 65 static void 66 x509_verify_chain_clear(struct x509_verify_chain *chain) 67 { 68 sk_X509_pop_free(chain->certs, X509_free); 69 chain->certs = NULL; 70 free(chain->cert_errors); 71 chain->cert_errors = NULL; 72 x509_constraints_names_free(chain->names); 73 chain->names = NULL; 74 } 75 76 static void 77 x509_verify_chain_free(struct x509_verify_chain *chain) 78 { 79 if (chain == NULL) 80 return; 81 x509_verify_chain_clear(chain); 82 free(chain); 83 } 84 85 static struct x509_verify_chain * 86 x509_verify_chain_dup(struct x509_verify_chain *chain) 87 { 88 struct x509_verify_chain *new_chain; 89 90 if ((new_chain = calloc(1, sizeof(*chain))) == NULL) 91 goto err; 92 if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL) 93 goto err; 94 if ((new_chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS, 95 sizeof(int))) == NULL) 96 goto err; 97 memcpy(new_chain->cert_errors, chain->cert_errors, 98 X509_VERIFY_MAX_CHAIN_CERTS * sizeof(int)); 99 if ((new_chain->names = 100 x509_constraints_names_dup(chain->names)) == NULL) 101 goto err; 102 return(new_chain); 103 err: 104 x509_verify_chain_free(new_chain); 105 return NULL; 106 } 107 108 static int 109 x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert, 110 int *error) 111 { 112 int verify_err = X509_V_ERR_UNSPECIFIED; 113 size_t idx; 114 115 if (!x509_constraints_extract_names(chain->names, cert, 116 sk_X509_num(chain->certs) == 0, &verify_err)) { 117 *error = verify_err; 118 return 0; 119 } 120 121 X509_up_ref(cert); 122 if (!sk_X509_push(chain->certs, cert)) { 123 X509_free(cert); 124 *error = X509_V_ERR_OUT_OF_MEM; 125 return 0; 126 } 127 128 idx = sk_X509_num(chain->certs) - 1; 129 chain->cert_errors[idx] = *error; 130 131 /* 132 * We've just added the issuer for the previous certificate, 133 * clear its error if appropriate. 134 */ 135 if (idx > 1 && chain->cert_errors[idx - 1] == 136 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) 137 chain->cert_errors[idx - 1] = X509_V_OK; 138 139 return 1; 140 } 141 142 static X509 * 143 x509_verify_chain_last(struct x509_verify_chain *chain) 144 { 145 int last; 146 147 if (chain->certs == NULL) 148 return NULL; 149 if ((last = sk_X509_num(chain->certs) - 1) < 0) 150 return NULL; 151 return sk_X509_value(chain->certs, last); 152 } 153 154 X509 * 155 x509_verify_chain_leaf(struct x509_verify_chain *chain) 156 { 157 if (chain->certs == NULL) 158 return NULL; 159 return sk_X509_value(chain->certs, 0); 160 } 161 162 static void 163 x509_verify_ctx_reset(struct x509_verify_ctx *ctx) 164 { 165 size_t i; 166 167 for (i = 0; i < ctx->chains_count; i++) 168 x509_verify_chain_free(ctx->chains[i]); 169 sk_X509_pop_free(ctx->saved_error_chain, X509_free); 170 ctx->saved_error = 0; 171 ctx->saved_error_depth = 0; 172 ctx->error = 0; 173 ctx->error_depth = 0; 174 ctx->chains_count = 0; 175 ctx->sig_checks = 0; 176 ctx->check_time = NULL; 177 } 178 179 static void 180 x509_verify_ctx_clear(struct x509_verify_ctx *ctx) 181 { 182 x509_verify_ctx_reset(ctx); 183 sk_X509_pop_free(ctx->intermediates, X509_free); 184 free(ctx->chains); 185 memset(ctx, 0, sizeof(*ctx)); 186 } 187 188 static int 189 x509_verify_cert_cache_extensions(X509 *cert) { 190 if (!(cert->ex_flags & EXFLAG_SET)) { 191 CRYPTO_w_lock(CRYPTO_LOCK_X509); 192 x509v3_cache_extensions(cert); 193 CRYPTO_w_unlock(CRYPTO_LOCK_X509); 194 } 195 if (cert->ex_flags & EXFLAG_INVALID) 196 return 0; 197 return (cert->ex_flags & EXFLAG_SET); 198 } 199 200 static int 201 x509_verify_cert_self_signed(X509 *cert) 202 { 203 return (cert->ex_flags & EXFLAG_SS) ? 1 : 0; 204 } 205 206 static int 207 x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert, 208 int full_chain) 209 { 210 X509 *match = NULL; 211 int i; 212 213 if (!x509_verify_cert_cache_extensions(cert)) 214 return 0; 215 216 /* Check by lookup if we have a legacy xsc */ 217 if (ctx->xsc != NULL) { 218 if ((match = x509_vfy_lookup_cert_match(ctx->xsc, 219 cert)) != NULL) { 220 X509_free(match); 221 return !full_chain || 222 x509_verify_cert_self_signed(cert); 223 } 224 } else { 225 /* Check the provided roots */ 226 for (i = 0; i < sk_X509_num(ctx->roots); i++) { 227 if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) 228 return !full_chain || 229 x509_verify_cert_self_signed(cert); 230 } 231 } 232 233 return 0; 234 } 235 236 static int 237 x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx, 238 struct x509_verify_chain *chain, int set_error, int is_trusted) 239 { 240 size_t num_untrusted; 241 int i; 242 243 if (ctx->xsc == NULL) 244 return 1; 245 246 /* 247 * XXX last_untrusted is actually the number of untrusted certs at the 248 * bottom of the chain. This works now since we stop at the first 249 * trusted cert. This will need fixing once we allow more than one 250 * trusted certificate. 251 */ 252 num_untrusted = sk_X509_num(chain->certs); 253 if (is_trusted && num_untrusted > 0) 254 num_untrusted--; 255 ctx->xsc->last_untrusted = num_untrusted; 256 257 sk_X509_pop_free(ctx->xsc->chain, X509_free); 258 ctx->xsc->chain = X509_chain_up_ref(chain->certs); 259 if (ctx->xsc->chain == NULL) 260 return x509_verify_cert_error(ctx, NULL, 0, 261 X509_V_ERR_OUT_OF_MEM, 0); 262 263 if (set_error) { 264 ctx->xsc->error = X509_V_OK; 265 ctx->xsc->error_depth = 0; 266 for (i = 0; i < sk_X509_num(chain->certs); i++) { 267 if (chain->cert_errors[i] != X509_V_OK) { 268 ctx->xsc->error = chain->cert_errors[i]; 269 ctx->xsc->error_depth = i; 270 break; 271 } 272 } 273 } 274 275 return 1; 276 } 277 278 279 /* 280 * Save the error state and unvalidated chain off of the xsc for 281 * later. 282 */ 283 static int 284 x509_verify_ctx_save_xsc_error(struct x509_verify_ctx *ctx) 285 { 286 if (ctx->xsc != NULL && ctx->xsc->chain != NULL) { 287 sk_X509_pop_free(ctx->saved_error_chain, X509_free); 288 ctx->saved_error_chain = X509_chain_up_ref(ctx->xsc->chain); 289 if (ctx->saved_error_chain == NULL) 290 return x509_verify_cert_error(ctx, NULL, 0, 291 X509_V_ERR_OUT_OF_MEM, 0); 292 ctx->saved_error = ctx->xsc->error; 293 ctx->saved_error_depth = ctx->xsc->error_depth; 294 } 295 return 1; 296 } 297 298 /* 299 * Restore the saved error state and unvalidated chain to the xsc 300 * if we do not have a validated chain. 301 */ 302 static int 303 x509_verify_ctx_restore_xsc_error(struct x509_verify_ctx *ctx) 304 { 305 if (ctx->xsc != NULL && ctx->chains_count == 0 && 306 ctx->saved_error_chain != NULL) { 307 sk_X509_pop_free(ctx->xsc->chain, X509_free); 308 ctx->xsc->chain = X509_chain_up_ref(ctx->saved_error_chain); 309 if (ctx->xsc->chain == NULL) 310 return x509_verify_cert_error(ctx, NULL, 0, 311 X509_V_ERR_OUT_OF_MEM, 0); 312 ctx->xsc->error = ctx->saved_error; 313 ctx->xsc->error_depth = ctx->saved_error_depth; 314 } 315 return 1; 316 } 317 318 /* Perform legacy style validation of a chain */ 319 static int 320 x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx, 321 struct x509_verify_chain *chain, size_t depth) 322 { 323 int ret = 0, trust; 324 325 if (ctx->xsc == NULL) 326 return 1; 327 328 /* 329 * If we have a legacy xsc, choose a validated chain, and 330 * apply the extensions, revocation, and policy checks just 331 * like the legacy code did. We do this here instead of as 332 * building the chains to more easily support the callback and 333 * the bewildering array of VERIFY_PARAM knobs that are there 334 * for the fiddling. 335 */ 336 337 /* These may be set in one of the following calls. */ 338 ctx->xsc->error = X509_V_OK; 339 ctx->xsc->error_depth = 0; 340 341 trust = x509_vfy_check_trust(ctx->xsc); 342 if (trust == X509_TRUST_REJECTED) 343 goto err; 344 345 if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1)) 346 goto err; 347 348 /* 349 * XXX currently this duplicates some work done in chain 350 * build, but we keep it here until we have feature parity 351 */ 352 if (!x509_vfy_check_chain_extensions(ctx->xsc)) 353 goto err; 354 355 if (!x509_constraints_chain(ctx->xsc->chain, 356 &ctx->xsc->error, &ctx->xsc->error_depth)) { 357 X509 *cert = sk_X509_value(ctx->xsc->chain, depth); 358 if (!x509_verify_cert_error(ctx, cert, 359 ctx->xsc->error_depth, ctx->xsc->error, 0)) 360 goto err; 361 } 362 363 if (!x509_vfy_check_revocation(ctx->xsc)) 364 goto err; 365 366 if (!x509_vfy_check_policy(ctx->xsc)) 367 goto err; 368 369 if ((!(ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)) && 370 trust != X509_TRUST_TRUSTED) 371 goto err; 372 373 ret = 1; 374 375 err: 376 /* 377 * The above checks may have set ctx->xsc->error and 378 * ctx->xsc->error_depth - save these for later on. 379 */ 380 if (ctx->xsc->error != X509_V_OK) { 381 if (ctx->xsc->error_depth < 0 || 382 ctx->xsc->error_depth >= X509_VERIFY_MAX_CHAIN_CERTS) 383 return 0; 384 chain->cert_errors[ctx->xsc->error_depth] = 385 ctx->xsc->error; 386 ctx->error_depth = ctx->xsc->error_depth; 387 } 388 389 return ret; 390 } 391 392 /* Add a validated chain to our list of valid chains */ 393 static int 394 x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, 395 struct x509_verify_chain *chain) 396 { 397 size_t depth; 398 X509 *last = x509_verify_chain_last(chain); 399 400 depth = sk_X509_num(chain->certs); 401 if (depth > 0) 402 depth--; 403 404 if (ctx->chains_count >= ctx->max_chains) 405 return x509_verify_cert_error(ctx, last, depth, 406 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0); 407 408 /* Clear a get issuer failure for a root certificate. */ 409 if (chain->cert_errors[depth] == 410 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) 411 chain->cert_errors[depth] = X509_V_OK; 412 413 if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) 414 return 0; 415 416 /* 417 * In the non-legacy code, extensions and purpose are dealt 418 * with as the chain is built. 419 * 420 * The non-legacy api returns multiple chains but does not do 421 * any revocation checking (it must be done by the caller on 422 * any chain they wish to use) 423 */ 424 425 if ((ctx->chains[ctx->chains_count] = x509_verify_chain_dup(chain)) == 426 NULL) { 427 return x509_verify_cert_error(ctx, last, depth, 428 X509_V_ERR_OUT_OF_MEM, 0); 429 } 430 ctx->chains_count++; 431 ctx->error = X509_V_OK; 432 ctx->error_depth = depth; 433 return 1; 434 } 435 436 static int 437 x509_verify_potential_parent(struct x509_verify_ctx *ctx, X509 *parent, 438 X509 *child) 439 { 440 if (!x509_verify_cert_cache_extensions(parent)) 441 return 0; 442 if (ctx->xsc != NULL) 443 return (ctx->xsc->check_issued(ctx->xsc, child, parent)); 444 445 /* XXX key usage */ 446 return X509_check_issued(child, parent) != X509_V_OK; 447 } 448 449 static int 450 x509_verify_parent_signature(X509 *parent, X509 *child, 451 unsigned char *child_md, int *error) 452 { 453 unsigned char parent_md[EVP_MAX_MD_SIZE] = { 0 }; 454 EVP_PKEY *pkey; 455 int cached; 456 int ret = 0; 457 458 /* Use cached value if we have it */ 459 if (child_md != NULL) { 460 if (!X509_digest(parent, X509_VERIFY_CERT_HASH, parent_md, 461 NULL)) 462 return 0; 463 if ((cached = x509_issuer_cache_find(parent_md, child_md)) >= 0) 464 return cached; 465 } 466 467 /* Check signature. Did parent sign child? */ 468 if ((pkey = X509_get_pubkey(parent)) == NULL) { 469 *error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 470 return 0; 471 } 472 if (X509_verify(child, pkey) <= 0) 473 *error = X509_V_ERR_CERT_SIGNATURE_FAILURE; 474 else 475 ret = 1; 476 477 /* Add result to cache */ 478 if (child_md != NULL) 479 x509_issuer_cache_add(parent_md, child_md, ret); 480 481 EVP_PKEY_free(pkey); 482 483 return ret; 484 } 485 486 static int 487 x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert, 488 unsigned char *cert_md, int is_root_cert, X509 *candidate, 489 struct x509_verify_chain *current_chain, int full_chain) 490 { 491 int depth = sk_X509_num(current_chain->certs); 492 struct x509_verify_chain *new_chain; 493 int i; 494 495 /* Fail if the certificate is already in the chain */ 496 for (i = 0; i < sk_X509_num(current_chain->certs); i++) { 497 if (X509_cmp(sk_X509_value(current_chain->certs, i), 498 candidate) == 0) 499 return 0; 500 } 501 502 if (ctx->sig_checks++ > X509_VERIFY_MAX_SIGCHECKS) { 503 /* don't allow callback to override safety check */ 504 (void) x509_verify_cert_error(ctx, candidate, depth, 505 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0); 506 return 0; 507 } 508 509 if (!x509_verify_parent_signature(candidate, cert, cert_md, 510 &ctx->error)) { 511 if (!x509_verify_cert_error(ctx, candidate, depth, 512 ctx->error, 0)) 513 return 0; 514 } 515 516 if (!x509_verify_cert_valid(ctx, candidate, current_chain)) 517 return 0; 518 519 /* candidate is good, add it to a copy of the current chain */ 520 if ((new_chain = x509_verify_chain_dup(current_chain)) == NULL) { 521 x509_verify_cert_error(ctx, candidate, depth, 522 X509_V_ERR_OUT_OF_MEM, 0); 523 return 0; 524 } 525 if (!x509_verify_chain_append(new_chain, candidate, &ctx->error)) { 526 x509_verify_cert_error(ctx, candidate, depth, ctx->error, 0); 527 x509_verify_chain_free(new_chain); 528 return 0; 529 } 530 531 /* 532 * If candidate is a trusted root, we have a validated chain, 533 * so we save it. Otherwise, recurse until we find a root or 534 * give up. 535 */ 536 if (is_root_cert) { 537 if (!x509_verify_ctx_set_xsc_chain(ctx, new_chain, 0, 1)) { 538 x509_verify_chain_free(new_chain); 539 return 0; 540 } 541 if (!x509_verify_ctx_add_chain(ctx, new_chain)) { 542 x509_verify_chain_free(new_chain); 543 return 0; 544 } 545 goto done; 546 } 547 548 x509_verify_build_chains(ctx, candidate, new_chain, full_chain); 549 550 done: 551 x509_verify_chain_free(new_chain); 552 return 1; 553 } 554 555 static int 556 x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, size_t depth, 557 int error, int ok) 558 { 559 ctx->error = error; 560 ctx->error_depth = depth; 561 if (ctx->xsc != NULL) { 562 ctx->xsc->error = error; 563 ctx->xsc->error_depth = depth; 564 ctx->xsc->current_cert = cert; 565 return ctx->xsc->verify_cb(ok, ctx->xsc); 566 } 567 return ok; 568 } 569 570 static void 571 x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, 572 struct x509_verify_chain *current_chain, int full_chain) 573 { 574 unsigned char cert_md[EVP_MAX_MD_SIZE] = { 0 }; 575 X509 *candidate; 576 int i, depth, count, ret, is_root; 577 578 /* 579 * If we are finding chains with an xsc, just stop after we have 580 * one chain, there's no point in finding more, it just exercises 581 * the potentially buggy callback processing in the calling software. 582 */ 583 if (ctx->xsc != NULL && ctx->chains_count > 0) 584 return; 585 586 depth = sk_X509_num(current_chain->certs); 587 if (depth > 0) 588 depth--; 589 590 if (depth >= ctx->max_depth && 591 !x509_verify_cert_error(ctx, cert, depth, 592 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0)) 593 return; 594 595 if (!X509_digest(cert, X509_VERIFY_CERT_HASH, cert_md, NULL) && 596 !x509_verify_cert_error(ctx, cert, depth, 597 X509_V_ERR_UNSPECIFIED, 0)) 598 return; 599 600 count = ctx->chains_count; 601 602 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 603 ctx->error_depth = depth; 604 605 if (ctx->saved_error != 0) 606 ctx->error = ctx->saved_error; 607 if (ctx->saved_error_depth != 0) 608 ctx->error_depth = ctx->saved_error_depth; 609 610 if (ctx->xsc != NULL) { 611 /* 612 * Long ago experiments at Muppet labs resulted in a 613 * situation where software not only sees these errors 614 * but forced developers to expect them in certain cases. 615 * so we must mimic this awfulness for the legacy case. 616 */ 617 if (cert->ex_flags & EXFLAG_SS) 618 ctx->error = (depth == 0) ? 619 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 620 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 621 } 622 623 /* Check for legacy mode roots */ 624 if (ctx->xsc != NULL) { 625 if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { 626 x509_verify_cert_error(ctx, cert, depth, 627 X509_V_ERR_STORE_LOOKUP, 0); 628 return; 629 } 630 if (ret > 0) { 631 if (x509_verify_potential_parent(ctx, candidate, cert)) { 632 is_root = !full_chain || 633 x509_verify_cert_self_signed(candidate); 634 x509_verify_consider_candidate(ctx, cert, 635 cert_md, is_root, candidate, current_chain, 636 full_chain); 637 } 638 X509_free(candidate); 639 } 640 } else { 641 /* Check to see if we have a trusted root issuer. */ 642 for (i = 0; i < sk_X509_num(ctx->roots); i++) { 643 candidate = sk_X509_value(ctx->roots, i); 644 if (x509_verify_potential_parent(ctx, candidate, cert)) { 645 is_root = !full_chain || 646 x509_verify_cert_self_signed(candidate); 647 x509_verify_consider_candidate(ctx, cert, 648 cert_md, is_root, candidate, current_chain, 649 full_chain); 650 } 651 } 652 } 653 654 /* Check intermediates after checking roots */ 655 if (ctx->intermediates != NULL) { 656 for (i = 0; i < sk_X509_num(ctx->intermediates); i++) { 657 candidate = sk_X509_value(ctx->intermediates, i); 658 if (x509_verify_potential_parent(ctx, candidate, cert)) { 659 x509_verify_consider_candidate(ctx, cert, 660 cert_md, 0, candidate, current_chain, 661 full_chain); 662 } 663 } 664 } 665 666 if (ctx->chains_count > count) { 667 if (ctx->xsc != NULL) { 668 ctx->xsc->error = X509_V_OK; 669 ctx->xsc->error_depth = depth; 670 ctx->xsc->current_cert = cert; 671 } 672 } else if (ctx->error_depth == depth) { 673 if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0, 0)) 674 return; 675 } 676 } 677 678 static int 679 x509_verify_cert_hostname(struct x509_verify_ctx *ctx, X509 *cert, char *name) 680 { 681 char *candidate; 682 size_t len; 683 684 if (name == NULL) { 685 if (ctx->xsc != NULL) { 686 int ret; 687 688 if ((ret = x509_vfy_check_id(ctx->xsc)) == 0) 689 ctx->error = ctx->xsc->error; 690 return ret; 691 } 692 return 1; 693 } 694 if ((candidate = strdup(name)) == NULL) { 695 ctx->error = X509_V_ERR_OUT_OF_MEM; 696 goto err; 697 } 698 if ((len = strlen(candidate)) < 1) { 699 ctx->error = X509_V_ERR_UNSPECIFIED; /* XXX */ 700 goto err; 701 } 702 703 /* IP addresses may be written in [ ]. */ 704 if (candidate[0] == '[' && candidate[len - 1] == ']') { 705 candidate[len - 1] = '\0'; 706 if (X509_check_ip_asc(cert, candidate + 1, 0) <= 0) { 707 ctx->error = X509_V_ERR_IP_ADDRESS_MISMATCH; 708 goto err; 709 } 710 } else { 711 int flags = 0; 712 713 if (ctx->xsc == NULL) 714 flags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; 715 716 if (X509_check_host(cert, candidate, len, flags, NULL) <= 0) { 717 ctx->error = X509_V_ERR_HOSTNAME_MISMATCH; 718 goto err; 719 } 720 } 721 free(candidate); 722 return 1; 723 err: 724 free(candidate); 725 return x509_verify_cert_error(ctx, cert, 0, ctx->error, 0); 726 } 727 728 static int 729 x509_verify_set_check_time(struct x509_verify_ctx *ctx) { 730 if (ctx->xsc != NULL) { 731 if (ctx->xsc->param->flags & X509_V_FLAG_USE_CHECK_TIME) { 732 ctx->check_time = &ctx->xsc->param->check_time; 733 return 1; 734 } 735 if (ctx->xsc->param->flags & X509_V_FLAG_NO_CHECK_TIME) 736 return 0; 737 } 738 739 ctx->check_time = NULL; 740 return 1; 741 } 742 743 int 744 x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter) 745 { 746 int type; 747 748 type = ASN1_time_parse(atime->data, atime->length, tm, atime->type); 749 if (type == -1) 750 return 0; 751 752 /* RFC 5280 section 4.1.2.5 */ 753 if (tm->tm_year < 150 && type != V_ASN1_UTCTIME) 754 return 0; 755 if (tm->tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME) 756 return 0; 757 758 if (notafter) { 759 /* 760 * If we are a completely broken operating system with a 761 * 32 bit time_t, and we have been told this is a notafter 762 * date, limit the date to a 32 bit representable value. 763 */ 764 if (!ASN1_time_tm_clamp_notafter(tm)) 765 return 0; 766 } 767 768 /* 769 * Defensively fail if the time string is not representable as 770 * a time_t. A time_t must be sane if you care about times after 771 * Jan 19 2038. 772 */ 773 if (timegm(tm) == -1) 774 return 0; 775 776 return 1; 777 } 778 779 static int 780 x509_verify_cert_time(int is_notafter, const ASN1_TIME *cert_asn1, 781 time_t *cmp_time, int *error) 782 { 783 struct tm cert_tm, when_tm; 784 time_t when; 785 786 if (cmp_time == NULL) 787 when = time(NULL); 788 else 789 when = *cmp_time; 790 791 if (!x509_verify_asn1_time_to_tm(cert_asn1, &cert_tm, 792 is_notafter)) { 793 *error = is_notafter ? 794 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD : 795 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 796 return 0; 797 } 798 799 if (gmtime_r(&when, &when_tm) == NULL) { 800 *error = X509_V_ERR_UNSPECIFIED; 801 return 0; 802 } 803 804 if (is_notafter) { 805 if (ASN1_time_tm_cmp(&cert_tm, &when_tm) == -1) { 806 *error = X509_V_ERR_CERT_HAS_EXPIRED; 807 return 0; 808 } 809 } else { 810 if (ASN1_time_tm_cmp(&cert_tm, &when_tm) == 1) { 811 *error = X509_V_ERR_CERT_NOT_YET_VALID; 812 return 0; 813 } 814 } 815 816 return 1; 817 } 818 819 static int 820 x509_verify_validate_constraints(X509 *cert, 821 struct x509_verify_chain *current_chain, int *error) 822 { 823 struct x509_constraints_names *excluded = NULL; 824 struct x509_constraints_names *permitted = NULL; 825 int err = X509_V_ERR_UNSPECIFIED; 826 827 if (current_chain == NULL) 828 return 1; 829 830 if (cert->nc != NULL) { 831 if ((permitted = x509_constraints_names_new( 832 X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) { 833 err = X509_V_ERR_OUT_OF_MEM; 834 goto err; 835 } 836 if ((excluded = x509_constraints_names_new( 837 X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) { 838 err = X509_V_ERR_OUT_OF_MEM; 839 goto err; 840 } 841 if (!x509_constraints_extract_constraints(cert, 842 permitted, excluded, &err)) 843 goto err; 844 if (!x509_constraints_check(current_chain->names, 845 permitted, excluded, &err)) 846 goto err; 847 x509_constraints_names_free(excluded); 848 x509_constraints_names_free(permitted); 849 } 850 851 return 1; 852 err: 853 *error = err; 854 x509_constraints_names_free(excluded); 855 x509_constraints_names_free(permitted); 856 return 0; 857 } 858 859 static int 860 x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca) 861 { 862 if (!x509_verify_cert_cache_extensions(cert)) { 863 ctx->error = X509_V_ERR_UNSPECIFIED; 864 return 0; 865 } 866 867 if (ctx->xsc != NULL) 868 return 1; /* legacy is checked after chain is built */ 869 870 if (cert->ex_flags & EXFLAG_CRITICAL) { 871 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 872 return 0; 873 } 874 /* No we don't care about v1, netscape, and other ancient silliness */ 875 if (need_ca && (!(cert->ex_flags & EXFLAG_BCONS) && 876 (cert->ex_flags & EXFLAG_CA))) { 877 ctx->error = X509_V_ERR_INVALID_CA; 878 return 0; 879 } 880 if (ctx->purpose > 0 && X509_check_purpose(cert, ctx->purpose, need_ca)) { 881 ctx->error = X509_V_ERR_INVALID_PURPOSE; 882 return 0; 883 } 884 885 /* XXX support proxy certs later in new api */ 886 if (ctx->xsc == NULL && cert->ex_flags & EXFLAG_PROXY) { 887 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; 888 return 0; 889 } 890 891 return 1; 892 } 893 894 /* Validate that cert is a possible candidate to append to current_chain */ 895 static int 896 x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, 897 struct x509_verify_chain *current_chain) 898 { 899 X509 *issuer_candidate; 900 int should_be_ca = current_chain != NULL; 901 size_t depth = 0; 902 903 if (current_chain != NULL) 904 depth = sk_X509_num(current_chain->certs); 905 906 if (!x509_verify_cert_extensions(ctx, cert, should_be_ca)) 907 return 0; 908 909 if (should_be_ca) { 910 issuer_candidate = x509_verify_chain_last(current_chain); 911 if (issuer_candidate != NULL && 912 !X509_check_issued(issuer_candidate, cert)) 913 if (!x509_verify_cert_error(ctx, cert, depth, 914 X509_V_ERR_SUBJECT_ISSUER_MISMATCH, 0)) 915 return 0; 916 } 917 918 if (x509_verify_set_check_time(ctx)) { 919 if (!x509_verify_cert_time(0, X509_get_notBefore(cert), 920 ctx->check_time, &ctx->error)) { 921 if (!x509_verify_cert_error(ctx, cert, depth, 922 ctx->error, 0)) 923 return 0; 924 } 925 926 if (!x509_verify_cert_time(1, X509_get_notAfter(cert), 927 ctx->check_time, &ctx->error)) { 928 if (!x509_verify_cert_error(ctx, cert, depth, 929 ctx->error, 0)) 930 return 0; 931 } 932 } 933 934 if (!x509_verify_validate_constraints(cert, current_chain, 935 &ctx->error) && !x509_verify_cert_error(ctx, cert, depth, 936 ctx->error, 0)) 937 return 0; 938 939 return 1; 940 } 941 942 struct x509_verify_ctx * 943 x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc) 944 { 945 struct x509_verify_ctx *ctx; 946 size_t max_depth; 947 948 if (xsc == NULL) 949 return NULL; 950 951 if ((ctx = x509_verify_ctx_new(NULL)) == NULL) 952 return NULL; 953 954 ctx->xsc = xsc; 955 956 if (xsc->untrusted && 957 (ctx->intermediates = X509_chain_up_ref(xsc->untrusted)) == NULL) 958 goto err; 959 960 max_depth = X509_VERIFY_MAX_CHAIN_CERTS; 961 if (xsc->param->depth > 0 && xsc->param->depth < X509_VERIFY_MAX_CHAIN_CERTS) 962 max_depth = xsc->param->depth; 963 if (!x509_verify_ctx_set_max_depth(ctx, max_depth)) 964 goto err; 965 966 return ctx; 967 err: 968 x509_verify_ctx_free(ctx); 969 return NULL; 970 } 971 972 /* Public API */ 973 974 struct x509_verify_ctx * 975 x509_verify_ctx_new(STACK_OF(X509) *roots) 976 { 977 struct x509_verify_ctx *ctx; 978 979 if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL) 980 return NULL; 981 982 if (roots != NULL) { 983 if ((ctx->roots = X509_chain_up_ref(roots)) == NULL) 984 goto err; 985 } else { 986 if ((ctx->roots = sk_X509_new_null()) == NULL) 987 goto err; 988 } 989 990 ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS; 991 ctx->max_chains = X509_VERIFY_MAX_CHAINS; 992 ctx->max_sigs = X509_VERIFY_MAX_SIGCHECKS; 993 994 if ((ctx->chains = calloc(X509_VERIFY_MAX_CHAINS, 995 sizeof(*ctx->chains))) == NULL) 996 goto err; 997 998 return ctx; 999 err: 1000 x509_verify_ctx_free(ctx); 1001 return NULL; 1002 } 1003 1004 void 1005 x509_verify_ctx_free(struct x509_verify_ctx *ctx) 1006 { 1007 if (ctx == NULL) 1008 return; 1009 sk_X509_pop_free(ctx->roots, X509_free); 1010 x509_verify_ctx_clear(ctx); 1011 free(ctx); 1012 } 1013 1014 int 1015 x509_verify_ctx_set_max_depth(struct x509_verify_ctx *ctx, size_t max) 1016 { 1017 if (max < 1 || max > X509_VERIFY_MAX_CHAIN_CERTS) 1018 return 0; 1019 ctx->max_depth = max; 1020 return 1; 1021 } 1022 1023 int 1024 x509_verify_ctx_set_max_chains(struct x509_verify_ctx *ctx, size_t max) 1025 { 1026 if (max < 1 || max > X509_VERIFY_MAX_CHAINS) 1027 return 0; 1028 ctx->max_chains = max; 1029 return 1; 1030 } 1031 1032 int 1033 x509_verify_ctx_set_max_signatures(struct x509_verify_ctx *ctx, size_t max) 1034 { 1035 if (max < 1 || max > 100000) 1036 return 0; 1037 ctx->max_sigs = max; 1038 return 1; 1039 } 1040 1041 int 1042 x509_verify_ctx_set_purpose(struct x509_verify_ctx *ctx, int purpose) 1043 { 1044 if (purpose < X509_PURPOSE_MIN || purpose > X509_PURPOSE_MAX) 1045 return 0; 1046 ctx->purpose = purpose; 1047 return 1; 1048 } 1049 1050 int 1051 x509_verify_ctx_set_intermediates(struct x509_verify_ctx *ctx, 1052 STACK_OF(X509) *intermediates) 1053 { 1054 if ((ctx->intermediates = X509_chain_up_ref(intermediates)) == NULL) 1055 return 0; 1056 return 1; 1057 } 1058 1059 const char * 1060 x509_verify_ctx_error_string(struct x509_verify_ctx *ctx) 1061 { 1062 return X509_verify_cert_error_string(ctx->error); 1063 } 1064 1065 size_t 1066 x509_verify_ctx_error_depth(struct x509_verify_ctx *ctx) 1067 { 1068 return ctx->error_depth; 1069 } 1070 1071 STACK_OF(X509) * 1072 x509_verify_ctx_chain(struct x509_verify_ctx *ctx, size_t i) 1073 { 1074 if (i >= ctx->chains_count) 1075 return NULL; 1076 return ctx->chains[i]->certs; 1077 } 1078 1079 size_t 1080 x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) 1081 { 1082 struct x509_verify_chain *current_chain; 1083 int retry_chain_build, full_chain = 0; 1084 1085 if (ctx->roots == NULL || ctx->max_depth == 0) { 1086 ctx->error = X509_V_ERR_INVALID_CALL; 1087 goto err; 1088 } 1089 1090 if (ctx->xsc != NULL) { 1091 if (leaf != NULL || name != NULL) { 1092 ctx->error = X509_V_ERR_INVALID_CALL; 1093 goto err; 1094 } 1095 leaf = ctx->xsc->cert; 1096 1097 /* XXX */ 1098 full_chain = 1; 1099 if (ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN) 1100 full_chain = 0; 1101 /* 1102 * XXX 1103 * The legacy code expects the top level cert to be 1104 * there, even if we didn't find a chain. So put it 1105 * there, we will clobber it later if we find a valid 1106 * chain. 1107 */ 1108 if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) { 1109 ctx->error = X509_V_ERR_OUT_OF_MEM; 1110 goto err; 1111 } 1112 if (!X509_up_ref(leaf)) { 1113 ctx->error = X509_V_ERR_OUT_OF_MEM; 1114 goto err; 1115 } 1116 if (!sk_X509_push(ctx->xsc->chain, leaf)) { 1117 X509_free(leaf); 1118 ctx->error = X509_V_ERR_OUT_OF_MEM; 1119 goto err; 1120 } 1121 ctx->xsc->error_depth = 0; 1122 ctx->xsc->current_cert = leaf; 1123 } 1124 1125 if (!x509_verify_cert_valid(ctx, leaf, NULL)) 1126 goto err; 1127 1128 if (!x509_verify_cert_hostname(ctx, leaf, name)) 1129 goto err; 1130 1131 if ((current_chain = x509_verify_chain_new()) == NULL) { 1132 ctx->error = X509_V_ERR_OUT_OF_MEM; 1133 goto err; 1134 } 1135 if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) { 1136 x509_verify_chain_free(current_chain); 1137 goto err; 1138 } 1139 do { 1140 retry_chain_build = 0; 1141 if (x509_verify_ctx_cert_is_root(ctx, leaf, full_chain)) { 1142 if (!x509_verify_ctx_add_chain(ctx, current_chain)) { 1143 x509_verify_chain_free(current_chain); 1144 goto err; 1145 } 1146 } else { 1147 x509_verify_build_chains(ctx, leaf, current_chain, 1148 full_chain); 1149 if (full_chain && ctx->chains_count == 0) { 1150 /* 1151 * Save the error state from the xsc 1152 * at this point to put back on the 1153 * xsc in case we do not find a chain 1154 * that is trusted but not a full 1155 * chain to a self signed root. This 1156 * is because the unvalidated chain is 1157 * used by the autochain batshittery 1158 * on failure and will be needed for 1159 * that. 1160 */ 1161 if (!x509_verify_ctx_save_xsc_error(ctx)) { 1162 x509_verify_chain_free(current_chain); 1163 goto err; 1164 } 1165 full_chain = 0; 1166 retry_chain_build = 1; 1167 } 1168 } 1169 } while (retry_chain_build); 1170 1171 x509_verify_chain_free(current_chain); 1172 1173 /* 1174 * Bring back the failure case we wanted to the xsc if 1175 * we saved one. 1176 */ 1177 if (!x509_verify_ctx_restore_xsc_error(ctx)) 1178 goto err; 1179 1180 /* 1181 * Safety net: 1182 * We could not find a validated chain, and for some reason do not 1183 * have an error set. 1184 */ 1185 if (ctx->chains_count == 0 && ctx->error == X509_V_OK) { 1186 ctx->error = X509_V_ERR_UNSPECIFIED; 1187 if (ctx->xsc != NULL && ctx->xsc->error != X509_V_OK) 1188 ctx->error = ctx->xsc->error; 1189 } 1190 1191 /* Clear whatever errors happened if we have any validated chain */ 1192 if (ctx->chains_count > 0) 1193 ctx->error = X509_V_OK; 1194 1195 if (ctx->xsc != NULL) { 1196 ctx->xsc->error = ctx->error; 1197 if (ctx->chains_count > 0) { 1198 /* Take the first chain we found. */ 1199 if (!x509_verify_ctx_set_xsc_chain(ctx, ctx->chains[0], 1200 1, 1)) 1201 goto err; 1202 ctx->xsc->error = X509_V_OK; 1203 /* 1204 * Call the callback indicating success up our already 1205 * verified chain. The callback could still tell us to 1206 * fail. 1207 */ 1208 if(!x509_vfy_callback_indicate_success(ctx->xsc)) { 1209 /* The callback can change the error code */ 1210 ctx->error = ctx->xsc->error; 1211 goto err; 1212 } 1213 } else { 1214 /* 1215 * We had a failure, indicate the failure, but 1216 * allow the callback to override at depth 0 1217 */ 1218 if (ctx->xsc->verify_cb(0, ctx->xsc)) { 1219 ctx->xsc->error = X509_V_OK; 1220 return 1; 1221 } 1222 } 1223 } 1224 return (ctx->chains_count); 1225 1226 err: 1227 if (ctx->error == X509_V_OK) 1228 ctx->error = X509_V_ERR_UNSPECIFIED; 1229 if (ctx->xsc != NULL) 1230 ctx->xsc->error = ctx->error; 1231 return 0; 1232 } 1233