1 /* $OpenBSD: x509_verify.c,v 1.25 2020/12/16 18:46:29 tb Exp $ */ 2 /* 3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 /* x509_verify - inspired by golang's crypto/x509.Verify */ 19 20 #include <errno.h> 21 #include <stdio.h> 22 #include <string.h> 23 #include <time.h> 24 #include <unistd.h> 25 26 #include <openssl/safestack.h> 27 #include <openssl/x509.h> 28 #include <openssl/x509v3.h> 29 30 #include "x509_internal.h" 31 #include "x509_issuer_cache.h" 32 33 static int x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, 34 struct x509_verify_chain *current_chain); 35 static void x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, 36 struct x509_verify_chain *current_chain); 37 static int x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, 38 size_t depth, int error, int ok); 39 static void x509_verify_chain_free(struct x509_verify_chain *chain); 40 41 #define X509_VERIFY_CERT_HASH (EVP_sha512()) 42 43 struct x509_verify_chain * 44 x509_verify_chain_new(void) 45 { 46 struct x509_verify_chain *chain; 47 48 if ((chain = calloc(1, sizeof(*chain))) == NULL) 49 goto err; 50 if ((chain->certs = sk_X509_new_null()) == NULL) 51 goto err; 52 if ((chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS, 53 sizeof(int))) == NULL) 54 goto err; 55 if ((chain->names = x509_constraints_names_new()) == NULL) 56 goto err; 57 58 return chain; 59 err: 60 x509_verify_chain_free(chain); 61 return NULL; 62 } 63 64 static void 65 x509_verify_chain_clear(struct x509_verify_chain *chain) 66 { 67 sk_X509_pop_free(chain->certs, X509_free); 68 chain->certs = NULL; 69 free(chain->cert_errors); 70 chain->cert_errors = NULL; 71 x509_constraints_names_free(chain->names); 72 chain->names = NULL; 73 } 74 75 static void 76 x509_verify_chain_free(struct x509_verify_chain *chain) 77 { 78 if (chain == NULL) 79 return; 80 x509_verify_chain_clear(chain); 81 free(chain); 82 } 83 84 static struct x509_verify_chain * 85 x509_verify_chain_dup(struct x509_verify_chain *chain) 86 { 87 struct x509_verify_chain *new_chain; 88 89 if ((new_chain = calloc(1, sizeof(*chain))) == NULL) 90 goto err; 91 if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL) 92 goto err; 93 if ((new_chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS, 94 sizeof(int))) == NULL) 95 goto err; 96 memcpy(new_chain->cert_errors, chain->cert_errors, 97 X509_VERIFY_MAX_CHAIN_CERTS * sizeof(int)); 98 if ((new_chain->names = 99 x509_constraints_names_dup(chain->names)) == NULL) 100 goto err; 101 return(new_chain); 102 err: 103 x509_verify_chain_free(new_chain); 104 return NULL; 105 } 106 107 static int 108 x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert, 109 int *error) 110 { 111 int verify_err = X509_V_ERR_UNSPECIFIED; 112 size_t idx; 113 114 if (!x509_constraints_extract_names(chain->names, cert, 115 sk_X509_num(chain->certs) == 0, &verify_err)) { 116 *error = verify_err; 117 return 0; 118 } 119 120 X509_up_ref(cert); 121 if (!sk_X509_push(chain->certs, cert)) { 122 X509_free(cert); 123 *error = X509_V_ERR_OUT_OF_MEM; 124 return 0; 125 } 126 127 idx = sk_X509_num(chain->certs) - 1; 128 chain->cert_errors[idx] = *error; 129 130 /* 131 * We've just added the issuer for the previous certificate, 132 * clear its error if appropriate. 133 */ 134 if (idx > 1 && chain->cert_errors[idx - 1] == 135 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) 136 chain->cert_errors[idx - 1] = X509_V_OK; 137 138 return 1; 139 } 140 141 static X509 * 142 x509_verify_chain_last(struct x509_verify_chain *chain) 143 { 144 int last; 145 146 if (chain->certs == NULL) 147 return NULL; 148 if ((last = sk_X509_num(chain->certs) - 1) < 0) 149 return NULL; 150 return sk_X509_value(chain->certs, last); 151 } 152 153 X509 * 154 x509_verify_chain_leaf(struct x509_verify_chain *chain) 155 { 156 if (chain->certs == NULL) 157 return NULL; 158 return sk_X509_value(chain->certs, 0); 159 } 160 161 static void 162 x509_verify_ctx_reset(struct x509_verify_ctx *ctx) 163 { 164 size_t i; 165 166 for (i = 0; i < ctx->chains_count; i++) 167 x509_verify_chain_free(ctx->chains[i]); 168 ctx->error = 0; 169 ctx->error_depth = 0; 170 ctx->chains_count = 0; 171 ctx->sig_checks = 0; 172 ctx->check_time = NULL; 173 } 174 175 static void 176 x509_verify_ctx_clear(struct x509_verify_ctx *ctx) 177 { 178 x509_verify_ctx_reset(ctx); 179 sk_X509_pop_free(ctx->intermediates, X509_free); 180 free(ctx->chains); 181 memset(ctx, 0, sizeof(*ctx)); 182 } 183 184 static int 185 x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert) 186 { 187 int i; 188 189 for (i = 0; i < sk_X509_num(ctx->roots); i++) { 190 if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) 191 return 1; 192 } 193 return 0; 194 } 195 196 static int 197 x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx, 198 struct x509_verify_chain *chain, int set_error) 199 { 200 X509 *last = x509_verify_chain_last(chain); 201 size_t depth; 202 int i; 203 204 if (ctx->xsc == NULL) 205 return 1; 206 207 depth = sk_X509_num(chain->certs); 208 if (depth > 0) 209 depth--; 210 211 ctx->xsc->last_untrusted = depth ? depth - 1 : 0; 212 sk_X509_pop_free(ctx->xsc->chain, X509_free); 213 ctx->xsc->chain = X509_chain_up_ref(chain->certs); 214 if (ctx->xsc->chain == NULL) 215 return x509_verify_cert_error(ctx, last, depth, 216 X509_V_ERR_OUT_OF_MEM, 0); 217 218 if (set_error) { 219 ctx->xsc->error = X509_V_OK; 220 ctx->xsc->error_depth = 0; 221 for (i = 0; i < sk_X509_num(chain->certs); i++) { 222 if (chain->cert_errors[i] != X509_V_OK) { 223 ctx->xsc->error = chain->cert_errors[i]; 224 ctx->xsc->error_depth = i; 225 break; 226 } 227 } 228 } 229 230 return 1; 231 } 232 233 /* Add a validated chain to our list of valid chains */ 234 static int 235 x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, 236 struct x509_verify_chain *chain) 237 { 238 size_t depth; 239 X509 *last = x509_verify_chain_last(chain); 240 241 depth = sk_X509_num(chain->certs); 242 if (depth > 0) 243 depth--; 244 245 if (ctx->chains_count >= ctx->max_chains) 246 return x509_verify_cert_error(ctx, last, depth, 247 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0); 248 249 /* Clear a get issuer failure for a root certificate. */ 250 if (chain->cert_errors[depth] == 251 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) 252 chain->cert_errors[depth] = X509_V_OK; 253 254 /* 255 * If we have a legacy xsc, choose a validated chain, 256 * and apply the extensions, revocation, and policy checks 257 * just like the legacy code did. We do this here instead 258 * of as building the chains to more easily support the 259 * callback and the bewildering array of VERIFY_PARAM 260 * knobs that are there for the fiddling. 261 */ 262 if (ctx->xsc != NULL) { 263 /* These may be set in one of the following calls. */ 264 ctx->xsc->error = X509_V_OK; 265 ctx->xsc->error_depth = 0; 266 267 if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0)) 268 return 0; 269 270 /* 271 * XXX currently this duplicates some work done 272 * in chain build, but we keep it here until 273 * we have feature parity 274 */ 275 if (!x509_vfy_check_chain_extensions(ctx->xsc)) 276 return 0; 277 278 if (!x509_constraints_chain(ctx->xsc->chain, 279 &ctx->xsc->error, &ctx->xsc->error_depth)) { 280 X509 *cert = sk_X509_value(ctx->xsc->chain, depth); 281 if (!x509_verify_cert_error(ctx, cert, 282 ctx->xsc->error_depth, ctx->xsc->error, 0)) 283 return 0; 284 } 285 286 if (!x509_vfy_check_revocation(ctx->xsc)) 287 return 0; 288 289 if (!x509_vfy_check_policy(ctx->xsc)) 290 return 0; 291 292 /* 293 * The above checks may have set ctx->xsc->error and 294 * ctx->xsc->error_depth - save these for later on. 295 */ 296 if (ctx->xsc->error != X509_V_OK) { 297 if (ctx->xsc->error_depth < 0 || 298 ctx->xsc->error_depth >= X509_VERIFY_MAX_CHAIN_CERTS) 299 return 0; 300 chain->cert_errors[ctx->xsc->error_depth] = 301 ctx->xsc->error; 302 } 303 } 304 /* 305 * no xsc means we are being called from the non-legacy API, 306 * extensions and purpose are dealt with as the chain is built. 307 * 308 * The non-legacy api returns multiple chains but does not do 309 * any revocation checking (it must be done by the caller on 310 * any chain they wish to use) 311 */ 312 313 if ((ctx->chains[ctx->chains_count] = x509_verify_chain_dup(chain)) == 314 NULL) { 315 return x509_verify_cert_error(ctx, last, depth, 316 X509_V_ERR_OUT_OF_MEM, 0); 317 } 318 ctx->chains_count++; 319 ctx->error = X509_V_OK; 320 ctx->error_depth = depth; 321 return 1; 322 } 323 324 static int 325 x509_verify_potential_parent(struct x509_verify_ctx *ctx, X509 *parent, 326 X509 *child) 327 { 328 if (ctx->xsc != NULL) 329 return (ctx->xsc->check_issued(ctx->xsc, child, parent)); 330 331 /* XXX key usage */ 332 return X509_check_issued(child, parent) != X509_V_OK; 333 } 334 335 static int 336 x509_verify_parent_signature(X509 *parent, X509 *child, 337 unsigned char *child_md, int *error) 338 { 339 unsigned char parent_md[EVP_MAX_MD_SIZE] = { 0 }; 340 EVP_PKEY *pkey; 341 int cached; 342 int ret = 0; 343 344 /* Use cached value if we have it */ 345 if (child_md != NULL) { 346 if (!X509_digest(parent, X509_VERIFY_CERT_HASH, parent_md, 347 NULL)) 348 return 0; 349 if ((cached = x509_issuer_cache_find(parent_md, child_md)) >= 0) 350 return cached; 351 } 352 353 /* Check signature. Did parent sign child? */ 354 if ((pkey = X509_get_pubkey(parent)) == NULL) { 355 *error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; 356 return 0; 357 } 358 if (X509_verify(child, pkey) <= 0) 359 *error = X509_V_ERR_CERT_SIGNATURE_FAILURE; 360 else 361 ret = 1; 362 363 /* Add result to cache */ 364 if (child_md != NULL) 365 x509_issuer_cache_add(parent_md, child_md, ret); 366 367 EVP_PKEY_free(pkey); 368 369 return ret; 370 } 371 372 static int 373 x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert, 374 unsigned char *cert_md, int is_root_cert, X509 *candidate, 375 struct x509_verify_chain *current_chain) 376 { 377 int depth = sk_X509_num(current_chain->certs); 378 struct x509_verify_chain *new_chain; 379 int i; 380 381 /* Fail if the certificate is already in the chain */ 382 for (i = 0; i < sk_X509_num(current_chain->certs); i++) { 383 if (X509_cmp(sk_X509_value(current_chain->certs, i), 384 candidate) == 0) 385 return 0; 386 } 387 388 if (ctx->sig_checks++ > X509_VERIFY_MAX_SIGCHECKS) { 389 /* don't allow callback to override safety check */ 390 (void) x509_verify_cert_error(ctx, candidate, depth, 391 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0); 392 return 0; 393 } 394 395 if (!x509_verify_parent_signature(candidate, cert, cert_md, 396 &ctx->error)) { 397 if (!x509_verify_cert_error(ctx, candidate, depth, 398 ctx->error, 0)) 399 return 0; 400 } 401 402 if (!x509_verify_cert_valid(ctx, candidate, current_chain)) 403 return 0; 404 405 /* candidate is good, add it to a copy of the current chain */ 406 if ((new_chain = x509_verify_chain_dup(current_chain)) == NULL) { 407 x509_verify_cert_error(ctx, candidate, depth, 408 X509_V_ERR_OUT_OF_MEM, 0); 409 return 0; 410 } 411 if (!x509_verify_chain_append(new_chain, candidate, &ctx->error)) { 412 x509_verify_cert_error(ctx, candidate, depth, ctx->error, 0); 413 x509_verify_chain_free(new_chain); 414 return 0; 415 } 416 417 /* 418 * If candidate is a trusted root, we have a validated chain, 419 * so we save it. Otherwise, recurse until we find a root or 420 * give up. 421 */ 422 if (is_root_cert) { 423 if (!x509_verify_ctx_set_xsc_chain(ctx, new_chain, 0)) { 424 x509_verify_chain_free(new_chain); 425 return 0; 426 } 427 if (x509_verify_cert_error(ctx, candidate, depth, X509_V_OK, 1)) { 428 (void) x509_verify_ctx_add_chain(ctx, new_chain); 429 goto done; 430 } 431 } 432 433 x509_verify_build_chains(ctx, candidate, new_chain); 434 435 done: 436 x509_verify_chain_free(new_chain); 437 return 1; 438 } 439 440 static int 441 x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, size_t depth, 442 int error, int ok) 443 { 444 ctx->error = error; 445 ctx->error_depth = depth; 446 if (ctx->xsc != NULL) { 447 ctx->xsc->error = error; 448 ctx->xsc->error_depth = depth; 449 ctx->xsc->current_cert = cert; 450 return ctx->xsc->verify_cb(ok, ctx->xsc); 451 } 452 return ok; 453 } 454 455 static void 456 x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, 457 struct x509_verify_chain *current_chain) 458 { 459 unsigned char cert_md[EVP_MAX_MD_SIZE] = { 0 }; 460 X509 *candidate; 461 int i, depth, count, ret; 462 463 depth = sk_X509_num(current_chain->certs); 464 if (depth > 0) 465 depth--; 466 467 if (depth >= ctx->max_depth && 468 !x509_verify_cert_error(ctx, cert, depth, 469 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0)) 470 return; 471 472 if (!X509_digest(cert, X509_VERIFY_CERT_HASH, cert_md, NULL) && 473 !x509_verify_cert_error(ctx, cert, depth, 474 X509_V_ERR_UNSPECIFIED, 0)) 475 return; 476 477 count = ctx->chains_count; 478 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; 479 ctx->error_depth = depth; 480 if (ctx->xsc != NULL) { 481 /* 482 * Long ago experiments at Muppet labs resulted in a 483 * situation where software not only sees these errors 484 * but forced developers to expect them in certain cases. 485 * so we must mimic this awfulness for the legacy case. 486 */ 487 if (cert->ex_flags & EXFLAG_SS) 488 ctx->error = (depth == 0) ? 489 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 490 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 491 } 492 493 for (i = 0; i < sk_X509_num(ctx->roots); i++) { 494 candidate = sk_X509_value(ctx->roots, i); 495 if (x509_verify_potential_parent(ctx, candidate, cert)) { 496 x509_verify_consider_candidate(ctx, cert, 497 cert_md, 1, candidate, current_chain); 498 } 499 } 500 if (ctx->intermediates != NULL) { 501 for (i = 0; i < sk_X509_num(ctx->intermediates); i++) { 502 candidate = sk_X509_value(ctx->intermediates, i); 503 if (x509_verify_potential_parent(ctx, candidate, cert)) { 504 x509_verify_consider_candidate(ctx, cert, 505 cert_md, 0, candidate, current_chain); 506 } 507 } 508 } 509 if (ctx->xsc != NULL) { 510 if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { 511 x509_verify_cert_error(ctx, cert, depth, 512 X509_V_ERR_STORE_LOOKUP, 0); 513 return; 514 } 515 if (ret > 0) { 516 if (x509_verify_potential_parent(ctx, candidate, cert)) { 517 x509_verify_consider_candidate(ctx, cert, 518 cert_md, 1, candidate, current_chain); 519 } 520 X509_free(candidate); 521 } 522 } 523 524 if (ctx->chains_count > count) { 525 if (ctx->xsc != NULL) { 526 ctx->xsc->error = X509_V_OK; 527 ctx->xsc->error_depth = depth; 528 ctx->xsc->current_cert = cert; 529 (void) ctx->xsc->verify_cb(1, ctx->xsc); 530 } 531 } else if (ctx->error_depth == depth) { 532 (void) x509_verify_cert_error(ctx, cert, depth, 533 ctx->error, 0); 534 } 535 } 536 537 static int 538 x509_verify_cert_hostname(struct x509_verify_ctx *ctx, X509 *cert, char *name) 539 { 540 char *candidate; 541 size_t len; 542 543 if (name == NULL) { 544 if (ctx->xsc != NULL) { 545 int ret; 546 547 if ((ret = x509_vfy_check_id(ctx->xsc)) == 0) 548 ctx->error = ctx->xsc->error; 549 return ret; 550 } 551 return 1; 552 } 553 if ((candidate = strdup(name)) == NULL) { 554 ctx->error = X509_V_ERR_OUT_OF_MEM; 555 goto err; 556 } 557 if ((len = strlen(candidate)) < 1) { 558 ctx->error = X509_V_ERR_UNSPECIFIED; /* XXX */ 559 goto err; 560 } 561 562 /* IP addresses may be written in [ ]. */ 563 if (candidate[0] == '[' && candidate[len - 1] == ']') { 564 candidate[len - 1] = '\0'; 565 if (X509_check_ip_asc(cert, candidate + 1, 0) <= 0) { 566 ctx->error = X509_V_ERR_IP_ADDRESS_MISMATCH; 567 goto err; 568 } 569 } else { 570 int flags = 0; 571 572 if (ctx->xsc == NULL) 573 flags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; 574 575 if (X509_check_host(cert, candidate, len, flags, NULL) <= 0) { 576 ctx->error = X509_V_ERR_HOSTNAME_MISMATCH; 577 goto err; 578 } 579 } 580 free(candidate); 581 return 1; 582 err: 583 free(candidate); 584 return x509_verify_cert_error(ctx, cert, 0, ctx->error, 0); 585 } 586 587 static int 588 x509_verify_set_check_time(struct x509_verify_ctx *ctx) { 589 if (ctx->xsc != NULL) { 590 if (ctx->xsc->param->flags & X509_V_FLAG_USE_CHECK_TIME) { 591 ctx->check_time = &ctx->xsc->param->check_time; 592 return 1; 593 } 594 if (ctx->xsc->param->flags & X509_V_FLAG_NO_CHECK_TIME) 595 return 0; 596 } 597 598 ctx->check_time = NULL; 599 return 1; 600 } 601 602 int 603 x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter) 604 { 605 int type; 606 607 type = ASN1_time_parse(atime->data, atime->length, tm, atime->type); 608 if (type == -1) 609 return 0; 610 611 /* RFC 5280 section 4.1.2.5 */ 612 if (tm->tm_year < 150 && type != V_ASN1_UTCTIME) 613 return 0; 614 if (tm->tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME) 615 return 0; 616 617 if (notafter) { 618 /* 619 * If we are a completely broken operating system with a 620 * 32 bit time_t, and we have been told this is a notafter 621 * date, limit the date to a 32 bit representable value. 622 */ 623 if (!ASN1_time_tm_clamp_notafter(tm)) 624 return 0; 625 } 626 627 /* 628 * Defensively fail if the time string is not representable as 629 * a time_t. A time_t must be sane if you care about times after 630 * Jan 19 2038. 631 */ 632 if (timegm(tm) == -1) 633 return 0; 634 635 return 1; 636 } 637 638 static int 639 x509_verify_cert_time(int is_notafter, const ASN1_TIME *cert_asn1, 640 time_t *cmp_time, int *error) 641 { 642 struct tm cert_tm, when_tm; 643 time_t when; 644 645 if (cmp_time == NULL) 646 when = time(NULL); 647 else 648 when = *cmp_time; 649 650 if (!x509_verify_asn1_time_to_tm(cert_asn1, &cert_tm, 651 is_notafter)) { 652 *error = is_notafter ? 653 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD : 654 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; 655 return 0; 656 } 657 658 if (gmtime_r(&when, &when_tm) == NULL) { 659 *error = X509_V_ERR_UNSPECIFIED; 660 return 0; 661 } 662 663 if (is_notafter) { 664 if (ASN1_time_tm_cmp(&cert_tm, &when_tm) == -1) { 665 *error = X509_V_ERR_CERT_HAS_EXPIRED; 666 return 0; 667 } 668 } else { 669 if (ASN1_time_tm_cmp(&cert_tm, &when_tm) == 1) { 670 *error = X509_V_ERR_CERT_NOT_YET_VALID; 671 return 0; 672 } 673 } 674 675 return 1; 676 } 677 678 static int 679 x509_verify_validate_constraints(X509 *cert, 680 struct x509_verify_chain *current_chain, int *error) 681 { 682 struct x509_constraints_names *excluded = NULL; 683 struct x509_constraints_names *permitted = NULL; 684 int err = X509_V_ERR_UNSPECIFIED; 685 686 if (current_chain == NULL) 687 return 1; 688 689 if (cert->nc != NULL) { 690 if ((permitted = x509_constraints_names_new()) == NULL) { 691 err = X509_V_ERR_OUT_OF_MEM; 692 goto err; 693 } 694 if ((excluded = x509_constraints_names_new()) == NULL) { 695 err = X509_V_ERR_OUT_OF_MEM; 696 goto err; 697 } 698 if (!x509_constraints_extract_constraints(cert, 699 permitted, excluded, &err)) 700 goto err; 701 if (!x509_constraints_check(current_chain->names, 702 permitted, excluded, &err)) 703 goto err; 704 x509_constraints_names_free(excluded); 705 x509_constraints_names_free(permitted); 706 } 707 708 return 1; 709 err: 710 *error = err; 711 x509_constraints_names_free(excluded); 712 x509_constraints_names_free(permitted); 713 return 0; 714 } 715 716 static int 717 x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca) 718 { 719 if (!(cert->ex_flags & EXFLAG_SET)) { 720 CRYPTO_w_lock(CRYPTO_LOCK_X509); 721 x509v3_cache_extensions(cert); 722 CRYPTO_w_unlock(CRYPTO_LOCK_X509); 723 } 724 725 if (ctx->xsc != NULL) 726 return 1; /* legacy is checked after chain is built */ 727 728 if (cert->ex_flags & EXFLAG_CRITICAL) { 729 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; 730 return 0; 731 } 732 /* No we don't care about v1, netscape, and other ancient silliness */ 733 if (need_ca && (!(cert->ex_flags & EXFLAG_BCONS) && 734 (cert->ex_flags & EXFLAG_CA))) { 735 ctx->error = X509_V_ERR_INVALID_CA; 736 return 0; 737 } 738 if (ctx->purpose > 0 && X509_check_purpose(cert, ctx->purpose, need_ca)) { 739 ctx->error = X509_V_ERR_INVALID_PURPOSE; 740 return 0; 741 } 742 743 /* XXX support proxy certs later in new api */ 744 if (ctx->xsc == NULL && cert->ex_flags & EXFLAG_PROXY) { 745 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; 746 return 0; 747 } 748 749 return 1; 750 } 751 752 /* Validate that cert is a possible candidate to append to current_chain */ 753 static int 754 x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, 755 struct x509_verify_chain *current_chain) 756 { 757 X509 *issuer_candidate; 758 int should_be_ca = current_chain != NULL; 759 size_t depth = 0; 760 761 if (current_chain != NULL) 762 depth = sk_X509_num(current_chain->certs); 763 764 if (!x509_verify_cert_extensions(ctx, cert, should_be_ca)) 765 return 0; 766 767 if (should_be_ca) { 768 issuer_candidate = x509_verify_chain_last(current_chain); 769 if (issuer_candidate != NULL && 770 !X509_check_issued(issuer_candidate, cert)) 771 if (!x509_verify_cert_error(ctx, cert, depth, 772 X509_V_ERR_SUBJECT_ISSUER_MISMATCH, 0)) 773 return 0; 774 } 775 776 if (x509_verify_set_check_time(ctx)) { 777 if (!x509_verify_cert_time(0, X509_get_notBefore(cert), 778 ctx->check_time, &ctx->error)) { 779 if (!x509_verify_cert_error(ctx, cert, depth, 780 ctx->error, 0)) 781 return 0; 782 } 783 784 if (!x509_verify_cert_time(1, X509_get_notAfter(cert), 785 ctx->check_time, &ctx->error)) { 786 if (!x509_verify_cert_error(ctx, cert, depth, 787 ctx->error, 0)) 788 return 0; 789 } 790 } 791 792 if (!x509_verify_validate_constraints(cert, current_chain, 793 &ctx->error) && !x509_verify_cert_error(ctx, cert, depth, 794 ctx->error, 0)) 795 return 0; 796 797 return 1; 798 } 799 800 struct x509_verify_ctx * 801 x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots) 802 { 803 struct x509_verify_ctx *ctx; 804 size_t max_depth; 805 806 if (xsc == NULL) 807 return NULL; 808 809 if ((ctx = x509_verify_ctx_new(roots)) == NULL) 810 return NULL; 811 812 ctx->xsc = xsc; 813 814 if (xsc->untrusted && 815 (ctx->intermediates = X509_chain_up_ref(xsc->untrusted)) == NULL) 816 goto err; 817 818 max_depth = X509_VERIFY_MAX_CHAIN_CERTS; 819 if (xsc->param->depth > 0 && xsc->param->depth < X509_VERIFY_MAX_CHAIN_CERTS) 820 max_depth = xsc->param->depth; 821 if (!x509_verify_ctx_set_max_depth(ctx, max_depth)) 822 goto err; 823 824 return ctx; 825 err: 826 x509_verify_ctx_free(ctx); 827 return NULL; 828 } 829 830 /* Public API */ 831 832 struct x509_verify_ctx * 833 x509_verify_ctx_new(STACK_OF(X509) *roots) 834 { 835 struct x509_verify_ctx *ctx; 836 837 if (roots == NULL) 838 return NULL; 839 840 if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL) 841 return NULL; 842 843 if ((ctx->roots = X509_chain_up_ref(roots)) == NULL) 844 goto err; 845 846 ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS; 847 ctx->max_chains = X509_VERIFY_MAX_CHAINS; 848 ctx->max_sigs = X509_VERIFY_MAX_SIGCHECKS; 849 850 if ((ctx->chains = calloc(X509_VERIFY_MAX_CHAINS, 851 sizeof(*ctx->chains))) == NULL) 852 goto err; 853 854 return ctx; 855 err: 856 x509_verify_ctx_free(ctx); 857 return NULL; 858 } 859 860 void 861 x509_verify_ctx_free(struct x509_verify_ctx *ctx) 862 { 863 if (ctx == NULL) 864 return; 865 sk_X509_pop_free(ctx->roots, X509_free); 866 x509_verify_ctx_clear(ctx); 867 free(ctx); 868 } 869 870 int 871 x509_verify_ctx_set_max_depth(struct x509_verify_ctx *ctx, size_t max) 872 { 873 if (max < 1 || max > X509_VERIFY_MAX_CHAIN_CERTS) 874 return 0; 875 ctx->max_depth = max; 876 return 1; 877 } 878 879 int 880 x509_verify_ctx_set_max_chains(struct x509_verify_ctx *ctx, size_t max) 881 { 882 if (max < 1 || max > X509_VERIFY_MAX_CHAINS) 883 return 0; 884 ctx->max_chains = max; 885 return 1; 886 } 887 888 int 889 x509_verify_ctx_set_max_signatures(struct x509_verify_ctx *ctx, size_t max) 890 { 891 if (max < 1 || max > 100000) 892 return 0; 893 ctx->max_sigs = max; 894 return 1; 895 } 896 897 int 898 x509_verify_ctx_set_purpose(struct x509_verify_ctx *ctx, int purpose) 899 { 900 if (purpose < X509_PURPOSE_MIN || purpose > X509_PURPOSE_MAX) 901 return 0; 902 ctx->purpose = purpose; 903 return 1; 904 } 905 906 int 907 x509_verify_ctx_set_intermediates(struct x509_verify_ctx *ctx, 908 STACK_OF(X509) *intermediates) 909 { 910 if ((ctx->intermediates = X509_chain_up_ref(intermediates)) == NULL) 911 return 0; 912 return 1; 913 } 914 915 const char * 916 x509_verify_ctx_error_string(struct x509_verify_ctx *ctx) 917 { 918 return X509_verify_cert_error_string(ctx->error); 919 } 920 921 size_t 922 x509_verify_ctx_error_depth(struct x509_verify_ctx *ctx) 923 { 924 return ctx->error_depth; 925 } 926 927 STACK_OF(X509) * 928 x509_verify_ctx_chain(struct x509_verify_ctx *ctx, size_t i) 929 { 930 if (i >= ctx->chains_count) 931 return NULL; 932 return ctx->chains[i]->certs; 933 } 934 935 size_t 936 x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) 937 { 938 struct x509_verify_chain *current_chain; 939 940 if (ctx->roots == NULL || ctx->max_depth == 0) { 941 ctx->error = X509_V_ERR_INVALID_CALL; 942 goto err; 943 } 944 945 if (ctx->xsc != NULL) { 946 if (leaf != NULL || name != NULL) { 947 ctx->error = X509_V_ERR_INVALID_CALL; 948 goto err; 949 } 950 leaf = ctx->xsc->cert; 951 952 /* 953 * XXX 954 * The legacy code expects the top level cert to be 955 * there, even if we didn't find a chain. So put it 956 * there, we will clobber it later if we find a valid 957 * chain. 958 */ 959 if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) { 960 ctx->error = X509_V_ERR_OUT_OF_MEM; 961 goto err; 962 } 963 if (!X509_up_ref(leaf)) { 964 ctx->error = X509_V_ERR_OUT_OF_MEM; 965 goto err; 966 } 967 if (!sk_X509_push(ctx->xsc->chain, leaf)) { 968 X509_free(leaf); 969 ctx->error = X509_V_ERR_OUT_OF_MEM; 970 goto err; 971 } 972 ctx->xsc->error_depth = 0; 973 ctx->xsc->current_cert = leaf; 974 } 975 976 if (!x509_verify_cert_valid(ctx, leaf, NULL)) 977 goto err; 978 979 if (!x509_verify_cert_hostname(ctx, leaf, name)) 980 goto err; 981 982 if ((current_chain = x509_verify_chain_new()) == NULL) { 983 ctx->error = X509_V_ERR_OUT_OF_MEM; 984 goto err; 985 } 986 if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) { 987 x509_verify_chain_free(current_chain); 988 goto err; 989 } 990 if (x509_verify_ctx_cert_is_root(ctx, leaf)) 991 x509_verify_ctx_add_chain(ctx, current_chain); 992 else 993 x509_verify_build_chains(ctx, leaf, current_chain); 994 995 x509_verify_chain_free(current_chain); 996 997 /* 998 * Safety net: 999 * We could not find a validated chain, and for some reason do not 1000 * have an error set. 1001 */ 1002 if (ctx->chains_count == 0 && ctx->error == X509_V_OK) { 1003 ctx->error = X509_V_ERR_UNSPECIFIED; 1004 if (ctx->xsc != NULL && ctx->xsc->error != X509_V_OK) 1005 ctx->error = ctx->xsc->error; 1006 } 1007 1008 /* Clear whatever errors happened if we have any validated chain */ 1009 if (ctx->chains_count > 0) 1010 ctx->error = X509_V_OK; 1011 1012 if (ctx->xsc != NULL) { 1013 ctx->xsc->error = ctx->error; 1014 if (ctx->chains_count > 0) { 1015 /* Take the first chain we found. */ 1016 if (!x509_verify_ctx_set_xsc_chain(ctx, ctx->chains[0], 1)) 1017 goto err; 1018 } 1019 return ctx->xsc->verify_cb(ctx->chains_count > 0, ctx->xsc); 1020 } 1021 return (ctx->chains_count); 1022 1023 err: 1024 if (ctx->error == X509_V_OK) 1025 ctx->error = X509_V_ERR_UNSPECIFIED; 1026 if (ctx->xsc != NULL) 1027 ctx->xsc->error = ctx->error; 1028 return 0; 1029 } 1030