OLD | NEW |
1 /* crypto/x509/x509_vfy.c */ | 1 /* crypto/x509/x509_vfy.c */ |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 * All rights reserved. | 3 * All rights reserved. |
4 * | 4 * |
5 * This package is an SSL implementation written | 5 * This package is an SSL implementation written |
6 * by Eric Young (eay@cryptsoft.com). | 6 * by Eric Young (eay@cryptsoft.com). |
7 * The implementation was written so as to conform with Netscapes SSL. | 7 * The implementation was written so as to conform with Netscapes SSL. |
8 * | 8 * |
9 * This library is free for commercial and non-commercial use as long as | 9 * This library is free for commercial and non-commercial use as long as |
10 * the following conditions are aheared to. The following conditions | 10 * the following conditions are aheared to. The following conditions |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
63 #include "cryptlib.h" | 63 #include "cryptlib.h" |
64 #include <openssl/crypto.h> | 64 #include <openssl/crypto.h> |
65 #include <openssl/lhash.h> | 65 #include <openssl/lhash.h> |
66 #include <openssl/buffer.h> | 66 #include <openssl/buffer.h> |
67 #include <openssl/evp.h> | 67 #include <openssl/evp.h> |
68 #include <openssl/asn1.h> | 68 #include <openssl/asn1.h> |
69 #include <openssl/x509.h> | 69 #include <openssl/x509.h> |
70 #include <openssl/x509v3.h> | 70 #include <openssl/x509v3.h> |
71 #include <openssl/objects.h> | 71 #include <openssl/objects.h> |
72 | 72 |
| 73 /* CRL score values */ |
| 74 |
| 75 /* No unhandled critical extensions */ |
| 76 |
| 77 #define CRL_SCORE_NOCRITICAL 0x100 |
| 78 |
| 79 /* certificate is within CRL scope */ |
| 80 |
| 81 #define CRL_SCORE_SCOPE 0x080 |
| 82 |
| 83 /* CRL times valid */ |
| 84 |
| 85 #define CRL_SCORE_TIME 0x040 |
| 86 |
| 87 /* Issuer name matches certificate */ |
| 88 |
| 89 #define CRL_SCORE_ISSUER_NAME 0x020 |
| 90 |
| 91 /* If this score or above CRL is probably valid */ |
| 92 |
| 93 #define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE) |
| 94 |
| 95 /* CRL issuer is certificate issuer */ |
| 96 |
| 97 #define CRL_SCORE_ISSUER_CERT 0x018 |
| 98 |
| 99 /* CRL issuer is on certificate path */ |
| 100 |
| 101 #define CRL_SCORE_SAME_PATH 0x008 |
| 102 |
| 103 /* CRL issuer matches CRL AKID */ |
| 104 |
| 105 #define CRL_SCORE_AKID 0x004 |
| 106 |
| 107 /* Have a delta CRL with valid times */ |
| 108 |
| 109 #define CRL_SCORE_TIME_DELTA 0x002 |
| 110 |
73 static int null_callback(int ok,X509_STORE_CTX *e); | 111 static int null_callback(int ok,X509_STORE_CTX *e); |
74 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); | 112 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); |
75 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); | 113 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); |
76 static int check_chain_extensions(X509_STORE_CTX *ctx); | 114 static int check_chain_extensions(X509_STORE_CTX *ctx); |
| 115 static int check_name_constraints(X509_STORE_CTX *ctx); |
77 static int check_trust(X509_STORE_CTX *ctx); | 116 static int check_trust(X509_STORE_CTX *ctx); |
78 static int check_revocation(X509_STORE_CTX *ctx); | 117 static int check_revocation(X509_STORE_CTX *ctx); |
79 static int check_cert(X509_STORE_CTX *ctx); | 118 static int check_cert(X509_STORE_CTX *ctx); |
80 static int check_policy(X509_STORE_CTX *ctx); | 119 static int check_policy(X509_STORE_CTX *ctx); |
| 120 |
| 121 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, |
| 122 unsigned int *preasons, |
| 123 X509_CRL *crl, X509 *x); |
| 124 static int get_crl_delta(X509_STORE_CTX *ctx, |
| 125 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); |
| 126 static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, |
| 127 X509_CRL *base, STACK_OF(X509_CRL) *crls); |
| 128 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, |
| 129 X509 **pissuer, int *pcrl_score); |
| 130 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, |
| 131 unsigned int *preasons); |
| 132 static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); |
| 133 static int check_crl_chain(X509_STORE_CTX *ctx, |
| 134 STACK_OF(X509) *cert_path, |
| 135 STACK_OF(X509) *crl_path); |
| 136 |
81 static int internal_verify(X509_STORE_CTX *ctx); | 137 static int internal_verify(X509_STORE_CTX *ctx); |
82 const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; | 138 const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; |
83 | 139 |
84 | 140 |
85 static int null_callback(int ok, X509_STORE_CTX *e) | 141 static int null_callback(int ok, X509_STORE_CTX *e) |
86 { | 142 { |
87 return ok; | 143 return ok; |
88 } | 144 } |
89 | 145 |
90 #if 0 | 146 #if 0 |
(...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
282 bad_chain = 1; | 338 bad_chain = 1; |
283 ok=cb(0,ctx); | 339 ok=cb(0,ctx); |
284 if (!ok) goto end; | 340 if (!ok) goto end; |
285 } | 341 } |
286 | 342 |
287 /* We have the chain complete: now we need to check its purpose */ | 343 /* We have the chain complete: now we need to check its purpose */ |
288 ok = check_chain_extensions(ctx); | 344 ok = check_chain_extensions(ctx); |
289 | 345 |
290 if (!ok) goto end; | 346 if (!ok) goto end; |
291 | 347 |
| 348 /* Check name constraints */ |
| 349 |
| 350 ok = check_name_constraints(ctx); |
| 351 |
| 352 if (!ok) goto end; |
| 353 |
292 /* The chain extensions are OK: check trust */ | 354 /* The chain extensions are OK: check trust */ |
293 | 355 |
294 if (param->trust > 0) ok = check_trust(ctx); | 356 if (param->trust > 0) ok = check_trust(ctx); |
295 | 357 |
296 if (!ok) goto end; | 358 if (!ok) goto end; |
297 | 359 |
298 /* We may as well copy down any DSA parameters that are required */ | 360 /* We may as well copy down any DSA parameters that are required */ |
299 X509_get_pubkey_parameters(NULL,ctx->chain); | 361 X509_get_pubkey_parameters(NULL,ctx->chain); |
300 | 362 |
301 /* Check revocation status: we do this after copying parameters | 363 /* Check revocation status: we do this after copying parameters |
(...skipping 89 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
391 | 453 |
392 static int check_chain_extensions(X509_STORE_CTX *ctx) | 454 static int check_chain_extensions(X509_STORE_CTX *ctx) |
393 { | 455 { |
394 #ifdef OPENSSL_NO_CHAIN_VERIFY | 456 #ifdef OPENSSL_NO_CHAIN_VERIFY |
395 return 1; | 457 return 1; |
396 #else | 458 #else |
397 int i, ok=0, must_be_ca, plen = 0; | 459 int i, ok=0, must_be_ca, plen = 0; |
398 X509 *x; | 460 X509 *x; |
399 int (*cb)(int xok,X509_STORE_CTX *xctx); | 461 int (*cb)(int xok,X509_STORE_CTX *xctx); |
400 int proxy_path_length = 0; | 462 int proxy_path_length = 0; |
401 » int allow_proxy_certs = | 463 » int purpose; |
402 » » !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); | 464 » int allow_proxy_certs; |
403 cb=ctx->verify_cb; | 465 cb=ctx->verify_cb; |
404 | 466 |
405 /* must_be_ca can have 1 of 3 values: | 467 /* must_be_ca can have 1 of 3 values: |
406 -1: we accept both CA and non-CA certificates, to allow direct | 468 -1: we accept both CA and non-CA certificates, to allow direct |
407 use of self-signed certificates (which are marked as CA). | 469 use of self-signed certificates (which are marked as CA). |
408 0: we only accept non-CA certificates. This is currently not | 470 0: we only accept non-CA certificates. This is currently not |
409 used, but the possibility is present for future extensions. | 471 used, but the possibility is present for future extensions. |
410 1: we only accept CA certificates. This is currently used for | 472 1: we only accept CA certificates. This is currently used for |
411 all certificates in the chain except the leaf certificate. | 473 all certificates in the chain except the leaf certificate. |
412 */ | 474 */ |
413 must_be_ca = -1; | 475 must_be_ca = -1; |
414 | 476 |
415 » /* A hack to keep people who don't want to modify their software | 477 » /* CRL path validation */ |
416 » happy */ | 478 » if (ctx->parent) |
417 » if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) | 479 » » { |
418 » » allow_proxy_certs = 1; | 480 » » allow_proxy_certs = 0; |
| 481 » » purpose = X509_PURPOSE_CRL_SIGN; |
| 482 » » } |
| 483 » else |
| 484 » » { |
| 485 » » allow_proxy_certs = |
| 486 » » » !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); |
| 487 » » /* A hack to keep people who don't want to modify their |
| 488 » » software happy */ |
| 489 » » if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) |
| 490 » » » allow_proxy_certs = 1; |
| 491 » » purpose = ctx->param->purpose; |
| 492 » » } |
419 | 493 |
420 /* Check all untrusted certificates */ | 494 /* Check all untrusted certificates */ |
421 for (i = 0; i < ctx->last_untrusted; i++) | 495 for (i = 0; i < ctx->last_untrusted; i++) |
422 { | 496 { |
423 int ret; | 497 int ret; |
424 x = sk_X509_value(ctx->chain, i); | 498 x = sk_X509_value(ctx->chain, i); |
425 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) | 499 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) |
426 && (x->ex_flags & EXFLAG_CRITICAL)) | 500 && (x->ex_flags & EXFLAG_CRITICAL)) |
427 { | 501 { |
428 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; | 502 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
475 } | 549 } |
476 if (ret == 0) | 550 if (ret == 0) |
477 { | 551 { |
478 ctx->error_depth = i; | 552 ctx->error_depth = i; |
479 ctx->current_cert = x; | 553 ctx->current_cert = x; |
480 ok=cb(0,ctx); | 554 ok=cb(0,ctx); |
481 if (!ok) goto end; | 555 if (!ok) goto end; |
482 } | 556 } |
483 if (ctx->param->purpose > 0) | 557 if (ctx->param->purpose > 0) |
484 { | 558 { |
485 » » » ret = X509_check_purpose(x, ctx->param->purpose, | 559 » » » ret = X509_check_purpose(x, purpose, must_be_ca > 0); |
486 » » » » must_be_ca > 0); | |
487 if ((ret == 0) | 560 if ((ret == 0) |
488 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT
) | 561 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT
) |
489 && (ret != 1))) | 562 && (ret != 1))) |
490 { | 563 { |
491 ctx->error = X509_V_ERR_INVALID_PURPOSE; | 564 ctx->error = X509_V_ERR_INVALID_PURPOSE; |
492 ctx->error_depth = i; | 565 ctx->error_depth = i; |
493 ctx->current_cert = x; | 566 ctx->current_cert = x; |
494 ok=cb(0,ctx); | 567 ok=cb(0,ctx); |
495 if (!ok) goto end; | 568 if (!ok) goto end; |
496 } | 569 } |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
529 } | 602 } |
530 else | 603 else |
531 must_be_ca = 1; | 604 must_be_ca = 1; |
532 } | 605 } |
533 ok = 1; | 606 ok = 1; |
534 end: | 607 end: |
535 return ok; | 608 return ok; |
536 #endif | 609 #endif |
537 } | 610 } |
538 | 611 |
| 612 static int check_name_constraints(X509_STORE_CTX *ctx) |
| 613 { |
| 614 X509 *x; |
| 615 int i, j, rv; |
| 616 /* Check name constraints for all certificates */ |
| 617 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) |
| 618 { |
| 619 x = sk_X509_value(ctx->chain, i); |
| 620 /* Ignore self issued certs unless last in chain */ |
| 621 if (i && (x->ex_flags & EXFLAG_SI)) |
| 622 continue; |
| 623 /* Check against constraints for all certificates higher in |
| 624 * chain including trust anchor. Trust anchor not strictly |
| 625 * speaking needed but if it includes constraints it is to be |
| 626 * assumed it expects them to be obeyed. |
| 627 */ |
| 628 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) |
| 629 { |
| 630 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; |
| 631 if (nc) |
| 632 { |
| 633 rv = NAME_CONSTRAINTS_check(x, nc); |
| 634 if (rv != X509_V_OK) |
| 635 { |
| 636 ctx->error = rv; |
| 637 ctx->error_depth = i; |
| 638 ctx->current_cert = x; |
| 639 if (!ctx->verify_cb(0,ctx)) |
| 640 return 0; |
| 641 } |
| 642 } |
| 643 } |
| 644 } |
| 645 return 1; |
| 646 } |
| 647 |
539 static int check_trust(X509_STORE_CTX *ctx) | 648 static int check_trust(X509_STORE_CTX *ctx) |
540 { | 649 { |
541 #ifdef OPENSSL_NO_CHAIN_VERIFY | 650 #ifdef OPENSSL_NO_CHAIN_VERIFY |
542 return 1; | 651 return 1; |
543 #else | 652 #else |
544 int i, ok; | 653 int i, ok; |
545 X509 *x; | 654 X509 *x; |
546 int (*cb)(int xok,X509_STORE_CTX *xctx); | 655 int (*cb)(int xok,X509_STORE_CTX *xctx); |
547 cb=ctx->verify_cb; | 656 cb=ctx->verify_cb; |
548 /* For now just check the last certificate in the chain */ | 657 /* For now just check the last certificate in the chain */ |
(...skipping 14 matching lines...) Expand all Loading... |
563 } | 672 } |
564 | 673 |
565 static int check_revocation(X509_STORE_CTX *ctx) | 674 static int check_revocation(X509_STORE_CTX *ctx) |
566 { | 675 { |
567 int i, last, ok; | 676 int i, last, ok; |
568 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) | 677 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) |
569 return 1; | 678 return 1; |
570 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) | 679 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) |
571 last = sk_X509_num(ctx->chain) - 1; | 680 last = sk_X509_num(ctx->chain) - 1; |
572 else | 681 else |
| 682 { |
| 683 /* If checking CRL paths this isn't the EE certificate */ |
| 684 if (ctx->parent) |
| 685 return 1; |
573 last = 0; | 686 last = 0; |
| 687 } |
574 for(i = 0; i <= last; i++) | 688 for(i = 0; i <= last; i++) |
575 { | 689 { |
576 ctx->error_depth = i; | 690 ctx->error_depth = i; |
577 ok = check_cert(ctx); | 691 ok = check_cert(ctx); |
578 if (!ok) return ok; | 692 if (!ok) return ok; |
579 } | 693 } |
580 return 1; | 694 return 1; |
581 } | 695 } |
582 | 696 |
583 static int check_cert(X509_STORE_CTX *ctx) | 697 static int check_cert(X509_STORE_CTX *ctx) |
584 { | 698 { |
585 » X509_CRL *crl = NULL; | 699 » X509_CRL *crl = NULL, *dcrl = NULL; |
586 X509 *x; | 700 X509 *x; |
587 int ok, cnum; | 701 int ok, cnum; |
588 cnum = ctx->error_depth; | 702 cnum = ctx->error_depth; |
589 x = sk_X509_value(ctx->chain, cnum); | 703 x = sk_X509_value(ctx->chain, cnum); |
590 ctx->current_cert = x; | 704 ctx->current_cert = x; |
591 » /* Try to retrieve relevant CRL */ | 705 » ctx->current_issuer = NULL; |
592 » ok = ctx->get_crl(ctx, &crl, x); | 706 » ctx->current_crl_score = 0; |
593 » /* If error looking up CRL, nothing we can do except | 707 » ctx->current_reasons = 0; |
594 » * notify callback | 708 » while (ctx->current_reasons != CRLDP_ALL_REASONS) |
595 » */ | |
596 » if(!ok) | |
597 { | 709 { |
598 » » ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; | 710 » » /* Try to retrieve relevant CRL */ |
599 » » ok = ctx->verify_cb(0, ctx); | 711 » » if (ctx->get_crl) |
600 » » goto err; | 712 » » » ok = ctx->get_crl(ctx, &crl, x); |
| 713 » » else |
| 714 » » » ok = get_crl_delta(ctx, &crl, &dcrl, x); |
| 715 » » /* If error looking up CRL, nothing we can do except |
| 716 » » * notify callback |
| 717 » » */ |
| 718 » » if(!ok) |
| 719 » » » { |
| 720 » » » ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; |
| 721 » » » ok = ctx->verify_cb(0, ctx); |
| 722 » » » goto err; |
| 723 » » » } |
| 724 » » ctx->current_crl = crl; |
| 725 » » ok = ctx->check_crl(ctx, crl); |
| 726 » » if (!ok) |
| 727 » » » goto err; |
| 728 |
| 729 » » if (dcrl) |
| 730 » » » { |
| 731 » » » ok = ctx->check_crl(ctx, dcrl); |
| 732 » » » if (!ok) |
| 733 » » » » goto err; |
| 734 » » » ok = ctx->cert_crl(ctx, dcrl, x); |
| 735 » » » if (!ok) |
| 736 » » » » goto err; |
| 737 » » » } |
| 738 » » else |
| 739 » » » ok = 1; |
| 740 |
| 741 » » /* Don't look in full CRL if delta reason is removefromCRL */ |
| 742 » » if (ok != 2) |
| 743 » » » { |
| 744 » » » ok = ctx->cert_crl(ctx, crl, x); |
| 745 » » » if (!ok) |
| 746 » » » » goto err; |
| 747 » » » } |
| 748 |
| 749 » » X509_CRL_free(crl); |
| 750 » » X509_CRL_free(dcrl); |
| 751 » » crl = NULL; |
| 752 » » dcrl = NULL; |
601 } | 753 } |
602 ctx->current_crl = crl; | |
603 ok = ctx->check_crl(ctx, crl); | |
604 if (!ok) goto err; | |
605 ok = ctx->cert_crl(ctx, crl, x); | |
606 err: | 754 err: |
| 755 X509_CRL_free(crl); |
| 756 X509_CRL_free(dcrl); |
| 757 |
607 ctx->current_crl = NULL; | 758 ctx->current_crl = NULL; |
608 X509_CRL_free(crl); | |
609 return ok; | 759 return ok; |
610 | 760 |
611 } | 761 } |
612 | 762 |
613 /* Check CRL times against values in X509_STORE_CTX */ | 763 /* Check CRL times against values in X509_STORE_CTX */ |
614 | 764 |
615 static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) | 765 static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) |
616 { | 766 { |
617 time_t *ptime; | 767 time_t *ptime; |
618 int i; | 768 int i; |
619 » ctx->current_crl = crl; | 769 » if (notify) |
| 770 » » ctx->current_crl = crl; |
620 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) | 771 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) |
621 ptime = &ctx->param->check_time; | 772 ptime = &ctx->param->check_time; |
622 else | 773 else |
623 ptime = NULL; | 774 ptime = NULL; |
624 | 775 |
625 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); | 776 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); |
626 if (i == 0) | 777 if (i == 0) |
627 { | 778 { |
| 779 if (!notify) |
| 780 return 0; |
628 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; | 781 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; |
629 » » if (!notify || !ctx->verify_cb(0, ctx)) | 782 » » if (!ctx->verify_cb(0, ctx)) |
630 return 0; | 783 return 0; |
631 } | 784 } |
632 | 785 |
633 if (i > 0) | 786 if (i > 0) |
634 { | 787 { |
| 788 if (!notify) |
| 789 return 0; |
635 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; | 790 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; |
636 » » if (!notify || !ctx->verify_cb(0, ctx)) | 791 » » if (!ctx->verify_cb(0, ctx)) |
637 return 0; | 792 return 0; |
638 } | 793 } |
639 | 794 |
640 if(X509_CRL_get_nextUpdate(crl)) | 795 if(X509_CRL_get_nextUpdate(crl)) |
641 { | 796 { |
642 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); | 797 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); |
643 | 798 |
644 if (i == 0) | 799 if (i == 0) |
645 { | 800 { |
| 801 if (!notify) |
| 802 return 0; |
646 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; | 803 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; |
647 » » » if (!notify || !ctx->verify_cb(0, ctx)) | 804 » » » if (!ctx->verify_cb(0, ctx)) |
648 return 0; | 805 return 0; |
649 } | 806 } |
650 | 807 » » /* Ignore expiry of base CRL is delta is valid */ |
651 » » if (i < 0) | 808 » » if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) |
652 » » » { | 809 » » » { |
| 810 » » » if (!notify) |
| 811 » » » » return 0; |
653 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; | 812 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; |
654 » » » if (!notify || !ctx->verify_cb(0, ctx)) | 813 » » » if (!ctx->verify_cb(0, ctx)) |
655 return 0; | 814 return 0; |
656 } | 815 } |
657 } | 816 } |
658 | 817 |
659 » ctx->current_crl = NULL; | 818 » if (notify) |
| 819 » » ctx->current_crl = NULL; |
660 | 820 |
661 return 1; | 821 return 1; |
662 } | 822 } |
663 | 823 |
664 /* Lookup CRLs from the supplied list. Look for matching isser name | 824 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, |
665 * and validity. If we can't find a valid CRL return the last one | 825 » » » X509 **pissuer, int *pscore, unsigned int *preasons, |
666 * with matching name. This gives more meaningful error codes. Otherwise | 826 » » » STACK_OF(X509_CRL) *crls) |
667 * we'd get a CRL not found error if a CRL existed with matching name but | 827 » { |
668 * was invalid. | 828 » int i, crl_score, best_score = *pscore; |
669 */ | 829 » unsigned int reasons, best_reasons = 0; |
670 | 830 » X509 *x = ctx->current_cert; |
671 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, | 831 » X509_CRL *crl, *best_crl = NULL; |
672 » » » X509_NAME *nm, STACK_OF(X509_CRL) *crls) | 832 » X509 *crl_issuer = NULL, *best_crl_issuer = NULL; |
673 » { | 833 |
| 834 » for (i = 0; i < sk_X509_CRL_num(crls); i++) |
| 835 » » { |
| 836 » » crl = sk_X509_CRL_value(crls, i); |
| 837 » » reasons = *preasons; |
| 838 » » crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); |
| 839 |
| 840 » » if (crl_score > best_score) |
| 841 » » » { |
| 842 » » » best_crl = crl; |
| 843 » » » best_crl_issuer = crl_issuer; |
| 844 » » » best_score = crl_score; |
| 845 » » » best_reasons = reasons; |
| 846 » » » } |
| 847 » » } |
| 848 |
| 849 » if (best_crl) |
| 850 » » { |
| 851 » » if (*pcrl) |
| 852 » » » X509_CRL_free(*pcrl); |
| 853 » » *pcrl = best_crl; |
| 854 » » *pissuer = best_crl_issuer; |
| 855 » » *pscore = best_score; |
| 856 » » *preasons = best_reasons; |
| 857 » » CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); |
| 858 » » if (*pdcrl) |
| 859 » » » { |
| 860 » » » X509_CRL_free(*pdcrl); |
| 861 » » » *pdcrl = NULL; |
| 862 » » » } |
| 863 » » get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); |
| 864 » » } |
| 865 |
| 866 » if (best_score >= CRL_SCORE_VALID) |
| 867 » » return 1; |
| 868 |
| 869 » return 0; |
| 870 » } |
| 871 |
| 872 /* Compare two CRL extensions for delta checking purposes. They should be |
| 873 * both present or both absent. If both present all fields must be identical. |
| 874 */ |
| 875 |
| 876 static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) |
| 877 » { |
| 878 » ASN1_OCTET_STRING *exta, *extb; |
674 int i; | 879 int i; |
675 » X509_CRL *crl, *best_crl = NULL; | 880 » i = X509_CRL_get_ext_by_NID(a, nid, 0); |
| 881 » if (i >= 0) |
| 882 » » { |
| 883 » » /* Can't have multiple occurrences */ |
| 884 » » if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) |
| 885 » » » return 0; |
| 886 » » exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); |
| 887 » » } |
| 888 » else |
| 889 » » exta = NULL; |
| 890 |
| 891 » i = X509_CRL_get_ext_by_NID(b, nid, 0); |
| 892 |
| 893 » if (i >= 0) |
| 894 » » { |
| 895 |
| 896 » » if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) |
| 897 » » » return 0; |
| 898 » » extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); |
| 899 » » } |
| 900 » else |
| 901 » » extb = NULL; |
| 902 |
| 903 » if (!exta && !extb) |
| 904 » » return 1; |
| 905 |
| 906 » if (!exta || !extb) |
| 907 » » return 0; |
| 908 |
| 909 |
| 910 » if (ASN1_OCTET_STRING_cmp(exta, extb)) |
| 911 » » return 0; |
| 912 |
| 913 » return 1; |
| 914 » } |
| 915 |
| 916 /* See if a base and delta are compatible */ |
| 917 |
| 918 static int check_delta_base(X509_CRL *delta, X509_CRL *base) |
| 919 » { |
| 920 » /* Delta CRL must be a delta */ |
| 921 » if (!delta->base_crl_number) |
| 922 » » » return 0; |
| 923 » /* Base must have a CRL number */ |
| 924 » if (!base->crl_number) |
| 925 » » » return 0; |
| 926 » /* Issuer names must match */ |
| 927 » if (X509_NAME_cmp(X509_CRL_get_issuer(base), |
| 928 » » » » X509_CRL_get_issuer(delta))) |
| 929 » » return 0; |
| 930 » /* AKID and IDP must match */ |
| 931 » if (!crl_extension_match(delta, base, NID_authority_key_identifier)) |
| 932 » » » return 0; |
| 933 » if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) |
| 934 » » » return 0; |
| 935 » /* Delta CRL base number must not exceed Full CRL number. */ |
| 936 » if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) |
| 937 » » » return 0; |
| 938 » /* Delta CRL number must exceed full CRL number */ |
| 939 » if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) |
| 940 » » » return 1; |
| 941 » return 0; |
| 942 » } |
| 943 |
| 944 /* For a given base CRL find a delta... maybe extend to delta scoring |
| 945 * or retrieve a chain of deltas... |
| 946 */ |
| 947 |
| 948 static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, |
| 949 » » » X509_CRL *base, STACK_OF(X509_CRL) *crls) |
| 950 » { |
| 951 » X509_CRL *delta; |
| 952 » int i; |
| 953 » if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) |
| 954 » » return; |
| 955 » if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) |
| 956 » » return; |
676 for (i = 0; i < sk_X509_CRL_num(crls); i++) | 957 for (i = 0; i < sk_X509_CRL_num(crls); i++) |
677 { | 958 { |
678 » » crl = sk_X509_CRL_value(crls, i); | 959 » » delta = sk_X509_CRL_value(crls, i); |
679 » » if (X509_NAME_cmp(nm, X509_CRL_get_issuer(crl))) | 960 » » if (check_delta_base(delta, base)) |
| 961 » » » { |
| 962 » » » if (check_crl_time(ctx, delta, 0)) |
| 963 » » » » *pscore |= CRL_SCORE_TIME_DELTA; |
| 964 » » » CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); |
| 965 » » » *dcrl = delta; |
| 966 » » » return; |
| 967 » » » } |
| 968 » » } |
| 969 » *dcrl = NULL; |
| 970 » } |
| 971 |
| 972 /* For a given CRL return how suitable it is for the supplied certificate 'x'. |
| 973 * The return value is a mask of several criteria. |
| 974 * If the issuer is not the certificate issuer this is returned in *pissuer. |
| 975 * The reasons mask is also used to determine if the CRL is suitable: if |
| 976 * no new reasons the CRL is rejected, otherwise reasons is updated. |
| 977 */ |
| 978 |
| 979 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, |
| 980 » » » unsigned int *preasons, |
| 981 » » » X509_CRL *crl, X509 *x) |
| 982 » { |
| 983 |
| 984 » int crl_score = 0; |
| 985 » unsigned int tmp_reasons = *preasons, crl_reasons; |
| 986 |
| 987 » /* First see if we can reject CRL straight away */ |
| 988 |
| 989 » /* Invalid IDP cannot be processed */ |
| 990 » if (crl->idp_flags & IDP_INVALID) |
| 991 » » return 0; |
| 992 » /* Reason codes or indirect CRLs need extended CRL support */ |
| 993 » if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) |
| 994 » » { |
| 995 » » if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) |
| 996 » » » return 0; |
| 997 » » } |
| 998 » else if (crl->idp_flags & IDP_REASONS) |
| 999 » » { |
| 1000 » » /* If no new reasons reject */ |
| 1001 » » if (!(crl->idp_reasons & ~tmp_reasons)) |
| 1002 » » » return 0; |
| 1003 » » } |
| 1004 » /* Don't process deltas at this stage */ |
| 1005 » else if (crl->base_crl_number) |
| 1006 » » return 0; |
| 1007 » /* If issuer name doesn't match certificate need indirect CRL */ |
| 1008 » if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) |
| 1009 » » { |
| 1010 » » if (!(crl->idp_flags & IDP_INDIRECT)) |
| 1011 » » » return 0; |
| 1012 » » } |
| 1013 » else |
| 1014 » » crl_score |= CRL_SCORE_ISSUER_NAME; |
| 1015 |
| 1016 » if (!(crl->flags & EXFLAG_CRITICAL)) |
| 1017 » » crl_score |= CRL_SCORE_NOCRITICAL; |
| 1018 |
| 1019 » /* Check expiry */ |
| 1020 » if (check_crl_time(ctx, crl, 0)) |
| 1021 » » crl_score |= CRL_SCORE_TIME; |
| 1022 |
| 1023 » /* Check authority key ID and locate certificate issuer */ |
| 1024 » crl_akid_check(ctx, crl, pissuer, &crl_score); |
| 1025 |
| 1026 » /* If we can't locate certificate issuer at this point forget it */ |
| 1027 |
| 1028 » if (!(crl_score & CRL_SCORE_AKID)) |
| 1029 » » return 0; |
| 1030 |
| 1031 » /* Check cert for matching CRL distribution points */ |
| 1032 |
| 1033 » if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) |
| 1034 » » { |
| 1035 » » /* If no new reasons reject */ |
| 1036 » » if (!(crl_reasons & ~tmp_reasons)) |
| 1037 » » » return 0; |
| 1038 » » tmp_reasons |= crl_reasons; |
| 1039 » » crl_score |= CRL_SCORE_SCOPE; |
| 1040 » » } |
| 1041 |
| 1042 » *preasons = tmp_reasons; |
| 1043 |
| 1044 » return crl_score; |
| 1045 |
| 1046 » } |
| 1047 |
| 1048 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, |
| 1049 » » » » X509 **pissuer, int *pcrl_score) |
| 1050 » { |
| 1051 » X509 *crl_issuer = NULL; |
| 1052 » X509_NAME *cnm = X509_CRL_get_issuer(crl); |
| 1053 » int cidx = ctx->error_depth; |
| 1054 » int i; |
| 1055 |
| 1056 » if (cidx != sk_X509_num(ctx->chain) - 1) |
| 1057 » » cidx++; |
| 1058 |
| 1059 » crl_issuer = sk_X509_value(ctx->chain, cidx); |
| 1060 |
| 1061 » if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) |
| 1062 » » { |
| 1063 » » if (*pcrl_score & CRL_SCORE_ISSUER_NAME) |
| 1064 » » » { |
| 1065 » » » *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; |
| 1066 » » » *pissuer = crl_issuer; |
| 1067 » » » return; |
| 1068 » » » } |
| 1069 » » } |
| 1070 |
| 1071 » for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) |
| 1072 » » { |
| 1073 » » crl_issuer = sk_X509_value(ctx->chain, cidx); |
| 1074 » » if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) |
680 continue; | 1075 continue; |
681 » » if (check_crl_time(ctx, crl, 0)) | 1076 » » if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) |
682 » » » { | 1077 » » » { |
683 » » » *pcrl = crl; | 1078 » » » *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; |
684 » » » CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509); | 1079 » » » *pissuer = crl_issuer; |
| 1080 » » » return; |
| 1081 » » » } |
| 1082 » » } |
| 1083 |
| 1084 » /* Anything else needs extended CRL support */ |
| 1085 |
| 1086 » if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) |
| 1087 » » return; |
| 1088 |
| 1089 » /* Otherwise the CRL issuer is not on the path. Look for it in the |
| 1090 » * set of untrusted certificates. |
| 1091 » */ |
| 1092 » for (i = 0; i < sk_X509_num(ctx->untrusted); i++) |
| 1093 » » { |
| 1094 » » crl_issuer = sk_X509_value(ctx->untrusted, i); |
| 1095 » » if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) |
| 1096 » » » continue; |
| 1097 » » if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) |
| 1098 » » » { |
| 1099 » » » *pissuer = crl_issuer; |
| 1100 » » » *pcrl_score |= CRL_SCORE_AKID; |
| 1101 » » » return; |
| 1102 » » » } |
| 1103 » » } |
| 1104 » } |
| 1105 |
| 1106 /* Check the path of a CRL issuer certificate. This creates a new |
| 1107 * X509_STORE_CTX and populates it with most of the parameters from the |
| 1108 * parent. This could be optimised somewhat since a lot of path checking |
| 1109 * will be duplicated by the parent, but this will rarely be used in |
| 1110 * practice. |
| 1111 */ |
| 1112 |
| 1113 static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) |
| 1114 » { |
| 1115 » X509_STORE_CTX crl_ctx; |
| 1116 » int ret; |
| 1117 » /* Don't allow recursive CRL path validation */ |
| 1118 » if (ctx->parent) |
| 1119 » » return 0; |
| 1120 » if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted)) |
| 1121 » » return -1; |
| 1122 |
| 1123 » crl_ctx.crls = ctx->crls; |
| 1124 » /* Copy verify params across */ |
| 1125 » X509_STORE_CTX_set0_param(&crl_ctx, ctx->param); |
| 1126 |
| 1127 » crl_ctx.parent = ctx; |
| 1128 » crl_ctx.verify_cb = ctx->verify_cb; |
| 1129 |
| 1130 » /* Verify CRL issuer */ |
| 1131 » ret = X509_verify_cert(&crl_ctx); |
| 1132 |
| 1133 » if (ret <= 0) |
| 1134 » » goto err; |
| 1135 |
| 1136 » /* Check chain is acceptable */ |
| 1137 |
| 1138 » ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); |
| 1139 » err: |
| 1140 » X509_STORE_CTX_cleanup(&crl_ctx); |
| 1141 » return ret; |
| 1142 » } |
| 1143 |
| 1144 /* RFC3280 says nothing about the relationship between CRL path |
| 1145 * and certificate path, which could lead to situations where a |
| 1146 * certificate could be revoked or validated by a CA not authorised |
| 1147 * to do so. RFC5280 is more strict and states that the two paths must |
| 1148 * end in the same trust anchor, though some discussions remain... |
| 1149 * until this is resolved we use the RFC5280 version |
| 1150 */ |
| 1151 |
| 1152 static int check_crl_chain(X509_STORE_CTX *ctx, |
| 1153 » » » STACK_OF(X509) *cert_path, |
| 1154 » » » STACK_OF(X509) *crl_path) |
| 1155 » { |
| 1156 » X509 *cert_ta, *crl_ta; |
| 1157 » cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); |
| 1158 » crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); |
| 1159 » if (!X509_cmp(cert_ta, crl_ta)) |
| 1160 » » return 1; |
| 1161 » return 0; |
| 1162 » } |
| 1163 |
| 1164 /* Check for match between two dist point names: three separate cases. |
| 1165 * 1. Both are relative names and compare X509_NAME types. |
| 1166 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES. |
| 1167 * 3. Both are full names and compare two GENERAL_NAMES. |
| 1168 * 4. One is NULL: automatic match. |
| 1169 */ |
| 1170 |
| 1171 |
| 1172 static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) |
| 1173 » { |
| 1174 » X509_NAME *nm = NULL; |
| 1175 » GENERAL_NAMES *gens = NULL; |
| 1176 » GENERAL_NAME *gena, *genb; |
| 1177 » int i, j; |
| 1178 » if (!a || !b) |
| 1179 » » return 1; |
| 1180 » if (a->type == 1) |
| 1181 » » { |
| 1182 » » if (!a->dpname) |
| 1183 » » » return 0; |
| 1184 » » /* Case 1: two X509_NAME */ |
| 1185 » » if (b->type == 1) |
| 1186 » » » { |
| 1187 » » » if (!b->dpname) |
| 1188 » » » » return 0; |
| 1189 » » » if (!X509_NAME_cmp(a->dpname, b->dpname)) |
| 1190 » » » » return 1; |
| 1191 » » » else |
| 1192 » » » » return 0; |
| 1193 » » » } |
| 1194 » » /* Case 2: set name and GENERAL_NAMES appropriately */ |
| 1195 » » nm = a->dpname; |
| 1196 » » gens = b->name.fullname; |
| 1197 » » } |
| 1198 » else if (b->type == 1) |
| 1199 » » { |
| 1200 » » if (!b->dpname) |
| 1201 » » » return 0; |
| 1202 » » /* Case 2: set name and GENERAL_NAMES appropriately */ |
| 1203 » » gens = a->name.fullname; |
| 1204 » » nm = b->dpname; |
| 1205 » » } |
| 1206 |
| 1207 » /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ |
| 1208 » if (nm) |
| 1209 » » { |
| 1210 » » for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) |
| 1211 » » » { |
| 1212 » » » gena = sk_GENERAL_NAME_value(gens, i);» |
| 1213 » » » if (gena->type != GEN_DIRNAME) |
| 1214 » » » » continue; |
| 1215 » » » if (!X509_NAME_cmp(nm, gena->d.directoryName)) |
| 1216 » » » » return 1; |
| 1217 » » » } |
| 1218 » » return 0; |
| 1219 » » } |
| 1220 |
| 1221 » /* Else case 3: two GENERAL_NAMES */ |
| 1222 |
| 1223 » for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) |
| 1224 » » { |
| 1225 » » gena = sk_GENERAL_NAME_value(a->name.fullname, i); |
| 1226 » » for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) |
| 1227 » » » { |
| 1228 » » » genb = sk_GENERAL_NAME_value(b->name.fullname, j); |
| 1229 » » » if (!GENERAL_NAME_cmp(gena, genb)) |
| 1230 » » » » return 1; |
| 1231 » » » } |
| 1232 » » } |
| 1233 |
| 1234 » return 0; |
| 1235 |
| 1236 » } |
| 1237 |
| 1238 static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) |
| 1239 » { |
| 1240 » int i; |
| 1241 » X509_NAME *nm = X509_CRL_get_issuer(crl); |
| 1242 » /* If no CRLissuer return is successful iff don't need a match */ |
| 1243 » if (!dp->CRLissuer) |
| 1244 » » return !!(crl_score & CRL_SCORE_ISSUER_NAME); |
| 1245 » for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) |
| 1246 » » { |
| 1247 » » GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); |
| 1248 » » if (gen->type != GEN_DIRNAME) |
| 1249 » » » continue; |
| 1250 » » if (!X509_NAME_cmp(gen->d.directoryName, nm)) |
685 return 1; | 1251 return 1; |
686 » » » } | 1252 » » } |
687 » » best_crl = crl; | 1253 » return 0; |
688 » » } | 1254 » } |
689 » if (best_crl) | 1255 |
690 » » { | 1256 /* Check CRLDP and IDP */ |
691 » » *pcrl = best_crl; | 1257 |
692 » » CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509); | 1258 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, |
693 » » } | 1259 » » » » unsigned int *preasons) |
694 » » | 1260 » { |
695 » return 0; | 1261 » int i; |
696 » } | 1262 » if (crl->idp_flags & IDP_ONLYATTR) |
697 | 1263 » » return 0; |
698 /* Retrieve CRL corresponding to certificate: currently just a | 1264 » if (x->ex_flags & EXFLAG_CA) |
699 * subject lookup: maybe use AKID later... | 1265 » » { |
700 */ | 1266 » » if (crl->idp_flags & IDP_ONLYUSER) |
701 static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) | 1267 » » » return 0; |
| 1268 » » } |
| 1269 » else |
| 1270 » » { |
| 1271 » » if (crl->idp_flags & IDP_ONLYCA) |
| 1272 » » » return 0; |
| 1273 » » } |
| 1274 » *preasons = crl->idp_reasons; |
| 1275 » for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) |
| 1276 » » { |
| 1277 » » DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); |
| 1278 » » if (crldp_check_crlissuer(dp, crl, crl_score)) |
| 1279 » » » { |
| 1280 » » » if (!crl->idp || |
| 1281 » » » idp_check_dp(dp->distpoint, crl->idp->distpoint)) |
| 1282 » » » » { |
| 1283 » » » » *preasons &= dp->dp_reasons; |
| 1284 » » » » return 1; |
| 1285 » » » » } |
| 1286 » » » } |
| 1287 » » } |
| 1288 » if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER
_NAME)) |
| 1289 » » return 1; |
| 1290 » return 0; |
| 1291 » } |
| 1292 |
| 1293 /* Retrieve CRL corresponding to current certificate. |
| 1294 * If deltas enabled try to find a delta CRL too |
| 1295 */ |
| 1296 » |
| 1297 static int get_crl_delta(X509_STORE_CTX *ctx, |
| 1298 » » » » X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) |
702 { | 1299 { |
703 int ok; | 1300 int ok; |
704 » X509_CRL *crl = NULL; | 1301 » X509 *issuer = NULL; |
705 » X509_OBJECT xobj; | 1302 » int crl_score = 0; |
706 » X509_NAME *nm; | 1303 » unsigned int reasons; |
707 » nm = X509_get_issuer_name(x); | 1304 » X509_CRL *crl = NULL, *dcrl = NULL; |
708 » ok = get_crl_sk(ctx, &crl, nm, ctx->crls); | 1305 » STACK_OF(X509_CRL) *skcrl; |
| 1306 » X509_NAME *nm = X509_get_issuer_name(x); |
| 1307 » reasons = ctx->current_reasons; |
| 1308 » ok = get_crl_sk(ctx, &crl, &dcrl, |
| 1309 » » » » &issuer, &crl_score, &reasons, ctx->crls); |
| 1310 |
709 if (ok) | 1311 if (ok) |
710 » » { | 1312 » » goto done; |
| 1313 |
| 1314 » /* Lookup CRLs from store */ |
| 1315 |
| 1316 » skcrl = ctx->lookup_crls(ctx, nm); |
| 1317 |
| 1318 » /* If no CRLs found and a near match from get_crl_sk use that */ |
| 1319 » if (!skcrl && crl) |
| 1320 » » goto done; |
| 1321 |
| 1322 » get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); |
| 1323 |
| 1324 » sk_X509_CRL_pop_free(skcrl, X509_CRL_free); |
| 1325 |
| 1326 » done: |
| 1327 |
| 1328 » /* If we got any kind of CRL use it and return success */ |
| 1329 » if (crl) |
| 1330 » » { |
| 1331 » » ctx->current_issuer = issuer; |
| 1332 » » ctx->current_crl_score = crl_score; |
| 1333 » » ctx->current_reasons = reasons; |
711 *pcrl = crl; | 1334 *pcrl = crl; |
| 1335 *pdcrl = dcrl; |
712 return 1; | 1336 return 1; |
713 } | 1337 } |
714 | 1338 |
715 » ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj); | 1339 » return 0; |
716 | |
717 » if (!ok) | |
718 » » { | |
719 » » /* If we got a near match from get_crl_sk use that */ | |
720 » » if (crl) | |
721 » » » { | |
722 » » » *pcrl = crl; | |
723 » » » return 1; | |
724 » » » } | |
725 » » return 0; | |
726 » » } | |
727 | |
728 » *pcrl = xobj.data.crl; | |
729 » if (crl) | |
730 » » X509_CRL_free(crl); | |
731 » return 1; | |
732 } | 1340 } |
733 | 1341 |
734 /* Check CRL validity */ | 1342 /* Check CRL validity */ |
735 static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) | 1343 static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) |
736 { | 1344 { |
737 X509 *issuer = NULL; | 1345 X509 *issuer = NULL; |
738 EVP_PKEY *ikey = NULL; | 1346 EVP_PKEY *ikey = NULL; |
739 int ok = 0, chnum, cnum; | 1347 int ok = 0, chnum, cnum; |
740 cnum = ctx->error_depth; | 1348 cnum = ctx->error_depth; |
741 chnum = sk_X509_num(ctx->chain) - 1; | 1349 chnum = sk_X509_num(ctx->chain) - 1; |
742 » /* Find CRL issuer: if not last certificate then issuer | 1350 » /* if we have an alternative CRL issuer cert use that */ |
| 1351 » if (ctx->current_issuer) |
| 1352 » » issuer = ctx->current_issuer; |
| 1353 |
| 1354 » /* Else find CRL issuer: if not last certificate then issuer |
743 * is next certificate in chain. | 1355 * is next certificate in chain. |
744 */ | 1356 */ |
745 » if(cnum < chnum) | 1357 » else if (cnum < chnum) |
746 issuer = sk_X509_value(ctx->chain, cnum + 1); | 1358 issuer = sk_X509_value(ctx->chain, cnum + 1); |
747 else | 1359 else |
748 { | 1360 { |
749 issuer = sk_X509_value(ctx->chain, chnum); | 1361 issuer = sk_X509_value(ctx->chain, chnum); |
750 /* If not self signed, can't check signature */ | 1362 /* If not self signed, can't check signature */ |
751 if(!ctx->check_issued(ctx, issuer, issuer)) | 1363 if(!ctx->check_issued(ctx, issuer, issuer)) |
752 { | 1364 { |
753 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; | 1365 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; |
754 ok = ctx->verify_cb(0, ctx); | 1366 ok = ctx->verify_cb(0, ctx); |
755 if(!ok) goto err; | 1367 if(!ok) goto err; |
756 } | 1368 } |
757 } | 1369 } |
758 | 1370 |
759 if(issuer) | 1371 if(issuer) |
760 { | 1372 { |
761 » » /* Check for cRLSign bit if keyUsage present */ | 1373 » » /* Skip most tests for deltas because they have already |
762 » » if ((issuer->ex_flags & EXFLAG_KUSAGE) && | 1374 » » * been done |
763 » » » !(issuer->ex_kusage & KU_CRL_SIGN)) | 1375 » » */ |
| 1376 » » if (!crl->base_crl_number) |
764 { | 1377 { |
765 » » » ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; | 1378 » » » /* Check for cRLSign bit if keyUsage present */ |
766 » » » ok = ctx->verify_cb(0, ctx); | 1379 » » » if ((issuer->ex_flags & EXFLAG_KUSAGE) && |
767 » » » if(!ok) goto err; | 1380 » » » » !(issuer->ex_kusage & KU_CRL_SIGN)) |
| 1381 » » » » { |
| 1382 » » » » ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; |
| 1383 » » » » ok = ctx->verify_cb(0, ctx); |
| 1384 » » » » if(!ok) goto err; |
| 1385 » » » » } |
| 1386 |
| 1387 » » » if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) |
| 1388 » » » » { |
| 1389 » » » » ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; |
| 1390 » » » » ok = ctx->verify_cb(0, ctx); |
| 1391 » » » » if(!ok) goto err; |
| 1392 » » » » } |
| 1393 |
| 1394 » » » if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) |
| 1395 » » » » { |
| 1396 » » » » if (check_crl_path(ctx, ctx->current_issuer) <=
0) |
| 1397 » » » » » { |
| 1398 » » » » » ctx->error = X509_V_ERR_CRL_PATH_VALIDAT
ION_ERROR; |
| 1399 » » » » » ok = ctx->verify_cb(0, ctx); |
| 1400 » » » » » if(!ok) goto err; |
| 1401 » » » » » } |
| 1402 » » » » } |
| 1403 |
| 1404 » » » if (crl->idp_flags & IDP_INVALID) |
| 1405 » » » » { |
| 1406 » » » » ctx->error = X509_V_ERR_INVALID_EXTENSION; |
| 1407 » » » » ok = ctx->verify_cb(0, ctx); |
| 1408 » » » » if(!ok) goto err; |
| 1409 » » » » } |
| 1410 |
| 1411 |
| 1412 » » » } |
| 1413 |
| 1414 » » if (!(ctx->current_crl_score & CRL_SCORE_TIME)) |
| 1415 » » » { |
| 1416 » » » ok = check_crl_time(ctx, crl, 1); |
| 1417 » » » if (!ok) |
| 1418 » » » » goto err; |
768 } | 1419 } |
769 | 1420 |
770 /* Attempt to get issuer certificate public key */ | 1421 /* Attempt to get issuer certificate public key */ |
771 ikey = X509_get_pubkey(issuer); | 1422 ikey = X509_get_pubkey(issuer); |
772 | 1423 |
773 if(!ikey) | 1424 if(!ikey) |
774 { | 1425 { |
775 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
; | 1426 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
; |
776 ok = ctx->verify_cb(0, ctx); | 1427 ok = ctx->verify_cb(0, ctx); |
777 if (!ok) goto err; | 1428 if (!ok) goto err; |
778 } | 1429 } |
779 else | 1430 else |
780 { | 1431 { |
781 /* Verify CRL signature */ | 1432 /* Verify CRL signature */ |
782 if(X509_CRL_verify(crl, ikey) <= 0) | 1433 if(X509_CRL_verify(crl, ikey) <= 0) |
783 { | 1434 { |
784 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; | 1435 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; |
785 ok = ctx->verify_cb(0, ctx); | 1436 ok = ctx->verify_cb(0, ctx); |
786 if (!ok) goto err; | 1437 if (!ok) goto err; |
787 } | 1438 } |
788 } | 1439 } |
789 } | 1440 } |
790 | 1441 |
791 ok = check_crl_time(ctx, crl, 1); | |
792 if (!ok) | |
793 goto err; | |
794 | |
795 ok = 1; | 1442 ok = 1; |
796 | 1443 |
797 err: | 1444 err: |
798 EVP_PKEY_free(ikey); | 1445 EVP_PKEY_free(ikey); |
799 return ok; | 1446 return ok; |
800 } | 1447 } |
801 | 1448 |
802 /* Check certificate against CRL */ | 1449 /* Check certificate against CRL */ |
803 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) | 1450 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) |
804 { | 1451 { |
805 » int idx, ok; | 1452 » int ok; |
806 » X509_REVOKED rtmp; | 1453 » X509_REVOKED *rev; |
807 » STACK_OF(X509_EXTENSION) *exts; | 1454 » /* The rules changed for this... previously if a CRL contained |
808 » X509_EXTENSION *ext; | 1455 » * unhandled critical extensions it could still be used to indicate |
809 » /* Look for serial number of certificate in CRL */ | 1456 » * a certificate was revoked. This has since been changed since |
810 » rtmp.serialNumber = X509_get_serialNumber(x); | 1457 » * critical extension can change the meaning of CRL entries. |
811 » /* Sort revoked into serial number order if not already sorted. | 1458 » */ |
812 » * Do this under a lock to avoid race condition. | 1459 » if (crl->flags & EXFLAG_CRITICAL) |
813 » */ | |
814 » if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) | |
815 { | 1460 { |
816 » » CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL); | 1461 » » if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) |
817 » » sk_X509_REVOKED_sort(crl->crl->revoked); | 1462 » » » return 1; |
818 » » CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL); | 1463 » » ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; |
| 1464 » » ok = ctx->verify_cb(0, ctx); |
| 1465 » » if(!ok) |
| 1466 » » » return 0; |
819 } | 1467 } |
820 » idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); | 1468 » /* Look for serial number of certificate in CRL |
821 » /* If found assume revoked: want something cleverer than | 1469 » * If found make sure reason is not removeFromCRL. |
822 » * this to handle entry extensions in V2 CRLs. | |
823 */ | 1470 */ |
824 » if(idx >= 0) | 1471 » if (X509_CRL_get0_by_cert(crl, &rev, x)) |
825 { | 1472 { |
| 1473 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) |
| 1474 return 2; |
826 ctx->error = X509_V_ERR_CERT_REVOKED; | 1475 ctx->error = X509_V_ERR_CERT_REVOKED; |
827 ok = ctx->verify_cb(0, ctx); | 1476 ok = ctx->verify_cb(0, ctx); |
828 » » if (!ok) return 0; | 1477 » » if (!ok) |
| 1478 » » » return 0; |
829 } | 1479 } |
830 | 1480 |
831 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) | |
832 return 1; | |
833 | |
834 /* See if we have any critical CRL extensions: since we | |
835 * currently don't handle any CRL extensions the CRL must be | |
836 * rejected. | |
837 * This code accesses the X509_CRL structure directly: applications | |
838 * shouldn't do this. | |
839 */ | |
840 | |
841 exts = crl->crl->extensions; | |
842 | |
843 for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) | |
844 { | |
845 ext = sk_X509_EXTENSION_value(exts, idx); | |
846 if (ext->critical > 0) | |
847 { | |
848 ctx->error = | |
849 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; | |
850 ok = ctx->verify_cb(0, ctx); | |
851 if(!ok) return 0; | |
852 break; | |
853 } | |
854 } | |
855 return 1; | 1481 return 1; |
856 } | 1482 } |
857 | 1483 |
858 static int check_policy(X509_STORE_CTX *ctx) | 1484 static int check_policy(X509_STORE_CTX *ctx) |
859 { | 1485 { |
860 int ret; | 1486 int ret; |
| 1487 if (ctx->parent) |
| 1488 return 1; |
861 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, | 1489 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, |
862 ctx->param->policies, ctx->param->flags); | 1490 ctx->param->policies, ctx->param->flags); |
863 if (ret == 0) | 1491 if (ret == 0) |
864 { | 1492 { |
865 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); | 1493 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); |
866 return 0; | 1494 return 0; |
867 } | 1495 } |
868 /* Invalid or inconsistent extensions */ | 1496 /* Invalid or inconsistent extensions */ |
869 if (ret == -1) | 1497 if (ret == -1) |
870 { | 1498 { |
871 /* Locate certificates with bad extensions and notify | 1499 /* Locate certificates with bad extensions and notify |
872 * callback. | 1500 * callback. |
873 */ | 1501 */ |
874 X509 *x; | 1502 X509 *x; |
875 int i; | 1503 int i; |
876 for (i = 1; i < sk_X509_num(ctx->chain); i++) | 1504 for (i = 1; i < sk_X509_num(ctx->chain); i++) |
877 { | 1505 { |
878 x = sk_X509_value(ctx->chain, i); | 1506 x = sk_X509_value(ctx->chain, i); |
879 if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) | 1507 if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) |
880 continue; | 1508 continue; |
881 ctx->current_cert = x; | 1509 ctx->current_cert = x; |
882 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; | 1510 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; |
883 » » » ret = ctx->verify_cb(0, ctx); | 1511 » » » if(!ctx->verify_cb(0, ctx)) |
| 1512 » » » » return 0; |
884 } | 1513 } |
885 return 1; | 1514 return 1; |
886 } | 1515 } |
887 if (ret == -2) | 1516 if (ret == -2) |
888 { | 1517 { |
889 ctx->current_cert = NULL; | 1518 ctx->current_cert = NULL; |
890 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; | 1519 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; |
891 return ctx->verify_cb(0, ctx); | 1520 return ctx->verify_cb(0, ctx); |
892 } | 1521 } |
893 | 1522 |
(...skipping 138 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1032 { | 1661 { |
1033 xi=xs; | 1662 xi=xs; |
1034 xs=sk_X509_value(ctx->chain,n); | 1663 xs=sk_X509_value(ctx->chain,n); |
1035 } | 1664 } |
1036 } | 1665 } |
1037 ok=1; | 1666 ok=1; |
1038 end: | 1667 end: |
1039 return ok; | 1668 return ok; |
1040 } | 1669 } |
1041 | 1670 |
1042 int X509_cmp_current_time(ASN1_TIME *ctm) | 1671 int X509_cmp_current_time(const ASN1_TIME *ctm) |
1043 { | 1672 { |
1044 return X509_cmp_time(ctm, NULL); | 1673 return X509_cmp_time(ctm, NULL); |
1045 } | 1674 } |
1046 | 1675 |
1047 int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time) | 1676 int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) |
1048 { | 1677 { |
1049 char *str; | 1678 char *str; |
1050 ASN1_TIME atm; | 1679 ASN1_TIME atm; |
1051 long offset; | 1680 long offset; |
1052 char buff1[24],buff2[24],*p; | 1681 char buff1[24],buff2[24],*p; |
1053 int i,j; | 1682 int i,j; |
1054 | 1683 |
1055 p=buff1; | 1684 p=buff1; |
1056 i=ctm->length; | 1685 i=ctm->length; |
1057 str=(char *)ctm->data; | 1686 str=(char *)ctm->data; |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1092 else | 1721 else |
1093 { | 1722 { |
1094 if ((*str != '+') && (*str != '-')) | 1723 if ((*str != '+') && (*str != '-')) |
1095 return 0; | 1724 return 0; |
1096 offset=((str[1]-'0')*10+(str[2]-'0'))*60; | 1725 offset=((str[1]-'0')*10+(str[2]-'0'))*60; |
1097 offset+=(str[3]-'0')*10+(str[4]-'0'); | 1726 offset+=(str[3]-'0')*10+(str[4]-'0'); |
1098 if (*str == '-') | 1727 if (*str == '-') |
1099 offset= -offset; | 1728 offset= -offset; |
1100 } | 1729 } |
1101 atm.type=ctm->type; | 1730 atm.type=ctm->type; |
| 1731 atm.flags = 0; |
1102 atm.length=sizeof(buff2); | 1732 atm.length=sizeof(buff2); |
1103 atm.data=(unsigned char *)buff2; | 1733 atm.data=(unsigned char *)buff2; |
1104 | 1734 |
1105 » if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL) | 1735 » if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) |
1106 return 0; | 1736 return 0; |
1107 | 1737 |
1108 if (ctm->type == V_ASN1_UTCTIME) | 1738 if (ctm->type == V_ASN1_UTCTIME) |
1109 { | 1739 { |
1110 i=(buff1[0]-'0')*10+(buff1[1]-'0'); | 1740 i=(buff1[0]-'0')*10+(buff1[1]-'0'); |
1111 if (i < 50) i+=100; /* cf. RFC 2459 */ | 1741 if (i < 50) i+=100; /* cf. RFC 2459 */ |
1112 j=(buff2[0]-'0')*10+(buff2[1]-'0'); | 1742 j=(buff2[0]-'0')*10+(buff2[1]-'0'); |
1113 if (j < 50) j+=100; | 1743 if (j < 50) j+=100; |
1114 | 1744 |
1115 if (i < j) return -1; | 1745 if (i < j) return -1; |
1116 if (i > j) return 1; | 1746 if (i > j) return 1; |
1117 } | 1747 } |
1118 i=strcmp(buff1,buff2); | 1748 i=strcmp(buff1,buff2); |
1119 if (i == 0) /* wait a second then return younger :-) */ | 1749 if (i == 0) /* wait a second then return younger :-) */ |
1120 return -1; | 1750 return -1; |
1121 else | 1751 else |
1122 return i; | 1752 return i; |
1123 } | 1753 } |
1124 | 1754 |
1125 ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) | 1755 ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) |
1126 { | 1756 { |
1127 return X509_time_adj(s, adj, NULL); | 1757 return X509_time_adj(s, adj, NULL); |
1128 } | 1758 } |
1129 | 1759 |
1130 ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm) | 1760 ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) |
| 1761 » { |
| 1762 » return X509_time_adj_ex(s, 0, offset_sec, in_tm); |
| 1763 » } |
| 1764 |
| 1765 ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, |
| 1766 » » » » int offset_day, long offset_sec, time_t *in_tm) |
1131 { | 1767 { |
1132 time_t t; | 1768 time_t t; |
1133 int type = -1; | |
1134 | 1769 |
1135 if (in_tm) t = *in_tm; | 1770 if (in_tm) t = *in_tm; |
1136 else time(&t); | 1771 else time(&t); |
1137 | 1772 |
1138 » t+=adj; | 1773 » if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) |
1139 » if (s) type = s->type; | 1774 » » { |
1140 » if (type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t); | 1775 » » if (s->type == V_ASN1_UTCTIME) |
1141 » if (type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_set(s, t
); | 1776 » » » return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); |
1142 » return ASN1_TIME_set(s, t); | 1777 » » if (s->type == V_ASN1_GENERALIZEDTIME) |
| 1778 » » » return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, |
| 1779 » » » » » » » » offset_sec); |
| 1780 » » } |
| 1781 » return ASN1_TIME_adj(s, t, offset_day, offset_sec); |
1143 } | 1782 } |
1144 | 1783 |
1145 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) | 1784 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) |
1146 { | 1785 { |
1147 EVP_PKEY *ktmp=NULL,*ktmp2; | 1786 EVP_PKEY *ktmp=NULL,*ktmp2; |
1148 int i,j; | 1787 int i,j; |
1149 | 1788 |
1150 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; | 1789 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; |
1151 | 1790 |
1152 for (i=0; i<sk_X509_num(chain); i++) | 1791 for (i=0; i<sk_X509_num(chain); i++) |
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1235 STACK_OF(X509) *chain; | 1874 STACK_OF(X509) *chain; |
1236 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; | 1875 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; |
1237 for (i = 0; i < sk_X509_num(chain); i++) | 1876 for (i = 0; i < sk_X509_num(chain); i++) |
1238 { | 1877 { |
1239 x = sk_X509_value(chain, i); | 1878 x = sk_X509_value(chain, i); |
1240 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); | 1879 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); |
1241 } | 1880 } |
1242 return chain; | 1881 return chain; |
1243 } | 1882 } |
1244 | 1883 |
| 1884 X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) |
| 1885 { |
| 1886 return ctx->current_issuer; |
| 1887 } |
| 1888 |
| 1889 X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) |
| 1890 { |
| 1891 return ctx->current_crl; |
| 1892 } |
| 1893 |
| 1894 X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) |
| 1895 { |
| 1896 return ctx->parent; |
| 1897 } |
| 1898 |
1245 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) | 1899 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) |
1246 { | 1900 { |
1247 ctx->cert=x; | 1901 ctx->cert=x; |
1248 } | 1902 } |
1249 | 1903 |
1250 void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) | 1904 void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) |
1251 { | 1905 { |
1252 ctx->untrusted=sk; | 1906 ctx->untrusted=sk; |
1253 } | 1907 } |
1254 | 1908 |
(...skipping 100 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1355 ctx->crls = NULL; | 2009 ctx->crls = NULL; |
1356 ctx->last_untrusted=0; | 2010 ctx->last_untrusted=0; |
1357 ctx->other_ctx=NULL; | 2011 ctx->other_ctx=NULL; |
1358 ctx->valid=0; | 2012 ctx->valid=0; |
1359 ctx->chain=NULL; | 2013 ctx->chain=NULL; |
1360 ctx->error=0; | 2014 ctx->error=0; |
1361 ctx->explicit_policy=0; | 2015 ctx->explicit_policy=0; |
1362 ctx->error_depth=0; | 2016 ctx->error_depth=0; |
1363 ctx->current_cert=NULL; | 2017 ctx->current_cert=NULL; |
1364 ctx->current_issuer=NULL; | 2018 ctx->current_issuer=NULL; |
| 2019 ctx->current_crl=NULL; |
| 2020 ctx->current_crl_score=0; |
| 2021 ctx->current_reasons=0; |
1365 ctx->tree = NULL; | 2022 ctx->tree = NULL; |
| 2023 ctx->parent = NULL; |
1366 | 2024 |
1367 ctx->param = X509_VERIFY_PARAM_new(); | 2025 ctx->param = X509_VERIFY_PARAM_new(); |
1368 | 2026 |
1369 if (!ctx->param) | 2027 if (!ctx->param) |
1370 { | 2028 { |
1371 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); | 2029 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); |
1372 return 0; | 2030 return 0; |
1373 } | 2031 } |
1374 | 2032 |
1375 /* Inherit callbacks and flags from X509_STORE if not set | 2033 /* Inherit callbacks and flags from X509_STORE if not set |
1376 * use defaults. | 2034 * use defaults. |
1377 */ | 2035 */ |
1378 | 2036 |
1379 | 2037 |
1380 if (store) | 2038 if (store) |
1381 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); | 2039 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); |
1382 else | 2040 else |
1383 » » ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; | 2041 » » ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; |
1384 | 2042 |
1385 if (store) | 2043 if (store) |
1386 { | 2044 { |
1387 ctx->verify_cb = store->verify_cb; | 2045 ctx->verify_cb = store->verify_cb; |
1388 ctx->cleanup = store->cleanup; | 2046 ctx->cleanup = store->cleanup; |
1389 } | 2047 } |
1390 else | 2048 else |
1391 ctx->cleanup = 0; | 2049 ctx->cleanup = 0; |
1392 | 2050 |
1393 if (ret) | 2051 if (ret) |
(...skipping 27 matching lines...) Expand all Loading... |
1421 ctx->verify = internal_verify; | 2079 ctx->verify = internal_verify; |
1422 | 2080 |
1423 if (store && store->check_revocation) | 2081 if (store && store->check_revocation) |
1424 ctx->check_revocation = store->check_revocation; | 2082 ctx->check_revocation = store->check_revocation; |
1425 else | 2083 else |
1426 ctx->check_revocation = check_revocation; | 2084 ctx->check_revocation = check_revocation; |
1427 | 2085 |
1428 if (store && store->get_crl) | 2086 if (store && store->get_crl) |
1429 ctx->get_crl = store->get_crl; | 2087 ctx->get_crl = store->get_crl; |
1430 else | 2088 else |
1431 » » ctx->get_crl = get_crl; | 2089 » » ctx->get_crl = NULL; |
1432 | 2090 |
1433 if (store && store->check_crl) | 2091 if (store && store->check_crl) |
1434 ctx->check_crl = store->check_crl; | 2092 ctx->check_crl = store->check_crl; |
1435 else | 2093 else |
1436 ctx->check_crl = check_crl; | 2094 ctx->check_crl = check_crl; |
1437 | 2095 |
1438 if (store && store->cert_crl) | 2096 if (store && store->cert_crl) |
1439 ctx->cert_crl = store->cert_crl; | 2097 ctx->cert_crl = store->cert_crl; |
1440 else | 2098 else |
1441 ctx->cert_crl = cert_crl; | 2099 ctx->cert_crl = cert_crl; |
1442 | 2100 |
| 2101 if (store && store->lookup_certs) |
| 2102 ctx->lookup_certs = store->lookup_certs; |
| 2103 else |
| 2104 ctx->lookup_certs = X509_STORE_get1_certs; |
| 2105 |
| 2106 if (store && store->lookup_crls) |
| 2107 ctx->lookup_crls = store->lookup_crls; |
| 2108 else |
| 2109 ctx->lookup_crls = X509_STORE_get1_crls; |
| 2110 |
1443 ctx->check_policy = check_policy; | 2111 ctx->check_policy = check_policy; |
1444 | 2112 |
1445 | 2113 |
1446 /* This memset() can't make any sense anyway, so it's removed. As | 2114 /* This memset() can't make any sense anyway, so it's removed. As |
1447 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a | 2115 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a |
1448 * corresponding "new" here and remove this bogus initialisation. */ | 2116 * corresponding "new" here and remove this bogus initialisation. */ |
1449 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ | 2117 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ |
1450 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, | 2118 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, |
1451 &(ctx->ex_data))) | 2119 &(ctx->ex_data))) |
1452 { | 2120 { |
(...skipping 12 matching lines...) Expand all Loading... |
1465 { | 2133 { |
1466 ctx->other_ctx = sk; | 2134 ctx->other_ctx = sk; |
1467 ctx->get_issuer = get_issuer_sk; | 2135 ctx->get_issuer = get_issuer_sk; |
1468 } | 2136 } |
1469 | 2137 |
1470 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) | 2138 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) |
1471 { | 2139 { |
1472 if (ctx->cleanup) ctx->cleanup(ctx); | 2140 if (ctx->cleanup) ctx->cleanup(ctx); |
1473 if (ctx->param != NULL) | 2141 if (ctx->param != NULL) |
1474 { | 2142 { |
1475 » » X509_VERIFY_PARAM_free(ctx->param); | 2143 » » if (ctx->parent == NULL) |
| 2144 » » » X509_VERIFY_PARAM_free(ctx->param); |
1476 ctx->param=NULL; | 2145 ctx->param=NULL; |
1477 } | 2146 } |
1478 if (ctx->tree != NULL) | 2147 if (ctx->tree != NULL) |
1479 { | 2148 { |
1480 X509_policy_tree_free(ctx->tree); | 2149 X509_policy_tree_free(ctx->tree); |
1481 ctx->tree=NULL; | 2150 ctx->tree=NULL; |
1482 } | 2151 } |
1483 if (ctx->chain != NULL) | 2152 if (ctx->chain != NULL) |
1484 { | 2153 { |
1485 sk_X509_pop_free(ctx->chain,X509_free); | 2154 sk_X509_pop_free(ctx->chain,X509_free); |
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1541 ctx->param = param; | 2210 ctx->param = param; |
1542 } | 2211 } |
1543 | 2212 |
1544 IMPLEMENT_STACK_OF(X509) | 2213 IMPLEMENT_STACK_OF(X509) |
1545 IMPLEMENT_ASN1_SET_OF(X509) | 2214 IMPLEMENT_ASN1_SET_OF(X509) |
1546 | 2215 |
1547 IMPLEMENT_STACK_OF(X509_NAME) | 2216 IMPLEMENT_STACK_OF(X509_NAME) |
1548 | 2217 |
1549 IMPLEMENT_STACK_OF(X509_ATTRIBUTE) | 2218 IMPLEMENT_STACK_OF(X509_ATTRIBUTE) |
1550 IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE) | 2219 IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE) |
OLD | NEW |