[331] | 1 | /*
|
---|
| 2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include <stdio.h>
|
---|
| 11 | #include <time.h>
|
---|
| 12 | #include <errno.h>
|
---|
| 13 | #include <limits.h>
|
---|
| 14 |
|
---|
| 15 | #include "internal/cryptlib.h"
|
---|
| 16 | #include <openssl/crypto.h>
|
---|
| 17 | #include <openssl/lhash.h>
|
---|
| 18 | #include <openssl/buffer.h>
|
---|
| 19 | #include <openssl/evp.h>
|
---|
| 20 | #include <openssl/asn1.h>
|
---|
| 21 | #include <openssl/x509.h>
|
---|
| 22 | #include <openssl/x509v3.h>
|
---|
| 23 | #include <openssl/objects.h>
|
---|
| 24 | #include <internal/dane.h>
|
---|
| 25 | #include <internal/x509_int.h>
|
---|
| 26 | #include "x509_lcl.h"
|
---|
| 27 |
|
---|
| 28 | /* CRL score values */
|
---|
| 29 |
|
---|
| 30 | /* No unhandled critical extensions */
|
---|
| 31 |
|
---|
| 32 | #define CRL_SCORE_NOCRITICAL 0x100
|
---|
| 33 |
|
---|
| 34 | /* certificate is within CRL scope */
|
---|
| 35 |
|
---|
| 36 | #define CRL_SCORE_SCOPE 0x080
|
---|
| 37 |
|
---|
| 38 | /* CRL times valid */
|
---|
| 39 |
|
---|
| 40 | #define CRL_SCORE_TIME 0x040
|
---|
| 41 |
|
---|
| 42 | /* Issuer name matches certificate */
|
---|
| 43 |
|
---|
| 44 | #define CRL_SCORE_ISSUER_NAME 0x020
|
---|
| 45 |
|
---|
| 46 | /* If this score or above CRL is probably valid */
|
---|
| 47 |
|
---|
| 48 | #define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
|
---|
| 49 |
|
---|
| 50 | /* CRL issuer is certificate issuer */
|
---|
| 51 |
|
---|
| 52 | #define CRL_SCORE_ISSUER_CERT 0x018
|
---|
| 53 |
|
---|
| 54 | /* CRL issuer is on certificate path */
|
---|
| 55 |
|
---|
| 56 | #define CRL_SCORE_SAME_PATH 0x008
|
---|
| 57 |
|
---|
| 58 | /* CRL issuer matches CRL AKID */
|
---|
| 59 |
|
---|
| 60 | #define CRL_SCORE_AKID 0x004
|
---|
| 61 |
|
---|
| 62 | /* Have a delta CRL with valid times */
|
---|
| 63 |
|
---|
| 64 | #define CRL_SCORE_TIME_DELTA 0x002
|
---|
| 65 |
|
---|
| 66 | static int build_chain(X509_STORE_CTX *ctx);
|
---|
| 67 | static int verify_chain(X509_STORE_CTX *ctx);
|
---|
| 68 | static int dane_verify(X509_STORE_CTX *ctx);
|
---|
| 69 | static int null_callback(int ok, X509_STORE_CTX *e);
|
---|
| 70 | static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
|
---|
| 71 | static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
|
---|
| 72 | static int check_chain_extensions(X509_STORE_CTX *ctx);
|
---|
| 73 | static int check_name_constraints(X509_STORE_CTX *ctx);
|
---|
| 74 | static int check_id(X509_STORE_CTX *ctx);
|
---|
| 75 | static int check_trust(X509_STORE_CTX *ctx, int num_untrusted);
|
---|
| 76 | static int check_revocation(X509_STORE_CTX *ctx);
|
---|
| 77 | static int check_cert(X509_STORE_CTX *ctx);
|
---|
| 78 | static int check_policy(X509_STORE_CTX *ctx);
|
---|
| 79 | static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
|
---|
| 80 | static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);
|
---|
| 81 | static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
|
---|
| 82 | static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert);
|
---|
| 83 |
|
---|
| 84 | static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
|
---|
| 85 | unsigned int *preasons, X509_CRL *crl, X509 *x);
|
---|
| 86 | static int get_crl_delta(X509_STORE_CTX *ctx,
|
---|
| 87 | X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
|
---|
| 88 | static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl,
|
---|
| 89 | int *pcrl_score, X509_CRL *base,
|
---|
| 90 | STACK_OF(X509_CRL) *crls);
|
---|
| 91 | static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
|
---|
| 92 | int *pcrl_score);
|
---|
| 93 | static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
|
---|
| 94 | unsigned int *preasons);
|
---|
| 95 | static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
|
---|
| 96 | static int check_crl_chain(X509_STORE_CTX *ctx,
|
---|
| 97 | STACK_OF(X509) *cert_path,
|
---|
| 98 | STACK_OF(X509) *crl_path);
|
---|
| 99 |
|
---|
| 100 | static int internal_verify(X509_STORE_CTX *ctx);
|
---|
| 101 |
|
---|
| 102 | static int null_callback(int ok, X509_STORE_CTX *e)
|
---|
| 103 | {
|
---|
| 104 | return ok;
|
---|
| 105 | }
|
---|
| 106 |
|
---|
| 107 | /* Return 1 is a certificate is self signed */
|
---|
| 108 | static int cert_self_signed(X509 *x)
|
---|
| 109 | {
|
---|
| 110 | /*
|
---|
| 111 | * FIXME: x509v3_cache_extensions() needs to detect more failures and not
|
---|
| 112 | * set EXFLAG_SET when that happens. Especially, if the failures are
|
---|
| 113 | * parse errors, rather than memory pressure!
|
---|
| 114 | */
|
---|
| 115 | X509_check_purpose(x, -1, 0);
|
---|
| 116 | if (x->ex_flags & EXFLAG_SS)
|
---|
| 117 | return 1;
|
---|
| 118 | else
|
---|
| 119 | return 0;
|
---|
| 120 | }
|
---|
| 121 |
|
---|
| 122 | /* Given a certificate try and find an exact match in the store */
|
---|
| 123 |
|
---|
| 124 | static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
|
---|
| 125 | {
|
---|
| 126 | STACK_OF(X509) *certs;
|
---|
| 127 | X509 *xtmp = NULL;
|
---|
| 128 | int i;
|
---|
| 129 | /* Lookup all certs with matching subject name */
|
---|
| 130 | certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
|
---|
| 131 | if (certs == NULL)
|
---|
| 132 | return NULL;
|
---|
| 133 | /* Look for exact match */
|
---|
| 134 | for (i = 0; i < sk_X509_num(certs); i++) {
|
---|
| 135 | xtmp = sk_X509_value(certs, i);
|
---|
| 136 | if (!X509_cmp(xtmp, x))
|
---|
| 137 | break;
|
---|
| 138 | }
|
---|
| 139 | if (i < sk_X509_num(certs))
|
---|
| 140 | X509_up_ref(xtmp);
|
---|
| 141 | else
|
---|
| 142 | xtmp = NULL;
|
---|
| 143 | sk_X509_pop_free(certs, X509_free);
|
---|
| 144 | return xtmp;
|
---|
| 145 | }
|
---|
| 146 |
|
---|
| 147 | /*-
|
---|
| 148 | * Inform the verify callback of an error.
|
---|
| 149 | * If B<x> is not NULL it is the error cert, otherwise use the chain cert at
|
---|
| 150 | * B<depth>.
|
---|
| 151 | * If B<err> is not X509_V_OK, that's the error value, otherwise leave
|
---|
| 152 | * unchanged (presumably set by the caller).
|
---|
| 153 | *
|
---|
| 154 | * Returns 0 to abort verification with an error, non-zero to continue.
|
---|
| 155 | */
|
---|
| 156 | static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err)
|
---|
| 157 | {
|
---|
| 158 | ctx->error_depth = depth;
|
---|
| 159 | ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth);
|
---|
| 160 | if (err != X509_V_OK)
|
---|
| 161 | ctx->error = err;
|
---|
| 162 | return ctx->verify_cb(0, ctx);
|
---|
| 163 | }
|
---|
| 164 |
|
---|
| 165 | /*-
|
---|
| 166 | * Inform the verify callback of an error, CRL-specific variant. Here, the
|
---|
| 167 | * error depth and certificate are already set, we just specify the error
|
---|
| 168 | * number.
|
---|
| 169 | *
|
---|
| 170 | * Returns 0 to abort verification with an error, non-zero to continue.
|
---|
| 171 | */
|
---|
| 172 | static int verify_cb_crl(X509_STORE_CTX *ctx, int err)
|
---|
| 173 | {
|
---|
| 174 | ctx->error = err;
|
---|
| 175 | return ctx->verify_cb(0, ctx);
|
---|
| 176 | }
|
---|
| 177 |
|
---|
| 178 | static int check_auth_level(X509_STORE_CTX *ctx)
|
---|
| 179 | {
|
---|
| 180 | int i;
|
---|
| 181 | int num = sk_X509_num(ctx->chain);
|
---|
| 182 |
|
---|
| 183 | if (ctx->param->auth_level <= 0)
|
---|
| 184 | return 1;
|
---|
| 185 |
|
---|
| 186 | for (i = 0; i < num; ++i) {
|
---|
| 187 | X509 *cert = sk_X509_value(ctx->chain, i);
|
---|
| 188 |
|
---|
| 189 | /*
|
---|
| 190 | * We've already checked the security of the leaf key, so here we only
|
---|
| 191 | * check the security of issuer keys.
|
---|
| 192 | */
|
---|
| 193 | if (i > 0 && !check_key_level(ctx, cert) &&
|
---|
| 194 | verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL) == 0)
|
---|
| 195 | return 0;
|
---|
| 196 | /*
|
---|
| 197 | * We also check the signature algorithm security of all certificates
|
---|
| 198 | * except those of the trust anchor at index num-1.
|
---|
| 199 | */
|
---|
| 200 | if (i < num - 1 && !check_sig_level(ctx, cert) &&
|
---|
| 201 | verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK) == 0)
|
---|
| 202 | return 0;
|
---|
| 203 | }
|
---|
| 204 | return 1;
|
---|
| 205 | }
|
---|
| 206 |
|
---|
| 207 | static int verify_chain(X509_STORE_CTX *ctx)
|
---|
| 208 | {
|
---|
| 209 | int err;
|
---|
| 210 | int ok;
|
---|
| 211 |
|
---|
| 212 | /*
|
---|
| 213 | * Before either returning with an error, or continuing with CRL checks,
|
---|
| 214 | * instantiate chain public key parameters.
|
---|
| 215 | */
|
---|
| 216 | if ((ok = build_chain(ctx)) == 0 ||
|
---|
| 217 | (ok = check_chain_extensions(ctx)) == 0 ||
|
---|
| 218 | (ok = check_auth_level(ctx)) == 0 ||
|
---|
| 219 | (ok = check_name_constraints(ctx)) == 0 ||
|
---|
| 220 | (ok = check_id(ctx)) == 0 || 1)
|
---|
| 221 | X509_get_pubkey_parameters(NULL, ctx->chain);
|
---|
| 222 | if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0)
|
---|
| 223 | return ok;
|
---|
| 224 |
|
---|
| 225 | err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
|
---|
| 226 | ctx->param->flags);
|
---|
| 227 | if (err != X509_V_OK) {
|
---|
| 228 | if ((ok = verify_cb_cert(ctx, NULL, ctx->error_depth, err)) == 0)
|
---|
| 229 | return ok;
|
---|
| 230 | }
|
---|
| 231 |
|
---|
| 232 | /* Verify chain signatures and expiration times */
|
---|
| 233 | ok = (ctx->verify != NULL) ? ctx->verify(ctx) : internal_verify(ctx);
|
---|
| 234 | if (!ok)
|
---|
| 235 | return ok;
|
---|
| 236 |
|
---|
| 237 | #ifndef OPENSSL_NO_RFC3779
|
---|
| 238 | /* RFC 3779 path validation, now that CRL check has been done */
|
---|
| 239 | if ((ok = X509v3_asid_validate_path(ctx)) == 0)
|
---|
| 240 | return ok;
|
---|
| 241 | if ((ok = X509v3_addr_validate_path(ctx)) == 0)
|
---|
| 242 | return ok;
|
---|
| 243 | #endif
|
---|
| 244 |
|
---|
| 245 | /* If we get this far evaluate policies */
|
---|
| 246 | if (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)
|
---|
| 247 | ok = ctx->check_policy(ctx);
|
---|
| 248 | return ok;
|
---|
| 249 | }
|
---|
| 250 |
|
---|
| 251 | int X509_verify_cert(X509_STORE_CTX *ctx)
|
---|
| 252 | {
|
---|
| 253 | SSL_DANE *dane = ctx->dane;
|
---|
| 254 | int ret;
|
---|
| 255 |
|
---|
| 256 | if (ctx->cert == NULL) {
|
---|
| 257 | X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
|
---|
| 258 | ctx->error = X509_V_ERR_INVALID_CALL;
|
---|
| 259 | return -1;
|
---|
| 260 | }
|
---|
| 261 |
|
---|
| 262 | if (ctx->chain != NULL) {
|
---|
| 263 | /*
|
---|
| 264 | * This X509_STORE_CTX has already been used to verify a cert. We
|
---|
| 265 | * cannot do another one.
|
---|
| 266 | */
|
---|
| 267 | X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
---|
| 268 | ctx->error = X509_V_ERR_INVALID_CALL;
|
---|
| 269 | return -1;
|
---|
| 270 | }
|
---|
| 271 |
|
---|
| 272 | /*
|
---|
| 273 | * first we make sure the chain we are going to build is present and that
|
---|
| 274 | * the first entry is in place
|
---|
| 275 | */
|
---|
| 276 | if (((ctx->chain = sk_X509_new_null()) == NULL) ||
|
---|
| 277 | (!sk_X509_push(ctx->chain, ctx->cert))) {
|
---|
| 278 | X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
|
---|
| 279 | ctx->error = X509_V_ERR_OUT_OF_MEM;
|
---|
| 280 | return -1;
|
---|
| 281 | }
|
---|
| 282 | X509_up_ref(ctx->cert);
|
---|
| 283 | ctx->num_untrusted = 1;
|
---|
| 284 |
|
---|
| 285 | /* If the peer's public key is too weak, we can stop early. */
|
---|
| 286 | if (!check_key_level(ctx, ctx->cert) &&
|
---|
| 287 | !verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL))
|
---|
| 288 | return 0;
|
---|
| 289 |
|
---|
| 290 | if (DANETLS_ENABLED(dane))
|
---|
| 291 | ret = dane_verify(ctx);
|
---|
| 292 | else
|
---|
| 293 | ret = verify_chain(ctx);
|
---|
| 294 |
|
---|
| 295 | /*
|
---|
| 296 | * Safety-net. If we are returning an error, we must also set ctx->error,
|
---|
| 297 | * so that the chain is not considered verified should the error be ignored
|
---|
| 298 | * (e.g. TLS with SSL_VERIFY_NONE).
|
---|
| 299 | */
|
---|
| 300 | if (ret <= 0 && ctx->error == X509_V_OK)
|
---|
| 301 | ctx->error = X509_V_ERR_UNSPECIFIED;
|
---|
| 302 | return ret;
|
---|
| 303 | }
|
---|
| 304 |
|
---|
| 305 | /*
|
---|
| 306 | * Given a STACK_OF(X509) find the issuer of cert (if any)
|
---|
| 307 | */
|
---|
| 308 | static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
|
---|
| 309 | {
|
---|
| 310 | int i;
|
---|
| 311 | X509 *issuer, *rv = NULL;
|
---|
| 312 |
|
---|
| 313 | for (i = 0; i < sk_X509_num(sk); i++) {
|
---|
| 314 | issuer = sk_X509_value(sk, i);
|
---|
| 315 | if (ctx->check_issued(ctx, x, issuer)) {
|
---|
| 316 | rv = issuer;
|
---|
| 317 | if (x509_check_cert_time(ctx, rv, -1))
|
---|
| 318 | break;
|
---|
| 319 | }
|
---|
| 320 | }
|
---|
| 321 | return rv;
|
---|
| 322 | }
|
---|
| 323 |
|
---|
| 324 | /* Given a possible certificate and issuer check them */
|
---|
| 325 |
|
---|
| 326 | static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
|
---|
| 327 | {
|
---|
| 328 | int ret;
|
---|
| 329 | if (x == issuer)
|
---|
| 330 | return cert_self_signed(x);
|
---|
| 331 | ret = X509_check_issued(issuer, x);
|
---|
| 332 | if (ret == X509_V_OK) {
|
---|
| 333 | int i;
|
---|
| 334 | X509 *ch;
|
---|
| 335 | /* Special case: single self signed certificate */
|
---|
| 336 | if (cert_self_signed(x) && sk_X509_num(ctx->chain) == 1)
|
---|
| 337 | return 1;
|
---|
| 338 | for (i = 0; i < sk_X509_num(ctx->chain); i++) {
|
---|
| 339 | ch = sk_X509_value(ctx->chain, i);
|
---|
| 340 | if (ch == issuer || !X509_cmp(ch, issuer)) {
|
---|
| 341 | ret = X509_V_ERR_PATH_LOOP;
|
---|
| 342 | break;
|
---|
| 343 | }
|
---|
| 344 | }
|
---|
| 345 | }
|
---|
| 346 |
|
---|
| 347 | return (ret == X509_V_OK);
|
---|
| 348 | }
|
---|
| 349 |
|
---|
| 350 | /* Alternative lookup method: look from a STACK stored in other_ctx */
|
---|
| 351 |
|
---|
| 352 | static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
|
---|
| 353 | {
|
---|
| 354 | *issuer = find_issuer(ctx, ctx->other_ctx, x);
|
---|
| 355 | if (*issuer) {
|
---|
| 356 | X509_up_ref(*issuer);
|
---|
| 357 | return 1;
|
---|
| 358 | } else
|
---|
| 359 | return 0;
|
---|
| 360 | }
|
---|
| 361 |
|
---|
| 362 | static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm)
|
---|
| 363 | {
|
---|
| 364 | STACK_OF(X509) *sk = NULL;
|
---|
| 365 | X509 *x;
|
---|
| 366 | int i;
|
---|
| 367 | for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) {
|
---|
| 368 | x = sk_X509_value(ctx->other_ctx, i);
|
---|
| 369 | if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {
|
---|
| 370 | if (sk == NULL)
|
---|
| 371 | sk = sk_X509_new_null();
|
---|
| 372 | if (sk == NULL || sk_X509_push(sk, x) == 0) {
|
---|
| 373 | sk_X509_pop_free(sk, X509_free);
|
---|
| 374 | return NULL;
|
---|
| 375 | }
|
---|
| 376 | X509_up_ref(x);
|
---|
| 377 | }
|
---|
| 378 | }
|
---|
| 379 | return sk;
|
---|
| 380 | }
|
---|
| 381 |
|
---|
| 382 | /*
|
---|
| 383 | * Check EE or CA certificate purpose. For trusted certificates explicit local
|
---|
| 384 | * auxiliary trust can be used to override EKU-restrictions.
|
---|
| 385 | */
|
---|
| 386 | static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth,
|
---|
| 387 | int must_be_ca)
|
---|
| 388 | {
|
---|
| 389 | int tr_ok = X509_TRUST_UNTRUSTED;
|
---|
| 390 |
|
---|
| 391 | /*
|
---|
| 392 | * For trusted certificates we want to see whether any auxiliary trust
|
---|
| 393 | * settings trump the purpose constraints.
|
---|
| 394 | *
|
---|
| 395 | * This is complicated by the fact that the trust ordinals in
|
---|
| 396 | * ctx->param->trust are entirely independent of the purpose ordinals in
|
---|
| 397 | * ctx->param->purpose!
|
---|
| 398 | *
|
---|
| 399 | * What connects them is their mutual initialization via calls from
|
---|
| 400 | * X509_STORE_CTX_set_default() into X509_VERIFY_PARAM_lookup() which sets
|
---|
| 401 | * related values of both param->trust and param->purpose. It is however
|
---|
| 402 | * typically possible to infer associated trust values from a purpose value
|
---|
| 403 | * via the X509_PURPOSE API.
|
---|
| 404 | *
|
---|
| 405 | * Therefore, we can only check for trust overrides when the purpose we're
|
---|
| 406 | * checking is the same as ctx->param->purpose and ctx->param->trust is
|
---|
| 407 | * also set.
|
---|
| 408 | */
|
---|
| 409 | if (depth >= ctx->num_untrusted && purpose == ctx->param->purpose)
|
---|
| 410 | tr_ok = X509_check_trust(x, ctx->param->trust, X509_TRUST_NO_SS_COMPAT);
|
---|
| 411 |
|
---|
| 412 | switch (tr_ok) {
|
---|
| 413 | case X509_TRUST_TRUSTED:
|
---|
| 414 | return 1;
|
---|
| 415 | case X509_TRUST_REJECTED:
|
---|
| 416 | break;
|
---|
| 417 | default:
|
---|
| 418 | switch (X509_check_purpose(x, purpose, must_be_ca > 0)) {
|
---|
| 419 | case 1:
|
---|
| 420 | return 1;
|
---|
| 421 | case 0:
|
---|
| 422 | break;
|
---|
| 423 | default:
|
---|
| 424 | if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) == 0)
|
---|
| 425 | return 1;
|
---|
| 426 | }
|
---|
| 427 | break;
|
---|
| 428 | }
|
---|
| 429 |
|
---|
| 430 | return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE);
|
---|
| 431 | }
|
---|
| 432 |
|
---|
| 433 | /*
|
---|
| 434 | * Check a certificate chains extensions for consistency with the supplied
|
---|
| 435 | * purpose
|
---|
| 436 | */
|
---|
| 437 |
|
---|
| 438 | static int check_chain_extensions(X509_STORE_CTX *ctx)
|
---|
| 439 | {
|
---|
| 440 | int i, must_be_ca, plen = 0;
|
---|
| 441 | X509 *x;
|
---|
| 442 | int proxy_path_length = 0;
|
---|
| 443 | int purpose;
|
---|
| 444 | int allow_proxy_certs;
|
---|
| 445 | int num = sk_X509_num(ctx->chain);
|
---|
| 446 |
|
---|
| 447 | /*-
|
---|
| 448 | * must_be_ca can have 1 of 3 values:
|
---|
| 449 | * -1: we accept both CA and non-CA certificates, to allow direct
|
---|
| 450 | * use of self-signed certificates (which are marked as CA).
|
---|
| 451 | * 0: we only accept non-CA certificates. This is currently not
|
---|
| 452 | * used, but the possibility is present for future extensions.
|
---|
| 453 | * 1: we only accept CA certificates. This is currently used for
|
---|
| 454 | * all certificates in the chain except the leaf certificate.
|
---|
| 455 | */
|
---|
| 456 | must_be_ca = -1;
|
---|
| 457 |
|
---|
| 458 | /* CRL path validation */
|
---|
| 459 | if (ctx->parent) {
|
---|
| 460 | allow_proxy_certs = 0;
|
---|
| 461 | purpose = X509_PURPOSE_CRL_SIGN;
|
---|
| 462 | } else {
|
---|
| 463 | allow_proxy_certs =
|
---|
| 464 | ! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
|
---|
| 465 | purpose = ctx->param->purpose;
|
---|
| 466 | }
|
---|
| 467 |
|
---|
| 468 | for (i = 0; i < num; i++) {
|
---|
| 469 | int ret;
|
---|
| 470 | x = sk_X509_value(ctx->chain, i);
|
---|
| 471 | if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
|
---|
| 472 | && (x->ex_flags & EXFLAG_CRITICAL)) {
|
---|
| 473 | if (!verify_cb_cert(ctx, x, i,
|
---|
| 474 | X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION))
|
---|
| 475 | return 0;
|
---|
| 476 | }
|
---|
| 477 | if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
|
---|
| 478 | if (!verify_cb_cert(ctx, x, i,
|
---|
| 479 | X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED))
|
---|
| 480 | return 0;
|
---|
| 481 | }
|
---|
| 482 | ret = X509_check_ca(x);
|
---|
| 483 | switch (must_be_ca) {
|
---|
| 484 | case -1:
|
---|
| 485 | if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
|
---|
| 486 | && (ret != 1) && (ret != 0)) {
|
---|
| 487 | ret = 0;
|
---|
| 488 | ctx->error = X509_V_ERR_INVALID_CA;
|
---|
| 489 | } else
|
---|
| 490 | ret = 1;
|
---|
| 491 | break;
|
---|
| 492 | case 0:
|
---|
| 493 | if (ret != 0) {
|
---|
| 494 | ret = 0;
|
---|
| 495 | ctx->error = X509_V_ERR_INVALID_NON_CA;
|
---|
| 496 | } else
|
---|
| 497 | ret = 1;
|
---|
| 498 | break;
|
---|
| 499 | default:
|
---|
| 500 | /* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */
|
---|
| 501 | if ((ret == 0)
|
---|
| 502 | || ((i + 1 < num || ctx->param->flags & X509_V_FLAG_X509_STRICT)
|
---|
| 503 | && (ret != 1))) {
|
---|
| 504 | ret = 0;
|
---|
| 505 | ctx->error = X509_V_ERR_INVALID_CA;
|
---|
| 506 | } else
|
---|
| 507 | ret = 1;
|
---|
| 508 | break;
|
---|
| 509 | }
|
---|
| 510 | if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
|
---|
| 511 | return 0;
|
---|
| 512 | /* check_purpose() makes the callback as needed */
|
---|
| 513 | if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
|
---|
| 514 | return 0;
|
---|
| 515 | /* Check pathlen if not self issued */
|
---|
| 516 | if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
|
---|
| 517 | && (x->ex_pathlen != -1)
|
---|
| 518 | && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
|
---|
| 519 | if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
|
---|
| 520 | return 0;
|
---|
| 521 | }
|
---|
| 522 | /* Increment path length if not self issued */
|
---|
| 523 | if (!(x->ex_flags & EXFLAG_SI))
|
---|
| 524 | plen++;
|
---|
| 525 | /*
|
---|
| 526 | * If this certificate is a proxy certificate, the next certificate
|
---|
| 527 | * must be another proxy certificate or a EE certificate. If not,
|
---|
| 528 | * the next certificate must be a CA certificate.
|
---|
| 529 | */
|
---|
| 530 | if (x->ex_flags & EXFLAG_PROXY) {
|
---|
| 531 | /*
|
---|
| 532 | * RFC3820, 4.1.3 (b)(1) stipulates that if pCPathLengthConstraint
|
---|
| 533 | * is less than max_path_length, the former should be copied to
|
---|
| 534 | * the latter, and 4.1.4 (a) stipulates that max_path_length
|
---|
| 535 | * should be verified to be larger than zero and decrement it.
|
---|
| 536 | *
|
---|
| 537 | * Because we're checking the certs in the reverse order, we start
|
---|
| 538 | * with verifying that proxy_path_length isn't larger than pcPLC,
|
---|
| 539 | * and copy the latter to the former if it is, and finally,
|
---|
| 540 | * increment proxy_path_length.
|
---|
| 541 | */
|
---|
| 542 | if (x->ex_pcpathlen != -1) {
|
---|
| 543 | if (proxy_path_length > x->ex_pcpathlen) {
|
---|
| 544 | if (!verify_cb_cert(ctx, x, i,
|
---|
| 545 | X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED))
|
---|
| 546 | return 0;
|
---|
| 547 | }
|
---|
| 548 | proxy_path_length = x->ex_pcpathlen;
|
---|
| 549 | }
|
---|
| 550 | proxy_path_length++;
|
---|
| 551 | must_be_ca = 0;
|
---|
| 552 | } else
|
---|
| 553 | must_be_ca = 1;
|
---|
| 554 | }
|
---|
| 555 | return 1;
|
---|
| 556 | }
|
---|
| 557 |
|
---|
| 558 | static int check_name_constraints(X509_STORE_CTX *ctx)
|
---|
| 559 | {
|
---|
| 560 | int i;
|
---|
| 561 |
|
---|
| 562 | /* Check name constraints for all certificates */
|
---|
| 563 | for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
|
---|
| 564 | X509 *x = sk_X509_value(ctx->chain, i);
|
---|
| 565 | int j;
|
---|
| 566 |
|
---|
| 567 | /* Ignore self issued certs unless last in chain */
|
---|
| 568 | if (i && (x->ex_flags & EXFLAG_SI))
|
---|
| 569 | continue;
|
---|
| 570 |
|
---|
| 571 | /*
|
---|
| 572 | * Proxy certificates policy has an extra constraint, where the
|
---|
| 573 | * certificate subject MUST be the issuer with a single CN entry
|
---|
| 574 | * added.
|
---|
| 575 | * (RFC 3820: 3.4, 4.1.3 (a)(4))
|
---|
| 576 | */
|
---|
| 577 | if (x->ex_flags & EXFLAG_PROXY) {
|
---|
| 578 | X509_NAME *tmpsubject = X509_get_subject_name(x);
|
---|
| 579 | X509_NAME *tmpissuer = X509_get_issuer_name(x);
|
---|
| 580 | X509_NAME_ENTRY *tmpentry = NULL;
|
---|
| 581 | int last_object_nid = 0;
|
---|
| 582 | int err = X509_V_OK;
|
---|
| 583 | int last_object_loc = X509_NAME_entry_count(tmpsubject) - 1;
|
---|
| 584 |
|
---|
| 585 | /* Check that there are at least two RDNs */
|
---|
| 586 | if (last_object_loc < 1) {
|
---|
| 587 | err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
|
---|
| 588 | goto proxy_name_done;
|
---|
| 589 | }
|
---|
| 590 |
|
---|
| 591 | /*
|
---|
| 592 | * Check that there is exactly one more RDN in subject as
|
---|
| 593 | * there is in issuer.
|
---|
| 594 | */
|
---|
| 595 | if (X509_NAME_entry_count(tmpsubject)
|
---|
| 596 | != X509_NAME_entry_count(tmpissuer) + 1) {
|
---|
| 597 | err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
|
---|
| 598 | goto proxy_name_done;
|
---|
| 599 | }
|
---|
| 600 |
|
---|
| 601 | /*
|
---|
| 602 | * Check that the last subject component isn't part of a
|
---|
| 603 | * multivalued RDN
|
---|
| 604 | */
|
---|
| 605 | if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,
|
---|
| 606 | last_object_loc))
|
---|
| 607 | == X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,
|
---|
| 608 | last_object_loc - 1))) {
|
---|
| 609 | err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
|
---|
| 610 | goto proxy_name_done;
|
---|
| 611 | }
|
---|
| 612 |
|
---|
| 613 | /*
|
---|
| 614 | * Check that the last subject RDN is a commonName, and that
|
---|
| 615 | * all the previous RDNs match the issuer exactly
|
---|
| 616 | */
|
---|
| 617 | tmpsubject = X509_NAME_dup(tmpsubject);
|
---|
| 618 | if (tmpsubject == NULL) {
|
---|
| 619 | X509err(X509_F_CHECK_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
|
---|
| 620 | ctx->error = X509_V_ERR_OUT_OF_MEM;
|
---|
| 621 | return 0;
|
---|
| 622 | }
|
---|
| 623 |
|
---|
| 624 | tmpentry =
|
---|
| 625 | X509_NAME_delete_entry(tmpsubject, last_object_loc);
|
---|
| 626 | last_object_nid =
|
---|
| 627 | OBJ_obj2nid(X509_NAME_ENTRY_get_object(tmpentry));
|
---|
| 628 |
|
---|
| 629 | if (last_object_nid != NID_commonName
|
---|
| 630 | || X509_NAME_cmp(tmpsubject, tmpissuer) != 0) {
|
---|
| 631 | err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
|
---|
| 632 | }
|
---|
| 633 |
|
---|
| 634 | X509_NAME_ENTRY_free(tmpentry);
|
---|
| 635 | X509_NAME_free(tmpsubject);
|
---|
| 636 |
|
---|
| 637 | proxy_name_done:
|
---|
| 638 | if (err != X509_V_OK
|
---|
| 639 | && !verify_cb_cert(ctx, x, i, err))
|
---|
| 640 | return 0;
|
---|
| 641 | }
|
---|
| 642 |
|
---|
| 643 | /*
|
---|
| 644 | * Check against constraints for all certificates higher in chain
|
---|
| 645 | * including trust anchor. Trust anchor not strictly speaking needed
|
---|
| 646 | * but if it includes constraints it is to be assumed it expects them
|
---|
| 647 | * to be obeyed.
|
---|
| 648 | */
|
---|
| 649 | for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
|
---|
| 650 | NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
|
---|
| 651 |
|
---|
| 652 | if (nc) {
|
---|
| 653 | int rv = NAME_CONSTRAINTS_check(x, nc);
|
---|
| 654 |
|
---|
| 655 | /* If EE certificate check commonName too */
|
---|
| 656 | if (rv == X509_V_OK && i == 0)
|
---|
| 657 | rv = NAME_CONSTRAINTS_check_CN(x, nc);
|
---|
| 658 |
|
---|
| 659 | switch (rv) {
|
---|
| 660 | case X509_V_OK:
|
---|
| 661 | break;
|
---|
| 662 | case X509_V_ERR_OUT_OF_MEM:
|
---|
| 663 | return 0;
|
---|
| 664 | default:
|
---|
| 665 | if (!verify_cb_cert(ctx, x, i, rv))
|
---|
| 666 | return 0;
|
---|
| 667 | break;
|
---|
| 668 | }
|
---|
| 669 | }
|
---|
| 670 | }
|
---|
| 671 | }
|
---|
| 672 | return 1;
|
---|
| 673 | }
|
---|
| 674 |
|
---|
| 675 | static int check_id_error(X509_STORE_CTX *ctx, int errcode)
|
---|
| 676 | {
|
---|
| 677 | return verify_cb_cert(ctx, ctx->cert, 0, errcode);
|
---|
| 678 | }
|
---|
| 679 |
|
---|
| 680 | static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
|
---|
| 681 | {
|
---|
| 682 | int i;
|
---|
| 683 | int n = sk_OPENSSL_STRING_num(vpm->hosts);
|
---|
| 684 | char *name;
|
---|
| 685 |
|
---|
| 686 | if (vpm->peername != NULL) {
|
---|
| 687 | OPENSSL_free(vpm->peername);
|
---|
| 688 | vpm->peername = NULL;
|
---|
| 689 | }
|
---|
| 690 | for (i = 0; i < n; ++i) {
|
---|
| 691 | name = sk_OPENSSL_STRING_value(vpm->hosts, i);
|
---|
| 692 | if (X509_check_host(x, name, 0, vpm->hostflags, &vpm->peername) > 0)
|
---|
| 693 | return 1;
|
---|
| 694 | }
|
---|
| 695 | return n == 0;
|
---|
| 696 | }
|
---|
| 697 |
|
---|
| 698 | static int check_id(X509_STORE_CTX *ctx)
|
---|
| 699 | {
|
---|
| 700 | X509_VERIFY_PARAM *vpm = ctx->param;
|
---|
| 701 | X509 *x = ctx->cert;
|
---|
| 702 | if (vpm->hosts && check_hosts(x, vpm) <= 0) {
|
---|
| 703 | if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
|
---|
| 704 | return 0;
|
---|
| 705 | }
|
---|
| 706 | if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
|
---|
| 707 | if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
|
---|
| 708 | return 0;
|
---|
| 709 | }
|
---|
| 710 | if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
|
---|
| 711 | if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
|
---|
| 712 | return 0;
|
---|
| 713 | }
|
---|
| 714 | return 1;
|
---|
| 715 | }
|
---|
| 716 |
|
---|
| 717 | static int check_trust(X509_STORE_CTX *ctx, int num_untrusted)
|
---|
| 718 | {
|
---|
| 719 | int i;
|
---|
| 720 | X509 *x = NULL;
|
---|
| 721 | X509 *mx;
|
---|
| 722 | SSL_DANE *dane = ctx->dane;
|
---|
| 723 | int num = sk_X509_num(ctx->chain);
|
---|
| 724 | int trust;
|
---|
| 725 |
|
---|
| 726 | /*
|
---|
| 727 | * Check for a DANE issuer at depth 1 or greater, if it is a DANE-TA(2)
|
---|
| 728 | * match, we're done, otherwise we'll merely record the match depth.
|
---|
| 729 | */
|
---|
| 730 | if (DANETLS_HAS_TA(dane) && num_untrusted > 0 && num_untrusted < num) {
|
---|
| 731 | switch (trust = check_dane_issuer(ctx, num_untrusted)) {
|
---|
| 732 | case X509_TRUST_TRUSTED:
|
---|
| 733 | case X509_TRUST_REJECTED:
|
---|
| 734 | return trust;
|
---|
| 735 | }
|
---|
| 736 | }
|
---|
| 737 |
|
---|
| 738 | /*
|
---|
| 739 | * Check trusted certificates in chain at depth num_untrusted and up.
|
---|
| 740 | * Note, that depths 0..num_untrusted-1 may also contain trusted
|
---|
| 741 | * certificates, but the caller is expected to have already checked those,
|
---|
| 742 | * and wants to incrementally check just any added since.
|
---|
| 743 | */
|
---|
| 744 | for (i = num_untrusted; i < num; i++) {
|
---|
| 745 | x = sk_X509_value(ctx->chain, i);
|
---|
| 746 | trust = X509_check_trust(x, ctx->param->trust, 0);
|
---|
| 747 | /* If explicitly trusted return trusted */
|
---|
| 748 | if (trust == X509_TRUST_TRUSTED)
|
---|
| 749 | goto trusted;
|
---|
| 750 | if (trust == X509_TRUST_REJECTED)
|
---|
| 751 | goto rejected;
|
---|
| 752 | }
|
---|
| 753 |
|
---|
| 754 | /*
|
---|
| 755 | * If we are looking at a trusted certificate, and accept partial chains,
|
---|
| 756 | * the chain is PKIX trusted.
|
---|
| 757 | */
|
---|
| 758 | if (num_untrusted < num) {
|
---|
| 759 | if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
|
---|
| 760 | goto trusted;
|
---|
| 761 | return X509_TRUST_UNTRUSTED;
|
---|
| 762 | }
|
---|
| 763 |
|
---|
| 764 | if (num_untrusted == num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
|
---|
| 765 | /*
|
---|
| 766 | * Last-resort call with no new trusted certificates, check the leaf
|
---|
| 767 | * for a direct trust store match.
|
---|
| 768 | */
|
---|
| 769 | i = 0;
|
---|
| 770 | x = sk_X509_value(ctx->chain, i);
|
---|
| 771 | mx = lookup_cert_match(ctx, x);
|
---|
| 772 | if (!mx)
|
---|
| 773 | return X509_TRUST_UNTRUSTED;
|
---|
| 774 |
|
---|
| 775 | /*
|
---|
| 776 | * Check explicit auxiliary trust/reject settings. If none are set,
|
---|
| 777 | * we'll accept X509_TRUST_UNTRUSTED when not self-signed.
|
---|
| 778 | */
|
---|
| 779 | trust = X509_check_trust(mx, ctx->param->trust, 0);
|
---|
| 780 | if (trust == X509_TRUST_REJECTED) {
|
---|
| 781 | X509_free(mx);
|
---|
| 782 | goto rejected;
|
---|
| 783 | }
|
---|
| 784 |
|
---|
| 785 | /* Replace leaf with trusted match */
|
---|
| 786 | (void) sk_X509_set(ctx->chain, 0, mx);
|
---|
| 787 | X509_free(x);
|
---|
| 788 | ctx->num_untrusted = 0;
|
---|
| 789 | goto trusted;
|
---|
| 790 | }
|
---|
| 791 |
|
---|
| 792 | /*
|
---|
| 793 | * If no trusted certs in chain at all return untrusted and allow
|
---|
| 794 | * standard (no issuer cert) etc errors to be indicated.
|
---|
| 795 | */
|
---|
| 796 | return X509_TRUST_UNTRUSTED;
|
---|
| 797 |
|
---|
| 798 | rejected:
|
---|
| 799 | if (!verify_cb_cert(ctx, x, i, X509_V_ERR_CERT_REJECTED))
|
---|
| 800 | return X509_TRUST_REJECTED;
|
---|
| 801 | return X509_TRUST_UNTRUSTED;
|
---|
| 802 |
|
---|
| 803 | trusted:
|
---|
| 804 | if (!DANETLS_ENABLED(dane))
|
---|
| 805 | return X509_TRUST_TRUSTED;
|
---|
| 806 | if (dane->pdpth < 0)
|
---|
| 807 | dane->pdpth = num_untrusted;
|
---|
| 808 | /* With DANE, PKIX alone is not trusted until we have both */
|
---|
| 809 | if (dane->mdpth >= 0)
|
---|
| 810 | return X509_TRUST_TRUSTED;
|
---|
| 811 | return X509_TRUST_UNTRUSTED;
|
---|
| 812 | }
|
---|
| 813 |
|
---|
| 814 | static int check_revocation(X509_STORE_CTX *ctx)
|
---|
| 815 | {
|
---|
| 816 | int i = 0, last = 0, ok = 0;
|
---|
| 817 | if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
|
---|
| 818 | return 1;
|
---|
| 819 | if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
|
---|
| 820 | last = sk_X509_num(ctx->chain) - 1;
|
---|
| 821 | else {
|
---|
| 822 | /* If checking CRL paths this isn't the EE certificate */
|
---|
| 823 | if (ctx->parent)
|
---|
| 824 | return 1;
|
---|
| 825 | last = 0;
|
---|
| 826 | }
|
---|
| 827 | for (i = 0; i <= last; i++) {
|
---|
| 828 | ctx->error_depth = i;
|
---|
| 829 | ok = check_cert(ctx);
|
---|
| 830 | if (!ok)
|
---|
| 831 | return ok;
|
---|
| 832 | }
|
---|
| 833 | return 1;
|
---|
| 834 | }
|
---|
| 835 |
|
---|
| 836 | static int check_cert(X509_STORE_CTX *ctx)
|
---|
| 837 | {
|
---|
| 838 | X509_CRL *crl = NULL, *dcrl = NULL;
|
---|
| 839 | int ok = 0;
|
---|
| 840 | int cnum = ctx->error_depth;
|
---|
| 841 | X509 *x = sk_X509_value(ctx->chain, cnum);
|
---|
| 842 |
|
---|
| 843 | ctx->current_cert = x;
|
---|
| 844 | ctx->current_issuer = NULL;
|
---|
| 845 | ctx->current_crl_score = 0;
|
---|
| 846 | ctx->current_reasons = 0;
|
---|
| 847 |
|
---|
| 848 | if (x->ex_flags & EXFLAG_PROXY)
|
---|
| 849 | return 1;
|
---|
| 850 |
|
---|
| 851 | while (ctx->current_reasons != CRLDP_ALL_REASONS) {
|
---|
| 852 | unsigned int last_reasons = ctx->current_reasons;
|
---|
| 853 |
|
---|
| 854 | /* Try to retrieve relevant CRL */
|
---|
| 855 | if (ctx->get_crl)
|
---|
| 856 | ok = ctx->get_crl(ctx, &crl, x);
|
---|
| 857 | else
|
---|
| 858 | ok = get_crl_delta(ctx, &crl, &dcrl, x);
|
---|
| 859 | /*
|
---|
| 860 | * If error looking up CRL, nothing we can do except notify callback
|
---|
| 861 | */
|
---|
| 862 | if (!ok) {
|
---|
| 863 | ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
|
---|
| 864 | goto done;
|
---|
| 865 | }
|
---|
| 866 | ctx->current_crl = crl;
|
---|
| 867 | ok = ctx->check_crl(ctx, crl);
|
---|
| 868 | if (!ok)
|
---|
| 869 | goto done;
|
---|
| 870 |
|
---|
| 871 | if (dcrl) {
|
---|
| 872 | ok = ctx->check_crl(ctx, dcrl);
|
---|
| 873 | if (!ok)
|
---|
| 874 | goto done;
|
---|
| 875 | ok = ctx->cert_crl(ctx, dcrl, x);
|
---|
| 876 | if (!ok)
|
---|
| 877 | goto done;
|
---|
| 878 | } else
|
---|
| 879 | ok = 1;
|
---|
| 880 |
|
---|
| 881 | /* Don't look in full CRL if delta reason is removefromCRL */
|
---|
| 882 | if (ok != 2) {
|
---|
| 883 | ok = ctx->cert_crl(ctx, crl, x);
|
---|
| 884 | if (!ok)
|
---|
| 885 | goto done;
|
---|
| 886 | }
|
---|
| 887 |
|
---|
| 888 | X509_CRL_free(crl);
|
---|
| 889 | X509_CRL_free(dcrl);
|
---|
| 890 | crl = NULL;
|
---|
| 891 | dcrl = NULL;
|
---|
| 892 | /*
|
---|
| 893 | * If reasons not updated we won't get anywhere by another iteration,
|
---|
| 894 | * so exit loop.
|
---|
| 895 | */
|
---|
| 896 | if (last_reasons == ctx->current_reasons) {
|
---|
| 897 | ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
|
---|
| 898 | goto done;
|
---|
| 899 | }
|
---|
| 900 | }
|
---|
| 901 | done:
|
---|
| 902 | X509_CRL_free(crl);
|
---|
| 903 | X509_CRL_free(dcrl);
|
---|
| 904 |
|
---|
| 905 | ctx->current_crl = NULL;
|
---|
| 906 | return ok;
|
---|
| 907 | }
|
---|
| 908 |
|
---|
| 909 | /* Check CRL times against values in X509_STORE_CTX */
|
---|
| 910 |
|
---|
| 911 | static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
|
---|
| 912 | {
|
---|
| 913 | time_t *ptime;
|
---|
| 914 | int i;
|
---|
| 915 |
|
---|
| 916 | if (notify)
|
---|
| 917 | ctx->current_crl = crl;
|
---|
| 918 | if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
|
---|
| 919 | ptime = &ctx->param->check_time;
|
---|
| 920 | else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
|
---|
| 921 | return 1;
|
---|
| 922 | else
|
---|
| 923 | ptime = NULL;
|
---|
| 924 |
|
---|
| 925 | i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
|
---|
| 926 | if (i == 0) {
|
---|
| 927 | if (!notify)
|
---|
| 928 | return 0;
|
---|
| 929 | if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD))
|
---|
| 930 | return 0;
|
---|
| 931 | }
|
---|
| 932 |
|
---|
| 933 | if (i > 0) {
|
---|
| 934 | if (!notify)
|
---|
| 935 | return 0;
|
---|
| 936 | if (!verify_cb_crl(ctx, X509_V_ERR_CRL_NOT_YET_VALID))
|
---|
| 937 | return 0;
|
---|
| 938 | }
|
---|
| 939 |
|
---|
| 940 | if (X509_CRL_get0_nextUpdate(crl)) {
|
---|
| 941 | i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime);
|
---|
| 942 |
|
---|
| 943 | if (i == 0) {
|
---|
| 944 | if (!notify)
|
---|
| 945 | return 0;
|
---|
| 946 | if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD))
|
---|
| 947 | return 0;
|
---|
| 948 | }
|
---|
| 949 | /* Ignore expiry of base CRL is delta is valid */
|
---|
| 950 | if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
|
---|
| 951 | if (!notify)
|
---|
| 952 | return 0;
|
---|
| 953 | if (!verify_cb_crl(ctx, X509_V_ERR_CRL_HAS_EXPIRED))
|
---|
| 954 | return 0;
|
---|
| 955 | }
|
---|
| 956 | }
|
---|
| 957 |
|
---|
| 958 | if (notify)
|
---|
| 959 | ctx->current_crl = NULL;
|
---|
| 960 |
|
---|
| 961 | return 1;
|
---|
| 962 | }
|
---|
| 963 |
|
---|
| 964 | static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
|
---|
| 965 | X509 **pissuer, int *pscore, unsigned int *preasons,
|
---|
| 966 | STACK_OF(X509_CRL) *crls)
|
---|
| 967 | {
|
---|
| 968 | int i, crl_score, best_score = *pscore;
|
---|
| 969 | unsigned int reasons, best_reasons = 0;
|
---|
| 970 | X509 *x = ctx->current_cert;
|
---|
| 971 | X509_CRL *crl, *best_crl = NULL;
|
---|
| 972 | X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
|
---|
| 973 |
|
---|
| 974 | for (i = 0; i < sk_X509_CRL_num(crls); i++) {
|
---|
| 975 | crl = sk_X509_CRL_value(crls, i);
|
---|
| 976 | reasons = *preasons;
|
---|
| 977 | crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
|
---|
| 978 | if (crl_score < best_score || crl_score == 0)
|
---|
| 979 | continue;
|
---|
| 980 | /* If current CRL is equivalent use it if it is newer */
|
---|
| 981 | if (crl_score == best_score && best_crl != NULL) {
|
---|
| 982 | int day, sec;
|
---|
| 983 | if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
|
---|
| 984 | X509_CRL_get0_lastUpdate(crl)) == 0)
|
---|
| 985 | continue;
|
---|
| 986 | /*
|
---|
| 987 | * ASN1_TIME_diff never returns inconsistent signs for |day|
|
---|
| 988 | * and |sec|.
|
---|
| 989 | */
|
---|
| 990 | if (day <= 0 && sec <= 0)
|
---|
| 991 | continue;
|
---|
| 992 | }
|
---|
| 993 | best_crl = crl;
|
---|
| 994 | best_crl_issuer = crl_issuer;
|
---|
| 995 | best_score = crl_score;
|
---|
| 996 | best_reasons = reasons;
|
---|
| 997 | }
|
---|
| 998 |
|
---|
| 999 | if (best_crl) {
|
---|
| 1000 | X509_CRL_free(*pcrl);
|
---|
| 1001 | *pcrl = best_crl;
|
---|
| 1002 | *pissuer = best_crl_issuer;
|
---|
| 1003 | *pscore = best_score;
|
---|
| 1004 | *preasons = best_reasons;
|
---|
| 1005 | X509_CRL_up_ref(best_crl);
|
---|
| 1006 | X509_CRL_free(*pdcrl);
|
---|
| 1007 | *pdcrl = NULL;
|
---|
| 1008 | get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
|
---|
| 1009 | }
|
---|
| 1010 |
|
---|
| 1011 | if (best_score >= CRL_SCORE_VALID)
|
---|
| 1012 | return 1;
|
---|
| 1013 |
|
---|
| 1014 | return 0;
|
---|
| 1015 | }
|
---|
| 1016 |
|
---|
| 1017 | /*
|
---|
| 1018 | * Compare two CRL extensions for delta checking purposes. They should be
|
---|
| 1019 | * both present or both absent. If both present all fields must be identical.
|
---|
| 1020 | */
|
---|
| 1021 |
|
---|
| 1022 | static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
|
---|
| 1023 | {
|
---|
| 1024 | ASN1_OCTET_STRING *exta, *extb;
|
---|
| 1025 | int i;
|
---|
| 1026 | i = X509_CRL_get_ext_by_NID(a, nid, -1);
|
---|
| 1027 | if (i >= 0) {
|
---|
| 1028 | /* Can't have multiple occurrences */
|
---|
| 1029 | if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
|
---|
| 1030 | return 0;
|
---|
| 1031 | exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
|
---|
| 1032 | } else
|
---|
| 1033 | exta = NULL;
|
---|
| 1034 |
|
---|
| 1035 | i = X509_CRL_get_ext_by_NID(b, nid, -1);
|
---|
| 1036 |
|
---|
| 1037 | if (i >= 0) {
|
---|
| 1038 |
|
---|
| 1039 | if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
|
---|
| 1040 | return 0;
|
---|
| 1041 | extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
|
---|
| 1042 | } else
|
---|
| 1043 | extb = NULL;
|
---|
| 1044 |
|
---|
| 1045 | if (!exta && !extb)
|
---|
| 1046 | return 1;
|
---|
| 1047 |
|
---|
| 1048 | if (!exta || !extb)
|
---|
| 1049 | return 0;
|
---|
| 1050 |
|
---|
| 1051 | if (ASN1_OCTET_STRING_cmp(exta, extb))
|
---|
| 1052 | return 0;
|
---|
| 1053 |
|
---|
| 1054 | return 1;
|
---|
| 1055 | }
|
---|
| 1056 |
|
---|
| 1057 | /* See if a base and delta are compatible */
|
---|
| 1058 |
|
---|
| 1059 | static int check_delta_base(X509_CRL *delta, X509_CRL *base)
|
---|
| 1060 | {
|
---|
| 1061 | /* Delta CRL must be a delta */
|
---|
| 1062 | if (!delta->base_crl_number)
|
---|
| 1063 | return 0;
|
---|
| 1064 | /* Base must have a CRL number */
|
---|
| 1065 | if (!base->crl_number)
|
---|
| 1066 | return 0;
|
---|
| 1067 | /* Issuer names must match */
|
---|
| 1068 | if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta)))
|
---|
| 1069 | return 0;
|
---|
| 1070 | /* AKID and IDP must match */
|
---|
| 1071 | if (!crl_extension_match(delta, base, NID_authority_key_identifier))
|
---|
| 1072 | return 0;
|
---|
| 1073 | if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
|
---|
| 1074 | return 0;
|
---|
| 1075 | /* Delta CRL base number must not exceed Full CRL number. */
|
---|
| 1076 | if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
|
---|
| 1077 | return 0;
|
---|
| 1078 | /* Delta CRL number must exceed full CRL number */
|
---|
| 1079 | if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
|
---|
| 1080 | return 1;
|
---|
| 1081 | return 0;
|
---|
| 1082 | }
|
---|
| 1083 |
|
---|
| 1084 | /*
|
---|
| 1085 | * For a given base CRL find a delta... maybe extend to delta scoring or
|
---|
| 1086 | * retrieve a chain of deltas...
|
---|
| 1087 | */
|
---|
| 1088 |
|
---|
| 1089 | static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
|
---|
| 1090 | X509_CRL *base, STACK_OF(X509_CRL) *crls)
|
---|
| 1091 | {
|
---|
| 1092 | X509_CRL *delta;
|
---|
| 1093 | int i;
|
---|
| 1094 | if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
|
---|
| 1095 | return;
|
---|
| 1096 | if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
|
---|
| 1097 | return;
|
---|
| 1098 | for (i = 0; i < sk_X509_CRL_num(crls); i++) {
|
---|
| 1099 | delta = sk_X509_CRL_value(crls, i);
|
---|
| 1100 | if (check_delta_base(delta, base)) {
|
---|
| 1101 | if (check_crl_time(ctx, delta, 0))
|
---|
| 1102 | *pscore |= CRL_SCORE_TIME_DELTA;
|
---|
| 1103 | X509_CRL_up_ref(delta);
|
---|
| 1104 | *dcrl = delta;
|
---|
| 1105 | return;
|
---|
| 1106 | }
|
---|
| 1107 | }
|
---|
| 1108 | *dcrl = NULL;
|
---|
| 1109 | }
|
---|
| 1110 |
|
---|
| 1111 | /*
|
---|
| 1112 | * For a given CRL return how suitable it is for the supplied certificate
|
---|
| 1113 | * 'x'. The return value is a mask of several criteria. If the issuer is not
|
---|
| 1114 | * the certificate issuer this is returned in *pissuer. The reasons mask is
|
---|
| 1115 | * also used to determine if the CRL is suitable: if no new reasons the CRL
|
---|
| 1116 | * is rejected, otherwise reasons is updated.
|
---|
| 1117 | */
|
---|
| 1118 |
|
---|
| 1119 | static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
|
---|
| 1120 | unsigned int *preasons, X509_CRL *crl, X509 *x)
|
---|
| 1121 | {
|
---|
| 1122 |
|
---|
| 1123 | int crl_score = 0;
|
---|
| 1124 | unsigned int tmp_reasons = *preasons, crl_reasons;
|
---|
| 1125 |
|
---|
| 1126 | /* First see if we can reject CRL straight away */
|
---|
| 1127 |
|
---|
| 1128 | /* Invalid IDP cannot be processed */
|
---|
| 1129 | if (crl->idp_flags & IDP_INVALID)
|
---|
| 1130 | return 0;
|
---|
| 1131 | /* Reason codes or indirect CRLs need extended CRL support */
|
---|
| 1132 | if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
|
---|
| 1133 | if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
|
---|
| 1134 | return 0;
|
---|
| 1135 | } else if (crl->idp_flags & IDP_REASONS) {
|
---|
| 1136 | /* If no new reasons reject */
|
---|
| 1137 | if (!(crl->idp_reasons & ~tmp_reasons))
|
---|
| 1138 | return 0;
|
---|
| 1139 | }
|
---|
| 1140 | /* Don't process deltas at this stage */
|
---|
| 1141 | else if (crl->base_crl_number)
|
---|
| 1142 | return 0;
|
---|
| 1143 | /* If issuer name doesn't match certificate need indirect CRL */
|
---|
| 1144 | if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
|
---|
| 1145 | if (!(crl->idp_flags & IDP_INDIRECT))
|
---|
| 1146 | return 0;
|
---|
| 1147 | } else
|
---|
| 1148 | crl_score |= CRL_SCORE_ISSUER_NAME;
|
---|
| 1149 |
|
---|
| 1150 | if (!(crl->flags & EXFLAG_CRITICAL))
|
---|
| 1151 | crl_score |= CRL_SCORE_NOCRITICAL;
|
---|
| 1152 |
|
---|
| 1153 | /* Check expiry */
|
---|
| 1154 | if (check_crl_time(ctx, crl, 0))
|
---|
| 1155 | crl_score |= CRL_SCORE_TIME;
|
---|
| 1156 |
|
---|
| 1157 | /* Check authority key ID and locate certificate issuer */
|
---|
| 1158 | crl_akid_check(ctx, crl, pissuer, &crl_score);
|
---|
| 1159 |
|
---|
| 1160 | /* If we can't locate certificate issuer at this point forget it */
|
---|
| 1161 |
|
---|
| 1162 | if (!(crl_score & CRL_SCORE_AKID))
|
---|
| 1163 | return 0;
|
---|
| 1164 |
|
---|
| 1165 | /* Check cert for matching CRL distribution points */
|
---|
| 1166 |
|
---|
| 1167 | if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
|
---|
| 1168 | /* If no new reasons reject */
|
---|
| 1169 | if (!(crl_reasons & ~tmp_reasons))
|
---|
| 1170 | return 0;
|
---|
| 1171 | tmp_reasons |= crl_reasons;
|
---|
| 1172 | crl_score |= CRL_SCORE_SCOPE;
|
---|
| 1173 | }
|
---|
| 1174 |
|
---|
| 1175 | *preasons = tmp_reasons;
|
---|
| 1176 |
|
---|
| 1177 | return crl_score;
|
---|
| 1178 |
|
---|
| 1179 | }
|
---|
| 1180 |
|
---|
| 1181 | static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
|
---|
| 1182 | X509 **pissuer, int *pcrl_score)
|
---|
| 1183 | {
|
---|
| 1184 | X509 *crl_issuer = NULL;
|
---|
| 1185 | X509_NAME *cnm = X509_CRL_get_issuer(crl);
|
---|
| 1186 | int cidx = ctx->error_depth;
|
---|
| 1187 | int i;
|
---|
| 1188 |
|
---|
| 1189 | if (cidx != sk_X509_num(ctx->chain) - 1)
|
---|
| 1190 | cidx++;
|
---|
| 1191 |
|
---|
| 1192 | crl_issuer = sk_X509_value(ctx->chain, cidx);
|
---|
| 1193 |
|
---|
| 1194 | if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
---|
| 1195 | if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
|
---|
| 1196 | *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
|
---|
| 1197 | *pissuer = crl_issuer;
|
---|
| 1198 | return;
|
---|
| 1199 | }
|
---|
| 1200 | }
|
---|
| 1201 |
|
---|
| 1202 | for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) {
|
---|
| 1203 | crl_issuer = sk_X509_value(ctx->chain, cidx);
|
---|
| 1204 | if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
|
---|
| 1205 | continue;
|
---|
| 1206 | if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
---|
| 1207 | *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
|
---|
| 1208 | *pissuer = crl_issuer;
|
---|
| 1209 | return;
|
---|
| 1210 | }
|
---|
| 1211 | }
|
---|
| 1212 |
|
---|
| 1213 | /* Anything else needs extended CRL support */
|
---|
| 1214 |
|
---|
| 1215 | if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
|
---|
| 1216 | return;
|
---|
| 1217 |
|
---|
| 1218 | /*
|
---|
| 1219 | * Otherwise the CRL issuer is not on the path. Look for it in the set of
|
---|
| 1220 | * untrusted certificates.
|
---|
| 1221 | */
|
---|
| 1222 | for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
|
---|
| 1223 | crl_issuer = sk_X509_value(ctx->untrusted, i);
|
---|
| 1224 | if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
|
---|
| 1225 | continue;
|
---|
| 1226 | if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
---|
| 1227 | *pissuer = crl_issuer;
|
---|
| 1228 | *pcrl_score |= CRL_SCORE_AKID;
|
---|
| 1229 | return;
|
---|
| 1230 | }
|
---|
| 1231 | }
|
---|
| 1232 | }
|
---|
| 1233 |
|
---|
| 1234 | /*
|
---|
| 1235 | * Check the path of a CRL issuer certificate. This creates a new
|
---|
| 1236 | * X509_STORE_CTX and populates it with most of the parameters from the
|
---|
| 1237 | * parent. This could be optimised somewhat since a lot of path checking will
|
---|
| 1238 | * be duplicated by the parent, but this will rarely be used in practice.
|
---|
| 1239 | */
|
---|
| 1240 |
|
---|
| 1241 | static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
|
---|
| 1242 | {
|
---|
| 1243 | X509_STORE_CTX crl_ctx;
|
---|
| 1244 | int ret;
|
---|
| 1245 |
|
---|
| 1246 | /* Don't allow recursive CRL path validation */
|
---|
| 1247 | if (ctx->parent)
|
---|
| 1248 | return 0;
|
---|
| 1249 | if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
|
---|
| 1250 | return -1;
|
---|
| 1251 |
|
---|
| 1252 | crl_ctx.crls = ctx->crls;
|
---|
| 1253 | /* Copy verify params across */
|
---|
| 1254 | X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
|
---|
| 1255 |
|
---|
| 1256 | crl_ctx.parent = ctx;
|
---|
| 1257 | crl_ctx.verify_cb = ctx->verify_cb;
|
---|
| 1258 |
|
---|
| 1259 | /* Verify CRL issuer */
|
---|
| 1260 | ret = X509_verify_cert(&crl_ctx);
|
---|
| 1261 | if (ret <= 0)
|
---|
| 1262 | goto err;
|
---|
| 1263 |
|
---|
| 1264 | /* Check chain is acceptable */
|
---|
| 1265 | ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
|
---|
| 1266 | err:
|
---|
| 1267 | X509_STORE_CTX_cleanup(&crl_ctx);
|
---|
| 1268 | return ret;
|
---|
| 1269 | }
|
---|
| 1270 |
|
---|
| 1271 | /*
|
---|
| 1272 | * RFC3280 says nothing about the relationship between CRL path and
|
---|
| 1273 | * certificate path, which could lead to situations where a certificate could
|
---|
| 1274 | * be revoked or validated by a CA not authorised to do so. RFC5280 is more
|
---|
| 1275 | * strict and states that the two paths must end in the same trust anchor,
|
---|
| 1276 | * though some discussions remain... until this is resolved we use the
|
---|
| 1277 | * RFC5280 version
|
---|
| 1278 | */
|
---|
| 1279 |
|
---|
| 1280 | static int check_crl_chain(X509_STORE_CTX *ctx,
|
---|
| 1281 | STACK_OF(X509) *cert_path,
|
---|
| 1282 | STACK_OF(X509) *crl_path)
|
---|
| 1283 | {
|
---|
| 1284 | X509 *cert_ta, *crl_ta;
|
---|
| 1285 | cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
|
---|
| 1286 | crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
|
---|
| 1287 | if (!X509_cmp(cert_ta, crl_ta))
|
---|
| 1288 | return 1;
|
---|
| 1289 | return 0;
|
---|
| 1290 | }
|
---|
| 1291 |
|
---|
| 1292 | /*-
|
---|
| 1293 | * Check for match between two dist point names: three separate cases.
|
---|
| 1294 | * 1. Both are relative names and compare X509_NAME types.
|
---|
| 1295 | * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
|
---|
| 1296 | * 3. Both are full names and compare two GENERAL_NAMES.
|
---|
| 1297 | * 4. One is NULL: automatic match.
|
---|
| 1298 | */
|
---|
| 1299 |
|
---|
| 1300 | static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
|
---|
| 1301 | {
|
---|
| 1302 | X509_NAME *nm = NULL;
|
---|
| 1303 | GENERAL_NAMES *gens = NULL;
|
---|
| 1304 | GENERAL_NAME *gena, *genb;
|
---|
| 1305 | int i, j;
|
---|
| 1306 | if (!a || !b)
|
---|
| 1307 | return 1;
|
---|
| 1308 | if (a->type == 1) {
|
---|
| 1309 | if (!a->dpname)
|
---|
| 1310 | return 0;
|
---|
| 1311 | /* Case 1: two X509_NAME */
|
---|
| 1312 | if (b->type == 1) {
|
---|
| 1313 | if (!b->dpname)
|
---|
| 1314 | return 0;
|
---|
| 1315 | if (!X509_NAME_cmp(a->dpname, b->dpname))
|
---|
| 1316 | return 1;
|
---|
| 1317 | else
|
---|
| 1318 | return 0;
|
---|
| 1319 | }
|
---|
| 1320 | /* Case 2: set name and GENERAL_NAMES appropriately */
|
---|
| 1321 | nm = a->dpname;
|
---|
| 1322 | gens = b->name.fullname;
|
---|
| 1323 | } else if (b->type == 1) {
|
---|
| 1324 | if (!b->dpname)
|
---|
| 1325 | return 0;
|
---|
| 1326 | /* Case 2: set name and GENERAL_NAMES appropriately */
|
---|
| 1327 | gens = a->name.fullname;
|
---|
| 1328 | nm = b->dpname;
|
---|
| 1329 | }
|
---|
| 1330 |
|
---|
| 1331 | /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
|
---|
| 1332 | if (nm) {
|
---|
| 1333 | for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
---|
| 1334 | gena = sk_GENERAL_NAME_value(gens, i);
|
---|
| 1335 | if (gena->type != GEN_DIRNAME)
|
---|
| 1336 | continue;
|
---|
| 1337 | if (!X509_NAME_cmp(nm, gena->d.directoryName))
|
---|
| 1338 | return 1;
|
---|
| 1339 | }
|
---|
| 1340 | return 0;
|
---|
| 1341 | }
|
---|
| 1342 |
|
---|
| 1343 | /* Else case 3: two GENERAL_NAMES */
|
---|
| 1344 |
|
---|
| 1345 | for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
|
---|
| 1346 | gena = sk_GENERAL_NAME_value(a->name.fullname, i);
|
---|
| 1347 | for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
|
---|
| 1348 | genb = sk_GENERAL_NAME_value(b->name.fullname, j);
|
---|
| 1349 | if (!GENERAL_NAME_cmp(gena, genb))
|
---|
| 1350 | return 1;
|
---|
| 1351 | }
|
---|
| 1352 | }
|
---|
| 1353 |
|
---|
| 1354 | return 0;
|
---|
| 1355 |
|
---|
| 1356 | }
|
---|
| 1357 |
|
---|
| 1358 | static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
|
---|
| 1359 | {
|
---|
| 1360 | int i;
|
---|
| 1361 | X509_NAME *nm = X509_CRL_get_issuer(crl);
|
---|
| 1362 | /* If no CRLissuer return is successful iff don't need a match */
|
---|
| 1363 | if (!dp->CRLissuer)
|
---|
| 1364 | return ! !(crl_score & CRL_SCORE_ISSUER_NAME);
|
---|
| 1365 | for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
|
---|
| 1366 | GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
|
---|
| 1367 | if (gen->type != GEN_DIRNAME)
|
---|
| 1368 | continue;
|
---|
| 1369 | if (!X509_NAME_cmp(gen->d.directoryName, nm))
|
---|
| 1370 | return 1;
|
---|
| 1371 | }
|
---|
| 1372 | return 0;
|
---|
| 1373 | }
|
---|
| 1374 |
|
---|
| 1375 | /* Check CRLDP and IDP */
|
---|
| 1376 |
|
---|
| 1377 | static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
|
---|
| 1378 | unsigned int *preasons)
|
---|
| 1379 | {
|
---|
| 1380 | int i;
|
---|
| 1381 | if (crl->idp_flags & IDP_ONLYATTR)
|
---|
| 1382 | return 0;
|
---|
| 1383 | if (x->ex_flags & EXFLAG_CA) {
|
---|
| 1384 | if (crl->idp_flags & IDP_ONLYUSER)
|
---|
| 1385 | return 0;
|
---|
| 1386 | } else {
|
---|
| 1387 | if (crl->idp_flags & IDP_ONLYCA)
|
---|
| 1388 | return 0;
|
---|
| 1389 | }
|
---|
| 1390 | *preasons = crl->idp_reasons;
|
---|
| 1391 | for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
|
---|
| 1392 | DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
|
---|
| 1393 | if (crldp_check_crlissuer(dp, crl, crl_score)) {
|
---|
| 1394 | if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
|
---|
| 1395 | *preasons &= dp->dp_reasons;
|
---|
| 1396 | return 1;
|
---|
| 1397 | }
|
---|
| 1398 | }
|
---|
| 1399 | }
|
---|
| 1400 | if ((!crl->idp || !crl->idp->distpoint)
|
---|
| 1401 | && (crl_score & CRL_SCORE_ISSUER_NAME))
|
---|
| 1402 | return 1;
|
---|
| 1403 | return 0;
|
---|
| 1404 | }
|
---|
| 1405 |
|
---|
| 1406 | /*
|
---|
| 1407 | * Retrieve CRL corresponding to current certificate. If deltas enabled try
|
---|
| 1408 | * to find a delta CRL too
|
---|
| 1409 | */
|
---|
| 1410 |
|
---|
| 1411 | static int get_crl_delta(X509_STORE_CTX *ctx,
|
---|
| 1412 | X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
|
---|
| 1413 | {
|
---|
| 1414 | int ok;
|
---|
| 1415 | X509 *issuer = NULL;
|
---|
| 1416 | int crl_score = 0;
|
---|
| 1417 | unsigned int reasons;
|
---|
| 1418 | X509_CRL *crl = NULL, *dcrl = NULL;
|
---|
| 1419 | STACK_OF(X509_CRL) *skcrl;
|
---|
| 1420 | X509_NAME *nm = X509_get_issuer_name(x);
|
---|
| 1421 |
|
---|
| 1422 | reasons = ctx->current_reasons;
|
---|
| 1423 | ok = get_crl_sk(ctx, &crl, &dcrl,
|
---|
| 1424 | &issuer, &crl_score, &reasons, ctx->crls);
|
---|
| 1425 | if (ok)
|
---|
| 1426 | goto done;
|
---|
| 1427 |
|
---|
| 1428 | /* Lookup CRLs from store */
|
---|
| 1429 |
|
---|
| 1430 | skcrl = ctx->lookup_crls(ctx, nm);
|
---|
| 1431 |
|
---|
| 1432 | /* If no CRLs found and a near match from get_crl_sk use that */
|
---|
| 1433 | if (!skcrl && crl)
|
---|
| 1434 | goto done;
|
---|
| 1435 |
|
---|
| 1436 | get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
|
---|
| 1437 |
|
---|
| 1438 | sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
|
---|
| 1439 |
|
---|
| 1440 | done:
|
---|
| 1441 | /* If we got any kind of CRL use it and return success */
|
---|
| 1442 | if (crl) {
|
---|
| 1443 | ctx->current_issuer = issuer;
|
---|
| 1444 | ctx->current_crl_score = crl_score;
|
---|
| 1445 | ctx->current_reasons = reasons;
|
---|
| 1446 | *pcrl = crl;
|
---|
| 1447 | *pdcrl = dcrl;
|
---|
| 1448 | return 1;
|
---|
| 1449 | }
|
---|
| 1450 | return 0;
|
---|
| 1451 | }
|
---|
| 1452 |
|
---|
| 1453 | /* Check CRL validity */
|
---|
| 1454 | static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
|
---|
| 1455 | {
|
---|
| 1456 | X509 *issuer = NULL;
|
---|
| 1457 | EVP_PKEY *ikey = NULL;
|
---|
| 1458 | int cnum = ctx->error_depth;
|
---|
| 1459 | int chnum = sk_X509_num(ctx->chain) - 1;
|
---|
| 1460 |
|
---|
| 1461 | /* if we have an alternative CRL issuer cert use that */
|
---|
| 1462 | if (ctx->current_issuer)
|
---|
| 1463 | issuer = ctx->current_issuer;
|
---|
| 1464 | /*
|
---|
| 1465 | * Else find CRL issuer: if not last certificate then issuer is next
|
---|
| 1466 | * certificate in chain.
|
---|
| 1467 | */
|
---|
| 1468 | else if (cnum < chnum)
|
---|
| 1469 | issuer = sk_X509_value(ctx->chain, cnum + 1);
|
---|
| 1470 | else {
|
---|
| 1471 | issuer = sk_X509_value(ctx->chain, chnum);
|
---|
| 1472 | /* If not self signed, can't check signature */
|
---|
| 1473 | if (!ctx->check_issued(ctx, issuer, issuer) &&
|
---|
| 1474 | !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER))
|
---|
| 1475 | return 0;
|
---|
| 1476 | }
|
---|
| 1477 |
|
---|
| 1478 | if (issuer == NULL)
|
---|
| 1479 | return 1;
|
---|
| 1480 |
|
---|
| 1481 | /*
|
---|
| 1482 | * Skip most tests for deltas because they have already been done
|
---|
| 1483 | */
|
---|
| 1484 | if (!crl->base_crl_number) {
|
---|
| 1485 | /* Check for cRLSign bit if keyUsage present */
|
---|
| 1486 | if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
|
---|
| 1487 | !(issuer->ex_kusage & KU_CRL_SIGN) &&
|
---|
| 1488 | !verify_cb_crl(ctx, X509_V_ERR_KEYUSAGE_NO_CRL_SIGN))
|
---|
| 1489 | return 0;
|
---|
| 1490 |
|
---|
| 1491 | if (!(ctx->current_crl_score & CRL_SCORE_SCOPE) &&
|
---|
| 1492 | !verify_cb_crl(ctx, X509_V_ERR_DIFFERENT_CRL_SCOPE))
|
---|
| 1493 | return 0;
|
---|
| 1494 |
|
---|
| 1495 | if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH) &&
|
---|
| 1496 | check_crl_path(ctx, ctx->current_issuer) <= 0 &&
|
---|
| 1497 | !verify_cb_crl(ctx, X509_V_ERR_CRL_PATH_VALIDATION_ERROR))
|
---|
| 1498 | return 0;
|
---|
| 1499 |
|
---|
| 1500 | if ((crl->idp_flags & IDP_INVALID) &&
|
---|
| 1501 | !verify_cb_crl(ctx, X509_V_ERR_INVALID_EXTENSION))
|
---|
| 1502 | return 0;
|
---|
| 1503 | }
|
---|
| 1504 |
|
---|
| 1505 | if (!(ctx->current_crl_score & CRL_SCORE_TIME) &&
|
---|
| 1506 | !check_crl_time(ctx, crl, 1))
|
---|
| 1507 | return 0;
|
---|
| 1508 |
|
---|
| 1509 | /* Attempt to get issuer certificate public key */
|
---|
| 1510 | ikey = X509_get0_pubkey(issuer);
|
---|
| 1511 |
|
---|
| 1512 | if (!ikey &&
|
---|
| 1513 | !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
|
---|
| 1514 | return 0;
|
---|
| 1515 |
|
---|
| 1516 | if (ikey) {
|
---|
| 1517 | int rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
|
---|
| 1518 |
|
---|
| 1519 | if (rv != X509_V_OK && !verify_cb_crl(ctx, rv))
|
---|
| 1520 | return 0;
|
---|
| 1521 | /* Verify CRL signature */
|
---|
| 1522 | if (X509_CRL_verify(crl, ikey) <= 0 &&
|
---|
| 1523 | !verify_cb_crl(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE))
|
---|
| 1524 | return 0;
|
---|
| 1525 | }
|
---|
| 1526 | return 1;
|
---|
| 1527 | }
|
---|
| 1528 |
|
---|
| 1529 | /* Check certificate against CRL */
|
---|
| 1530 | static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
|
---|
| 1531 | {
|
---|
| 1532 | X509_REVOKED *rev;
|
---|
| 1533 |
|
---|
| 1534 | /*
|
---|
| 1535 | * The rules changed for this... previously if a CRL contained unhandled
|
---|
| 1536 | * critical extensions it could still be used to indicate a certificate
|
---|
| 1537 | * was revoked. This has since been changed since critical extensions can
|
---|
| 1538 | * change the meaning of CRL entries.
|
---|
| 1539 | */
|
---|
| 1540 | if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
|
---|
| 1541 | && (crl->flags & EXFLAG_CRITICAL) &&
|
---|
| 1542 | !verify_cb_crl(ctx, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION))
|
---|
| 1543 | return 0;
|
---|
| 1544 | /*
|
---|
| 1545 | * Look for serial number of certificate in CRL. If found, make sure
|
---|
| 1546 | * reason is not removeFromCRL.
|
---|
| 1547 | */
|
---|
| 1548 | if (X509_CRL_get0_by_cert(crl, &rev, x)) {
|
---|
| 1549 | if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
|
---|
| 1550 | return 2;
|
---|
| 1551 | if (!verify_cb_crl(ctx, X509_V_ERR_CERT_REVOKED))
|
---|
| 1552 | return 0;
|
---|
| 1553 | }
|
---|
| 1554 |
|
---|
| 1555 | return 1;
|
---|
| 1556 | }
|
---|
| 1557 |
|
---|
| 1558 | static int check_policy(X509_STORE_CTX *ctx)
|
---|
| 1559 | {
|
---|
| 1560 | int ret;
|
---|
| 1561 |
|
---|
| 1562 | if (ctx->parent)
|
---|
| 1563 | return 1;
|
---|
| 1564 | /*
|
---|
| 1565 | * With DANE, the trust anchor might be a bare public key, not a
|
---|
| 1566 | * certificate! In that case our chain does not have the trust anchor
|
---|
| 1567 | * certificate as a top-most element. This comports well with RFC5280
|
---|
| 1568 | * chain verification, since there too, the trust anchor is not part of the
|
---|
| 1569 | * chain to be verified. In particular, X509_policy_check() does not look
|
---|
| 1570 | * at the TA cert, but assumes that it is present as the top-most chain
|
---|
| 1571 | * element. We therefore temporarily push a NULL cert onto the chain if it
|
---|
| 1572 | * was verified via a bare public key, and pop it off right after the
|
---|
| 1573 | * X509_policy_check() call.
|
---|
| 1574 | */
|
---|
| 1575 | if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL)) {
|
---|
| 1576 | X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
|
---|
| 1577 | ctx->error = X509_V_ERR_OUT_OF_MEM;
|
---|
| 1578 | return 0;
|
---|
| 1579 | }
|
---|
| 1580 | ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
|
---|
| 1581 | ctx->param->policies, ctx->param->flags);
|
---|
| 1582 | if (ctx->bare_ta_signed)
|
---|
| 1583 | sk_X509_pop(ctx->chain);
|
---|
| 1584 |
|
---|
| 1585 | if (ret == X509_PCY_TREE_INTERNAL) {
|
---|
| 1586 | X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
|
---|
| 1587 | ctx->error = X509_V_ERR_OUT_OF_MEM;
|
---|
| 1588 | return 0;
|
---|
| 1589 | }
|
---|
| 1590 | /* Invalid or inconsistent extensions */
|
---|
| 1591 | if (ret == X509_PCY_TREE_INVALID) {
|
---|
| 1592 | int i;
|
---|
| 1593 |
|
---|
| 1594 | /* Locate certificates with bad extensions and notify callback. */
|
---|
| 1595 | for (i = 1; i < sk_X509_num(ctx->chain); i++) {
|
---|
| 1596 | X509 *x = sk_X509_value(ctx->chain, i);
|
---|
| 1597 |
|
---|
| 1598 | if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
|
---|
| 1599 | continue;
|
---|
| 1600 | if (!verify_cb_cert(ctx, x, i,
|
---|
| 1601 | X509_V_ERR_INVALID_POLICY_EXTENSION))
|
---|
| 1602 | return 0;
|
---|
| 1603 | }
|
---|
| 1604 | return 1;
|
---|
| 1605 | }
|
---|
| 1606 | if (ret == X509_PCY_TREE_FAILURE) {
|
---|
| 1607 | ctx->current_cert = NULL;
|
---|
| 1608 | ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
|
---|
| 1609 | return ctx->verify_cb(0, ctx);
|
---|
| 1610 | }
|
---|
| 1611 | if (ret != X509_PCY_TREE_VALID) {
|
---|
| 1612 | X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
|
---|
| 1613 | return 0;
|
---|
| 1614 | }
|
---|
| 1615 |
|
---|
| 1616 | if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
|
---|
| 1617 | ctx->current_cert = NULL;
|
---|
| 1618 | /*
|
---|
| 1619 | * Verification errors need to be "sticky", a callback may have allowed
|
---|
| 1620 | * an SSL handshake to continue despite an error, and we must then
|
---|
| 1621 | * remain in an error state. Therefore, we MUST NOT clear earlier
|
---|
| 1622 | * verification errors by setting the error to X509_V_OK.
|
---|
| 1623 | */
|
---|
| 1624 | if (!ctx->verify_cb(2, ctx))
|
---|
| 1625 | return 0;
|
---|
| 1626 | }
|
---|
| 1627 |
|
---|
| 1628 | return 1;
|
---|
| 1629 | }
|
---|
| 1630 |
|
---|
| 1631 | /*-
|
---|
| 1632 | * Check certificate validity times.
|
---|
| 1633 | * If depth >= 0, invoke verification callbacks on error, otherwise just return
|
---|
| 1634 | * the validation status.
|
---|
| 1635 | *
|
---|
| 1636 | * Return 1 on success, 0 otherwise.
|
---|
| 1637 | */
|
---|
| 1638 | int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
|
---|
| 1639 | {
|
---|
| 1640 | time_t *ptime;
|
---|
| 1641 | int i;
|
---|
| 1642 |
|
---|
| 1643 | if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
|
---|
| 1644 | ptime = &ctx->param->check_time;
|
---|
| 1645 | else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
|
---|
| 1646 | return 1;
|
---|
| 1647 | else
|
---|
| 1648 | ptime = NULL;
|
---|
| 1649 |
|
---|
| 1650 | i = X509_cmp_time(X509_get0_notBefore(x), ptime);
|
---|
| 1651 | if (i >= 0 && depth < 0)
|
---|
| 1652 | return 0;
|
---|
| 1653 | if (i == 0 && !verify_cb_cert(ctx, x, depth,
|
---|
| 1654 | X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD))
|
---|
| 1655 | return 0;
|
---|
| 1656 | if (i > 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID))
|
---|
| 1657 | return 0;
|
---|
| 1658 |
|
---|
| 1659 | i = X509_cmp_time(X509_get0_notAfter(x), ptime);
|
---|
| 1660 | if (i <= 0 && depth < 0)
|
---|
| 1661 | return 0;
|
---|
| 1662 | if (i == 0 && !verify_cb_cert(ctx, x, depth,
|
---|
| 1663 | X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD))
|
---|
| 1664 | return 0;
|
---|
| 1665 | if (i < 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_HAS_EXPIRED))
|
---|
| 1666 | return 0;
|
---|
| 1667 | return 1;
|
---|
| 1668 | }
|
---|
| 1669 |
|
---|
| 1670 | static int internal_verify(X509_STORE_CTX *ctx)
|
---|
| 1671 | {
|
---|
| 1672 | int n = sk_X509_num(ctx->chain) - 1;
|
---|
| 1673 | X509 *xi = sk_X509_value(ctx->chain, n);
|
---|
| 1674 | X509 *xs;
|
---|
| 1675 |
|
---|
| 1676 | /*
|
---|
| 1677 | * With DANE-verified bare public key TA signatures, it remains only to
|
---|
| 1678 | * check the timestamps of the top certificate. We report the issuer as
|
---|
| 1679 | * NULL, since all we have is a bare key.
|
---|
| 1680 | */
|
---|
| 1681 | if (ctx->bare_ta_signed) {
|
---|
| 1682 | xs = xi;
|
---|
| 1683 | xi = NULL;
|
---|
| 1684 | goto check_cert;
|
---|
| 1685 | }
|
---|
| 1686 |
|
---|
| 1687 | if (ctx->check_issued(ctx, xi, xi))
|
---|
| 1688 | xs = xi;
|
---|
| 1689 | else {
|
---|
| 1690 | if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
|
---|
| 1691 | xs = xi;
|
---|
| 1692 | goto check_cert;
|
---|
| 1693 | }
|
---|
| 1694 | if (n <= 0)
|
---|
| 1695 | return verify_cb_cert(ctx, xi, 0,
|
---|
| 1696 | X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);
|
---|
| 1697 | n--;
|
---|
| 1698 | ctx->error_depth = n;
|
---|
| 1699 | xs = sk_X509_value(ctx->chain, n);
|
---|
| 1700 | }
|
---|
| 1701 |
|
---|
| 1702 | /*
|
---|
| 1703 | * Do not clear ctx->error=0, it must be "sticky", only the user's callback
|
---|
| 1704 | * is allowed to reset errors (at its own peril).
|
---|
| 1705 | */
|
---|
| 1706 | while (n >= 0) {
|
---|
| 1707 | EVP_PKEY *pkey;
|
---|
| 1708 |
|
---|
| 1709 | /*
|
---|
| 1710 | * Skip signature check for self signed certificates unless explicitly
|
---|
| 1711 | * asked for. It doesn't add any security and just wastes time. If
|
---|
| 1712 | * the issuer's public key is unusable, report the issuer certificate
|
---|
| 1713 | * and its depth (rather than the depth of the subject).
|
---|
| 1714 | */
|
---|
| 1715 | if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
|
---|
| 1716 | if ((pkey = X509_get0_pubkey(xi)) == NULL) {
|
---|
| 1717 | if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
|
---|
| 1718 | X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
|
---|
| 1719 | return 0;
|
---|
| 1720 | } else if (X509_verify(xs, pkey) <= 0) {
|
---|
| 1721 | if (!verify_cb_cert(ctx, xs, n,
|
---|
| 1722 | X509_V_ERR_CERT_SIGNATURE_FAILURE))
|
---|
| 1723 | return 0;
|
---|
| 1724 | }
|
---|
| 1725 | }
|
---|
| 1726 |
|
---|
| 1727 | check_cert:
|
---|
| 1728 | /* Calls verify callback as needed */
|
---|
| 1729 | if (!x509_check_cert_time(ctx, xs, n))
|
---|
| 1730 | return 0;
|
---|
| 1731 |
|
---|
| 1732 | /*
|
---|
| 1733 | * Signal success at this depth. However, the previous error (if any)
|
---|
| 1734 | * is retained.
|
---|
| 1735 | */
|
---|
| 1736 | ctx->current_issuer = xi;
|
---|
| 1737 | ctx->current_cert = xs;
|
---|
| 1738 | ctx->error_depth = n;
|
---|
| 1739 | if (!ctx->verify_cb(1, ctx))
|
---|
| 1740 | return 0;
|
---|
| 1741 |
|
---|
| 1742 | if (--n >= 0) {
|
---|
| 1743 | xi = xs;
|
---|
| 1744 | xs = sk_X509_value(ctx->chain, n);
|
---|
| 1745 | }
|
---|
| 1746 | }
|
---|
| 1747 | return 1;
|
---|
| 1748 | }
|
---|
| 1749 |
|
---|
| 1750 | int X509_cmp_current_time(const ASN1_TIME *ctm)
|
---|
| 1751 | {
|
---|
| 1752 | return X509_cmp_time(ctm, NULL);
|
---|
| 1753 | }
|
---|
| 1754 |
|
---|
| 1755 | int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
|
---|
| 1756 | {
|
---|
| 1757 | char *str;
|
---|
| 1758 | ASN1_TIME atm;
|
---|
| 1759 | long offset;
|
---|
| 1760 | char buff1[24], buff2[24], *p;
|
---|
| 1761 | int i, j, remaining;
|
---|
| 1762 |
|
---|
| 1763 | p = buff1;
|
---|
| 1764 | remaining = ctm->length;
|
---|
| 1765 | str = (char *)ctm->data;
|
---|
| 1766 | /*
|
---|
| 1767 | * Note that the following (historical) code allows much more slack in the
|
---|
| 1768 | * time format than RFC5280. In RFC5280, the representation is fixed:
|
---|
| 1769 | * UTCTime: YYMMDDHHMMSSZ
|
---|
| 1770 | * GeneralizedTime: YYYYMMDDHHMMSSZ
|
---|
| 1771 | */
|
---|
| 1772 | if (ctm->type == V_ASN1_UTCTIME) {
|
---|
| 1773 | /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */
|
---|
| 1774 | int min_length = sizeof("YYMMDDHHMMZ") - 1;
|
---|
| 1775 | int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1;
|
---|
| 1776 | if (remaining < min_length || remaining > max_length)
|
---|
| 1777 | return 0;
|
---|
| 1778 | memcpy(p, str, 10);
|
---|
| 1779 | p += 10;
|
---|
| 1780 | str += 10;
|
---|
| 1781 | remaining -= 10;
|
---|
| 1782 | } else {
|
---|
| 1783 | /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */
|
---|
| 1784 | int min_length = sizeof("YYYYMMDDHHMMZ") - 1;
|
---|
| 1785 | int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1;
|
---|
| 1786 | if (remaining < min_length || remaining > max_length)
|
---|
| 1787 | return 0;
|
---|
| 1788 | memcpy(p, str, 12);
|
---|
| 1789 | p += 12;
|
---|
| 1790 | str += 12;
|
---|
| 1791 | remaining -= 12;
|
---|
| 1792 | }
|
---|
| 1793 |
|
---|
| 1794 | if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
|
---|
| 1795 | *(p++) = '0';
|
---|
| 1796 | *(p++) = '0';
|
---|
| 1797 | } else {
|
---|
| 1798 | /* SS (seconds) */
|
---|
| 1799 | if (remaining < 2)
|
---|
| 1800 | return 0;
|
---|
| 1801 | *(p++) = *(str++);
|
---|
| 1802 | *(p++) = *(str++);
|
---|
| 1803 | remaining -= 2;
|
---|
| 1804 | /*
|
---|
| 1805 | * Skip any (up to three) fractional seconds...
|
---|
| 1806 | * TODO(emilia): in RFC5280, fractional seconds are forbidden.
|
---|
| 1807 | * Can we just kill them altogether?
|
---|
| 1808 | */
|
---|
| 1809 | if (remaining && *str == '.') {
|
---|
| 1810 | str++;
|
---|
| 1811 | remaining--;
|
---|
| 1812 | for (i = 0; i < 3 && remaining; i++, str++, remaining--) {
|
---|
| 1813 | if (*str < '0' || *str > '9')
|
---|
| 1814 | break;
|
---|
| 1815 | }
|
---|
| 1816 | }
|
---|
| 1817 |
|
---|
| 1818 | }
|
---|
| 1819 | *(p++) = 'Z';
|
---|
| 1820 | *(p++) = '\0';
|
---|
| 1821 |
|
---|
| 1822 | /* We now need either a terminating 'Z' or an offset. */
|
---|
| 1823 | if (!remaining)
|
---|
| 1824 | return 0;
|
---|
| 1825 | if (*str == 'Z') {
|
---|
| 1826 | if (remaining != 1)
|
---|
| 1827 | return 0;
|
---|
| 1828 | offset = 0;
|
---|
| 1829 | } else {
|
---|
| 1830 | /* (+-)HHMM */
|
---|
| 1831 | if ((*str != '+') && (*str != '-'))
|
---|
| 1832 | return 0;
|
---|
| 1833 | /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */
|
---|
| 1834 | if (remaining != 5)
|
---|
| 1835 | return 0;
|
---|
| 1836 | if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' ||
|
---|
| 1837 | str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9')
|
---|
| 1838 | return 0;
|
---|
| 1839 | offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
|
---|
| 1840 | offset += (str[3] - '0') * 10 + (str[4] - '0');
|
---|
| 1841 | if (*str == '-')
|
---|
| 1842 | offset = -offset;
|
---|
| 1843 | }
|
---|
| 1844 | atm.type = ctm->type;
|
---|
| 1845 | atm.flags = 0;
|
---|
| 1846 | atm.length = sizeof(buff2);
|
---|
| 1847 | atm.data = (unsigned char *)buff2;
|
---|
| 1848 |
|
---|
| 1849 | if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL)
|
---|
| 1850 | return 0;
|
---|
| 1851 |
|
---|
| 1852 | if (ctm->type == V_ASN1_UTCTIME) {
|
---|
| 1853 | i = (buff1[0] - '0') * 10 + (buff1[1] - '0');
|
---|
| 1854 | if (i < 50)
|
---|
| 1855 | i += 100; /* cf. RFC 2459 */
|
---|
| 1856 | j = (buff2[0] - '0') * 10 + (buff2[1] - '0');
|
---|
| 1857 | if (j < 50)
|
---|
| 1858 | j += 100;
|
---|
| 1859 |
|
---|
| 1860 | if (i < j)
|
---|
| 1861 | return -1;
|
---|
| 1862 | if (i > j)
|
---|
| 1863 | return 1;
|
---|
| 1864 | }
|
---|
| 1865 | i = strcmp(buff1, buff2);
|
---|
| 1866 | if (i == 0) /* wait a second then return younger :-) */
|
---|
| 1867 | return -1;
|
---|
| 1868 | else
|
---|
| 1869 | return i;
|
---|
| 1870 | }
|
---|
| 1871 |
|
---|
| 1872 | ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
|
---|
| 1873 | {
|
---|
| 1874 | return X509_time_adj(s, adj, NULL);
|
---|
| 1875 | }
|
---|
| 1876 |
|
---|
| 1877 | ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
|
---|
| 1878 | {
|
---|
| 1879 | return X509_time_adj_ex(s, 0, offset_sec, in_tm);
|
---|
| 1880 | }
|
---|
| 1881 |
|
---|
| 1882 | ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
|
---|
| 1883 | int offset_day, long offset_sec, time_t *in_tm)
|
---|
| 1884 | {
|
---|
| 1885 | time_t t;
|
---|
| 1886 |
|
---|
| 1887 | if (in_tm)
|
---|
| 1888 | t = *in_tm;
|
---|
| 1889 | else
|
---|
| 1890 | time(&t);
|
---|
| 1891 |
|
---|
| 1892 | if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
|
---|
| 1893 | if (s->type == V_ASN1_UTCTIME)
|
---|
| 1894 | return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);
|
---|
| 1895 | if (s->type == V_ASN1_GENERALIZEDTIME)
|
---|
| 1896 | return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);
|
---|
| 1897 | }
|
---|
| 1898 | return ASN1_TIME_adj(s, t, offset_day, offset_sec);
|
---|
| 1899 | }
|
---|
| 1900 |
|
---|
| 1901 | int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
|
---|
| 1902 | {
|
---|
| 1903 | EVP_PKEY *ktmp = NULL, *ktmp2;
|
---|
| 1904 | int i, j;
|
---|
| 1905 |
|
---|
| 1906 | if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))
|
---|
| 1907 | return 1;
|
---|
| 1908 |
|
---|
| 1909 | for (i = 0; i < sk_X509_num(chain); i++) {
|
---|
| 1910 | ktmp = X509_get0_pubkey(sk_X509_value(chain, i));
|
---|
| 1911 | if (ktmp == NULL) {
|
---|
| 1912 | X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
|
---|
| 1913 | X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
|
---|
| 1914 | return 0;
|
---|
| 1915 | }
|
---|
| 1916 | if (!EVP_PKEY_missing_parameters(ktmp))
|
---|
| 1917 | break;
|
---|
| 1918 | }
|
---|
| 1919 | if (ktmp == NULL) {
|
---|
| 1920 | X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
|
---|
| 1921 | X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
|
---|
| 1922 | return 0;
|
---|
| 1923 | }
|
---|
| 1924 |
|
---|
| 1925 | /* first, populate the other certs */
|
---|
| 1926 | for (j = i - 1; j >= 0; j--) {
|
---|
| 1927 | ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j));
|
---|
| 1928 | EVP_PKEY_copy_parameters(ktmp2, ktmp);
|
---|
| 1929 | }
|
---|
| 1930 |
|
---|
| 1931 | if (pkey != NULL)
|
---|
| 1932 | EVP_PKEY_copy_parameters(pkey, ktmp);
|
---|
| 1933 | return 1;
|
---|
| 1934 | }
|
---|
| 1935 |
|
---|
| 1936 | /* Make a delta CRL as the diff between two full CRLs */
|
---|
| 1937 |
|
---|
| 1938 | X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
|
---|
| 1939 | EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
|
---|
| 1940 | {
|
---|
| 1941 | X509_CRL *crl = NULL;
|
---|
| 1942 | int i;
|
---|
| 1943 | STACK_OF(X509_REVOKED) *revs = NULL;
|
---|
| 1944 | /* CRLs can't be delta already */
|
---|
| 1945 | if (base->base_crl_number || newer->base_crl_number) {
|
---|
| 1946 | X509err(X509_F_X509_CRL_DIFF, X509_R_CRL_ALREADY_DELTA);
|
---|
| 1947 | return NULL;
|
---|
| 1948 | }
|
---|
| 1949 | /* Base and new CRL must have a CRL number */
|
---|
| 1950 | if (!base->crl_number || !newer->crl_number) {
|
---|
| 1951 | X509err(X509_F_X509_CRL_DIFF, X509_R_NO_CRL_NUMBER);
|
---|
| 1952 | return NULL;
|
---|
| 1953 | }
|
---|
| 1954 | /* Issuer names must match */
|
---|
| 1955 | if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
|
---|
| 1956 | X509err(X509_F_X509_CRL_DIFF, X509_R_ISSUER_MISMATCH);
|
---|
| 1957 | return NULL;
|
---|
| 1958 | }
|
---|
| 1959 | /* AKID and IDP must match */
|
---|
| 1960 | if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
|
---|
| 1961 | X509err(X509_F_X509_CRL_DIFF, X509_R_AKID_MISMATCH);
|
---|
| 1962 | return NULL;
|
---|
| 1963 | }
|
---|
| 1964 | if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
|
---|
| 1965 | X509err(X509_F_X509_CRL_DIFF, X509_R_IDP_MISMATCH);
|
---|
| 1966 | return NULL;
|
---|
| 1967 | }
|
---|
| 1968 | /* Newer CRL number must exceed full CRL number */
|
---|
| 1969 | if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
|
---|
| 1970 | X509err(X509_F_X509_CRL_DIFF, X509_R_NEWER_CRL_NOT_NEWER);
|
---|
| 1971 | return NULL;
|
---|
| 1972 | }
|
---|
| 1973 | /* CRLs must verify */
|
---|
| 1974 | if (skey && (X509_CRL_verify(base, skey) <= 0 ||
|
---|
| 1975 | X509_CRL_verify(newer, skey) <= 0)) {
|
---|
| 1976 | X509err(X509_F_X509_CRL_DIFF, X509_R_CRL_VERIFY_FAILURE);
|
---|
| 1977 | return NULL;
|
---|
| 1978 | }
|
---|
| 1979 | /* Create new CRL */
|
---|
| 1980 | crl = X509_CRL_new();
|
---|
| 1981 | if (crl == NULL || !X509_CRL_set_version(crl, 1))
|
---|
| 1982 | goto memerr;
|
---|
| 1983 | /* Set issuer name */
|
---|
| 1984 | if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
|
---|
| 1985 | goto memerr;
|
---|
| 1986 |
|
---|
| 1987 | if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer)))
|
---|
| 1988 | goto memerr;
|
---|
| 1989 | if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))
|
---|
| 1990 | goto memerr;
|
---|
| 1991 |
|
---|
| 1992 | /* Set base CRL number: must be critical */
|
---|
| 1993 |
|
---|
| 1994 | if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))
|
---|
| 1995 | goto memerr;
|
---|
| 1996 |
|
---|
| 1997 | /*
|
---|
| 1998 | * Copy extensions across from newest CRL to delta: this will set CRL
|
---|
| 1999 | * number to correct value too.
|
---|
| 2000 | */
|
---|
| 2001 |
|
---|
| 2002 | for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
|
---|
| 2003 | X509_EXTENSION *ext;
|
---|
| 2004 | ext = X509_CRL_get_ext(newer, i);
|
---|
| 2005 | if (!X509_CRL_add_ext(crl, ext, -1))
|
---|
| 2006 | goto memerr;
|
---|
| 2007 | }
|
---|
| 2008 |
|
---|
| 2009 | /* Go through revoked entries, copying as needed */
|
---|
| 2010 |
|
---|
| 2011 | revs = X509_CRL_get_REVOKED(newer);
|
---|
| 2012 |
|
---|
| 2013 | for (i = 0; i < sk_X509_REVOKED_num(revs); i++) {
|
---|
| 2014 | X509_REVOKED *rvn, *rvtmp;
|
---|
| 2015 | rvn = sk_X509_REVOKED_value(revs, i);
|
---|
| 2016 | /*
|
---|
| 2017 | * Add only if not also in base. TODO: need something cleverer here
|
---|
| 2018 | * for some more complex CRLs covering multiple CAs.
|
---|
| 2019 | */
|
---|
| 2020 | if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) {
|
---|
| 2021 | rvtmp = X509_REVOKED_dup(rvn);
|
---|
| 2022 | if (!rvtmp)
|
---|
| 2023 | goto memerr;
|
---|
| 2024 | if (!X509_CRL_add0_revoked(crl, rvtmp)) {
|
---|
| 2025 | X509_REVOKED_free(rvtmp);
|
---|
| 2026 | goto memerr;
|
---|
| 2027 | }
|
---|
| 2028 | }
|
---|
| 2029 | }
|
---|
| 2030 | /* TODO: optionally prune deleted entries */
|
---|
| 2031 |
|
---|
| 2032 | if (skey && md && !X509_CRL_sign(crl, skey, md))
|
---|
| 2033 | goto memerr;
|
---|
| 2034 |
|
---|
| 2035 | return crl;
|
---|
| 2036 |
|
---|
| 2037 | memerr:
|
---|
| 2038 | X509err(X509_F_X509_CRL_DIFF, ERR_R_MALLOC_FAILURE);
|
---|
| 2039 | X509_CRL_free(crl);
|
---|
| 2040 | return NULL;
|
---|
| 2041 | }
|
---|
| 2042 |
|
---|
| 2043 | int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
|
---|
| 2044 | {
|
---|
| 2045 | return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
|
---|
| 2046 | }
|
---|
| 2047 |
|
---|
| 2048 | void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
|
---|
| 2049 | {
|
---|
| 2050 | return CRYPTO_get_ex_data(&ctx->ex_data, idx);
|
---|
| 2051 | }
|
---|
| 2052 |
|
---|
| 2053 | int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
|
---|
| 2054 | {
|
---|
| 2055 | return ctx->error;
|
---|
| 2056 | }
|
---|
| 2057 |
|
---|
| 2058 | void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
|
---|
| 2059 | {
|
---|
| 2060 | ctx->error = err;
|
---|
| 2061 | }
|
---|
| 2062 |
|
---|
| 2063 | int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
|
---|
| 2064 | {
|
---|
| 2065 | return ctx->error_depth;
|
---|
| 2066 | }
|
---|
| 2067 |
|
---|
| 2068 | void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth)
|
---|
| 2069 | {
|
---|
| 2070 | ctx->error_depth = depth;
|
---|
| 2071 | }
|
---|
| 2072 |
|
---|
| 2073 | X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
|
---|
| 2074 | {
|
---|
| 2075 | return ctx->current_cert;
|
---|
| 2076 | }
|
---|
| 2077 |
|
---|
| 2078 | void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x)
|
---|
| 2079 | {
|
---|
| 2080 | ctx->current_cert = x;
|
---|
| 2081 | }
|
---|
| 2082 |
|
---|
| 2083 | STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
|
---|
| 2084 | {
|
---|
| 2085 | return ctx->chain;
|
---|
| 2086 | }
|
---|
| 2087 |
|
---|
| 2088 | STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
|
---|
| 2089 | {
|
---|
| 2090 | if (!ctx->chain)
|
---|
| 2091 | return NULL;
|
---|
| 2092 | return X509_chain_up_ref(ctx->chain);
|
---|
| 2093 | }
|
---|
| 2094 |
|
---|
| 2095 | X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
|
---|
| 2096 | {
|
---|
| 2097 | return ctx->current_issuer;
|
---|
| 2098 | }
|
---|
| 2099 |
|
---|
| 2100 | X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
|
---|
| 2101 | {
|
---|
| 2102 | return ctx->current_crl;
|
---|
| 2103 | }
|
---|
| 2104 |
|
---|
| 2105 | X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
|
---|
| 2106 | {
|
---|
| 2107 | return ctx->parent;
|
---|
| 2108 | }
|
---|
| 2109 |
|
---|
| 2110 | void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
|
---|
| 2111 | {
|
---|
| 2112 | ctx->cert = x;
|
---|
| 2113 | }
|
---|
| 2114 |
|
---|
| 2115 | void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
|
---|
| 2116 | {
|
---|
| 2117 | ctx->crls = sk;
|
---|
| 2118 | }
|
---|
| 2119 |
|
---|
| 2120 | int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
|
---|
| 2121 | {
|
---|
| 2122 | /*
|
---|
| 2123 | * XXX: Why isn't this function always used to set the associated trust?
|
---|
| 2124 | * Should there even be a VPM->trust field at all? Or should the trust
|
---|
| 2125 | * always be inferred from the purpose by X509_STORE_CTX_init().
|
---|
| 2126 | */
|
---|
| 2127 | return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
|
---|
| 2128 | }
|
---|
| 2129 |
|
---|
| 2130 | int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
|
---|
| 2131 | {
|
---|
| 2132 | /*
|
---|
| 2133 | * XXX: See above, this function would only be needed when the default
|
---|
| 2134 | * trust for the purpose needs an override in a corner case.
|
---|
| 2135 | */
|
---|
| 2136 | return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
|
---|
| 2137 | }
|
---|
| 2138 |
|
---|
| 2139 | /*
|
---|
| 2140 | * This function is used to set the X509_STORE_CTX purpose and trust values.
|
---|
| 2141 | * This is intended to be used when another structure has its own trust and
|
---|
| 2142 | * purpose values which (if set) will be inherited by the ctx. If they aren't
|
---|
| 2143 | * set then we will usually have a default purpose in mind which should then
|
---|
| 2144 | * be used to set the trust value. An example of this is SSL use: an SSL
|
---|
| 2145 | * structure will have its own purpose and trust settings which the
|
---|
| 2146 | * application can set: if they aren't set then we use the default of SSL
|
---|
| 2147 | * client/server.
|
---|
| 2148 | */
|
---|
| 2149 |
|
---|
| 2150 | int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
|
---|
| 2151 | int purpose, int trust)
|
---|
| 2152 | {
|
---|
| 2153 | int idx;
|
---|
| 2154 | /* If purpose not set use default */
|
---|
| 2155 | if (!purpose)
|
---|
| 2156 | purpose = def_purpose;
|
---|
| 2157 | /* If we have a purpose then check it is valid */
|
---|
| 2158 | if (purpose) {
|
---|
| 2159 | X509_PURPOSE *ptmp;
|
---|
| 2160 | idx = X509_PURPOSE_get_by_id(purpose);
|
---|
| 2161 | if (idx == -1) {
|
---|
| 2162 | X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
|
---|
| 2163 | X509_R_UNKNOWN_PURPOSE_ID);
|
---|
| 2164 | return 0;
|
---|
| 2165 | }
|
---|
| 2166 | ptmp = X509_PURPOSE_get0(idx);
|
---|
| 2167 | if (ptmp->trust == X509_TRUST_DEFAULT) {
|
---|
| 2168 | idx = X509_PURPOSE_get_by_id(def_purpose);
|
---|
| 2169 | /*
|
---|
| 2170 | * XXX: In the two callers above def_purpose is always 0, which is
|
---|
| 2171 | * not a known value, so idx will always be -1. How is the
|
---|
| 2172 | * X509_TRUST_DEFAULT case actually supposed to be handled?
|
---|
| 2173 | */
|
---|
| 2174 | if (idx == -1) {
|
---|
| 2175 | X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
|
---|
| 2176 | X509_R_UNKNOWN_PURPOSE_ID);
|
---|
| 2177 | return 0;
|
---|
| 2178 | }
|
---|
| 2179 | ptmp = X509_PURPOSE_get0(idx);
|
---|
| 2180 | }
|
---|
| 2181 | /* If trust not set then get from purpose default */
|
---|
| 2182 | if (!trust)
|
---|
| 2183 | trust = ptmp->trust;
|
---|
| 2184 | }
|
---|
| 2185 | if (trust) {
|
---|
| 2186 | idx = X509_TRUST_get_by_id(trust);
|
---|
| 2187 | if (idx == -1) {
|
---|
| 2188 | X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
|
---|
| 2189 | X509_R_UNKNOWN_TRUST_ID);
|
---|
| 2190 | return 0;
|
---|
| 2191 | }
|
---|
| 2192 | }
|
---|
| 2193 |
|
---|
| 2194 | if (purpose && !ctx->param->purpose)
|
---|
| 2195 | ctx->param->purpose = purpose;
|
---|
| 2196 | if (trust && !ctx->param->trust)
|
---|
| 2197 | ctx->param->trust = trust;
|
---|
| 2198 | return 1;
|
---|
| 2199 | }
|
---|
| 2200 |
|
---|
| 2201 | X509_STORE_CTX *X509_STORE_CTX_new(void)
|
---|
| 2202 | {
|
---|
| 2203 | X509_STORE_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
|
---|
| 2204 |
|
---|
| 2205 | if (ctx == NULL) {
|
---|
| 2206 | X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE);
|
---|
| 2207 | return NULL;
|
---|
| 2208 | }
|
---|
| 2209 | return ctx;
|
---|
| 2210 | }
|
---|
| 2211 |
|
---|
| 2212 | void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
|
---|
| 2213 | {
|
---|
| 2214 | if (ctx == NULL)
|
---|
| 2215 | return;
|
---|
| 2216 |
|
---|
| 2217 | X509_STORE_CTX_cleanup(ctx);
|
---|
| 2218 | OPENSSL_free(ctx);
|
---|
| 2219 | }
|
---|
| 2220 |
|
---|
| 2221 | int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
|
---|
| 2222 | STACK_OF(X509) *chain)
|
---|
| 2223 | {
|
---|
| 2224 | int ret = 1;
|
---|
| 2225 |
|
---|
| 2226 | ctx->ctx = store;
|
---|
| 2227 | ctx->cert = x509;
|
---|
| 2228 | ctx->untrusted = chain;
|
---|
| 2229 | ctx->crls = NULL;
|
---|
| 2230 | ctx->num_untrusted = 0;
|
---|
| 2231 | ctx->other_ctx = NULL;
|
---|
| 2232 | ctx->valid = 0;
|
---|
| 2233 | ctx->chain = NULL;
|
---|
| 2234 | ctx->error = 0;
|
---|
| 2235 | ctx->explicit_policy = 0;
|
---|
| 2236 | ctx->error_depth = 0;
|
---|
| 2237 | ctx->current_cert = NULL;
|
---|
| 2238 | ctx->current_issuer = NULL;
|
---|
| 2239 | ctx->current_crl = NULL;
|
---|
| 2240 | ctx->current_crl_score = 0;
|
---|
| 2241 | ctx->current_reasons = 0;
|
---|
| 2242 | ctx->tree = NULL;
|
---|
| 2243 | ctx->parent = NULL;
|
---|
| 2244 | ctx->dane = NULL;
|
---|
| 2245 | ctx->bare_ta_signed = 0;
|
---|
| 2246 | /* Zero ex_data to make sure we're cleanup-safe */
|
---|
| 2247 | memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
|
---|
| 2248 |
|
---|
| 2249 | /* store->cleanup is always 0 in OpenSSL, if set must be idempotent */
|
---|
| 2250 | if (store)
|
---|
| 2251 | ctx->cleanup = store->cleanup;
|
---|
| 2252 | else
|
---|
| 2253 | ctx->cleanup = 0;
|
---|
| 2254 |
|
---|
| 2255 | if (store && store->check_issued)
|
---|
| 2256 | ctx->check_issued = store->check_issued;
|
---|
| 2257 | else
|
---|
| 2258 | ctx->check_issued = check_issued;
|
---|
| 2259 |
|
---|
| 2260 | if (store && store->get_issuer)
|
---|
| 2261 | ctx->get_issuer = store->get_issuer;
|
---|
| 2262 | else
|
---|
| 2263 | ctx->get_issuer = X509_STORE_CTX_get1_issuer;
|
---|
| 2264 |
|
---|
| 2265 | if (store && store->verify_cb)
|
---|
| 2266 | ctx->verify_cb = store->verify_cb;
|
---|
| 2267 | else
|
---|
| 2268 | ctx->verify_cb = null_callback;
|
---|
| 2269 |
|
---|
| 2270 | if (store && store->verify)
|
---|
| 2271 | ctx->verify = store->verify;
|
---|
| 2272 | else
|
---|
| 2273 | ctx->verify = internal_verify;
|
---|
| 2274 |
|
---|
| 2275 | if (store && store->check_revocation)
|
---|
| 2276 | ctx->check_revocation = store->check_revocation;
|
---|
| 2277 | else
|
---|
| 2278 | ctx->check_revocation = check_revocation;
|
---|
| 2279 |
|
---|
| 2280 | if (store && store->get_crl)
|
---|
| 2281 | ctx->get_crl = store->get_crl;
|
---|
| 2282 | else
|
---|
| 2283 | ctx->get_crl = NULL;
|
---|
| 2284 |
|
---|
| 2285 | if (store && store->check_crl)
|
---|
| 2286 | ctx->check_crl = store->check_crl;
|
---|
| 2287 | else
|
---|
| 2288 | ctx->check_crl = check_crl;
|
---|
| 2289 |
|
---|
| 2290 | if (store && store->cert_crl)
|
---|
| 2291 | ctx->cert_crl = store->cert_crl;
|
---|
| 2292 | else
|
---|
| 2293 | ctx->cert_crl = cert_crl;
|
---|
| 2294 |
|
---|
| 2295 | if (store && store->check_policy)
|
---|
| 2296 | ctx->check_policy = store->check_policy;
|
---|
| 2297 | else
|
---|
| 2298 | ctx->check_policy = check_policy;
|
---|
| 2299 |
|
---|
| 2300 | if (store && store->lookup_certs)
|
---|
| 2301 | ctx->lookup_certs = store->lookup_certs;
|
---|
| 2302 | else
|
---|
| 2303 | ctx->lookup_certs = X509_STORE_CTX_get1_certs;
|
---|
| 2304 |
|
---|
| 2305 | if (store && store->lookup_crls)
|
---|
| 2306 | ctx->lookup_crls = store->lookup_crls;
|
---|
| 2307 | else
|
---|
| 2308 | ctx->lookup_crls = X509_STORE_CTX_get1_crls;
|
---|
| 2309 |
|
---|
| 2310 | ctx->param = X509_VERIFY_PARAM_new();
|
---|
| 2311 | if (ctx->param == NULL) {
|
---|
| 2312 | X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
|
---|
| 2313 | goto err;
|
---|
| 2314 | }
|
---|
| 2315 |
|
---|
| 2316 | /*
|
---|
| 2317 | * Inherit callbacks and flags from X509_STORE if not set use defaults.
|
---|
| 2318 | */
|
---|
| 2319 | if (store)
|
---|
| 2320 | ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
|
---|
| 2321 | else
|
---|
| 2322 | ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE;
|
---|
| 2323 |
|
---|
| 2324 | if (ret)
|
---|
| 2325 | ret = X509_VERIFY_PARAM_inherit(ctx->param,
|
---|
| 2326 | X509_VERIFY_PARAM_lookup("default"));
|
---|
| 2327 |
|
---|
| 2328 | if (ret == 0) {
|
---|
| 2329 | X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
|
---|
| 2330 | goto err;
|
---|
| 2331 | }
|
---|
| 2332 |
|
---|
| 2333 | /*
|
---|
| 2334 | * XXX: For now, continue to inherit trust from VPM, but infer from the
|
---|
| 2335 | * purpose if this still yields the default value.
|
---|
| 2336 | */
|
---|
| 2337 | if (ctx->param->trust == X509_TRUST_DEFAULT) {
|
---|
| 2338 | int idx = X509_PURPOSE_get_by_id(ctx->param->purpose);
|
---|
| 2339 | X509_PURPOSE *xp = X509_PURPOSE_get0(idx);
|
---|
| 2340 |
|
---|
| 2341 | if (xp != NULL)
|
---|
| 2342 | ctx->param->trust = X509_PURPOSE_get_trust(xp);
|
---|
| 2343 | }
|
---|
| 2344 |
|
---|
| 2345 | if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
|
---|
| 2346 | &ctx->ex_data))
|
---|
| 2347 | return 1;
|
---|
| 2348 | X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
|
---|
| 2349 |
|
---|
| 2350 | err:
|
---|
| 2351 | /*
|
---|
| 2352 | * On error clean up allocated storage, if the store context was not
|
---|
| 2353 | * allocated with X509_STORE_CTX_new() this is our last chance to do so.
|
---|
| 2354 | */
|
---|
| 2355 | X509_STORE_CTX_cleanup(ctx);
|
---|
| 2356 | return 0;
|
---|
| 2357 | }
|
---|
| 2358 |
|
---|
| 2359 | /*
|
---|
| 2360 | * Set alternative lookup method: just a STACK of trusted certificates. This
|
---|
| 2361 | * avoids X509_STORE nastiness where it isn't needed.
|
---|
| 2362 | */
|
---|
| 2363 | void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
|
---|
| 2364 | {
|
---|
| 2365 | ctx->other_ctx = sk;
|
---|
| 2366 | ctx->get_issuer = get_issuer_sk;
|
---|
| 2367 | ctx->lookup_certs = lookup_certs_sk;
|
---|
| 2368 | }
|
---|
| 2369 |
|
---|
| 2370 | void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
|
---|
| 2371 | {
|
---|
| 2372 | /*
|
---|
| 2373 | * We need to be idempotent because, unfortunately, free() also calls
|
---|
| 2374 | * cleanup(), so the natural call sequence new(), init(), cleanup(), free()
|
---|
| 2375 | * calls cleanup() for the same object twice! Thus we must zero the
|
---|
| 2376 | * pointers below after they're freed!
|
---|
| 2377 | */
|
---|
| 2378 | /* Seems to always be 0 in OpenSSL, do this at most once. */
|
---|
| 2379 | if (ctx->cleanup != NULL) {
|
---|
| 2380 | ctx->cleanup(ctx);
|
---|
| 2381 | ctx->cleanup = NULL;
|
---|
| 2382 | }
|
---|
| 2383 | if (ctx->param != NULL) {
|
---|
| 2384 | if (ctx->parent == NULL)
|
---|
| 2385 | X509_VERIFY_PARAM_free(ctx->param);
|
---|
| 2386 | ctx->param = NULL;
|
---|
| 2387 | }
|
---|
| 2388 | X509_policy_tree_free(ctx->tree);
|
---|
| 2389 | ctx->tree = NULL;
|
---|
| 2390 | sk_X509_pop_free(ctx->chain, X509_free);
|
---|
| 2391 | ctx->chain = NULL;
|
---|
| 2392 | CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
|
---|
| 2393 | memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
|
---|
| 2394 | }
|
---|
| 2395 |
|
---|
| 2396 | void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
|
---|
| 2397 | {
|
---|
| 2398 | X509_VERIFY_PARAM_set_depth(ctx->param, depth);
|
---|
| 2399 | }
|
---|
| 2400 |
|
---|
| 2401 | void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
|
---|
| 2402 | {
|
---|
| 2403 | X509_VERIFY_PARAM_set_flags(ctx->param, flags);
|
---|
| 2404 | }
|
---|
| 2405 |
|
---|
| 2406 | void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
|
---|
| 2407 | time_t t)
|
---|
| 2408 | {
|
---|
| 2409 | X509_VERIFY_PARAM_set_time(ctx->param, t);
|
---|
| 2410 | }
|
---|
| 2411 |
|
---|
| 2412 | X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
|
---|
| 2413 | {
|
---|
| 2414 | return ctx->cert;
|
---|
| 2415 | }
|
---|
| 2416 |
|
---|
| 2417 | STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
|
---|
| 2418 | {
|
---|
| 2419 | return ctx->untrusted;
|
---|
| 2420 | }
|
---|
| 2421 |
|
---|
| 2422 | void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
|
---|
| 2423 | {
|
---|
| 2424 | ctx->untrusted = sk;
|
---|
| 2425 | }
|
---|
| 2426 |
|
---|
| 2427 | void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
|
---|
| 2428 | {
|
---|
| 2429 | sk_X509_pop_free(ctx->chain, X509_free);
|
---|
| 2430 | ctx->chain = sk;
|
---|
| 2431 | }
|
---|
| 2432 |
|
---|
| 2433 | void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
|
---|
| 2434 | X509_STORE_CTX_verify_cb verify_cb)
|
---|
| 2435 | {
|
---|
| 2436 | ctx->verify_cb = verify_cb;
|
---|
| 2437 | }
|
---|
| 2438 |
|
---|
| 2439 | X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx)
|
---|
| 2440 | {
|
---|
| 2441 | return ctx->verify_cb;
|
---|
| 2442 | }
|
---|
| 2443 |
|
---|
| 2444 | void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
|
---|
| 2445 | X509_STORE_CTX_verify_fn verify)
|
---|
| 2446 | {
|
---|
| 2447 | ctx->verify = verify;
|
---|
| 2448 | }
|
---|
| 2449 |
|
---|
| 2450 | X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx)
|
---|
| 2451 | {
|
---|
| 2452 | return ctx->verify;
|
---|
| 2453 | }
|
---|
| 2454 |
|
---|
| 2455 | X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx)
|
---|
| 2456 | {
|
---|
| 2457 | return ctx->get_issuer;
|
---|
| 2458 | }
|
---|
| 2459 |
|
---|
| 2460 | X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx)
|
---|
| 2461 | {
|
---|
| 2462 | return ctx->check_issued;
|
---|
| 2463 | }
|
---|
| 2464 |
|
---|
| 2465 | X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx)
|
---|
| 2466 | {
|
---|
| 2467 | return ctx->check_revocation;
|
---|
| 2468 | }
|
---|
| 2469 |
|
---|
| 2470 | X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx)
|
---|
| 2471 | {
|
---|
| 2472 | return ctx->get_crl;
|
---|
| 2473 | }
|
---|
| 2474 |
|
---|
| 2475 | X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx)
|
---|
| 2476 | {
|
---|
| 2477 | return ctx->check_crl;
|
---|
| 2478 | }
|
---|
| 2479 |
|
---|
| 2480 | X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx)
|
---|
| 2481 | {
|
---|
| 2482 | return ctx->cert_crl;
|
---|
| 2483 | }
|
---|
| 2484 |
|
---|
| 2485 | X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx)
|
---|
| 2486 | {
|
---|
| 2487 | return ctx->check_policy;
|
---|
| 2488 | }
|
---|
| 2489 |
|
---|
| 2490 | X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx)
|
---|
| 2491 | {
|
---|
| 2492 | return ctx->lookup_certs;
|
---|
| 2493 | }
|
---|
| 2494 |
|
---|
| 2495 | X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx)
|
---|
| 2496 | {
|
---|
| 2497 | return ctx->lookup_crls;
|
---|
| 2498 | }
|
---|
| 2499 |
|
---|
| 2500 | X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx)
|
---|
| 2501 | {
|
---|
| 2502 | return ctx->cleanup;
|
---|
| 2503 | }
|
---|
| 2504 |
|
---|
| 2505 | X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
|
---|
| 2506 | {
|
---|
| 2507 | return ctx->tree;
|
---|
| 2508 | }
|
---|
| 2509 |
|
---|
| 2510 | int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
|
---|
| 2511 | {
|
---|
| 2512 | return ctx->explicit_policy;
|
---|
| 2513 | }
|
---|
| 2514 |
|
---|
| 2515 | int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
|
---|
| 2516 | {
|
---|
| 2517 | return ctx->num_untrusted;
|
---|
| 2518 | }
|
---|
| 2519 |
|
---|
| 2520 | int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
|
---|
| 2521 | {
|
---|
| 2522 | const X509_VERIFY_PARAM *param;
|
---|
| 2523 | param = X509_VERIFY_PARAM_lookup(name);
|
---|
| 2524 | if (!param)
|
---|
| 2525 | return 0;
|
---|
| 2526 | return X509_VERIFY_PARAM_inherit(ctx->param, param);
|
---|
| 2527 | }
|
---|
| 2528 |
|
---|
| 2529 | X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
|
---|
| 2530 | {
|
---|
| 2531 | return ctx->param;
|
---|
| 2532 | }
|
---|
| 2533 |
|
---|
| 2534 | void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
|
---|
| 2535 | {
|
---|
| 2536 | X509_VERIFY_PARAM_free(ctx->param);
|
---|
| 2537 | ctx->param = param;
|
---|
| 2538 | }
|
---|
| 2539 |
|
---|
| 2540 | void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane)
|
---|
| 2541 | {
|
---|
| 2542 | ctx->dane = dane;
|
---|
| 2543 | }
|
---|
| 2544 |
|
---|
| 2545 | static unsigned char *dane_i2d(
|
---|
| 2546 | X509 *cert,
|
---|
| 2547 | uint8_t selector,
|
---|
| 2548 | unsigned int *i2dlen)
|
---|
| 2549 | {
|
---|
| 2550 | unsigned char *buf = NULL;
|
---|
| 2551 | int len;
|
---|
| 2552 |
|
---|
| 2553 | /*
|
---|
| 2554 | * Extract ASN.1 DER form of certificate or public key.
|
---|
| 2555 | */
|
---|
| 2556 | switch (selector) {
|
---|
| 2557 | case DANETLS_SELECTOR_CERT:
|
---|
| 2558 | len = i2d_X509(cert, &buf);
|
---|
| 2559 | break;
|
---|
| 2560 | case DANETLS_SELECTOR_SPKI:
|
---|
| 2561 | len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf);
|
---|
| 2562 | break;
|
---|
| 2563 | default:
|
---|
| 2564 | X509err(X509_F_DANE_I2D, X509_R_BAD_SELECTOR);
|
---|
| 2565 | return NULL;
|
---|
| 2566 | }
|
---|
| 2567 |
|
---|
| 2568 | if (len < 0 || buf == NULL) {
|
---|
| 2569 | X509err(X509_F_DANE_I2D, ERR_R_MALLOC_FAILURE);
|
---|
| 2570 | return NULL;
|
---|
| 2571 | }
|
---|
| 2572 |
|
---|
| 2573 | *i2dlen = (unsigned int)len;
|
---|
| 2574 | return buf;
|
---|
| 2575 | }
|
---|
| 2576 |
|
---|
| 2577 | #define DANETLS_NONE 256 /* impossible uint8_t */
|
---|
| 2578 |
|
---|
| 2579 | static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
|
---|
| 2580 | {
|
---|
| 2581 | SSL_DANE *dane = ctx->dane;
|
---|
| 2582 | unsigned usage = DANETLS_NONE;
|
---|
| 2583 | unsigned selector = DANETLS_NONE;
|
---|
| 2584 | unsigned ordinal = DANETLS_NONE;
|
---|
| 2585 | unsigned mtype = DANETLS_NONE;
|
---|
| 2586 | unsigned char *i2dbuf = NULL;
|
---|
| 2587 | unsigned int i2dlen = 0;
|
---|
| 2588 | unsigned char mdbuf[EVP_MAX_MD_SIZE];
|
---|
| 2589 | unsigned char *cmpbuf = NULL;
|
---|
| 2590 | unsigned int cmplen = 0;
|
---|
| 2591 | int i;
|
---|
| 2592 | int recnum;
|
---|
| 2593 | int matched = 0;
|
---|
| 2594 | danetls_record *t = NULL;
|
---|
| 2595 | uint32_t mask;
|
---|
| 2596 |
|
---|
| 2597 | mask = (depth == 0) ? DANETLS_EE_MASK : DANETLS_TA_MASK;
|
---|
| 2598 |
|
---|
| 2599 | /*
|
---|
| 2600 | * The trust store is not applicable with DANE-TA(2)
|
---|
| 2601 | */
|
---|
| 2602 | if (depth >= ctx->num_untrusted)
|
---|
| 2603 | mask &= DANETLS_PKIX_MASK;
|
---|
| 2604 |
|
---|
| 2605 | /*
|
---|
| 2606 | * If we've previously matched a PKIX-?? record, no need to test any
|
---|
| 2607 | * further PKIX-?? records, it remains to just build the PKIX chain.
|
---|
| 2608 | * Had the match been a DANE-?? record, we'd be done already.
|
---|
| 2609 | */
|
---|
| 2610 | if (dane->mdpth >= 0)
|
---|
| 2611 | mask &= ~DANETLS_PKIX_MASK;
|
---|
| 2612 |
|
---|
| 2613 | /*-
|
---|
| 2614 | * https://tools.ietf.org/html/rfc7671#section-5.1
|
---|
| 2615 | * https://tools.ietf.org/html/rfc7671#section-5.2
|
---|
| 2616 | * https://tools.ietf.org/html/rfc7671#section-5.3
|
---|
| 2617 | * https://tools.ietf.org/html/rfc7671#section-5.4
|
---|
| 2618 | *
|
---|
| 2619 | * We handle DANE-EE(3) records first as they require no chain building
|
---|
| 2620 | * and no expiration or hostname checks. We also process digests with
|
---|
| 2621 | * higher ordinals first and ignore lower priorities except Full(0) which
|
---|
| 2622 | * is always processed (last). If none match, we then process PKIX-EE(1).
|
---|
| 2623 | *
|
---|
| 2624 | * NOTE: This relies on DANE usages sorting before the corresponding PKIX
|
---|
| 2625 | * usages in SSL_dane_tlsa_add(), and also on descending sorting of digest
|
---|
| 2626 | * priorities. See twin comment in ssl/ssl_lib.c.
|
---|
| 2627 | *
|
---|
| 2628 | * We expect that most TLSA RRsets will have just a single usage, so we
|
---|
| 2629 | * don't go out of our way to cache multiple selector-specific i2d buffers
|
---|
| 2630 | * across usages, but if the selector happens to remain the same as switch
|
---|
| 2631 | * usages, that's OK. Thus, a set of "3 1 1", "3 0 1", "1 1 1", "1 0 1",
|
---|
| 2632 | * records would result in us generating each of the certificate and public
|
---|
| 2633 | * key DER forms twice, but more typically we'd just see multiple "3 1 1"
|
---|
| 2634 | * or multiple "3 0 1" records.
|
---|
| 2635 | *
|
---|
| 2636 | * As soon as we find a match at any given depth, we stop, because either
|
---|
| 2637 | * we've matched a DANE-?? record and the peer is authenticated, or, after
|
---|
| 2638 | * exhausting all DANE-?? records, we've matched a PKIX-?? record, which is
|
---|
| 2639 | * sufficient for DANE, and what remains to do is ordinary PKIX validation.
|
---|
| 2640 | */
|
---|
| 2641 | recnum = (dane->umask & mask) ? sk_danetls_record_num(dane->trecs) : 0;
|
---|
| 2642 | for (i = 0; matched == 0 && i < recnum; ++i) {
|
---|
| 2643 | t = sk_danetls_record_value(dane->trecs, i);
|
---|
| 2644 | if ((DANETLS_USAGE_BIT(t->usage) & mask) == 0)
|
---|
| 2645 | continue;
|
---|
| 2646 | if (t->usage != usage) {
|
---|
| 2647 | usage = t->usage;
|
---|
| 2648 |
|
---|
| 2649 | /* Reset digest agility for each usage/selector pair */
|
---|
| 2650 | mtype = DANETLS_NONE;
|
---|
| 2651 | ordinal = dane->dctx->mdord[t->mtype];
|
---|
| 2652 | }
|
---|
| 2653 | if (t->selector != selector) {
|
---|
| 2654 | selector = t->selector;
|
---|
| 2655 |
|
---|
| 2656 | /* Update per-selector state */
|
---|
| 2657 | OPENSSL_free(i2dbuf);
|
---|
| 2658 | i2dbuf = dane_i2d(cert, selector, &i2dlen);
|
---|
| 2659 | if (i2dbuf == NULL)
|
---|
| 2660 | return -1;
|
---|
| 2661 |
|
---|
| 2662 | /* Reset digest agility for each usage/selector pair */
|
---|
| 2663 | mtype = DANETLS_NONE;
|
---|
| 2664 | ordinal = dane->dctx->mdord[t->mtype];
|
---|
| 2665 | } else if (t->mtype != DANETLS_MATCHING_FULL) {
|
---|
| 2666 | /*-
|
---|
| 2667 | * Digest agility:
|
---|
| 2668 | *
|
---|
| 2669 | * <https://tools.ietf.org/html/rfc7671#section-9>
|
---|
| 2670 | *
|
---|
| 2671 | * For a fixed selector, after processing all records with the
|
---|
| 2672 | * highest mtype ordinal, ignore all mtypes with lower ordinals
|
---|
| 2673 | * other than "Full".
|
---|
| 2674 | */
|
---|
| 2675 | if (dane->dctx->mdord[t->mtype] < ordinal)
|
---|
| 2676 | continue;
|
---|
| 2677 | }
|
---|
| 2678 |
|
---|
| 2679 | /*
|
---|
| 2680 | * Each time we hit a (new selector or) mtype, re-compute the relevant
|
---|
| 2681 | * digest, more complex caching is not worth the code space.
|
---|
| 2682 | */
|
---|
| 2683 | if (t->mtype != mtype) {
|
---|
| 2684 | const EVP_MD *md = dane->dctx->mdevp[mtype = t->mtype];
|
---|
| 2685 | cmpbuf = i2dbuf;
|
---|
| 2686 | cmplen = i2dlen;
|
---|
| 2687 |
|
---|
| 2688 | if (md != NULL) {
|
---|
| 2689 | cmpbuf = mdbuf;
|
---|
| 2690 | if (!EVP_Digest(i2dbuf, i2dlen, cmpbuf, &cmplen, md, 0)) {
|
---|
| 2691 | matched = -1;
|
---|
| 2692 | break;
|
---|
| 2693 | }
|
---|
| 2694 | }
|
---|
| 2695 | }
|
---|
| 2696 |
|
---|
| 2697 | /*
|
---|
| 2698 | * Squirrel away the certificate and depth if we have a match. Any
|
---|
| 2699 | * DANE match is dispositive, but with PKIX we still need to build a
|
---|
| 2700 | * full chain.
|
---|
| 2701 | */
|
---|
| 2702 | if (cmplen == t->dlen &&
|
---|
| 2703 | memcmp(cmpbuf, t->data, cmplen) == 0) {
|
---|
| 2704 | if (DANETLS_USAGE_BIT(usage) & DANETLS_DANE_MASK)
|
---|
| 2705 | matched = 1;
|
---|
| 2706 | if (matched || dane->mdpth < 0) {
|
---|
| 2707 | dane->mdpth = depth;
|
---|
| 2708 | dane->mtlsa = t;
|
---|
| 2709 | OPENSSL_free(dane->mcert);
|
---|
| 2710 | dane->mcert = cert;
|
---|
| 2711 | X509_up_ref(cert);
|
---|
| 2712 | }
|
---|
| 2713 | break;
|
---|
| 2714 | }
|
---|
| 2715 | }
|
---|
| 2716 |
|
---|
| 2717 | /* Clear the one-element DER cache */
|
---|
| 2718 | OPENSSL_free(i2dbuf);
|
---|
| 2719 | return matched;
|
---|
| 2720 | }
|
---|
| 2721 |
|
---|
| 2722 | static int check_dane_issuer(X509_STORE_CTX *ctx, int depth)
|
---|
| 2723 | {
|
---|
| 2724 | SSL_DANE *dane = ctx->dane;
|
---|
| 2725 | int matched = 0;
|
---|
| 2726 | X509 *cert;
|
---|
| 2727 |
|
---|
| 2728 | if (!DANETLS_HAS_TA(dane) || depth == 0)
|
---|
| 2729 | return X509_TRUST_UNTRUSTED;
|
---|
| 2730 |
|
---|
| 2731 | /*
|
---|
| 2732 | * Record any DANE trust-anchor matches, for the first depth to test, if
|
---|
| 2733 | * there's one at that depth. (This'll be false for length 1 chains looking
|
---|
| 2734 | * for an exact match for the leaf certificate).
|
---|
| 2735 | */
|
---|
| 2736 | cert = sk_X509_value(ctx->chain, depth);
|
---|
| 2737 | if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0)
|
---|
| 2738 | return X509_TRUST_REJECTED;
|
---|
| 2739 | if (matched > 0) {
|
---|
| 2740 | ctx->num_untrusted = depth - 1;
|
---|
| 2741 | return X509_TRUST_TRUSTED;
|
---|
| 2742 | }
|
---|
| 2743 |
|
---|
| 2744 | return X509_TRUST_UNTRUSTED;
|
---|
| 2745 | }
|
---|
| 2746 |
|
---|
| 2747 | static int check_dane_pkeys(X509_STORE_CTX *ctx)
|
---|
| 2748 | {
|
---|
| 2749 | SSL_DANE *dane = ctx->dane;
|
---|
| 2750 | danetls_record *t;
|
---|
| 2751 | int num = ctx->num_untrusted;
|
---|
| 2752 | X509 *cert = sk_X509_value(ctx->chain, num - 1);
|
---|
| 2753 | int recnum = sk_danetls_record_num(dane->trecs);
|
---|
| 2754 | int i;
|
---|
| 2755 |
|
---|
| 2756 | for (i = 0; i < recnum; ++i) {
|
---|
| 2757 | t = sk_danetls_record_value(dane->trecs, i);
|
---|
| 2758 | if (t->usage != DANETLS_USAGE_DANE_TA ||
|
---|
| 2759 | t->selector != DANETLS_SELECTOR_SPKI ||
|
---|
| 2760 | t->mtype != DANETLS_MATCHING_FULL ||
|
---|
| 2761 | X509_verify(cert, t->spki) <= 0)
|
---|
| 2762 | continue;
|
---|
| 2763 |
|
---|
| 2764 | /* Clear any PKIX-?? matches that failed to extend to a full chain */
|
---|
| 2765 | X509_free(dane->mcert);
|
---|
| 2766 | dane->mcert = NULL;
|
---|
| 2767 |
|
---|
| 2768 | /* Record match via a bare TA public key */
|
---|
| 2769 | ctx->bare_ta_signed = 1;
|
---|
| 2770 | dane->mdpth = num - 1;
|
---|
| 2771 | dane->mtlsa = t;
|
---|
| 2772 |
|
---|
| 2773 | /* Prune any excess chain certificates */
|
---|
| 2774 | num = sk_X509_num(ctx->chain);
|
---|
| 2775 | for (; num > ctx->num_untrusted; --num)
|
---|
| 2776 | X509_free(sk_X509_pop(ctx->chain));
|
---|
| 2777 |
|
---|
| 2778 | return X509_TRUST_TRUSTED;
|
---|
| 2779 | }
|
---|
| 2780 |
|
---|
| 2781 | return X509_TRUST_UNTRUSTED;
|
---|
| 2782 | }
|
---|
| 2783 |
|
---|
| 2784 | static void dane_reset(SSL_DANE *dane)
|
---|
| 2785 | {
|
---|
| 2786 | /*
|
---|
| 2787 | * Reset state to verify another chain, or clear after failure.
|
---|
| 2788 | */
|
---|
| 2789 | X509_free(dane->mcert);
|
---|
| 2790 | dane->mcert = NULL;
|
---|
| 2791 | dane->mtlsa = NULL;
|
---|
| 2792 | dane->mdpth = -1;
|
---|
| 2793 | dane->pdpth = -1;
|
---|
| 2794 | }
|
---|
| 2795 |
|
---|
| 2796 | static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert)
|
---|
| 2797 | {
|
---|
| 2798 | int err = X509_chain_check_suiteb(NULL, cert, NULL, ctx->param->flags);
|
---|
| 2799 |
|
---|
| 2800 | if (err == X509_V_OK)
|
---|
| 2801 | return 1;
|
---|
| 2802 | return verify_cb_cert(ctx, cert, 0, err);
|
---|
| 2803 | }
|
---|
| 2804 |
|
---|
| 2805 | static int dane_verify(X509_STORE_CTX *ctx)
|
---|
| 2806 | {
|
---|
| 2807 | X509 *cert = ctx->cert;
|
---|
| 2808 | SSL_DANE *dane = ctx->dane;
|
---|
| 2809 | int matched;
|
---|
| 2810 | int done;
|
---|
| 2811 |
|
---|
| 2812 | dane_reset(dane);
|
---|
| 2813 |
|
---|
| 2814 | /*-
|
---|
| 2815 | * When testing the leaf certificate, if we match a DANE-EE(3) record,
|
---|
| 2816 | * dane_match() returns 1 and we're done. If however we match a PKIX-EE(1)
|
---|
| 2817 | * record, the match depth and matching TLSA record are recorded, but the
|
---|
| 2818 | * return value is 0, because we still need to find a PKIX trust-anchor.
|
---|
| 2819 | * Therefore, when DANE authentication is enabled (required), we're done
|
---|
| 2820 | * if:
|
---|
| 2821 | * + matched < 0, internal error.
|
---|
| 2822 | * + matched == 1, we matched a DANE-EE(3) record
|
---|
| 2823 | * + matched == 0, mdepth < 0 (no PKIX-EE match) and there are no
|
---|
| 2824 | * DANE-TA(2) or PKIX-TA(0) to test.
|
---|
| 2825 | */
|
---|
| 2826 | matched = dane_match(ctx, ctx->cert, 0);
|
---|
| 2827 | done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0);
|
---|
| 2828 |
|
---|
| 2829 | if (done)
|
---|
| 2830 | X509_get_pubkey_parameters(NULL, ctx->chain);
|
---|
| 2831 |
|
---|
| 2832 | if (matched > 0) {
|
---|
| 2833 | /* Callback invoked as needed */
|
---|
| 2834 | if (!check_leaf_suiteb(ctx, cert))
|
---|
| 2835 | return 0;
|
---|
| 2836 | /* Callback invoked as needed */
|
---|
| 2837 | if ((dane->flags & DANE_FLAG_NO_DANE_EE_NAMECHECKS) == 0 &&
|
---|
| 2838 | !check_id(ctx))
|
---|
| 2839 | return 0;
|
---|
| 2840 | /* Bypass internal_verify(), issue depth 0 success callback */
|
---|
| 2841 | ctx->error_depth = 0;
|
---|
| 2842 | ctx->current_cert = cert;
|
---|
| 2843 | return ctx->verify_cb(1, ctx);
|
---|
| 2844 | }
|
---|
| 2845 |
|
---|
| 2846 | if (matched < 0) {
|
---|
| 2847 | ctx->error_depth = 0;
|
---|
| 2848 | ctx->current_cert = cert;
|
---|
| 2849 | ctx->error = X509_V_ERR_OUT_OF_MEM;
|
---|
| 2850 | return -1;
|
---|
| 2851 | }
|
---|
| 2852 |
|
---|
| 2853 | if (done) {
|
---|
| 2854 | /* Fail early, TA-based success is not possible */
|
---|
| 2855 | if (!check_leaf_suiteb(ctx, cert))
|
---|
| 2856 | return 0;
|
---|
| 2857 | return verify_cb_cert(ctx, cert, 0, X509_V_ERR_DANE_NO_MATCH);
|
---|
| 2858 | }
|
---|
| 2859 |
|
---|
| 2860 | /*
|
---|
| 2861 | * Chain verification for usages 0/1/2. TLSA record matching of depth > 0
|
---|
| 2862 | * certificates happens in-line with building the rest of the chain.
|
---|
| 2863 | */
|
---|
| 2864 | return verify_chain(ctx);
|
---|
| 2865 | }
|
---|
| 2866 |
|
---|
| 2867 | /* Get issuer, without duplicate suppression */
|
---|
| 2868 | static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
|
---|
| 2869 | {
|
---|
| 2870 | STACK_OF(X509) *saved_chain = ctx->chain;
|
---|
| 2871 | int ok;
|
---|
| 2872 |
|
---|
| 2873 | ctx->chain = NULL;
|
---|
| 2874 | ok = ctx->get_issuer(issuer, ctx, cert);
|
---|
| 2875 | ctx->chain = saved_chain;
|
---|
| 2876 |
|
---|
| 2877 | return ok;
|
---|
| 2878 | }
|
---|
| 2879 |
|
---|
| 2880 | static int build_chain(X509_STORE_CTX *ctx)
|
---|
| 2881 | {
|
---|
| 2882 | SSL_DANE *dane = ctx->dane;
|
---|
| 2883 | int num = sk_X509_num(ctx->chain);
|
---|
| 2884 | X509 *cert = sk_X509_value(ctx->chain, num - 1);
|
---|
| 2885 | int ss = cert_self_signed(cert);
|
---|
| 2886 | STACK_OF(X509) *sktmp = NULL;
|
---|
| 2887 | unsigned int search;
|
---|
| 2888 | int may_trusted = 0;
|
---|
| 2889 | int may_alternate = 0;
|
---|
| 2890 | int trust = X509_TRUST_UNTRUSTED;
|
---|
| 2891 | int alt_untrusted = 0;
|
---|
| 2892 | int depth;
|
---|
| 2893 | int ok = 0;
|
---|
| 2894 | int i;
|
---|
| 2895 |
|
---|
| 2896 | /* Our chain starts with a single untrusted element. */
|
---|
| 2897 | OPENSSL_assert(num == 1 && ctx->num_untrusted == num);
|
---|
| 2898 |
|
---|
| 2899 | #define S_DOUNTRUSTED (1 << 0) /* Search untrusted chain */
|
---|
| 2900 | #define S_DOTRUSTED (1 << 1) /* Search trusted store */
|
---|
| 2901 | #define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */
|
---|
| 2902 | /*
|
---|
| 2903 | * Set up search policy, untrusted if possible, trusted-first if enabled.
|
---|
| 2904 | * If we're doing DANE and not doing PKIX-TA/PKIX-EE, we never look in the
|
---|
| 2905 | * trust_store, otherwise we might look there first. If not trusted-first,
|
---|
| 2906 | * and alternate chains are not disabled, try building an alternate chain
|
---|
| 2907 | * if no luck with untrusted first.
|
---|
| 2908 | */
|
---|
| 2909 | search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0;
|
---|
| 2910 | if (DANETLS_HAS_PKIX(dane) || !DANETLS_HAS_DANE(dane)) {
|
---|
| 2911 | if (search == 0 || ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
|
---|
| 2912 | search |= S_DOTRUSTED;
|
---|
| 2913 | else if (!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS))
|
---|
| 2914 | may_alternate = 1;
|
---|
| 2915 | may_trusted = 1;
|
---|
| 2916 | }
|
---|
| 2917 |
|
---|
| 2918 | /*
|
---|
| 2919 | * Shallow-copy the stack of untrusted certificates (with TLS, this is
|
---|
| 2920 | * typically the content of the peer's certificate message) so can make
|
---|
| 2921 | * multiple passes over it, while free to remove elements as we go.
|
---|
| 2922 | */
|
---|
| 2923 | if (ctx->untrusted && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
|
---|
| 2924 | X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
|
---|
| 2925 | ctx->error = X509_V_ERR_OUT_OF_MEM;
|
---|
| 2926 | return 0;
|
---|
| 2927 | }
|
---|
| 2928 |
|
---|
| 2929 | /*
|
---|
| 2930 | * If we got any "DANE-TA(2) Cert(0) Full(0)" trust-anchors from DNS, add
|
---|
| 2931 | * them to our working copy of the untrusted certificate stack. Since the
|
---|
| 2932 | * caller of X509_STORE_CTX_init() may have provided only a leaf cert with
|
---|
| 2933 | * no corresponding stack of untrusted certificates, we may need to create
|
---|
| 2934 | * an empty stack first. [ At present only the ssl library provides DANE
|
---|
| 2935 | * support, and ssl_verify_cert_chain() always provides a non-null stack
|
---|
| 2936 | * containing at least the leaf certificate, but we must be prepared for
|
---|
| 2937 | * this to change. ]
|
---|
| 2938 | */
|
---|
| 2939 | if (DANETLS_ENABLED(dane) && dane->certs != NULL) {
|
---|
| 2940 | if (sktmp == NULL && (sktmp = sk_X509_new_null()) == NULL) {
|
---|
| 2941 | X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
|
---|
| 2942 | ctx->error = X509_V_ERR_OUT_OF_MEM;
|
---|
| 2943 | return 0;
|
---|
| 2944 | }
|
---|
| 2945 | for (i = 0; i < sk_X509_num(dane->certs); ++i) {
|
---|
| 2946 | if (!sk_X509_push(sktmp, sk_X509_value(dane->certs, i))) {
|
---|
| 2947 | sk_X509_free(sktmp);
|
---|
| 2948 | X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
|
---|
| 2949 | ctx->error = X509_V_ERR_OUT_OF_MEM;
|
---|
| 2950 | return 0;
|
---|
| 2951 | }
|
---|
| 2952 | }
|
---|
| 2953 | }
|
---|
| 2954 |
|
---|
| 2955 | /*
|
---|
| 2956 | * Still absurdly large, but arithmetically safe, a lower hard upper bound
|
---|
| 2957 | * might be reasonable.
|
---|
| 2958 | */
|
---|
| 2959 | if (ctx->param->depth > INT_MAX/2)
|
---|
| 2960 | ctx->param->depth = INT_MAX/2;
|
---|
| 2961 |
|
---|
| 2962 | /*
|
---|
| 2963 | * Try to Extend the chain until we reach an ultimately trusted issuer.
|
---|
| 2964 | * Build chains up to one longer the limit, later fail if we hit the limit,
|
---|
| 2965 | * with an X509_V_ERR_CERT_CHAIN_TOO_LONG error code.
|
---|
| 2966 | */
|
---|
| 2967 | depth = ctx->param->depth + 1;
|
---|
| 2968 |
|
---|
| 2969 | while (search != 0) {
|
---|
| 2970 | X509 *x;
|
---|
| 2971 | X509 *xtmp = NULL;
|
---|
| 2972 |
|
---|
| 2973 | /*
|
---|
| 2974 | * Look in the trust store if enabled for first lookup, or we've run
|
---|
| 2975 | * out of untrusted issuers and search here is not disabled. When we
|
---|
| 2976 | * reach the depth limit, we stop extending the chain, if by that point
|
---|
| 2977 | * we've not found a trust-anchor, any trusted chain would be too long.
|
---|
| 2978 | *
|
---|
| 2979 | * The error reported to the application verify callback is at the
|
---|
| 2980 | * maximal valid depth with the current certificate equal to the last
|
---|
| 2981 | * not ultimately-trusted issuer. For example, with verify_depth = 0,
|
---|
| 2982 | * the callback will report errors at depth=1 when the immediate issuer
|
---|
| 2983 | * of the leaf certificate is not a trust anchor. No attempt will be
|
---|
| 2984 | * made to locate an issuer for that certificate, since such a chain
|
---|
| 2985 | * would be a-priori too long.
|
---|
| 2986 | */
|
---|
| 2987 | if ((search & S_DOTRUSTED) != 0) {
|
---|
| 2988 | i = num = sk_X509_num(ctx->chain);
|
---|
| 2989 | if ((search & S_DOALTERNATE) != 0) {
|
---|
| 2990 | /*
|
---|
| 2991 | * As high up the chain as we can, look for an alternative
|
---|
| 2992 | * trusted issuer of an untrusted certificate that currently
|
---|
| 2993 | * has an untrusted issuer. We use the alt_untrusted variable
|
---|
| 2994 | * to track how far up the chain we find the first match. It
|
---|
| 2995 | * is only if and when we find a match, that we prune the chain
|
---|
| 2996 | * and reset ctx->num_untrusted to the reduced count of
|
---|
| 2997 | * untrusted certificates. While we're searching for such a
|
---|
| 2998 | * match (which may never be found), it is neither safe nor
|
---|
| 2999 | * wise to preemptively modify either the chain or
|
---|
| 3000 | * ctx->num_untrusted.
|
---|
| 3001 | *
|
---|
| 3002 | * Note, like ctx->num_untrusted, alt_untrusted is a count of
|
---|
| 3003 | * untrusted certificates, not a "depth".
|
---|
| 3004 | */
|
---|
| 3005 | i = alt_untrusted;
|
---|
| 3006 | }
|
---|
| 3007 | x = sk_X509_value(ctx->chain, i-1);
|
---|
| 3008 |
|
---|
| 3009 | ok = (depth < num) ? 0 : get_issuer(&xtmp, ctx, x);
|
---|
| 3010 |
|
---|
| 3011 | if (ok < 0) {
|
---|
| 3012 | trust = X509_TRUST_REJECTED;
|
---|
| 3013 | ctx->error = X509_V_ERR_STORE_LOOKUP;
|
---|
| 3014 | search = 0;
|
---|
| 3015 | continue;
|
---|
| 3016 | }
|
---|
| 3017 |
|
---|
| 3018 | if (ok > 0) {
|
---|
| 3019 | /*
|
---|
| 3020 | * Alternative trusted issuer for a mid-chain untrusted cert?
|
---|
| 3021 | * Pop the untrusted cert's successors and retry. We might now
|
---|
| 3022 | * be able to complete a valid chain via the trust store. Note
|
---|
| 3023 | * that despite the current trust-store match we might still
|
---|
| 3024 | * fail complete the chain to a suitable trust-anchor, in which
|
---|
| 3025 | * case we may prune some more untrusted certificates and try
|
---|
| 3026 | * again. Thus the S_DOALTERNATE bit may yet be turned on
|
---|
| 3027 | * again with an even shorter untrusted chain!
|
---|
| 3028 | *
|
---|
| 3029 | * If in the process we threw away our matching PKIX-TA trust
|
---|
| 3030 | * anchor, reset DANE trust. We might find a suitable trusted
|
---|
| 3031 | * certificate among the ones from the trust store.
|
---|
| 3032 | */
|
---|
| 3033 | if ((search & S_DOALTERNATE) != 0) {
|
---|
| 3034 | OPENSSL_assert(num > i && i > 0 && ss == 0);
|
---|
| 3035 | search &= ~S_DOALTERNATE;
|
---|
| 3036 | for (; num > i; --num)
|
---|
| 3037 | X509_free(sk_X509_pop(ctx->chain));
|
---|
| 3038 | ctx->num_untrusted = num;
|
---|
| 3039 |
|
---|
| 3040 | if (DANETLS_ENABLED(dane) &&
|
---|
| 3041 | dane->mdpth >= ctx->num_untrusted) {
|
---|
| 3042 | dane->mdpth = -1;
|
---|
| 3043 | X509_free(dane->mcert);
|
---|
| 3044 | dane->mcert = NULL;
|
---|
| 3045 | }
|
---|
| 3046 | if (DANETLS_ENABLED(dane) &&
|
---|
| 3047 | dane->pdpth >= ctx->num_untrusted)
|
---|
| 3048 | dane->pdpth = -1;
|
---|
| 3049 | }
|
---|
| 3050 |
|
---|
| 3051 | /*
|
---|
| 3052 | * Self-signed untrusted certificates get replaced by their
|
---|
| 3053 | * trusted matching issuer. Otherwise, grow the chain.
|
---|
| 3054 | */
|
---|
| 3055 | if (ss == 0) {
|
---|
| 3056 | if (!sk_X509_push(ctx->chain, x = xtmp)) {
|
---|
| 3057 | X509_free(xtmp);
|
---|
| 3058 | X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
|
---|
| 3059 | trust = X509_TRUST_REJECTED;
|
---|
| 3060 | ctx->error = X509_V_ERR_OUT_OF_MEM;
|
---|
| 3061 | search = 0;
|
---|
| 3062 | continue;
|
---|
| 3063 | }
|
---|
| 3064 | ss = cert_self_signed(x);
|
---|
| 3065 | } else if (num == ctx->num_untrusted) {
|
---|
| 3066 | /*
|
---|
| 3067 | * We have a self-signed certificate that has the same
|
---|
| 3068 | * subject name (and perhaps keyid and/or serial number) as
|
---|
| 3069 | * a trust-anchor. We must have an exact match to avoid
|
---|
| 3070 | * possible impersonation via key substitution etc.
|
---|
| 3071 | */
|
---|
| 3072 | if (X509_cmp(x, xtmp) != 0) {
|
---|
| 3073 | /* Self-signed untrusted mimic. */
|
---|
| 3074 | X509_free(xtmp);
|
---|
| 3075 | ok = 0;
|
---|
| 3076 | } else {
|
---|
| 3077 | X509_free(x);
|
---|
| 3078 | ctx->num_untrusted = --num;
|
---|
| 3079 | (void) sk_X509_set(ctx->chain, num, x = xtmp);
|
---|
| 3080 | }
|
---|
| 3081 | }
|
---|
| 3082 |
|
---|
| 3083 | /*
|
---|
| 3084 | * We've added a new trusted certificate to the chain, recheck
|
---|
| 3085 | * trust. If not done, and not self-signed look deeper.
|
---|
| 3086 | * Whether or not we're doing "trusted first", we no longer
|
---|
| 3087 | * look for untrusted certificates from the peer's chain.
|
---|
| 3088 | *
|
---|
| 3089 | * At this point ctx->num_trusted and num must reflect the
|
---|
| 3090 | * correct number of untrusted certificates, since the DANE
|
---|
| 3091 | * logic in check_trust() depends on distinguishing CAs from
|
---|
| 3092 | * "the wire" from CAs from the trust store. In particular, the
|
---|
| 3093 | * certificate at depth "num" should be the new trusted
|
---|
| 3094 | * certificate with ctx->num_untrusted <= num.
|
---|
| 3095 | */
|
---|
| 3096 | if (ok) {
|
---|
| 3097 | OPENSSL_assert(ctx->num_untrusted <= num);
|
---|
| 3098 | search &= ~S_DOUNTRUSTED;
|
---|
| 3099 | switch (trust = check_trust(ctx, num)) {
|
---|
| 3100 | case X509_TRUST_TRUSTED:
|
---|
| 3101 | case X509_TRUST_REJECTED:
|
---|
| 3102 | search = 0;
|
---|
| 3103 | continue;
|
---|
| 3104 | }
|
---|
| 3105 | if (ss == 0)
|
---|
| 3106 | continue;
|
---|
| 3107 | }
|
---|
| 3108 | }
|
---|
| 3109 |
|
---|
| 3110 | /*
|
---|
| 3111 | * No dispositive decision, and either self-signed or no match, if
|
---|
| 3112 | * we were doing untrusted-first, and alt-chains are not disabled,
|
---|
| 3113 | * do that, by repeatedly losing one untrusted element at a time,
|
---|
| 3114 | * and trying to extend the shorted chain.
|
---|
| 3115 | */
|
---|
| 3116 | if ((search & S_DOUNTRUSTED) == 0) {
|
---|
| 3117 | /* Continue search for a trusted issuer of a shorter chain? */
|
---|
| 3118 | if ((search & S_DOALTERNATE) != 0 && --alt_untrusted > 0)
|
---|
| 3119 | continue;
|
---|
| 3120 | /* Still no luck and no fallbacks left? */
|
---|
| 3121 | if (!may_alternate || (search & S_DOALTERNATE) != 0 ||
|
---|
| 3122 | ctx->num_untrusted < 2)
|
---|
| 3123 | break;
|
---|
| 3124 | /* Search for a trusted issuer of a shorter chain */
|
---|
| 3125 | search |= S_DOALTERNATE;
|
---|
| 3126 | alt_untrusted = ctx->num_untrusted - 1;
|
---|
| 3127 | ss = 0;
|
---|
| 3128 | }
|
---|
| 3129 | }
|
---|
| 3130 |
|
---|
| 3131 | /*
|
---|
| 3132 | * Extend chain with peer-provided certificates
|
---|
| 3133 | */
|
---|
| 3134 | if ((search & S_DOUNTRUSTED) != 0) {
|
---|
| 3135 | num = sk_X509_num(ctx->chain);
|
---|
| 3136 | OPENSSL_assert(num == ctx->num_untrusted);
|
---|
| 3137 | x = sk_X509_value(ctx->chain, num-1);
|
---|
| 3138 |
|
---|
| 3139 | /*
|
---|
| 3140 | * Once we run out of untrusted issuers, we stop looking for more
|
---|
| 3141 | * and start looking only in the trust store if enabled.
|
---|
| 3142 | */
|
---|
| 3143 | xtmp = (ss || depth < num) ? NULL : find_issuer(ctx, sktmp, x);
|
---|
| 3144 | if (xtmp == NULL) {
|
---|
| 3145 | search &= ~S_DOUNTRUSTED;
|
---|
| 3146 | if (may_trusted)
|
---|
| 3147 | search |= S_DOTRUSTED;
|
---|
| 3148 | continue;
|
---|
| 3149 | }
|
---|
| 3150 |
|
---|
| 3151 | /* Drop this issuer from future consideration */
|
---|
| 3152 | (void) sk_X509_delete_ptr(sktmp, xtmp);
|
---|
| 3153 |
|
---|
| 3154 | if (!sk_X509_push(ctx->chain, xtmp)) {
|
---|
| 3155 | X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
|
---|
| 3156 | trust = X509_TRUST_REJECTED;
|
---|
| 3157 | ctx->error = X509_V_ERR_OUT_OF_MEM;
|
---|
| 3158 | search = 0;
|
---|
| 3159 | continue;
|
---|
| 3160 | }
|
---|
| 3161 |
|
---|
| 3162 | X509_up_ref(x = xtmp);
|
---|
| 3163 | ++ctx->num_untrusted;
|
---|
| 3164 | ss = cert_self_signed(xtmp);
|
---|
| 3165 |
|
---|
| 3166 | /*
|
---|
| 3167 | * Check for DANE-TA trust of the topmost untrusted certificate.
|
---|
| 3168 | */
|
---|
| 3169 | switch (trust = check_dane_issuer(ctx, ctx->num_untrusted - 1)) {
|
---|
| 3170 | case X509_TRUST_TRUSTED:
|
---|
| 3171 | case X509_TRUST_REJECTED:
|
---|
| 3172 | search = 0;
|
---|
| 3173 | continue;
|
---|
| 3174 | }
|
---|
| 3175 | }
|
---|
| 3176 | }
|
---|
| 3177 | sk_X509_free(sktmp);
|
---|
| 3178 |
|
---|
| 3179 | /*
|
---|
| 3180 | * Last chance to make a trusted chain, either bare DANE-TA public-key
|
---|
| 3181 | * signers, or else direct leaf PKIX trust.
|
---|
| 3182 | */
|
---|
| 3183 | num = sk_X509_num(ctx->chain);
|
---|
| 3184 | if (num <= depth) {
|
---|
| 3185 | if (trust == X509_TRUST_UNTRUSTED && DANETLS_HAS_DANE_TA(dane))
|
---|
| 3186 | trust = check_dane_pkeys(ctx);
|
---|
| 3187 | if (trust == X509_TRUST_UNTRUSTED && num == ctx->num_untrusted)
|
---|
| 3188 | trust = check_trust(ctx, num);
|
---|
| 3189 | }
|
---|
| 3190 |
|
---|
| 3191 | switch (trust) {
|
---|
| 3192 | case X509_TRUST_TRUSTED:
|
---|
| 3193 | return 1;
|
---|
| 3194 | case X509_TRUST_REJECTED:
|
---|
| 3195 | /* Callback already issued */
|
---|
| 3196 | return 0;
|
---|
| 3197 | case X509_TRUST_UNTRUSTED:
|
---|
| 3198 | default:
|
---|
| 3199 | num = sk_X509_num(ctx->chain);
|
---|
| 3200 | if (num > depth)
|
---|
| 3201 | return verify_cb_cert(ctx, NULL, num-1,
|
---|
| 3202 | X509_V_ERR_CERT_CHAIN_TOO_LONG);
|
---|
| 3203 | if (DANETLS_ENABLED(dane) &&
|
---|
| 3204 | (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0))
|
---|
| 3205 | return verify_cb_cert(ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH);
|
---|
| 3206 | if (ss && sk_X509_num(ctx->chain) == 1)
|
---|
| 3207 | return verify_cb_cert(ctx, NULL, num-1,
|
---|
| 3208 | X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
|
---|
| 3209 | if (ss)
|
---|
| 3210 | return verify_cb_cert(ctx, NULL, num-1,
|
---|
| 3211 | X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN);
|
---|
| 3212 | if (ctx->num_untrusted < num)
|
---|
| 3213 | return verify_cb_cert(ctx, NULL, num-1,
|
---|
| 3214 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT);
|
---|
| 3215 | return verify_cb_cert(ctx, NULL, num-1,
|
---|
| 3216 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY);
|
---|
| 3217 | }
|
---|
| 3218 | }
|
---|
| 3219 |
|
---|
| 3220 | static const int minbits_table[] = { 80, 112, 128, 192, 256 };
|
---|
| 3221 | static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
|
---|
| 3222 |
|
---|
| 3223 | /*
|
---|
| 3224 | * Check whether the public key of ``cert`` meets the security level of
|
---|
| 3225 | * ``ctx``.
|
---|
| 3226 | *
|
---|
| 3227 | * Returns 1 on success, 0 otherwise.
|
---|
| 3228 | */
|
---|
| 3229 | static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
|
---|
| 3230 | {
|
---|
| 3231 | EVP_PKEY *pkey = X509_get0_pubkey(cert);
|
---|
| 3232 | int level = ctx->param->auth_level;
|
---|
| 3233 |
|
---|
| 3234 | /* Unsupported or malformed keys are not secure */
|
---|
| 3235 | if (pkey == NULL)
|
---|
| 3236 | return 0;
|
---|
| 3237 |
|
---|
| 3238 | if (level <= 0)
|
---|
| 3239 | return 1;
|
---|
| 3240 | if (level > NUM_AUTH_LEVELS)
|
---|
| 3241 | level = NUM_AUTH_LEVELS;
|
---|
| 3242 |
|
---|
| 3243 | return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1];
|
---|
| 3244 | }
|
---|
| 3245 |
|
---|
| 3246 | /*
|
---|
| 3247 | * Check whether the signature digest algorithm of ``cert`` meets the security
|
---|
| 3248 | * level of ``ctx``. Should not be checked for trust anchors (whether
|
---|
| 3249 | * self-signed or otherwise).
|
---|
| 3250 | *
|
---|
| 3251 | * Returns 1 on success, 0 otherwise.
|
---|
| 3252 | */
|
---|
| 3253 | static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
|
---|
| 3254 | {
|
---|
| 3255 | int nid = X509_get_signature_nid(cert);
|
---|
| 3256 | int mdnid = NID_undef;
|
---|
| 3257 | int secbits = -1;
|
---|
| 3258 | int level = ctx->param->auth_level;
|
---|
| 3259 |
|
---|
| 3260 | if (level <= 0)
|
---|
| 3261 | return 1;
|
---|
| 3262 | if (level > NUM_AUTH_LEVELS)
|
---|
| 3263 | level = NUM_AUTH_LEVELS;
|
---|
| 3264 |
|
---|
| 3265 | /* Lookup signature algorithm digest */
|
---|
| 3266 | if (nid && OBJ_find_sigid_algs(nid, &mdnid, NULL)) {
|
---|
| 3267 | const EVP_MD *md;
|
---|
| 3268 |
|
---|
| 3269 | /* Assume 4 bits of collision resistance for each hash octet */
|
---|
| 3270 | if (mdnid != NID_undef && (md = EVP_get_digestbynid(mdnid)) != NULL)
|
---|
| 3271 | secbits = EVP_MD_size(md) * 4;
|
---|
| 3272 | }
|
---|
| 3273 |
|
---|
| 3274 | return secbits >= minbits_table[level - 1];
|
---|
| 3275 | }
|
---|