[331] | 1 | /*
|
---|
| 2 | * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include <stdio.h>
|
---|
| 11 |
|
---|
| 12 | #include "internal/cryptlib.h"
|
---|
| 13 | #include <openssl/crypto.h>
|
---|
| 14 | #include <openssl/lhash.h>
|
---|
| 15 | #include <openssl/buffer.h>
|
---|
| 16 | #include <openssl/x509.h>
|
---|
| 17 | #include <openssl/x509v3.h>
|
---|
| 18 | #include "internal/x509_int.h"
|
---|
| 19 |
|
---|
| 20 | #include "x509_lcl.h"
|
---|
| 21 |
|
---|
| 22 | /* X509_VERIFY_PARAM functions */
|
---|
| 23 |
|
---|
| 24 | #define SET_HOST 0
|
---|
| 25 | #define ADD_HOST 1
|
---|
| 26 |
|
---|
| 27 | static char *str_copy(const char *s)
|
---|
| 28 | {
|
---|
| 29 | return OPENSSL_strdup(s);
|
---|
| 30 | }
|
---|
| 31 |
|
---|
| 32 | static void str_free(char *s)
|
---|
| 33 | {
|
---|
| 34 | OPENSSL_free(s);
|
---|
| 35 | }
|
---|
| 36 |
|
---|
| 37 | static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
|
---|
| 38 | const char *name, size_t namelen)
|
---|
| 39 | {
|
---|
| 40 | char *copy;
|
---|
| 41 |
|
---|
| 42 | /*
|
---|
| 43 | * Refuse names with embedded NUL bytes, except perhaps as final byte.
|
---|
| 44 | * XXX: Do we need to push an error onto the error stack?
|
---|
| 45 | */
|
---|
| 46 | if (namelen == 0 || name == NULL)
|
---|
| 47 | namelen = name ? strlen(name) : 0;
|
---|
| 48 | else if (name && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen))
|
---|
| 49 | return 0;
|
---|
| 50 | if (namelen > 0 && name[namelen - 1] == '\0')
|
---|
| 51 | --namelen;
|
---|
| 52 |
|
---|
| 53 | if (mode == SET_HOST) {
|
---|
| 54 | sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
|
---|
| 55 | vpm->hosts = NULL;
|
---|
| 56 | }
|
---|
| 57 | if (name == NULL || namelen == 0)
|
---|
| 58 | return 1;
|
---|
| 59 |
|
---|
| 60 | copy = OPENSSL_strndup(name, namelen);
|
---|
| 61 | if (copy == NULL)
|
---|
| 62 | return 0;
|
---|
| 63 |
|
---|
| 64 | if (vpm->hosts == NULL &&
|
---|
| 65 | (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
|
---|
| 66 | OPENSSL_free(copy);
|
---|
| 67 | return 0;
|
---|
| 68 | }
|
---|
| 69 |
|
---|
| 70 | if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
|
---|
| 71 | OPENSSL_free(copy);
|
---|
| 72 | if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
|
---|
| 73 | sk_OPENSSL_STRING_free(vpm->hosts);
|
---|
| 74 | vpm->hosts = NULL;
|
---|
| 75 | }
|
---|
| 76 | return 0;
|
---|
| 77 | }
|
---|
| 78 |
|
---|
| 79 | return 1;
|
---|
| 80 | }
|
---|
| 81 |
|
---|
| 82 | static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
|
---|
| 83 | {
|
---|
| 84 | if (!param)
|
---|
| 85 | return;
|
---|
| 86 | param->name = NULL;
|
---|
| 87 | param->purpose = 0;
|
---|
| 88 | param->trust = X509_TRUST_DEFAULT;
|
---|
| 89 | /*
|
---|
| 90 | * param->inh_flags = X509_VP_FLAG_DEFAULT;
|
---|
| 91 | */
|
---|
| 92 | param->inh_flags = 0;
|
---|
| 93 | param->flags = 0;
|
---|
| 94 | param->depth = -1;
|
---|
| 95 | param->auth_level = -1; /* -1 means unset, 0 is explicit */
|
---|
| 96 | sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
|
---|
| 97 | param->policies = NULL;
|
---|
| 98 | sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
|
---|
| 99 | param->hosts = NULL;
|
---|
| 100 | OPENSSL_free(param->peername);
|
---|
| 101 | param->peername = NULL;
|
---|
| 102 | OPENSSL_free(param->email);
|
---|
| 103 | param->email = NULL;
|
---|
| 104 | param->emaillen = 0;
|
---|
| 105 | OPENSSL_free(param->ip);
|
---|
| 106 | param->ip = NULL;
|
---|
| 107 | param->iplen = 0;
|
---|
| 108 | }
|
---|
| 109 |
|
---|
| 110 | X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
|
---|
| 111 | {
|
---|
| 112 | X509_VERIFY_PARAM *param;
|
---|
| 113 |
|
---|
| 114 | param = OPENSSL_zalloc(sizeof(*param));
|
---|
| 115 | if (param == NULL)
|
---|
| 116 | return NULL;
|
---|
| 117 | x509_verify_param_zero(param);
|
---|
| 118 | return param;
|
---|
| 119 | }
|
---|
| 120 |
|
---|
| 121 | void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
|
---|
| 122 | {
|
---|
| 123 | if (!param)
|
---|
| 124 | return;
|
---|
| 125 | x509_verify_param_zero(param);
|
---|
| 126 | OPENSSL_free(param);
|
---|
| 127 | }
|
---|
| 128 |
|
---|
| 129 | /*-
|
---|
| 130 | * This function determines how parameters are "inherited" from one structure
|
---|
| 131 | * to another. There are several different ways this can happen.
|
---|
| 132 | *
|
---|
| 133 | * 1. If a child structure needs to have its values initialized from a parent
|
---|
| 134 | * they are simply copied across. For example SSL_CTX copied to SSL.
|
---|
| 135 | * 2. If the structure should take on values only if they are currently unset.
|
---|
| 136 | * For example the values in an SSL structure will take appropriate value
|
---|
| 137 | * for SSL servers or clients but only if the application has not set new
|
---|
| 138 | * ones.
|
---|
| 139 | *
|
---|
| 140 | * The "inh_flags" field determines how this function behaves.
|
---|
| 141 | *
|
---|
| 142 | * Normally any values which are set in the default are not copied from the
|
---|
| 143 | * destination and verify flags are ORed together.
|
---|
| 144 | *
|
---|
| 145 | * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
|
---|
| 146 | * to the destination. Effectively the values in "to" become default values
|
---|
| 147 | * which will be used only if nothing new is set in "from".
|
---|
| 148 | *
|
---|
| 149 | * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
|
---|
| 150 | * they are set or not. Flags is still Ored though.
|
---|
| 151 | *
|
---|
| 152 | * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
|
---|
| 153 | * of ORed.
|
---|
| 154 | *
|
---|
| 155 | * If X509_VP_FLAG_LOCKED is set then no values are copied.
|
---|
| 156 | *
|
---|
| 157 | * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
|
---|
| 158 | * after the next call.
|
---|
| 159 | */
|
---|
| 160 |
|
---|
| 161 | /* Macro to test if a field should be copied from src to dest */
|
---|
| 162 |
|
---|
| 163 | #define test_x509_verify_param_copy(field, def) \
|
---|
| 164 | (to_overwrite || \
|
---|
| 165 | ((src->field != def) && (to_default || (dest->field == def))))
|
---|
| 166 |
|
---|
| 167 | /* Macro to test and copy a field if necessary */
|
---|
| 168 |
|
---|
| 169 | #define x509_verify_param_copy(field, def) \
|
---|
| 170 | if (test_x509_verify_param_copy(field, def)) \
|
---|
| 171 | dest->field = src->field
|
---|
| 172 |
|
---|
| 173 | int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
|
---|
| 174 | const X509_VERIFY_PARAM *src)
|
---|
| 175 | {
|
---|
| 176 | unsigned long inh_flags;
|
---|
| 177 | int to_default, to_overwrite;
|
---|
| 178 | if (!src)
|
---|
| 179 | return 1;
|
---|
| 180 | inh_flags = dest->inh_flags | src->inh_flags;
|
---|
| 181 |
|
---|
| 182 | if (inh_flags & X509_VP_FLAG_ONCE)
|
---|
| 183 | dest->inh_flags = 0;
|
---|
| 184 |
|
---|
| 185 | if (inh_flags & X509_VP_FLAG_LOCKED)
|
---|
| 186 | return 1;
|
---|
| 187 |
|
---|
| 188 | if (inh_flags & X509_VP_FLAG_DEFAULT)
|
---|
| 189 | to_default = 1;
|
---|
| 190 | else
|
---|
| 191 | to_default = 0;
|
---|
| 192 |
|
---|
| 193 | if (inh_flags & X509_VP_FLAG_OVERWRITE)
|
---|
| 194 | to_overwrite = 1;
|
---|
| 195 | else
|
---|
| 196 | to_overwrite = 0;
|
---|
| 197 |
|
---|
| 198 | x509_verify_param_copy(purpose, 0);
|
---|
| 199 | x509_verify_param_copy(trust, X509_TRUST_DEFAULT);
|
---|
| 200 | x509_verify_param_copy(depth, -1);
|
---|
| 201 | x509_verify_param_copy(auth_level, -1);
|
---|
| 202 |
|
---|
| 203 | /* If overwrite or check time not set, copy across */
|
---|
| 204 |
|
---|
| 205 | if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
|
---|
| 206 | dest->check_time = src->check_time;
|
---|
| 207 | dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
|
---|
| 208 | /* Don't need to copy flag: that is done below */
|
---|
| 209 | }
|
---|
| 210 |
|
---|
| 211 | if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
|
---|
| 212 | dest->flags = 0;
|
---|
| 213 |
|
---|
| 214 | dest->flags |= src->flags;
|
---|
| 215 |
|
---|
| 216 | if (test_x509_verify_param_copy(policies, NULL)) {
|
---|
| 217 | if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
|
---|
| 218 | return 0;
|
---|
| 219 | }
|
---|
| 220 |
|
---|
| 221 | /* Copy the host flags if and only if we're copying the host list */
|
---|
| 222 | if (test_x509_verify_param_copy(hosts, NULL)) {
|
---|
| 223 | sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
|
---|
| 224 | dest->hosts = NULL;
|
---|
| 225 | if (src->hosts) {
|
---|
| 226 | dest->hosts =
|
---|
| 227 | sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
|
---|
| 228 | if (dest->hosts == NULL)
|
---|
| 229 | return 0;
|
---|
| 230 | dest->hostflags = src->hostflags;
|
---|
| 231 | }
|
---|
| 232 | }
|
---|
| 233 |
|
---|
| 234 | if (test_x509_verify_param_copy(email, NULL)) {
|
---|
| 235 | if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen))
|
---|
| 236 | return 0;
|
---|
| 237 | }
|
---|
| 238 |
|
---|
| 239 | if (test_x509_verify_param_copy(ip, NULL)) {
|
---|
| 240 | if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
|
---|
| 241 | return 0;
|
---|
| 242 | }
|
---|
| 243 |
|
---|
| 244 | return 1;
|
---|
| 245 | }
|
---|
| 246 |
|
---|
| 247 | int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
|
---|
| 248 | const X509_VERIFY_PARAM *from)
|
---|
| 249 | {
|
---|
| 250 | unsigned long save_flags = to->inh_flags;
|
---|
| 251 | int ret;
|
---|
| 252 | to->inh_flags |= X509_VP_FLAG_DEFAULT;
|
---|
| 253 | ret = X509_VERIFY_PARAM_inherit(to, from);
|
---|
| 254 | to->inh_flags = save_flags;
|
---|
| 255 | return ret;
|
---|
| 256 | }
|
---|
| 257 |
|
---|
| 258 | static int int_x509_param_set1(char **pdest, size_t *pdestlen,
|
---|
| 259 | const char *src, size_t srclen)
|
---|
| 260 | {
|
---|
| 261 | void *tmp;
|
---|
| 262 | if (src) {
|
---|
| 263 | if (srclen == 0)
|
---|
| 264 | srclen = strlen(src);
|
---|
| 265 |
|
---|
| 266 | tmp = OPENSSL_memdup(src, srclen);
|
---|
| 267 | if (tmp == NULL)
|
---|
| 268 | return 0;
|
---|
| 269 | } else {
|
---|
| 270 | tmp = NULL;
|
---|
| 271 | srclen = 0;
|
---|
| 272 | }
|
---|
| 273 | OPENSSL_free(*pdest);
|
---|
| 274 | *pdest = tmp;
|
---|
| 275 | if (pdestlen != NULL)
|
---|
| 276 | *pdestlen = srclen;
|
---|
| 277 | return 1;
|
---|
| 278 | }
|
---|
| 279 |
|
---|
| 280 | int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
|
---|
| 281 | {
|
---|
| 282 | OPENSSL_free(param->name);
|
---|
| 283 | param->name = OPENSSL_strdup(name);
|
---|
| 284 | if (param->name)
|
---|
| 285 | return 1;
|
---|
| 286 | return 0;
|
---|
| 287 | }
|
---|
| 288 |
|
---|
| 289 | int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
|
---|
| 290 | {
|
---|
| 291 | param->flags |= flags;
|
---|
| 292 | if (flags & X509_V_FLAG_POLICY_MASK)
|
---|
| 293 | param->flags |= X509_V_FLAG_POLICY_CHECK;
|
---|
| 294 | return 1;
|
---|
| 295 | }
|
---|
| 296 |
|
---|
| 297 | int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
|
---|
| 298 | unsigned long flags)
|
---|
| 299 | {
|
---|
| 300 | param->flags &= ~flags;
|
---|
| 301 | return 1;
|
---|
| 302 | }
|
---|
| 303 |
|
---|
| 304 | unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
|
---|
| 305 | {
|
---|
| 306 | return param->flags;
|
---|
| 307 | }
|
---|
| 308 |
|
---|
| 309 | uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param)
|
---|
| 310 | {
|
---|
| 311 | return param->inh_flags;
|
---|
| 312 | }
|
---|
| 313 |
|
---|
| 314 | int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags)
|
---|
| 315 | {
|
---|
| 316 | param->inh_flags = flags;
|
---|
| 317 | return 1;
|
---|
| 318 | }
|
---|
| 319 |
|
---|
| 320 | int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
|
---|
| 321 | {
|
---|
| 322 | return X509_PURPOSE_set(¶m->purpose, purpose);
|
---|
| 323 | }
|
---|
| 324 |
|
---|
| 325 | int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
|
---|
| 326 | {
|
---|
| 327 | return X509_TRUST_set(¶m->trust, trust);
|
---|
| 328 | }
|
---|
| 329 |
|
---|
| 330 | void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
|
---|
| 331 | {
|
---|
| 332 | param->depth = depth;
|
---|
| 333 | }
|
---|
| 334 |
|
---|
| 335 | void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level)
|
---|
| 336 | {
|
---|
| 337 | param->auth_level = auth_level;
|
---|
| 338 | }
|
---|
| 339 |
|
---|
| 340 | time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param)
|
---|
| 341 | {
|
---|
| 342 | return param->check_time;
|
---|
| 343 | }
|
---|
| 344 |
|
---|
| 345 | void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
|
---|
| 346 | {
|
---|
| 347 | param->check_time = t;
|
---|
| 348 | param->flags |= X509_V_FLAG_USE_CHECK_TIME;
|
---|
| 349 | }
|
---|
| 350 |
|
---|
| 351 | int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
|
---|
| 352 | ASN1_OBJECT *policy)
|
---|
| 353 | {
|
---|
| 354 | if (!param->policies) {
|
---|
| 355 | param->policies = sk_ASN1_OBJECT_new_null();
|
---|
| 356 | if (!param->policies)
|
---|
| 357 | return 0;
|
---|
| 358 | }
|
---|
| 359 | if (!sk_ASN1_OBJECT_push(param->policies, policy))
|
---|
| 360 | return 0;
|
---|
| 361 | return 1;
|
---|
| 362 | }
|
---|
| 363 |
|
---|
| 364 | int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
|
---|
| 365 | STACK_OF(ASN1_OBJECT) *policies)
|
---|
| 366 | {
|
---|
| 367 | int i;
|
---|
| 368 | ASN1_OBJECT *oid, *doid;
|
---|
| 369 |
|
---|
| 370 | if (!param)
|
---|
| 371 | return 0;
|
---|
| 372 | sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
|
---|
| 373 |
|
---|
| 374 | if (!policies) {
|
---|
| 375 | param->policies = NULL;
|
---|
| 376 | return 1;
|
---|
| 377 | }
|
---|
| 378 |
|
---|
| 379 | param->policies = sk_ASN1_OBJECT_new_null();
|
---|
| 380 | if (!param->policies)
|
---|
| 381 | return 0;
|
---|
| 382 |
|
---|
| 383 | for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
|
---|
| 384 | oid = sk_ASN1_OBJECT_value(policies, i);
|
---|
| 385 | doid = OBJ_dup(oid);
|
---|
| 386 | if (!doid)
|
---|
| 387 | return 0;
|
---|
| 388 | if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
|
---|
| 389 | ASN1_OBJECT_free(doid);
|
---|
| 390 | return 0;
|
---|
| 391 | }
|
---|
| 392 | }
|
---|
| 393 | param->flags |= X509_V_FLAG_POLICY_CHECK;
|
---|
| 394 | return 1;
|
---|
| 395 | }
|
---|
| 396 |
|
---|
| 397 | int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
|
---|
| 398 | const char *name, size_t namelen)
|
---|
| 399 | {
|
---|
| 400 | return int_x509_param_set_hosts(param, SET_HOST, name, namelen);
|
---|
| 401 | }
|
---|
| 402 |
|
---|
| 403 | int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
|
---|
| 404 | const char *name, size_t namelen)
|
---|
| 405 | {
|
---|
| 406 | return int_x509_param_set_hosts(param, ADD_HOST, name, namelen);
|
---|
| 407 | }
|
---|
| 408 |
|
---|
| 409 | void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
|
---|
| 410 | unsigned int flags)
|
---|
| 411 | {
|
---|
| 412 | param->hostflags = flags;
|
---|
| 413 | }
|
---|
| 414 |
|
---|
| 415 | char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
|
---|
| 416 | {
|
---|
| 417 | return param->peername;
|
---|
| 418 | }
|
---|
| 419 |
|
---|
| 420 | /*
|
---|
| 421 | * Move peername from one param structure to another, freeing any name present
|
---|
| 422 | * at the target. If the source is a NULL parameter structure, free and zero
|
---|
| 423 | * the target peername.
|
---|
| 424 | */
|
---|
| 425 | void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *to,
|
---|
| 426 | X509_VERIFY_PARAM *from)
|
---|
| 427 | {
|
---|
| 428 | char *peername = (from != NULL) ? from->peername : NULL;
|
---|
| 429 |
|
---|
| 430 | if (to->peername != peername) {
|
---|
| 431 | OPENSSL_free(to->peername);
|
---|
| 432 | to->peername = peername;
|
---|
| 433 | }
|
---|
| 434 | if (from)
|
---|
| 435 | from->peername = NULL;
|
---|
| 436 | }
|
---|
| 437 |
|
---|
| 438 | int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
|
---|
| 439 | const char *email, size_t emaillen)
|
---|
| 440 | {
|
---|
| 441 | return int_x509_param_set1(¶m->email, ¶m->emaillen,
|
---|
| 442 | email, emaillen);
|
---|
| 443 | }
|
---|
| 444 |
|
---|
| 445 | int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
|
---|
| 446 | const unsigned char *ip, size_t iplen)
|
---|
| 447 | {
|
---|
| 448 | if (iplen != 0 && iplen != 4 && iplen != 16)
|
---|
| 449 | return 0;
|
---|
| 450 | return int_x509_param_set1((char **)¶m->ip, ¶m->iplen,
|
---|
| 451 | (char *)ip, iplen);
|
---|
| 452 | }
|
---|
| 453 |
|
---|
| 454 | int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
|
---|
| 455 | {
|
---|
| 456 | unsigned char ipout[16];
|
---|
| 457 | size_t iplen;
|
---|
| 458 |
|
---|
| 459 | iplen = (size_t)a2i_ipadd(ipout, ipasc);
|
---|
| 460 | if (iplen == 0)
|
---|
| 461 | return 0;
|
---|
| 462 | return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
|
---|
| 463 | }
|
---|
| 464 |
|
---|
| 465 | int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
|
---|
| 466 | {
|
---|
| 467 | return param->depth;
|
---|
| 468 | }
|
---|
| 469 |
|
---|
| 470 | int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param)
|
---|
| 471 | {
|
---|
| 472 | return param->auth_level;
|
---|
| 473 | }
|
---|
| 474 |
|
---|
| 475 | const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
|
---|
| 476 | {
|
---|
| 477 | return param->name;
|
---|
| 478 | }
|
---|
| 479 |
|
---|
| 480 | #define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0
|
---|
| 481 |
|
---|
| 482 | /*
|
---|
| 483 | * Default verify parameters: these are used for various applications and can
|
---|
| 484 | * be overridden by the user specified table. NB: the 'name' field *must* be
|
---|
| 485 | * in alphabetical order because it will be searched using OBJ_search.
|
---|
| 486 | */
|
---|
| 487 |
|
---|
| 488 | static const X509_VERIFY_PARAM default_table[] = {
|
---|
| 489 | {
|
---|
| 490 | "default", /* X509 default parameters */
|
---|
| 491 | 0, /* Check time */
|
---|
| 492 | 0, /* internal flags */
|
---|
| 493 | X509_V_FLAG_TRUSTED_FIRST, /* flags */
|
---|
| 494 | 0, /* purpose */
|
---|
| 495 | 0, /* trust */
|
---|
| 496 | 100, /* depth */
|
---|
| 497 | -1, /* auth_level */
|
---|
| 498 | NULL, /* policies */
|
---|
| 499 | vpm_empty_id},
|
---|
| 500 | {
|
---|
| 501 | "pkcs7", /* S/MIME sign parameters */
|
---|
| 502 | 0, /* Check time */
|
---|
| 503 | 0, /* internal flags */
|
---|
| 504 | 0, /* flags */
|
---|
| 505 | X509_PURPOSE_SMIME_SIGN, /* purpose */
|
---|
| 506 | X509_TRUST_EMAIL, /* trust */
|
---|
| 507 | -1, /* depth */
|
---|
| 508 | -1, /* auth_level */
|
---|
| 509 | NULL, /* policies */
|
---|
| 510 | vpm_empty_id},
|
---|
| 511 | {
|
---|
| 512 | "smime_sign", /* S/MIME sign parameters */
|
---|
| 513 | 0, /* Check time */
|
---|
| 514 | 0, /* internal flags */
|
---|
| 515 | 0, /* flags */
|
---|
| 516 | X509_PURPOSE_SMIME_SIGN, /* purpose */
|
---|
| 517 | X509_TRUST_EMAIL, /* trust */
|
---|
| 518 | -1, /* depth */
|
---|
| 519 | -1, /* auth_level */
|
---|
| 520 | NULL, /* policies */
|
---|
| 521 | vpm_empty_id},
|
---|
| 522 | {
|
---|
| 523 | "ssl_client", /* SSL/TLS client parameters */
|
---|
| 524 | 0, /* Check time */
|
---|
| 525 | 0, /* internal flags */
|
---|
| 526 | 0, /* flags */
|
---|
| 527 | X509_PURPOSE_SSL_CLIENT, /* purpose */
|
---|
| 528 | X509_TRUST_SSL_CLIENT, /* trust */
|
---|
| 529 | -1, /* depth */
|
---|
| 530 | -1, /* auth_level */
|
---|
| 531 | NULL, /* policies */
|
---|
| 532 | vpm_empty_id},
|
---|
| 533 | {
|
---|
| 534 | "ssl_server", /* SSL/TLS server parameters */
|
---|
| 535 | 0, /* Check time */
|
---|
| 536 | 0, /* internal flags */
|
---|
| 537 | 0, /* flags */
|
---|
| 538 | X509_PURPOSE_SSL_SERVER, /* purpose */
|
---|
| 539 | X509_TRUST_SSL_SERVER, /* trust */
|
---|
| 540 | -1, /* depth */
|
---|
| 541 | -1, /* auth_level */
|
---|
| 542 | NULL, /* policies */
|
---|
| 543 | vpm_empty_id}
|
---|
| 544 | };
|
---|
| 545 |
|
---|
| 546 | static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
|
---|
| 547 |
|
---|
| 548 | static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
|
---|
| 549 | {
|
---|
| 550 | return strcmp(a->name, b->name);
|
---|
| 551 | }
|
---|
| 552 |
|
---|
| 553 | DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
|
---|
| 554 | IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
|
---|
| 555 |
|
---|
| 556 | static int param_cmp(const X509_VERIFY_PARAM *const *a,
|
---|
| 557 | const X509_VERIFY_PARAM *const *b)
|
---|
| 558 | {
|
---|
| 559 | return strcmp((*a)->name, (*b)->name);
|
---|
| 560 | }
|
---|
| 561 |
|
---|
| 562 | int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
|
---|
| 563 | {
|
---|
| 564 | int idx;
|
---|
| 565 | X509_VERIFY_PARAM *ptmp;
|
---|
| 566 | if (param_table == NULL) {
|
---|
| 567 | param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
|
---|
| 568 | if (param_table == NULL)
|
---|
| 569 | return 0;
|
---|
| 570 | } else {
|
---|
| 571 | idx = sk_X509_VERIFY_PARAM_find(param_table, param);
|
---|
| 572 | if (idx != -1) {
|
---|
| 573 | ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
|
---|
| 574 | X509_VERIFY_PARAM_free(ptmp);
|
---|
| 575 | (void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
|
---|
| 576 | }
|
---|
| 577 | }
|
---|
| 578 | if (!sk_X509_VERIFY_PARAM_push(param_table, param))
|
---|
| 579 | return 0;
|
---|
| 580 | return 1;
|
---|
| 581 | }
|
---|
| 582 |
|
---|
| 583 | int X509_VERIFY_PARAM_get_count(void)
|
---|
| 584 | {
|
---|
| 585 | int num = OSSL_NELEM(default_table);
|
---|
| 586 | if (param_table)
|
---|
| 587 | num += sk_X509_VERIFY_PARAM_num(param_table);
|
---|
| 588 | return num;
|
---|
| 589 | }
|
---|
| 590 |
|
---|
| 591 | const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
|
---|
| 592 | {
|
---|
| 593 | int num = OSSL_NELEM(default_table);
|
---|
| 594 | if (id < num)
|
---|
| 595 | return default_table + id;
|
---|
| 596 | return sk_X509_VERIFY_PARAM_value(param_table, id - num);
|
---|
| 597 | }
|
---|
| 598 |
|
---|
| 599 | const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
|
---|
| 600 | {
|
---|
| 601 | int idx;
|
---|
| 602 | X509_VERIFY_PARAM pm;
|
---|
| 603 |
|
---|
| 604 | pm.name = (char *)name;
|
---|
| 605 | if (param_table) {
|
---|
| 606 | idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
|
---|
| 607 | if (idx != -1)
|
---|
| 608 | return sk_X509_VERIFY_PARAM_value(param_table, idx);
|
---|
| 609 | }
|
---|
| 610 | return OBJ_bsearch_table(&pm, default_table, OSSL_NELEM(default_table));
|
---|
| 611 | }
|
---|
| 612 |
|
---|
| 613 | void X509_VERIFY_PARAM_table_cleanup(void)
|
---|
| 614 | {
|
---|
| 615 | sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free);
|
---|
| 616 | param_table = NULL;
|
---|
| 617 | }
|
---|