1 /* Copyright (C) 1995-1998 Eric Young ([email protected])
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young ([email protected]).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson ([email protected]).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young ([email protected])"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson ([email protected])"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <ctype.h>
58 #include <limits.h>
59 #include <string.h>
60 #include <time.h>
61
62 #include <openssl/asn1.h>
63 #include <openssl/err.h>
64 #include <openssl/evp.h>
65 #include <openssl/mem.h>
66 #include <openssl/obj.h>
67 #include <openssl/thread.h>
68 #include <openssl/x509.h>
69
70 #include "../internal.h"
71 #include "internal.h"
72
73 static CRYPTO_EX_DATA_CLASS g_ex_data_class =
74 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
75
76 // CRL score values
77
78 // No unhandled critical extensions
79 #define CRL_SCORE_NOCRITICAL 0x100
80
81 // certificate is within CRL scope
82 #define CRL_SCORE_SCOPE 0x080
83
84 // CRL times valid
85 #define CRL_SCORE_TIME 0x040
86
87 // Issuer name matches certificate
88 #define CRL_SCORE_ISSUER_NAME 0x020
89
90 // If this score or above CRL is probably valid
91 #define CRL_SCORE_VALID \
92 (CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE)
93
94 // CRL issuer is certificate issuer
95 #define CRL_SCORE_ISSUER_CERT 0x018
96
97 // CRL issuer is on certificate path
98 #define CRL_SCORE_SAME_PATH 0x008
99
100 // CRL issuer matches CRL AKID
101 #define CRL_SCORE_AKID 0x004
102
103 static int null_callback(int ok, X509_STORE_CTX *e);
104 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
105 static int check_chain_extensions(X509_STORE_CTX *ctx);
106 static int check_name_constraints(X509_STORE_CTX *ctx);
107 static int check_id(X509_STORE_CTX *ctx);
108 static int check_trust(X509_STORE_CTX *ctx);
109 static int check_revocation(X509_STORE_CTX *ctx);
110 static int check_cert(X509_STORE_CTX *ctx);
111 static int check_policy(X509_STORE_CTX *ctx);
112
113 static X509 *get_trusted_issuer(X509_STORE_CTX *ctx, X509 *x);
114 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, X509_CRL *crl,
115 X509 *x);
116 static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x);
117 static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
118 int *pcrl_score);
119 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score);
120 static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl);
121 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
122
123 static int internal_verify(X509_STORE_CTX *ctx);
124
null_callback(int ok,X509_STORE_CTX * e)125 static int null_callback(int ok, X509_STORE_CTX *e) { return ok; }
126
127 // cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns
128 // one and sets |*out_is_self_signed| to the result. If |x| is invalid, it
129 // returns zero.
cert_self_signed(X509 * x,int * out_is_self_signed)130 static int cert_self_signed(X509 *x, int *out_is_self_signed) {
131 if (!x509v3_cache_extensions(x)) {
132 return 0;
133 }
134 *out_is_self_signed = (x->ex_flags & EXFLAG_SS) != 0;
135 return 1;
136 }
137
call_verify_cb(int ok,X509_STORE_CTX * ctx)138 static int call_verify_cb(int ok, X509_STORE_CTX *ctx) {
139 ok = ctx->verify_cb(ok, ctx);
140 // Historically, callbacks returning values like -1 would be treated as a mix
141 // of success or failure. Insert that callers check correctly.
142 //
143 // TODO(davidben): Also use this wrapper to constrain which errors may be
144 // suppressed, and ensure all |verify_cb| calls remember to fill in an error.
145 BSSL_CHECK(ok == 0 || ok == 1);
146 return ok;
147 }
148
149 // Given a certificate try and find an exact match in the store
lookup_cert_match(X509_STORE_CTX * ctx,X509 * x)150 static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) {
151 STACK_OF(X509) *certs;
152 X509 *xtmp = NULL;
153 size_t i;
154 // Lookup all certs with matching subject name
155 certs = X509_STORE_CTX_get1_certs(ctx, X509_get_subject_name(x));
156 if (certs == NULL) {
157 return NULL;
158 }
159 // Look for exact match
160 for (i = 0; i < sk_X509_num(certs); i++) {
161 xtmp = sk_X509_value(certs, i);
162 if (!X509_cmp(xtmp, x)) {
163 break;
164 }
165 }
166 if (i < sk_X509_num(certs)) {
167 X509_up_ref(xtmp);
168 } else {
169 xtmp = NULL;
170 }
171 sk_X509_pop_free(certs, X509_free);
172 return xtmp;
173 }
174
X509_verify_cert(X509_STORE_CTX * ctx)175 int X509_verify_cert(X509_STORE_CTX *ctx) {
176 X509 *chain_ss = NULL;
177 int bad_chain = 0;
178 X509_VERIFY_PARAM *param = ctx->param;
179 int i, ok = 0;
180 int j, retry, trust;
181 STACK_OF(X509) *sktmp = NULL;
182
183 if (ctx->cert == NULL) {
184 OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
185 ctx->error = X509_V_ERR_INVALID_CALL;
186 return 0;
187 }
188
189 if (ctx->chain != NULL) {
190 // This X509_STORE_CTX has already been used to verify a cert. We
191 // cannot do another one.
192 OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
193 ctx->error = X509_V_ERR_INVALID_CALL;
194 return 0;
195 }
196
197 if (ctx->param->flags &
198 (X509_V_FLAG_EXTENDED_CRL_SUPPORT | X509_V_FLAG_USE_DELTAS)) {
199 // We do not support indirect or delta CRLs. The flags still exist for
200 // compatibility with bindings libraries, but to ensure we do not
201 // inadvertently skip a CRL check that the caller expects, fail closed.
202 OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
203 ctx->error = X509_V_ERR_INVALID_CALL;
204 return 0;
205 }
206
207 // first we make sure the chain we are going to build is present and that
208 // the first entry is in place
209 ctx->chain = sk_X509_new_null();
210 if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
211 ctx->error = X509_V_ERR_OUT_OF_MEM;
212 goto end;
213 }
214 X509_up_ref(ctx->cert);
215 ctx->last_untrusted = 1;
216
217 // We use a temporary STACK so we can chop and hack at it.
218 if (ctx->untrusted != NULL && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
219 ctx->error = X509_V_ERR_OUT_OF_MEM;
220 goto end;
221 }
222
223 int num = (int)sk_X509_num(ctx->chain);
224 X509 *x = sk_X509_value(ctx->chain, num - 1);
225 // |param->depth| does not include the leaf certificate or the trust anchor,
226 // so the maximum size is 2 more.
227 int max_chain = param->depth >= INT_MAX - 2 ? INT_MAX : param->depth + 2;
228
229 for (;;) {
230 if (num >= max_chain) {
231 // FIXME: If this happens, we should take note of it and, if appropriate,
232 // use the X509_V_ERR_CERT_CHAIN_TOO_LONG error code later.
233 break;
234 }
235
236 int is_self_signed;
237 if (!cert_self_signed(x, &is_self_signed)) {
238 ctx->error = X509_V_ERR_INVALID_EXTENSION;
239 goto end;
240 }
241
242 // If we are self signed, we break
243 if (is_self_signed) {
244 break;
245 }
246 // If asked see if we can find issuer in trusted store first
247 if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
248 X509 *issuer = get_trusted_issuer(ctx, x);
249 if (issuer != NULL) {
250 // Free the certificate. It will be picked up again later.
251 X509_free(issuer);
252 break;
253 }
254 }
255
256 // If we were passed a cert chain, use it first
257 if (sktmp != NULL) {
258 X509 *issuer = find_issuer(ctx, sktmp, x);
259 if (issuer != NULL) {
260 if (!sk_X509_push(ctx->chain, issuer)) {
261 ctx->error = X509_V_ERR_OUT_OF_MEM;
262 goto end;
263 }
264 X509_up_ref(issuer);
265 (void)sk_X509_delete_ptr(sktmp, issuer);
266 ctx->last_untrusted++;
267 x = issuer;
268 num++;
269 // reparse the full chain for the next one
270 continue;
271 }
272 }
273 break;
274 }
275
276 // Remember how many untrusted certs we have
277 j = num;
278 // at this point, chain should contain a list of untrusted certificates.
279 // We now need to add at least one trusted one, if possible, otherwise we
280 // complain.
281
282 do {
283 // Examine last certificate in chain and see if it is self signed.
284 i = (int)sk_X509_num(ctx->chain);
285 x = sk_X509_value(ctx->chain, i - 1);
286
287 int is_self_signed;
288 if (!cert_self_signed(x, &is_self_signed)) {
289 ctx->error = X509_V_ERR_INVALID_EXTENSION;
290 goto end;
291 }
292
293 if (is_self_signed) {
294 // we have a self signed certificate
295 if (sk_X509_num(ctx->chain) == 1) {
296 // We have a single self signed certificate: see if we can
297 // find it in the store. We must have an exact match to avoid
298 // possible impersonation.
299 X509 *issuer = get_trusted_issuer(ctx, x);
300 if (issuer == NULL || X509_cmp(x, issuer) != 0) {
301 X509_free(issuer);
302 ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
303 ctx->current_cert = x;
304 ctx->error_depth = i - 1;
305 bad_chain = 1;
306 if (!call_verify_cb(0, ctx)) {
307 goto end;
308 }
309 } else {
310 // We have a match: replace certificate with store
311 // version so we get any trust settings.
312 X509_free(x);
313 x = issuer;
314 (void)sk_X509_set(ctx->chain, i - 1, x);
315 ctx->last_untrusted = 0;
316 }
317 } else {
318 // extract and save self signed certificate for later use
319 chain_ss = sk_X509_pop(ctx->chain);
320 ctx->last_untrusted--;
321 num--;
322 j--;
323 x = sk_X509_value(ctx->chain, num - 1);
324 }
325 }
326 // We now lookup certs from the certificate store
327 for (;;) {
328 if (num >= max_chain) {
329 // FIXME: If this happens, we should take note of it and, if
330 // appropriate, use the X509_V_ERR_CERT_CHAIN_TOO_LONG error code later.
331 break;
332 }
333 if (!cert_self_signed(x, &is_self_signed)) {
334 ctx->error = X509_V_ERR_INVALID_EXTENSION;
335 goto end;
336 }
337 // If we are self signed, we break
338 if (is_self_signed) {
339 break;
340 }
341 X509 *issuer = get_trusted_issuer(ctx, x);
342 if (issuer == NULL) {
343 break;
344 }
345 x = issuer;
346 if (!sk_X509_push(ctx->chain, x)) {
347 X509_free(issuer);
348 ctx->error = X509_V_ERR_OUT_OF_MEM;
349 goto end;
350 }
351 num++;
352 }
353
354 // we now have our chain, lets check it...
355 trust = check_trust(ctx);
356
357 // If explicitly rejected error
358 if (trust == X509_TRUST_REJECTED) {
359 goto end;
360 }
361 // If it's not explicitly trusted then check if there is an alternative
362 // chain that could be used. We only do this if we haven't already
363 // checked via TRUSTED_FIRST and the user hasn't switched off alternate
364 // chain checking
365 retry = 0;
366 if (trust != X509_TRUST_TRUSTED &&
367 !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) &&
368 !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
369 while (j-- > 1) {
370 X509 *issuer =
371 get_trusted_issuer(ctx, sk_X509_value(ctx->chain, j - 1));
372 // Check if we found an alternate chain
373 if (issuer != NULL) {
374 // Free up the found cert we'll add it again later
375 X509_free(issuer);
376
377 // Dump all the certs above this point - we've found an
378 // alternate chain
379 while (num > j) {
380 X509_free(sk_X509_pop(ctx->chain));
381 num--;
382 }
383 ctx->last_untrusted = (int)sk_X509_num(ctx->chain);
384 retry = 1;
385 break;
386 }
387 }
388 }
389 } while (retry);
390
391 // If not explicitly trusted then indicate error unless it's a single
392 // self signed certificate in which case we've indicated an error already
393 // and set bad_chain == 1
394 if (trust != X509_TRUST_TRUSTED && !bad_chain) {
395 if (chain_ss == NULL ||
396 !x509_check_issued_with_callback(ctx, x, chain_ss)) {
397 if (ctx->last_untrusted >= num) {
398 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
399 } else {
400 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
401 }
402 ctx->current_cert = x;
403 } else {
404 if (!sk_X509_push(ctx->chain, chain_ss)) {
405 ctx->error = X509_V_ERR_OUT_OF_MEM;
406 goto end;
407 }
408 num++;
409 ctx->last_untrusted = num;
410 ctx->current_cert = chain_ss;
411 ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
412 chain_ss = NULL;
413 }
414
415 ctx->error_depth = num - 1;
416 bad_chain = 1;
417 if (!call_verify_cb(0, ctx)) {
418 goto end;
419 }
420 }
421
422 // We have the chain complete: now we need to check its purpose
423 if (!check_chain_extensions(ctx) || //
424 !check_id(ctx) ||
425 // We check revocation status after copying parameters because they may be
426 // needed for CRL signature verification.
427 !check_revocation(ctx) || //
428 !internal_verify(ctx) || //
429 !check_name_constraints(ctx) ||
430 // TODO(davidben): Does |check_policy| still need to be conditioned on
431 // |!bad_chain|? DoS concerns have been resolved.
432 (!bad_chain && !check_policy(ctx))) {
433 goto end;
434 }
435
436 ok = 1;
437
438 end:
439 sk_X509_free(sktmp);
440 X509_free(chain_ss);
441
442 // Safety net, error returns must set ctx->error
443 if (!ok && ctx->error == X509_V_OK) {
444 ctx->error = X509_V_ERR_UNSPECIFIED;
445 }
446 return ok;
447 }
448
449 // Given a STACK_OF(X509) find the issuer of cert (if any)
450
find_issuer(X509_STORE_CTX * ctx,STACK_OF (X509)* sk,X509 * x)451 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) {
452 size_t i;
453 X509 *issuer;
454 for (i = 0; i < sk_X509_num(sk); i++) {
455 issuer = sk_X509_value(sk, i);
456 if (x509_check_issued_with_callback(ctx, x, issuer)) {
457 return issuer;
458 }
459 }
460 return NULL;
461 }
462
463 // Given a possible certificate and issuer check them
464
x509_check_issued_with_callback(X509_STORE_CTX * ctx,X509 * x,X509 * issuer)465 int x509_check_issued_with_callback(X509_STORE_CTX *ctx, X509 *x,
466 X509 *issuer) {
467 int ret;
468 ret = X509_check_issued(issuer, x);
469 if (ret == X509_V_OK) {
470 return 1;
471 }
472 // If we haven't asked for issuer errors don't set ctx
473 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) {
474 return 0;
475 }
476
477 ctx->error = ret;
478 ctx->current_cert = x;
479 return call_verify_cb(0, ctx);
480 }
481
get_trusted_issuer(X509_STORE_CTX * ctx,X509 * x)482 static X509 *get_trusted_issuer(X509_STORE_CTX *ctx, X509 *x) {
483 X509 *issuer;
484 if (ctx->trusted_stack != NULL) {
485 // Ignore the store and use the configured stack instead.
486 issuer = find_issuer(ctx, ctx->trusted_stack, x);
487 if (issuer != NULL) {
488 X509_up_ref(issuer);
489 }
490 return issuer;
491 }
492
493 if (!X509_STORE_CTX_get1_issuer(&issuer, ctx, x)) {
494 return NULL;
495 }
496 return issuer;
497 }
498
499 // Check a certificate chains extensions for consistency with the supplied
500 // purpose
501
check_chain_extensions(X509_STORE_CTX * ctx)502 static int check_chain_extensions(X509_STORE_CTX *ctx) {
503 int plen = 0;
504 int purpose = ctx->param->purpose;
505
506 // Check all untrusted certificates
507 for (int i = 0; i < ctx->last_untrusted; i++) {
508 X509 *x = sk_X509_value(ctx->chain, i);
509 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
510 (x->ex_flags & EXFLAG_CRITICAL)) {
511 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
512 ctx->error_depth = i;
513 ctx->current_cert = x;
514 if (!call_verify_cb(0, ctx)) {
515 return 0;
516 }
517 }
518
519 int must_be_ca = i > 0;
520 if (must_be_ca && !X509_check_ca(x)) {
521 ctx->error = X509_V_ERR_INVALID_CA;
522 ctx->error_depth = i;
523 ctx->current_cert = x;
524 if (!call_verify_cb(0, ctx)) {
525 return 0;
526 }
527 }
528 if (ctx->param->purpose > 0 &&
529 X509_check_purpose(x, purpose, must_be_ca) != 1) {
530 ctx->error = X509_V_ERR_INVALID_PURPOSE;
531 ctx->error_depth = i;
532 ctx->current_cert = x;
533 if (!call_verify_cb(0, ctx)) {
534 return 0;
535 }
536 }
537 // Check pathlen if not self issued
538 if (i > 1 && !(x->ex_flags & EXFLAG_SI) && x->ex_pathlen != -1 &&
539 plen > x->ex_pathlen + 1) {
540 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
541 ctx->error_depth = i;
542 ctx->current_cert = x;
543 if (!call_verify_cb(0, ctx)) {
544 return 0;
545 }
546 }
547 // Increment path length if not self issued
548 if (!(x->ex_flags & EXFLAG_SI)) {
549 plen++;
550 }
551 }
552
553 return 1;
554 }
555
reject_dns_name_in_common_name(X509 * x509)556 static int reject_dns_name_in_common_name(X509 *x509) {
557 const X509_NAME *name = X509_get_subject_name(x509);
558 int i = -1;
559 for (;;) {
560 i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
561 if (i == -1) {
562 return X509_V_OK;
563 }
564
565 const X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
566 const ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(entry);
567 unsigned char *idval;
568 int idlen = ASN1_STRING_to_UTF8(&idval, common_name);
569 if (idlen < 0) {
570 return X509_V_ERR_OUT_OF_MEM;
571 }
572 // Only process attributes that look like host names. Note it is
573 // important that this check be mirrored in |X509_check_host|.
574 int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
575 OPENSSL_free(idval);
576 if (looks_like_dns) {
577 return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;
578 }
579 }
580 }
581
check_name_constraints(X509_STORE_CTX * ctx)582 static int check_name_constraints(X509_STORE_CTX *ctx) {
583 int i, j, rv;
584 int has_name_constraints = 0;
585 // Check name constraints for all certificates
586 for (i = (int)sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
587 X509 *x = sk_X509_value(ctx->chain, i);
588 // Ignore self issued certs unless last in chain
589 if (i && (x->ex_flags & EXFLAG_SI)) {
590 continue;
591 }
592 // Check against constraints for all certificates higher in chain
593 // including trust anchor. Trust anchor not strictly speaking needed
594 // but if it includes constraints it is to be assumed it expects them
595 // to be obeyed.
596 for (j = (int)sk_X509_num(ctx->chain) - 1; j > i; j--) {
597 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
598 if (nc) {
599 has_name_constraints = 1;
600 rv = NAME_CONSTRAINTS_check(x, nc);
601 switch (rv) {
602 case X509_V_OK:
603 continue;
604 case X509_V_ERR_OUT_OF_MEM:
605 ctx->error = rv;
606 return 0;
607 default:
608 ctx->error = rv;
609 ctx->error_depth = i;
610 ctx->current_cert = x;
611 if (!call_verify_cb(0, ctx)) {
612 return 0;
613 }
614 break;
615 }
616 }
617 }
618 }
619
620 // Name constraints do not match against the common name, but
621 // |X509_check_host| still implements the legacy behavior where, on
622 // certificates lacking a SAN list, DNS-like names in the common name are
623 // checked instead.
624 //
625 // While we could apply the name constraints to the common name, name
626 // constraints are rare enough that can hold such certificates to a higher
627 // standard. Note this does not make "DNS-like" heuristic failures any
628 // worse. A decorative common-name misidentified as a DNS name would fail
629 // the name constraint anyway.
630 X509 *leaf = sk_X509_value(ctx->chain, 0);
631 if (has_name_constraints && leaf->altname == NULL) {
632 rv = reject_dns_name_in_common_name(leaf);
633 switch (rv) {
634 case X509_V_OK:
635 break;
636 case X509_V_ERR_OUT_OF_MEM:
637 ctx->error = rv;
638 return 0;
639 default:
640 ctx->error = rv;
641 ctx->error_depth = i;
642 ctx->current_cert = leaf;
643 if (!call_verify_cb(0, ctx)) {
644 return 0;
645 }
646 break;
647 }
648 }
649
650 return 1;
651 }
652
check_id_error(X509_STORE_CTX * ctx,int errcode)653 static int check_id_error(X509_STORE_CTX *ctx, int errcode) {
654 ctx->error = errcode;
655 ctx->current_cert = ctx->cert;
656 ctx->error_depth = 0;
657 return call_verify_cb(0, ctx);
658 }
659
check_hosts(X509 * x,X509_VERIFY_PARAM * param)660 static int check_hosts(X509 *x, X509_VERIFY_PARAM *param) {
661 size_t i;
662 size_t n = sk_OPENSSL_STRING_num(param->hosts);
663 char *name;
664
665 for (i = 0; i < n; ++i) {
666 name = sk_OPENSSL_STRING_value(param->hosts, i);
667 if (X509_check_host(x, name, strlen(name), param->hostflags, NULL) > 0) {
668 return 1;
669 }
670 }
671 return n == 0;
672 }
673
check_id(X509_STORE_CTX * ctx)674 static int check_id(X509_STORE_CTX *ctx) {
675 X509_VERIFY_PARAM *vpm = ctx->param;
676 X509 *x = ctx->cert;
677 if (vpm->poison) {
678 if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL)) {
679 return 0;
680 }
681 }
682 if (vpm->hosts && check_hosts(x, vpm) <= 0) {
683 if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) {
684 return 0;
685 }
686 }
687 if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
688 if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) {
689 return 0;
690 }
691 }
692 if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
693 if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) {
694 return 0;
695 }
696 }
697 return 1;
698 }
699
check_trust(X509_STORE_CTX * ctx)700 static int check_trust(X509_STORE_CTX *ctx) {
701 X509 *x = NULL;
702 // Check all trusted certificates in chain
703 for (size_t i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
704 x = sk_X509_value(ctx->chain, i);
705 int trust = X509_check_trust(x, ctx->param->trust, 0);
706 // If explicitly trusted return trusted
707 if (trust == X509_TRUST_TRUSTED) {
708 return X509_TRUST_TRUSTED;
709 }
710 // If explicitly rejected notify callback and reject if not
711 // overridden.
712 if (trust == X509_TRUST_REJECTED) {
713 ctx->error_depth = (int)i;
714 ctx->current_cert = x;
715 ctx->error = X509_V_ERR_CERT_REJECTED;
716 if (!call_verify_cb(0, ctx)) {
717 return X509_TRUST_REJECTED;
718 }
719 }
720 }
721 // If we accept partial chains and have at least one trusted certificate
722 // return success.
723 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
724 X509 *mx;
725 if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain)) {
726 return X509_TRUST_TRUSTED;
727 }
728 x = sk_X509_value(ctx->chain, 0);
729 mx = lookup_cert_match(ctx, x);
730 if (mx) {
731 (void)sk_X509_set(ctx->chain, 0, mx);
732 X509_free(x);
733 ctx->last_untrusted = 0;
734 return X509_TRUST_TRUSTED;
735 }
736 }
737
738 // If no trusted certs in chain at all return untrusted and allow
739 // standard (no issuer cert) etc errors to be indicated.
740 return X509_TRUST_UNTRUSTED;
741 }
742
check_revocation(X509_STORE_CTX * ctx)743 static int check_revocation(X509_STORE_CTX *ctx) {
744 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) {
745 return 1;
746 }
747 int last;
748 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) {
749 last = (int)sk_X509_num(ctx->chain) - 1;
750 } else {
751 last = 0;
752 }
753 for (int i = 0; i <= last; i++) {
754 ctx->error_depth = i;
755 if (!check_cert(ctx)) {
756 return 0;
757 }
758 }
759 return 1;
760 }
761
check_cert(X509_STORE_CTX * ctx)762 static int check_cert(X509_STORE_CTX *ctx) {
763 X509_CRL *crl = NULL;
764 int ok = 0, cnum = ctx->error_depth;
765 X509 *x = sk_X509_value(ctx->chain, cnum);
766 ctx->current_cert = x;
767 ctx->current_crl_issuer = NULL;
768 ctx->current_crl_score = 0;
769
770 // Try to retrieve the relevant CRL. Note that |get_crl| sets
771 // |current_crl_issuer| and |current_crl_score|, which |check_crl| then reads.
772 //
773 // TODO(davidben): The awkward internal calling convention is a historical
774 // artifact of when these functions were user-overridable callbacks, even
775 // though there was no way to set them correctly. These callbacks have since
776 // been removed, so we can pass input and output parameters more directly.
777 if (!get_crl(ctx, &crl, x)) {
778 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
779 ok = call_verify_cb(0, ctx);
780 goto err;
781 }
782
783 ctx->current_crl = crl;
784 if (!check_crl(ctx, crl) || //
785 !cert_crl(ctx, crl, x)) {
786 goto err;
787 }
788
789 ok = 1;
790
791 err:
792 X509_CRL_free(crl);
793 ctx->current_crl = NULL;
794 return ok;
795 }
796
797 // Check CRL times against values in X509_STORE_CTX
check_crl_time(X509_STORE_CTX * ctx,X509_CRL * crl,int notify)798 static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) {
799 if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {
800 return 1;
801 }
802
803 if (notify) {
804 ctx->current_crl = crl;
805 }
806 int64_t ptime;
807 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
808 ptime = ctx->param->check_time;
809 } else {
810 ptime = time(NULL);
811 }
812
813 int i = X509_cmp_time_posix(X509_CRL_get0_lastUpdate(crl), ptime);
814 if (i == 0) {
815 if (!notify) {
816 return 0;
817 }
818 ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
819 if (!call_verify_cb(0, ctx)) {
820 return 0;
821 }
822 }
823
824 if (i > 0) {
825 if (!notify) {
826 return 0;
827 }
828 ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
829 if (!call_verify_cb(0, ctx)) {
830 return 0;
831 }
832 }
833
834 if (X509_CRL_get0_nextUpdate(crl)) {
835 i = X509_cmp_time_posix(X509_CRL_get0_nextUpdate(crl), ptime);
836
837 if (i == 0) {
838 if (!notify) {
839 return 0;
840 }
841 ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
842 if (!call_verify_cb(0, ctx)) {
843 return 0;
844 }
845 }
846 if (i < 0) {
847 if (!notify) {
848 return 0;
849 }
850 ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
851 if (!call_verify_cb(0, ctx)) {
852 return 0;
853 }
854 }
855 }
856
857 if (notify) {
858 ctx->current_crl = NULL;
859 }
860
861 return 1;
862 }
863
get_crl_sk(X509_STORE_CTX * ctx,X509_CRL ** pcrl,X509 ** pissuer,int * pscore,STACK_OF (X509_CRL)* crls)864 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 **pissuer,
865 int *pscore, STACK_OF(X509_CRL) *crls) {
866 int crl_score, best_score = *pscore;
867 X509 *x = ctx->current_cert;
868 X509_CRL *best_crl = NULL;
869 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
870
871 for (size_t i = 0; i < sk_X509_CRL_num(crls); i++) {
872 X509_CRL *crl = sk_X509_CRL_value(crls, i);
873 crl_score = get_crl_score(ctx, &crl_issuer, crl, x);
874 if (crl_score < best_score || crl_score == 0) {
875 continue;
876 }
877 // If current CRL is equivalent use it if it is newer
878 if (crl_score == best_score && best_crl != NULL) {
879 int day, sec;
880 if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
881 X509_CRL_get0_lastUpdate(crl)) == 0) {
882 continue;
883 }
884 // ASN1_TIME_diff never returns inconsistent signs for |day|
885 // and |sec|.
886 if (day <= 0 && sec <= 0) {
887 continue;
888 }
889 }
890 best_crl = crl;
891 best_crl_issuer = crl_issuer;
892 best_score = crl_score;
893 }
894
895 if (best_crl) {
896 if (*pcrl) {
897 X509_CRL_free(*pcrl);
898 }
899 *pcrl = best_crl;
900 *pissuer = best_crl_issuer;
901 *pscore = best_score;
902 X509_CRL_up_ref(best_crl);
903 }
904
905 if (best_score >= CRL_SCORE_VALID) {
906 return 1;
907 }
908
909 return 0;
910 }
911
912 // For a given CRL return how suitable it is for the supplied certificate
913 // 'x'. The return value is a mask of several criteria. If the issuer is not
914 // the certificate issuer this is returned in *pissuer.
get_crl_score(X509_STORE_CTX * ctx,X509 ** pissuer,X509_CRL * crl,X509 * x)915 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, X509_CRL *crl,
916 X509 *x) {
917 int crl_score = 0;
918
919 // First see if we can reject CRL straight away
920
921 // Invalid IDP cannot be processed
922 if (crl->idp_flags & IDP_INVALID) {
923 return 0;
924 }
925 // Reason codes and indirect CRLs are not supported.
926 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) {
927 return 0;
928 }
929 // We do not support indirect CRLs, so the issuer names must match.
930 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
931 return 0;
932 }
933 crl_score |= CRL_SCORE_ISSUER_NAME;
934
935 if (!(crl->flags & EXFLAG_CRITICAL)) {
936 crl_score |= CRL_SCORE_NOCRITICAL;
937 }
938
939 // Check expiry
940 if (check_crl_time(ctx, crl, 0)) {
941 crl_score |= CRL_SCORE_TIME;
942 }
943
944 // Check authority key ID and locate certificate issuer
945 if (!crl_akid_check(ctx, crl, pissuer, &crl_score)) {
946 // If we can't locate certificate issuer at this point forget it
947 return 0;
948 }
949
950 // Check cert for matching CRL distribution points
951 if (crl_crldp_check(x, crl, crl_score)) {
952 crl_score |= CRL_SCORE_SCOPE;
953 }
954
955 return crl_score;
956 }
957
crl_akid_check(X509_STORE_CTX * ctx,X509_CRL * crl,X509 ** pissuer,int * pcrl_score)958 static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
959 int *pcrl_score) {
960 X509 *crl_issuer = NULL;
961 X509_NAME *cnm = X509_CRL_get_issuer(crl);
962 int cidx = ctx->error_depth;
963
964 if ((size_t)cidx != sk_X509_num(ctx->chain) - 1) {
965 cidx++;
966 }
967
968 crl_issuer = sk_X509_value(ctx->chain, cidx);
969
970 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
971 *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
972 *pissuer = crl_issuer;
973 return 1;
974 }
975
976 for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) {
977 crl_issuer = sk_X509_value(ctx->chain, cidx);
978 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) {
979 continue;
980 }
981 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
982 *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
983 *pissuer = crl_issuer;
984 return 1;
985 }
986 }
987
988 return 0;
989 }
990
991 // Check for match between two dist point names: three separate cases. 1.
992 // Both are relative names and compare X509_NAME types. 2. One full, one
993 // relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
994 // compare two GENERAL_NAMES. 4. One is NULL: automatic match.
idp_check_dp(DIST_POINT_NAME * a,DIST_POINT_NAME * b)995 static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) {
996 X509_NAME *nm = NULL;
997 GENERAL_NAMES *gens = NULL;
998 GENERAL_NAME *gena, *genb;
999 size_t i, j;
1000 if (!a || !b) {
1001 return 1;
1002 }
1003 if (a->type == 1) {
1004 if (!a->dpname) {
1005 return 0;
1006 }
1007 // Case 1: two X509_NAME
1008 if (b->type == 1) {
1009 if (!b->dpname) {
1010 return 0;
1011 }
1012 if (!X509_NAME_cmp(a->dpname, b->dpname)) {
1013 return 1;
1014 } else {
1015 return 0;
1016 }
1017 }
1018 // Case 2: set name and GENERAL_NAMES appropriately
1019 nm = a->dpname;
1020 gens = b->name.fullname;
1021 } else if (b->type == 1) {
1022 if (!b->dpname) {
1023 return 0;
1024 }
1025 // Case 2: set name and GENERAL_NAMES appropriately
1026 gens = a->name.fullname;
1027 nm = b->dpname;
1028 }
1029
1030 // Handle case 2 with one GENERAL_NAMES and one X509_NAME
1031 if (nm) {
1032 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1033 gena = sk_GENERAL_NAME_value(gens, i);
1034 if (gena->type != GEN_DIRNAME) {
1035 continue;
1036 }
1037 if (!X509_NAME_cmp(nm, gena->d.directoryName)) {
1038 return 1;
1039 }
1040 }
1041 return 0;
1042 }
1043
1044 // Else case 3: two GENERAL_NAMES
1045
1046 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1047 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1048 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1049 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1050 if (!GENERAL_NAME_cmp(gena, genb)) {
1051 return 1;
1052 }
1053 }
1054 }
1055
1056 return 0;
1057 }
1058
1059 // Check CRLDP and IDP
crl_crldp_check(X509 * x,X509_CRL * crl,int crl_score)1060 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score) {
1061 if (crl->idp_flags & IDP_ONLYATTR) {
1062 return 0;
1063 }
1064 if (x->ex_flags & EXFLAG_CA) {
1065 if (crl->idp_flags & IDP_ONLYUSER) {
1066 return 0;
1067 }
1068 } else {
1069 if (crl->idp_flags & IDP_ONLYCA) {
1070 return 0;
1071 }
1072 }
1073 for (size_t i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1074 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1075 // Skip distribution points with a reasons field or a CRL issuer:
1076 //
1077 // We do not support CRLs partitioned by reason code. RFC 5280 requires CAs
1078 // include at least one DistributionPoint that covers all reasons.
1079 //
1080 // We also do not support indirect CRLs, and a CRL issuer can only match
1081 // indirect CRLs (RFC 5280, section 6.3.3, step b.1).
1082 // support.
1083 if (dp->reasons != NULL && dp->CRLissuer != NULL &&
1084 (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint))) {
1085 return 1;
1086 }
1087 }
1088
1089 // If the CRL does not specify an issuing distribution point, allow it to
1090 // match anything.
1091 //
1092 // TODO(davidben): Does this match RFC 5280? It's hard to follow because RFC
1093 // 5280 starts from distribution points, while this starts from CRLs.
1094 return !crl->idp || !crl->idp->distpoint;
1095 }
1096
1097 // Retrieve CRL corresponding to current certificate.
get_crl(X509_STORE_CTX * ctx,X509_CRL ** pcrl,X509 * x)1098 static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) {
1099 X509 *issuer = NULL;
1100 int crl_score = 0;
1101 X509_CRL *crl = NULL;
1102 if (get_crl_sk(ctx, &crl, &issuer, &crl_score, ctx->crls)) {
1103 goto done;
1104 }
1105
1106 // Lookup CRLs from store
1107 STACK_OF(X509_CRL) *skcrl =
1108 X509_STORE_CTX_get1_crls(ctx, X509_get_issuer_name(x));
1109
1110 // If no CRLs found and a near match from get_crl_sk use that
1111 if (!skcrl && crl) {
1112 goto done;
1113 }
1114
1115 get_crl_sk(ctx, &crl, &issuer, &crl_score, skcrl);
1116
1117 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1118
1119 done:
1120
1121 // If we got any kind of CRL use it and return success
1122 if (crl) {
1123 ctx->current_crl_issuer = issuer;
1124 ctx->current_crl_score = crl_score;
1125 *pcrl = crl;
1126 return 1;
1127 }
1128
1129 return 0;
1130 }
1131
1132 // Check CRL validity
check_crl(X509_STORE_CTX * ctx,X509_CRL * crl)1133 static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) {
1134 X509 *issuer = NULL;
1135 int cnum = ctx->error_depth;
1136 int chnum = (int)sk_X509_num(ctx->chain) - 1;
1137 // If we have an alternative CRL issuer cert use that. Otherwise, it is the
1138 // issuer of the current certificate.
1139 if (ctx->current_crl_issuer) {
1140 issuer = ctx->current_crl_issuer;
1141 } else if (cnum < chnum) {
1142 issuer = sk_X509_value(ctx->chain, cnum + 1);
1143 } else {
1144 issuer = sk_X509_value(ctx->chain, chnum);
1145 // If not self signed, can't check signature
1146 if (!x509_check_issued_with_callback(ctx, issuer, issuer)) {
1147 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1148 if (!call_verify_cb(0, ctx)) {
1149 return 0;
1150 }
1151 }
1152 }
1153
1154 if (issuer) {
1155 // Check for cRLSign bit if keyUsage present
1156 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1157 !(issuer->ex_kusage & X509v3_KU_CRL_SIGN)) {
1158 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1159 if (!call_verify_cb(0, ctx)) {
1160 return 0;
1161 }
1162 }
1163
1164 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1165 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1166 if (!call_verify_cb(0, ctx)) {
1167 return 0;
1168 }
1169 }
1170
1171 if (crl->idp_flags & IDP_INVALID) {
1172 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1173 if (!call_verify_cb(0, ctx)) {
1174 return 0;
1175 }
1176 }
1177
1178 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1179 if (!check_crl_time(ctx, crl, 1)) {
1180 return 0;
1181 }
1182 }
1183
1184 // Attempt to get issuer certificate public key
1185 EVP_PKEY *ikey = X509_get0_pubkey(issuer);
1186 if (!ikey) {
1187 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1188 if (!call_verify_cb(0, ctx)) {
1189 return 0;
1190 }
1191 } else {
1192 // Verify CRL signature
1193 if (X509_CRL_verify(crl, ikey) <= 0) {
1194 ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1195 if (!call_verify_cb(0, ctx)) {
1196 return 0;
1197 }
1198 }
1199 }
1200 }
1201
1202 return 1;
1203 }
1204
1205 // Check certificate against CRL
cert_crl(X509_STORE_CTX * ctx,X509_CRL * crl,X509 * x)1206 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) {
1207 // The rules changed for this... previously if a CRL contained unhandled
1208 // critical extensions it could still be used to indicate a certificate
1209 // was revoked. This has since been changed since critical extension can
1210 // change the meaning of CRL entries.
1211 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
1212 (crl->flags & EXFLAG_CRITICAL)) {
1213 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1214 if (!call_verify_cb(0, ctx)) {
1215 return 0;
1216 }
1217 }
1218 // Look for serial number of certificate in CRL.
1219 X509_REVOKED *rev;
1220 if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1221 ctx->error = X509_V_ERR_CERT_REVOKED;
1222 if (!call_verify_cb(0, ctx)) {
1223 return 0;
1224 }
1225 }
1226
1227 return 1;
1228 }
1229
check_policy(X509_STORE_CTX * ctx)1230 static int check_policy(X509_STORE_CTX *ctx) {
1231 X509 *current_cert = NULL;
1232 int ret = X509_policy_check(ctx->chain, ctx->param->policies,
1233 ctx->param->flags, ¤t_cert);
1234 if (ret != X509_V_OK) {
1235 ctx->current_cert = current_cert;
1236 ctx->error = ret;
1237 if (ret == X509_V_ERR_OUT_OF_MEM) {
1238 return 0;
1239 }
1240 return call_verify_cb(0, ctx);
1241 }
1242
1243 return 1;
1244 }
1245
check_cert_time(X509_STORE_CTX * ctx,X509 * x)1246 static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) {
1247 if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {
1248 return 1;
1249 }
1250
1251 int64_t ptime;
1252 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
1253 ptime = ctx->param->check_time;
1254 } else {
1255 ptime = time(NULL);
1256 }
1257
1258 int i = X509_cmp_time_posix(X509_get_notBefore(x), ptime);
1259 if (i == 0) {
1260 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1261 ctx->current_cert = x;
1262 if (!call_verify_cb(0, ctx)) {
1263 return 0;
1264 }
1265 }
1266
1267 if (i > 0) {
1268 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1269 ctx->current_cert = x;
1270 if (!call_verify_cb(0, ctx)) {
1271 return 0;
1272 }
1273 }
1274
1275 i = X509_cmp_time_posix(X509_get_notAfter(x), ptime);
1276 if (i == 0) {
1277 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1278 ctx->current_cert = x;
1279 if (!call_verify_cb(0, ctx)) {
1280 return 0;
1281 }
1282 }
1283
1284 if (i < 0) {
1285 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1286 ctx->current_cert = x;
1287 if (!call_verify_cb(0, ctx)) {
1288 return 0;
1289 }
1290 }
1291
1292 return 1;
1293 }
1294
internal_verify(X509_STORE_CTX * ctx)1295 static int internal_verify(X509_STORE_CTX *ctx) {
1296 // TODO(davidben): This logic is incredibly confusing. Rewrite this:
1297 //
1298 // First, don't allow the verify callback to suppress
1299 // X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, which will simplify the
1300 // signature check. Then replace jumping into the middle of the loop. It's
1301 // trying to ensure that all certificates see |check_cert_time|, then checking
1302 // the root's self signature when requested, but not breaking partial chains
1303 // in the process.
1304 int n = (int)sk_X509_num(ctx->chain);
1305 ctx->error_depth = n - 1;
1306 n--;
1307 X509 *xi = sk_X509_value(ctx->chain, n);
1308 X509 *xs;
1309 if (x509_check_issued_with_callback(ctx, xi, xi)) {
1310 xs = xi;
1311 } else {
1312 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
1313 xs = xi;
1314 goto check_cert;
1315 }
1316 if (n <= 0) {
1317 ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1318 ctx->current_cert = xi;
1319 return call_verify_cb(0, ctx);
1320 }
1321 n--;
1322 ctx->error_depth = n;
1323 xs = sk_X509_value(ctx->chain, n);
1324 }
1325
1326 // ctx->error=0; not needed
1327 while (n >= 0) {
1328 ctx->error_depth = n;
1329
1330 // Skip signature check for self signed certificates unless
1331 // explicitly asked for. It doesn't add any security and just wastes
1332 // time.
1333 if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
1334 EVP_PKEY *pkey = X509_get0_pubkey(xi);
1335 if (pkey == NULL) {
1336 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1337 ctx->current_cert = xi;
1338 if (!call_verify_cb(0, ctx)) {
1339 return 0;
1340 }
1341 } else if (X509_verify(xs, pkey) <= 0) {
1342 ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
1343 ctx->current_cert = xs;
1344 if (!call_verify_cb(0, ctx)) {
1345 return 0;
1346 }
1347 }
1348 }
1349
1350 check_cert:
1351 if (!check_cert_time(ctx, xs)) {
1352 return 0;
1353 }
1354
1355 // The last error (if any) is still in the error value
1356 ctx->current_cert = xs;
1357 if (!call_verify_cb(1, ctx)) {
1358 return 0;
1359 }
1360
1361 n--;
1362 if (n >= 0) {
1363 xi = xs;
1364 xs = sk_X509_value(ctx->chain, n);
1365 }
1366 }
1367
1368 return 1;
1369 }
1370
X509_cmp_current_time(const ASN1_TIME * ctm)1371 int X509_cmp_current_time(const ASN1_TIME *ctm) {
1372 return X509_cmp_time_posix(ctm, time(NULL));
1373 }
1374
X509_cmp_time(const ASN1_TIME * ctm,const time_t * cmp_time)1375 int X509_cmp_time(const ASN1_TIME *ctm, const time_t *cmp_time) {
1376 int64_t compare_time = (cmp_time == NULL) ? time(NULL) : *cmp_time;
1377 return X509_cmp_time_posix(ctm, compare_time);
1378 }
1379
X509_cmp_time_posix(const ASN1_TIME * ctm,int64_t cmp_time)1380 int X509_cmp_time_posix(const ASN1_TIME *ctm, int64_t cmp_time) {
1381 int64_t ctm_time;
1382 if (!ASN1_TIME_to_posix(ctm, &ctm_time)) {
1383 return 0;
1384 }
1385 // The return value 0 is reserved for errors.
1386 return (ctm_time - cmp_time <= 0) ? -1 : 1;
1387 }
1388
X509_gmtime_adj(ASN1_TIME * s,long offset_sec)1389 ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec) {
1390 return X509_time_adj(s, offset_sec, NULL);
1391 }
1392
X509_time_adj(ASN1_TIME * s,long offset_sec,const time_t * in_tm)1393 ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, const time_t *in_tm) {
1394 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1395 }
1396
X509_time_adj_ex(ASN1_TIME * s,int offset_day,long offset_sec,const time_t * in_tm)1397 ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec,
1398 const time_t *in_tm) {
1399 int64_t t = 0;
1400
1401 if (in_tm) {
1402 t = *in_tm;
1403 } else {
1404 t = time(NULL);
1405 }
1406
1407 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1408 }
1409
X509_STORE_CTX_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)1410 int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
1411 CRYPTO_EX_unused *unused,
1412 CRYPTO_EX_dup *dup_unused,
1413 CRYPTO_EX_free *free_func) {
1414 return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);
1415 }
1416
X509_STORE_CTX_set_ex_data(X509_STORE_CTX * ctx,int idx,void * data)1417 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) {
1418 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
1419 }
1420
X509_STORE_CTX_get_ex_data(X509_STORE_CTX * ctx,int idx)1421 void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) {
1422 return CRYPTO_get_ex_data(&ctx->ex_data, idx);
1423 }
1424
X509_STORE_CTX_get_error(const X509_STORE_CTX * ctx)1425 int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx) { return ctx->error; }
1426
X509_STORE_CTX_set_error(X509_STORE_CTX * ctx,int err)1427 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) {
1428 ctx->error = err;
1429 }
1430
X509_STORE_CTX_get_error_depth(const X509_STORE_CTX * ctx)1431 int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx) {
1432 return ctx->error_depth;
1433 }
1434
X509_STORE_CTX_get_current_cert(const X509_STORE_CTX * ctx)1435 X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx) {
1436 return ctx->current_cert;
1437 }
1438
STACK_OF(X509)1439 STACK_OF(X509) *X509_STORE_CTX_get_chain(const X509_STORE_CTX *ctx) {
1440 return ctx->chain;
1441 }
1442
STACK_OF(X509)1443 STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx) {
1444 return ctx->chain;
1445 }
1446
STACK_OF(X509)1447 STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx) {
1448 if (!ctx->chain) {
1449 return NULL;
1450 }
1451 return X509_chain_up_ref(ctx->chain);
1452 }
1453
X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX * ctx)1454 X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx) {
1455 return ctx->current_crl;
1456 }
1457
X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX * ctx)1458 X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx) {
1459 // In OpenSSL, an |X509_STORE_CTX| sometimes has a parent context during CRL
1460 // path validation for indirect CRLs. We require the CRL to be issued
1461 // somewhere along the certificate path, so this is always NULL.
1462 return NULL;
1463 }
1464
X509_STORE_CTX_set_chain(X509_STORE_CTX * ctx,STACK_OF (X509)* sk)1465 void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {
1466 ctx->untrusted = sk;
1467 }
1468
STACK_OF(X509)1469 STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx) {
1470 return ctx->untrusted;
1471 }
1472
X509_STORE_CTX_set0_crls(X509_STORE_CTX * ctx,STACK_OF (X509_CRL)* sk)1473 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) {
1474 ctx->crls = sk;
1475 }
1476
X509_STORE_CTX_set_purpose(X509_STORE_CTX * ctx,int purpose)1477 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) {
1478 // If |purpose| is zero, this function historically silently did nothing.
1479 if (purpose == 0) {
1480 return 1;
1481 }
1482
1483 const X509_PURPOSE *pobj = X509_PURPOSE_get0(purpose);
1484 if (pobj == NULL) {
1485 OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
1486 return 0;
1487 }
1488
1489 int trust = X509_PURPOSE_get_trust(pobj);
1490 if (!X509_STORE_CTX_set_trust(ctx, trust)) {
1491 return 0;
1492 }
1493
1494 if (ctx->param->purpose == 0) {
1495 ctx->param->purpose = purpose;
1496 }
1497 return 1;
1498 }
1499
X509_STORE_CTX_set_trust(X509_STORE_CTX * ctx,int trust)1500 int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) {
1501 // If |trust| is zero, this function historically silently did nothing.
1502 if (trust == 0) {
1503 return 1;
1504 }
1505
1506 if (!X509_is_valid_trust_id(trust)) {
1507 OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
1508 return 0;
1509 }
1510
1511 if (ctx->param->trust == 0) {
1512 ctx->param->trust = trust;
1513 }
1514 return 1;
1515 }
1516
X509_STORE_CTX_new(void)1517 X509_STORE_CTX *X509_STORE_CTX_new(void) {
1518 return OPENSSL_zalloc(sizeof(X509_STORE_CTX));
1519 }
1520
X509_STORE_CTX_free(X509_STORE_CTX * ctx)1521 void X509_STORE_CTX_free(X509_STORE_CTX *ctx) {
1522 if (ctx == NULL) {
1523 return;
1524 }
1525 X509_STORE_CTX_cleanup(ctx);
1526 OPENSSL_free(ctx);
1527 }
1528
X509_STORE_CTX_init(X509_STORE_CTX * ctx,X509_STORE * store,X509 * x509,STACK_OF (X509)* chain)1529 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1530 STACK_OF(X509) *chain) {
1531 X509_STORE_CTX_cleanup(ctx);
1532
1533 ctx->ctx = store;
1534 ctx->cert = x509;
1535 ctx->untrusted = chain;
1536
1537 CRYPTO_new_ex_data(&ctx->ex_data);
1538
1539 if (store == NULL) {
1540 OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);
1541 goto err;
1542 }
1543
1544 ctx->param = X509_VERIFY_PARAM_new();
1545 if (!ctx->param) {
1546 goto err;
1547 }
1548
1549 // Inherit callbacks and flags from X509_STORE.
1550
1551 ctx->verify_cb = store->verify_cb;
1552
1553 if (!X509_VERIFY_PARAM_inherit(ctx->param, store->param) ||
1554 !X509_VERIFY_PARAM_inherit(ctx->param,
1555 X509_VERIFY_PARAM_lookup("default"))) {
1556 goto err;
1557 }
1558
1559 if (store->verify_cb) {
1560 ctx->verify_cb = store->verify_cb;
1561 } else {
1562 ctx->verify_cb = null_callback;
1563 }
1564
1565 return 1;
1566
1567 err:
1568 CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
1569 if (ctx->param != NULL) {
1570 X509_VERIFY_PARAM_free(ctx->param);
1571 }
1572
1573 OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
1574 return 0;
1575 }
1576
1577 // Set alternative lookup method: just a STACK of trusted certificates. This
1578 // avoids X509_STORE nastiness where it isn't needed.
1579
X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX * ctx,STACK_OF (X509)* sk)1580 void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,
1581 STACK_OF(X509) *sk) {
1582 ctx->trusted_stack = sk;
1583 }
1584
X509_STORE_CTX_trusted_stack(X509_STORE_CTX * ctx,STACK_OF (X509)* sk)1585 void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {
1586 X509_STORE_CTX_set0_trusted_stack(ctx, sk);
1587 }
1588
X509_STORE_CTX_cleanup(X509_STORE_CTX * ctx)1589 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) {
1590 CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
1591 X509_VERIFY_PARAM_free(ctx->param);
1592 sk_X509_pop_free(ctx->chain, X509_free);
1593 OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
1594 }
1595
X509_STORE_CTX_set_depth(X509_STORE_CTX * ctx,int depth)1596 void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) {
1597 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
1598 }
1599
X509_STORE_CTX_set_flags(X509_STORE_CTX * ctx,unsigned long flags)1600 void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) {
1601 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
1602 }
1603
X509_STORE_CTX_set_time_posix(X509_STORE_CTX * ctx,unsigned long flags,int64_t t)1604 void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, unsigned long flags,
1605 int64_t t) {
1606 X509_VERIFY_PARAM_set_time_posix(ctx->param, t);
1607 }
1608
X509_STORE_CTX_set_time(X509_STORE_CTX * ctx,unsigned long flags,time_t t)1609 void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
1610 time_t t) {
1611 X509_STORE_CTX_set_time_posix(ctx, flags, t);
1612 }
1613
X509_STORE_CTX_get0_cert(const X509_STORE_CTX * ctx)1614 X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx) { return ctx->cert; }
1615
X509_STORE_CTX_set_verify_cb(X509_STORE_CTX * ctx,int (* verify_cb)(int,X509_STORE_CTX *))1616 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
1617 int (*verify_cb)(int, X509_STORE_CTX *)) {
1618 ctx->verify_cb = verify_cb;
1619 }
1620
X509_STORE_CTX_set_default(X509_STORE_CTX * ctx,const char * name)1621 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) {
1622 const X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_lookup(name);
1623 if (!param) {
1624 return 0;
1625 }
1626 return X509_VERIFY_PARAM_inherit(ctx->param, param);
1627 }
1628
X509_STORE_CTX_get0_param(X509_STORE_CTX * ctx)1629 X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) {
1630 return ctx->param;
1631 }
1632
X509_STORE_CTX_set0_param(X509_STORE_CTX * ctx,X509_VERIFY_PARAM * param)1633 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) {
1634 if (ctx->param) {
1635 X509_VERIFY_PARAM_free(ctx->param);
1636 }
1637 ctx->param = param;
1638 }
1639