1 /* Copyright (C) 1995-1998 Eric Young ([email protected])
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young ([email protected]).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson ([email protected]).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young ([email protected])"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson ([email protected])"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <ctype.h>
58 #include <limits.h>
59 #include <string.h>
60 #include <time.h>
61
62 #include <openssl/asn1.h>
63 #include <openssl/err.h>
64 #include <openssl/evp.h>
65 #include <openssl/mem.h>
66 #include <openssl/obj.h>
67 #include <openssl/thread.h>
68 #include <openssl/x509.h>
69
70 #include "../internal.h"
71 #include "internal.h"
72
73 static CRYPTO_EX_DATA_CLASS g_ex_data_class =
74 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
75
76 // CRL score values
77
78 // No unhandled critical extensions
79 #define CRL_SCORE_NOCRITICAL 0x100
80
81 // certificate is within CRL scope
82 #define CRL_SCORE_SCOPE 0x080
83
84 // CRL times valid
85 #define CRL_SCORE_TIME 0x040
86
87 // Issuer name matches certificate
88 #define CRL_SCORE_ISSUER_NAME 0x020
89
90 // If this score or above CRL is probably valid
91 #define CRL_SCORE_VALID \
92 (CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE)
93
94 // CRL issuer is certificate issuer
95 #define CRL_SCORE_ISSUER_CERT 0x018
96
97 // CRL issuer is on certificate path
98 #define CRL_SCORE_SAME_PATH 0x008
99
100 // CRL issuer matches CRL AKID
101 #define CRL_SCORE_AKID 0x004
102
103 static int null_callback(int ok, X509_STORE_CTX *e);
104 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
105 static int check_chain_extensions(X509_STORE_CTX *ctx);
106 static int check_name_constraints(X509_STORE_CTX *ctx);
107 static int check_id(X509_STORE_CTX *ctx);
108 static int check_trust(X509_STORE_CTX *ctx);
109 static int check_revocation(X509_STORE_CTX *ctx);
110 static int check_cert(X509_STORE_CTX *ctx);
111 static int check_policy(X509_STORE_CTX *ctx);
112
113 static X509 *get_trusted_issuer(X509_STORE_CTX *ctx, X509 *x);
114 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, X509_CRL *crl,
115 X509 *x);
116 static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x);
117 static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
118 int *pcrl_score);
119 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score);
120 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
121
122 static int internal_verify(X509_STORE_CTX *ctx);
123
null_callback(int ok,X509_STORE_CTX * e)124 static int null_callback(int ok, X509_STORE_CTX *e) { return ok; }
125
126 // cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns
127 // one and sets |*out_is_self_signed| to the result. If |x| is invalid, it
128 // returns zero.
cert_self_signed(X509 * x,int * out_is_self_signed)129 static int cert_self_signed(X509 *x, int *out_is_self_signed) {
130 if (!x509v3_cache_extensions(x)) {
131 return 0;
132 }
133 *out_is_self_signed = (x->ex_flags & EXFLAG_SS) != 0;
134 return 1;
135 }
136
call_verify_cb(int ok,X509_STORE_CTX * ctx)137 static int call_verify_cb(int ok, X509_STORE_CTX *ctx) {
138 ok = ctx->verify_cb(ok, ctx);
139 // Historically, callbacks returning values like -1 would be treated as a mix
140 // of success or failure. Insert that callers check correctly.
141 //
142 // TODO(davidben): Also use this wrapper to constrain which errors may be
143 // suppressed, and ensure all |verify_cb| calls remember to fill in an error.
144 BSSL_CHECK(ok == 0 || ok == 1);
145 return ok;
146 }
147
148 // Given a certificate try and find an exact match in the store
lookup_cert_match(X509_STORE_CTX * ctx,X509 * x)149 static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) {
150 STACK_OF(X509) *certs;
151 X509 *xtmp = NULL;
152 size_t i;
153 // Lookup all certs with matching subject name
154 certs = X509_STORE_CTX_get1_certs(ctx, X509_get_subject_name(x));
155 if (certs == NULL) {
156 return NULL;
157 }
158 // Look for exact match
159 for (i = 0; i < sk_X509_num(certs); i++) {
160 xtmp = sk_X509_value(certs, i);
161 if (!X509_cmp(xtmp, x)) {
162 break;
163 }
164 }
165 if (i < sk_X509_num(certs)) {
166 X509_up_ref(xtmp);
167 } else {
168 xtmp = NULL;
169 }
170 sk_X509_pop_free(certs, X509_free);
171 return xtmp;
172 }
173
X509_verify_cert(X509_STORE_CTX * ctx)174 int X509_verify_cert(X509_STORE_CTX *ctx) {
175 X509 *chain_ss = NULL;
176 int bad_chain = 0;
177 X509_VERIFY_PARAM *param = ctx->param;
178 int i, ok = 0;
179 int j, retry, trust;
180 STACK_OF(X509) *sktmp = NULL;
181
182 if (ctx->cert == NULL) {
183 OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
184 ctx->error = X509_V_ERR_INVALID_CALL;
185 return 0;
186 }
187
188 if (ctx->chain != NULL) {
189 // This X509_STORE_CTX has already been used to verify a cert. We
190 // cannot do another one.
191 OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
192 ctx->error = X509_V_ERR_INVALID_CALL;
193 return 0;
194 }
195
196 if (ctx->param->flags &
197 (X509_V_FLAG_EXTENDED_CRL_SUPPORT | X509_V_FLAG_USE_DELTAS)) {
198 // We do not support indirect or delta CRLs. The flags still exist for
199 // compatibility with bindings libraries, but to ensure we do not
200 // inadvertently skip a CRL check that the caller expects, fail closed.
201 OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
202 ctx->error = X509_V_ERR_INVALID_CALL;
203 return 0;
204 }
205
206 // first we make sure the chain we are going to build is present and that
207 // the first entry is in place
208 ctx->chain = sk_X509_new_null();
209 if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
210 ctx->error = X509_V_ERR_OUT_OF_MEM;
211 goto end;
212 }
213 X509_up_ref(ctx->cert);
214 ctx->last_untrusted = 1;
215
216 // We use a temporary STACK so we can chop and hack at it.
217 if (ctx->untrusted != NULL && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
218 ctx->error = X509_V_ERR_OUT_OF_MEM;
219 goto end;
220 }
221
222 int num = (int)sk_X509_num(ctx->chain);
223 X509 *x = sk_X509_value(ctx->chain, num - 1);
224 // |param->depth| does not include the leaf certificate or the trust anchor,
225 // so the maximum size is 2 more.
226 int max_chain = param->depth >= INT_MAX - 2 ? INT_MAX : param->depth + 2;
227
228 for (;;) {
229 if (num >= max_chain) {
230 // FIXME: If this happens, we should take note of it and, if appropriate,
231 // use the X509_V_ERR_CERT_CHAIN_TOO_LONG error code later.
232 break;
233 }
234
235 int is_self_signed;
236 if (!cert_self_signed(x, &is_self_signed)) {
237 ctx->error = X509_V_ERR_INVALID_EXTENSION;
238 goto end;
239 }
240
241 // If we are self signed, we break
242 if (is_self_signed) {
243 break;
244 }
245 // If asked see if we can find issuer in trusted store first
246 if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
247 X509 *issuer = get_trusted_issuer(ctx, x);
248 if (issuer != NULL) {
249 // Free the certificate. It will be picked up again later.
250 X509_free(issuer);
251 break;
252 }
253 }
254
255 // If we were passed a cert chain, use it first
256 if (sktmp != NULL) {
257 X509 *issuer = find_issuer(ctx, sktmp, x);
258 if (issuer != NULL) {
259 if (!sk_X509_push(ctx->chain, issuer)) {
260 ctx->error = X509_V_ERR_OUT_OF_MEM;
261 goto end;
262 }
263 X509_up_ref(issuer);
264 (void)sk_X509_delete_ptr(sktmp, issuer);
265 ctx->last_untrusted++;
266 x = issuer;
267 num++;
268 // reparse the full chain for the next one
269 continue;
270 }
271 }
272 break;
273 }
274
275 // Remember how many untrusted certs we have
276 j = num;
277 // at this point, chain should contain a list of untrusted certificates.
278 // We now need to add at least one trusted one, if possible, otherwise we
279 // complain.
280
281 do {
282 // Examine last certificate in chain and see if it is self signed.
283 i = (int)sk_X509_num(ctx->chain);
284 x = sk_X509_value(ctx->chain, i - 1);
285
286 int is_self_signed;
287 if (!cert_self_signed(x, &is_self_signed)) {
288 ctx->error = X509_V_ERR_INVALID_EXTENSION;
289 goto end;
290 }
291
292 if (is_self_signed) {
293 // we have a self signed certificate
294 if (sk_X509_num(ctx->chain) == 1) {
295 // We have a single self signed certificate: see if we can
296 // find it in the store. We must have an exact match to avoid
297 // possible impersonation.
298 X509 *issuer = get_trusted_issuer(ctx, x);
299 if (issuer == NULL || X509_cmp(x, issuer) != 0) {
300 X509_free(issuer);
301 ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
302 ctx->current_cert = x;
303 ctx->error_depth = i - 1;
304 bad_chain = 1;
305 if (!call_verify_cb(0, ctx)) {
306 goto end;
307 }
308 } else {
309 // We have a match: replace certificate with store
310 // version so we get any trust settings.
311 X509_free(x);
312 x = issuer;
313 (void)sk_X509_set(ctx->chain, i - 1, x);
314 ctx->last_untrusted = 0;
315 }
316 } else {
317 // extract and save self signed certificate for later use
318 chain_ss = sk_X509_pop(ctx->chain);
319 ctx->last_untrusted--;
320 num--;
321 j--;
322 x = sk_X509_value(ctx->chain, num - 1);
323 }
324 }
325 // We now lookup certs from the certificate store
326 for (;;) {
327 if (num >= max_chain) {
328 // FIXME: If this happens, we should take note of it and, if
329 // appropriate, use the X509_V_ERR_CERT_CHAIN_TOO_LONG error code later.
330 break;
331 }
332 if (!cert_self_signed(x, &is_self_signed)) {
333 ctx->error = X509_V_ERR_INVALID_EXTENSION;
334 goto end;
335 }
336 // If we are self signed, we break
337 if (is_self_signed) {
338 break;
339 }
340 X509 *issuer = get_trusted_issuer(ctx, x);
341 if (issuer == NULL) {
342 break;
343 }
344 x = issuer;
345 if (!sk_X509_push(ctx->chain, x)) {
346 X509_free(issuer);
347 ctx->error = X509_V_ERR_OUT_OF_MEM;
348 goto end;
349 }
350 num++;
351 }
352
353 // we now have our chain, lets check it...
354 trust = check_trust(ctx);
355
356 // If explicitly rejected error
357 if (trust == X509_TRUST_REJECTED) {
358 goto end;
359 }
360 // If it's not explicitly trusted then check if there is an alternative
361 // chain that could be used. We only do this if we haven't already
362 // checked via TRUSTED_FIRST and the user hasn't switched off alternate
363 // chain checking
364 retry = 0;
365 if (trust != X509_TRUST_TRUSTED &&
366 !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) &&
367 !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
368 while (j-- > 1) {
369 X509 *issuer =
370 get_trusted_issuer(ctx, sk_X509_value(ctx->chain, j - 1));
371 // Check if we found an alternate chain
372 if (issuer != NULL) {
373 // Free up the found cert we'll add it again later
374 X509_free(issuer);
375
376 // Dump all the certs above this point - we've found an
377 // alternate chain
378 while (num > j) {
379 X509_free(sk_X509_pop(ctx->chain));
380 num--;
381 }
382 ctx->last_untrusted = (int)sk_X509_num(ctx->chain);
383 retry = 1;
384 break;
385 }
386 }
387 }
388 } while (retry);
389
390 // If not explicitly trusted then indicate error unless it's a single
391 // self signed certificate in which case we've indicated an error already
392 // and set bad_chain == 1
393 if (trust != X509_TRUST_TRUSTED && !bad_chain) {
394 if (chain_ss == NULL ||
395 !x509_check_issued_with_callback(ctx, x, chain_ss)) {
396 if (ctx->last_untrusted >= num) {
397 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
398 } else {
399 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
400 }
401 ctx->current_cert = x;
402 } else {
403 if (!sk_X509_push(ctx->chain, chain_ss)) {
404 ctx->error = X509_V_ERR_OUT_OF_MEM;
405 goto end;
406 }
407 num++;
408 ctx->last_untrusted = num;
409 ctx->current_cert = chain_ss;
410 ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
411 chain_ss = NULL;
412 }
413
414 ctx->error_depth = num - 1;
415 bad_chain = 1;
416 if (!call_verify_cb(0, ctx)) {
417 goto end;
418 }
419 }
420
421 // We have the chain complete: now we need to check its purpose
422 if (!check_chain_extensions(ctx) || //
423 !check_id(ctx) ||
424 // We check revocation status after copying parameters because they may be
425 // needed for CRL signature verification.
426 !check_revocation(ctx) || //
427 !internal_verify(ctx) || //
428 !check_name_constraints(ctx) ||
429 // TODO(davidben): Does |check_policy| still need to be conditioned on
430 // |!bad_chain|? DoS concerns have been resolved.
431 (!bad_chain && !check_policy(ctx))) {
432 goto end;
433 }
434
435 ok = 1;
436
437 end:
438 sk_X509_free(sktmp);
439 X509_free(chain_ss);
440
441 // Safety net, error returns must set ctx->error
442 if (!ok && ctx->error == X509_V_OK) {
443 ctx->error = X509_V_ERR_UNSPECIFIED;
444 }
445 return ok;
446 }
447
448 // Given a STACK_OF(X509) find the issuer of cert (if any)
449
find_issuer(X509_STORE_CTX * ctx,STACK_OF (X509)* sk,X509 * x)450 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) {
451 size_t i;
452 X509 *issuer;
453 for (i = 0; i < sk_X509_num(sk); i++) {
454 issuer = sk_X509_value(sk, i);
455 if (x509_check_issued_with_callback(ctx, x, issuer)) {
456 return issuer;
457 }
458 }
459 return NULL;
460 }
461
462 // Given a possible certificate and issuer check them
463
x509_check_issued_with_callback(X509_STORE_CTX * ctx,X509 * x,X509 * issuer)464 int x509_check_issued_with_callback(X509_STORE_CTX *ctx, X509 *x,
465 X509 *issuer) {
466 int ret;
467 ret = X509_check_issued(issuer, x);
468 if (ret == X509_V_OK) {
469 return 1;
470 }
471 // If we haven't asked for issuer errors don't set ctx
472 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) {
473 return 0;
474 }
475
476 ctx->error = ret;
477 ctx->current_cert = x;
478 return call_verify_cb(0, ctx);
479 }
480
get_trusted_issuer(X509_STORE_CTX * ctx,X509 * x)481 static X509 *get_trusted_issuer(X509_STORE_CTX *ctx, X509 *x) {
482 X509 *issuer;
483 if (ctx->trusted_stack != NULL) {
484 // Ignore the store and use the configured stack instead.
485 issuer = find_issuer(ctx, ctx->trusted_stack, x);
486 if (issuer != NULL) {
487 X509_up_ref(issuer);
488 }
489 return issuer;
490 }
491
492 if (!X509_STORE_CTX_get1_issuer(&issuer, ctx, x)) {
493 return NULL;
494 }
495 return issuer;
496 }
497
498 // Check a certificate chains extensions for consistency with the supplied
499 // purpose
500
check_chain_extensions(X509_STORE_CTX * ctx)501 static int check_chain_extensions(X509_STORE_CTX *ctx) {
502 int plen = 0;
503 int purpose = ctx->param->purpose;
504
505 // Check all untrusted certificates
506 for (int i = 0; i < ctx->last_untrusted; i++) {
507 X509 *x = sk_X509_value(ctx->chain, i);
508 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
509 (x->ex_flags & EXFLAG_CRITICAL)) {
510 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
511 ctx->error_depth = i;
512 ctx->current_cert = x;
513 if (!call_verify_cb(0, ctx)) {
514 return 0;
515 }
516 }
517
518 int must_be_ca = i > 0;
519 if (must_be_ca && !X509_check_ca(x)) {
520 ctx->error = X509_V_ERR_INVALID_CA;
521 ctx->error_depth = i;
522 ctx->current_cert = x;
523 if (!call_verify_cb(0, ctx)) {
524 return 0;
525 }
526 }
527 if (ctx->param->purpose > 0 &&
528 X509_check_purpose(x, purpose, must_be_ca) != 1) {
529 ctx->error = X509_V_ERR_INVALID_PURPOSE;
530 ctx->error_depth = i;
531 ctx->current_cert = x;
532 if (!call_verify_cb(0, ctx)) {
533 return 0;
534 }
535 }
536 // Check pathlen if not self issued
537 if (i > 1 && !(x->ex_flags & EXFLAG_SI) && x->ex_pathlen != -1 &&
538 plen > x->ex_pathlen + 1) {
539 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
540 ctx->error_depth = i;
541 ctx->current_cert = x;
542 if (!call_verify_cb(0, ctx)) {
543 return 0;
544 }
545 }
546 // Increment path length if not self issued
547 if (!(x->ex_flags & EXFLAG_SI)) {
548 plen++;
549 }
550 }
551
552 return 1;
553 }
554
reject_dns_name_in_common_name(X509 * x509)555 static int reject_dns_name_in_common_name(X509 *x509) {
556 const X509_NAME *name = X509_get_subject_name(x509);
557 int i = -1;
558 for (;;) {
559 i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
560 if (i == -1) {
561 return X509_V_OK;
562 }
563
564 const X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
565 const ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(entry);
566 unsigned char *idval;
567 int idlen = ASN1_STRING_to_UTF8(&idval, common_name);
568 if (idlen < 0) {
569 return X509_V_ERR_OUT_OF_MEM;
570 }
571 // Only process attributes that look like host names. Note it is
572 // important that this check be mirrored in |X509_check_host|.
573 int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
574 OPENSSL_free(idval);
575 if (looks_like_dns) {
576 return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;
577 }
578 }
579 }
580
check_name_constraints(X509_STORE_CTX * ctx)581 static int check_name_constraints(X509_STORE_CTX *ctx) {
582 int i, j, rv;
583 int has_name_constraints = 0;
584 // Check name constraints for all certificates
585 for (i = (int)sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
586 X509 *x = sk_X509_value(ctx->chain, i);
587 // Ignore self issued certs unless last in chain
588 if (i && (x->ex_flags & EXFLAG_SI)) {
589 continue;
590 }
591 // Check against constraints for all certificates higher in chain
592 // including trust anchor. Trust anchor not strictly speaking needed
593 // but if it includes constraints it is to be assumed it expects them
594 // to be obeyed.
595 for (j = (int)sk_X509_num(ctx->chain) - 1; j > i; j--) {
596 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
597 if (nc) {
598 has_name_constraints = 1;
599 rv = NAME_CONSTRAINTS_check(x, nc);
600 switch (rv) {
601 case X509_V_OK:
602 continue;
603 case X509_V_ERR_OUT_OF_MEM:
604 ctx->error = rv;
605 return 0;
606 default:
607 ctx->error = rv;
608 ctx->error_depth = i;
609 ctx->current_cert = x;
610 if (!call_verify_cb(0, ctx)) {
611 return 0;
612 }
613 break;
614 }
615 }
616 }
617 }
618
619 // Name constraints do not match against the common name, but
620 // |X509_check_host| still implements the legacy behavior where, on
621 // certificates lacking a SAN list, DNS-like names in the common name are
622 // checked instead.
623 //
624 // While we could apply the name constraints to the common name, name
625 // constraints are rare enough that can hold such certificates to a higher
626 // standard. Note this does not make "DNS-like" heuristic failures any
627 // worse. A decorative common-name misidentified as a DNS name would fail
628 // the name constraint anyway.
629 X509 *leaf = sk_X509_value(ctx->chain, 0);
630 if (has_name_constraints && leaf->altname == NULL) {
631 rv = reject_dns_name_in_common_name(leaf);
632 switch (rv) {
633 case X509_V_OK:
634 break;
635 case X509_V_ERR_OUT_OF_MEM:
636 ctx->error = rv;
637 return 0;
638 default:
639 ctx->error = rv;
640 ctx->error_depth = i;
641 ctx->current_cert = leaf;
642 if (!call_verify_cb(0, ctx)) {
643 return 0;
644 }
645 break;
646 }
647 }
648
649 return 1;
650 }
651
check_id_error(X509_STORE_CTX * ctx,int errcode)652 static int check_id_error(X509_STORE_CTX *ctx, int errcode) {
653 ctx->error = errcode;
654 ctx->current_cert = ctx->cert;
655 ctx->error_depth = 0;
656 return call_verify_cb(0, ctx);
657 }
658
check_hosts(X509 * x,X509_VERIFY_PARAM * param)659 static int check_hosts(X509 *x, X509_VERIFY_PARAM *param) {
660 size_t i;
661 size_t n = sk_OPENSSL_STRING_num(param->hosts);
662 char *name;
663
664 for (i = 0; i < n; ++i) {
665 name = sk_OPENSSL_STRING_value(param->hosts, i);
666 if (X509_check_host(x, name, strlen(name), param->hostflags, NULL) > 0) {
667 return 1;
668 }
669 }
670 return n == 0;
671 }
672
check_id(X509_STORE_CTX * ctx)673 static int check_id(X509_STORE_CTX *ctx) {
674 X509_VERIFY_PARAM *vpm = ctx->param;
675 X509 *x = ctx->cert;
676 if (vpm->poison) {
677 if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL)) {
678 return 0;
679 }
680 }
681 if (vpm->hosts && check_hosts(x, vpm) <= 0) {
682 if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) {
683 return 0;
684 }
685 }
686 if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
687 if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) {
688 return 0;
689 }
690 }
691 if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
692 if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) {
693 return 0;
694 }
695 }
696 return 1;
697 }
698
check_trust(X509_STORE_CTX * ctx)699 static int check_trust(X509_STORE_CTX *ctx) {
700 X509 *x = NULL;
701 // Check all trusted certificates in chain
702 for (size_t i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
703 x = sk_X509_value(ctx->chain, i);
704 int trust = X509_check_trust(x, ctx->param->trust, 0);
705 // If explicitly trusted return trusted
706 if (trust == X509_TRUST_TRUSTED) {
707 return X509_TRUST_TRUSTED;
708 }
709 // If explicitly rejected notify callback and reject if not
710 // overridden.
711 if (trust == X509_TRUST_REJECTED) {
712 ctx->error_depth = (int)i;
713 ctx->current_cert = x;
714 ctx->error = X509_V_ERR_CERT_REJECTED;
715 if (!call_verify_cb(0, ctx)) {
716 return X509_TRUST_REJECTED;
717 }
718 }
719 }
720 // If we accept partial chains and have at least one trusted certificate
721 // return success.
722 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
723 X509 *mx;
724 if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain)) {
725 return X509_TRUST_TRUSTED;
726 }
727 x = sk_X509_value(ctx->chain, 0);
728 mx = lookup_cert_match(ctx, x);
729 if (mx) {
730 (void)sk_X509_set(ctx->chain, 0, mx);
731 X509_free(x);
732 ctx->last_untrusted = 0;
733 return X509_TRUST_TRUSTED;
734 }
735 }
736
737 // If no trusted certs in chain at all return untrusted and allow
738 // standard (no issuer cert) etc errors to be indicated.
739 return X509_TRUST_UNTRUSTED;
740 }
741
check_revocation(X509_STORE_CTX * ctx)742 static int check_revocation(X509_STORE_CTX *ctx) {
743 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) {
744 return 1;
745 }
746 int last;
747 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) {
748 last = (int)sk_X509_num(ctx->chain) - 1;
749 } else {
750 last = 0;
751 }
752 for (int i = 0; i <= last; i++) {
753 ctx->error_depth = i;
754 if (!check_cert(ctx)) {
755 return 0;
756 }
757 }
758 return 1;
759 }
760
check_cert(X509_STORE_CTX * ctx)761 static int check_cert(X509_STORE_CTX *ctx) {
762 X509_CRL *crl = NULL;
763 int ok = 0, cnum = ctx->error_depth;
764 X509 *x = sk_X509_value(ctx->chain, cnum);
765 ctx->current_cert = x;
766 ctx->current_crl_issuer = NULL;
767 ctx->current_crl_score = 0;
768
769 // Try to retrieve the relevant CRL. Note that |get_crl| sets
770 // |current_crl_issuer| and |current_crl_score|, which |check_crl| then reads.
771 //
772 // TODO(davidben): Remove these callbacks. gRPC currently sets them, but
773 // implements them incorrectly. It is not actually possible to implement
774 // |get_crl| from outside the library.
775 if (!ctx->get_crl(ctx, &crl, x)) {
776 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
777 ok = call_verify_cb(0, ctx);
778 goto err;
779 }
780
781 ctx->current_crl = crl;
782 if (!ctx->check_crl(ctx, crl) || //
783 !cert_crl(ctx, crl, x)) {
784 goto err;
785 }
786
787 ok = 1;
788
789 err:
790 X509_CRL_free(crl);
791 ctx->current_crl = NULL;
792 return ok;
793 }
794
795 // Check CRL times against values in X509_STORE_CTX
check_crl_time(X509_STORE_CTX * ctx,X509_CRL * crl,int notify)796 static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) {
797 if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {
798 return 1;
799 }
800
801 if (notify) {
802 ctx->current_crl = crl;
803 }
804 int64_t ptime;
805 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
806 ptime = ctx->param->check_time;
807 } else {
808 ptime = time(NULL);
809 }
810
811 int i = X509_cmp_time_posix(X509_CRL_get0_lastUpdate(crl), ptime);
812 if (i == 0) {
813 if (!notify) {
814 return 0;
815 }
816 ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
817 if (!call_verify_cb(0, ctx)) {
818 return 0;
819 }
820 }
821
822 if (i > 0) {
823 if (!notify) {
824 return 0;
825 }
826 ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
827 if (!call_verify_cb(0, ctx)) {
828 return 0;
829 }
830 }
831
832 if (X509_CRL_get0_nextUpdate(crl)) {
833 i = X509_cmp_time_posix(X509_CRL_get0_nextUpdate(crl), ptime);
834
835 if (i == 0) {
836 if (!notify) {
837 return 0;
838 }
839 ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
840 if (!call_verify_cb(0, ctx)) {
841 return 0;
842 }
843 }
844 if (i < 0) {
845 if (!notify) {
846 return 0;
847 }
848 ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
849 if (!call_verify_cb(0, ctx)) {
850 return 0;
851 }
852 }
853 }
854
855 if (notify) {
856 ctx->current_crl = NULL;
857 }
858
859 return 1;
860 }
861
get_crl_sk(X509_STORE_CTX * ctx,X509_CRL ** pcrl,X509 ** pissuer,int * pscore,STACK_OF (X509_CRL)* crls)862 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 **pissuer,
863 int *pscore, STACK_OF(X509_CRL) *crls) {
864 int crl_score, best_score = *pscore;
865 X509 *x = ctx->current_cert;
866 X509_CRL *best_crl = NULL;
867 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
868
869 for (size_t i = 0; i < sk_X509_CRL_num(crls); i++) {
870 X509_CRL *crl = sk_X509_CRL_value(crls, i);
871 crl_score = get_crl_score(ctx, &crl_issuer, crl, x);
872 if (crl_score < best_score || crl_score == 0) {
873 continue;
874 }
875 // If current CRL is equivalent use it if it is newer
876 if (crl_score == best_score && best_crl != NULL) {
877 int day, sec;
878 if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
879 X509_CRL_get0_lastUpdate(crl)) == 0) {
880 continue;
881 }
882 // ASN1_TIME_diff never returns inconsistent signs for |day|
883 // and |sec|.
884 if (day <= 0 && sec <= 0) {
885 continue;
886 }
887 }
888 best_crl = crl;
889 best_crl_issuer = crl_issuer;
890 best_score = crl_score;
891 }
892
893 if (best_crl) {
894 if (*pcrl) {
895 X509_CRL_free(*pcrl);
896 }
897 *pcrl = best_crl;
898 *pissuer = best_crl_issuer;
899 *pscore = best_score;
900 X509_CRL_up_ref(best_crl);
901 }
902
903 if (best_score >= CRL_SCORE_VALID) {
904 return 1;
905 }
906
907 return 0;
908 }
909
910 // For a given CRL return how suitable it is for the supplied certificate
911 // 'x'. The return value is a mask of several criteria. If the issuer is not
912 // the certificate issuer this is returned in *pissuer.
get_crl_score(X509_STORE_CTX * ctx,X509 ** pissuer,X509_CRL * crl,X509 * x)913 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, X509_CRL *crl,
914 X509 *x) {
915 int crl_score = 0;
916
917 // First see if we can reject CRL straight away
918
919 // Invalid IDP cannot be processed
920 if (crl->idp_flags & IDP_INVALID) {
921 return 0;
922 }
923 // Reason codes and indirect CRLs are not supported.
924 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) {
925 return 0;
926 }
927 // We do not support indirect CRLs, so the issuer names must match.
928 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
929 return 0;
930 }
931 crl_score |= CRL_SCORE_ISSUER_NAME;
932
933 if (!(crl->flags & EXFLAG_CRITICAL)) {
934 crl_score |= CRL_SCORE_NOCRITICAL;
935 }
936
937 // Check expiry
938 if (check_crl_time(ctx, crl, 0)) {
939 crl_score |= CRL_SCORE_TIME;
940 }
941
942 // Check authority key ID and locate certificate issuer
943 if (!crl_akid_check(ctx, crl, pissuer, &crl_score)) {
944 // If we can't locate certificate issuer at this point forget it
945 return 0;
946 }
947
948 // Check cert for matching CRL distribution points
949 if (crl_crldp_check(x, crl, crl_score)) {
950 crl_score |= CRL_SCORE_SCOPE;
951 }
952
953 return crl_score;
954 }
955
crl_akid_check(X509_STORE_CTX * ctx,X509_CRL * crl,X509 ** pissuer,int * pcrl_score)956 static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
957 int *pcrl_score) {
958 X509 *crl_issuer = NULL;
959 X509_NAME *cnm = X509_CRL_get_issuer(crl);
960 int cidx = ctx->error_depth;
961
962 if ((size_t)cidx != sk_X509_num(ctx->chain) - 1) {
963 cidx++;
964 }
965
966 crl_issuer = sk_X509_value(ctx->chain, cidx);
967
968 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
969 *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
970 *pissuer = crl_issuer;
971 return 1;
972 }
973
974 for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) {
975 crl_issuer = sk_X509_value(ctx->chain, cidx);
976 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) {
977 continue;
978 }
979 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
980 *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
981 *pissuer = crl_issuer;
982 return 1;
983 }
984 }
985
986 return 0;
987 }
988
989 // Check for match between two dist point names: three separate cases. 1.
990 // Both are relative names and compare X509_NAME types. 2. One full, one
991 // relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
992 // compare two GENERAL_NAMES. 4. One is NULL: automatic match.
idp_check_dp(DIST_POINT_NAME * a,DIST_POINT_NAME * b)993 static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) {
994 X509_NAME *nm = NULL;
995 GENERAL_NAMES *gens = NULL;
996 GENERAL_NAME *gena, *genb;
997 size_t i, j;
998 if (!a || !b) {
999 return 1;
1000 }
1001 if (a->type == 1) {
1002 if (!a->dpname) {
1003 return 0;
1004 }
1005 // Case 1: two X509_NAME
1006 if (b->type == 1) {
1007 if (!b->dpname) {
1008 return 0;
1009 }
1010 if (!X509_NAME_cmp(a->dpname, b->dpname)) {
1011 return 1;
1012 } else {
1013 return 0;
1014 }
1015 }
1016 // Case 2: set name and GENERAL_NAMES appropriately
1017 nm = a->dpname;
1018 gens = b->name.fullname;
1019 } else if (b->type == 1) {
1020 if (!b->dpname) {
1021 return 0;
1022 }
1023 // Case 2: set name and GENERAL_NAMES appropriately
1024 gens = a->name.fullname;
1025 nm = b->dpname;
1026 }
1027
1028 // Handle case 2 with one GENERAL_NAMES and one X509_NAME
1029 if (nm) {
1030 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1031 gena = sk_GENERAL_NAME_value(gens, i);
1032 if (gena->type != GEN_DIRNAME) {
1033 continue;
1034 }
1035 if (!X509_NAME_cmp(nm, gena->d.directoryName)) {
1036 return 1;
1037 }
1038 }
1039 return 0;
1040 }
1041
1042 // Else case 3: two GENERAL_NAMES
1043
1044 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1045 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1046 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1047 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1048 if (!GENERAL_NAME_cmp(gena, genb)) {
1049 return 1;
1050 }
1051 }
1052 }
1053
1054 return 0;
1055 }
1056
1057 // Check CRLDP and IDP
crl_crldp_check(X509 * x,X509_CRL * crl,int crl_score)1058 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score) {
1059 if (crl->idp_flags & IDP_ONLYATTR) {
1060 return 0;
1061 }
1062 if (x->ex_flags & EXFLAG_CA) {
1063 if (crl->idp_flags & IDP_ONLYUSER) {
1064 return 0;
1065 }
1066 } else {
1067 if (crl->idp_flags & IDP_ONLYCA) {
1068 return 0;
1069 }
1070 }
1071 for (size_t i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1072 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1073 // Skip distribution points with a reasons field or a CRL issuer:
1074 //
1075 // We do not support CRLs partitioned by reason code. RFC 5280 requires CAs
1076 // include at least one DistributionPoint that covers all reasons.
1077 //
1078 // We also do not support indirect CRLs, and a CRL issuer can only match
1079 // indirect CRLs (RFC 5280, section 6.3.3, step b.1).
1080 // support.
1081 if (dp->reasons != NULL && dp->CRLissuer != NULL &&
1082 (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint))) {
1083 return 1;
1084 }
1085 }
1086
1087 // If the CRL does not specify an issuing distribution point, allow it to
1088 // match anything.
1089 //
1090 // TODO(davidben): Does this match RFC 5280? It's hard to follow because RFC
1091 // 5280 starts from distribution points, while this starts from CRLs.
1092 return !crl->idp || !crl->idp->distpoint;
1093 }
1094
1095 // Retrieve CRL corresponding to current certificate.
get_crl(X509_STORE_CTX * ctx,X509_CRL ** pcrl,X509 * x)1096 static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) {
1097 X509 *issuer = NULL;
1098 int crl_score = 0;
1099 X509_CRL *crl = NULL;
1100 if (get_crl_sk(ctx, &crl, &issuer, &crl_score, ctx->crls)) {
1101 goto done;
1102 }
1103
1104 // Lookup CRLs from store
1105 STACK_OF(X509_CRL) *skcrl =
1106 X509_STORE_CTX_get1_crls(ctx, X509_get_issuer_name(x));
1107
1108 // If no CRLs found and a near match from get_crl_sk use that
1109 if (!skcrl && crl) {
1110 goto done;
1111 }
1112
1113 get_crl_sk(ctx, &crl, &issuer, &crl_score, skcrl);
1114
1115 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1116
1117 done:
1118
1119 // If we got any kind of CRL use it and return success
1120 if (crl) {
1121 ctx->current_crl_issuer = issuer;
1122 ctx->current_crl_score = crl_score;
1123 *pcrl = crl;
1124 return 1;
1125 }
1126
1127 return 0;
1128 }
1129
1130 // Check CRL validity
check_crl(X509_STORE_CTX * ctx,X509_CRL * crl)1131 static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) {
1132 X509 *issuer = NULL;
1133 int cnum = ctx->error_depth;
1134 int chnum = (int)sk_X509_num(ctx->chain) - 1;
1135 // If we have an alternative CRL issuer cert use that. Otherwise, it is the
1136 // issuer of the current certificate.
1137 if (ctx->current_crl_issuer) {
1138 issuer = ctx->current_crl_issuer;
1139 } else if (cnum < chnum) {
1140 issuer = sk_X509_value(ctx->chain, cnum + 1);
1141 } else {
1142 issuer = sk_X509_value(ctx->chain, chnum);
1143 // If not self signed, can't check signature
1144 if (!x509_check_issued_with_callback(ctx, issuer, issuer)) {
1145 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1146 if (!call_verify_cb(0, ctx)) {
1147 return 0;
1148 }
1149 }
1150 }
1151
1152 if (issuer) {
1153 // Check for cRLSign bit if keyUsage present
1154 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1155 !(issuer->ex_kusage & X509v3_KU_CRL_SIGN)) {
1156 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1157 if (!call_verify_cb(0, ctx)) {
1158 return 0;
1159 }
1160 }
1161
1162 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1163 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1164 if (!call_verify_cb(0, ctx)) {
1165 return 0;
1166 }
1167 }
1168
1169 if (crl->idp_flags & IDP_INVALID) {
1170 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1171 if (!call_verify_cb(0, ctx)) {
1172 return 0;
1173 }
1174 }
1175
1176 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1177 if (!check_crl_time(ctx, crl, 1)) {
1178 return 0;
1179 }
1180 }
1181
1182 // Attempt to get issuer certificate public key
1183 EVP_PKEY *ikey = X509_get0_pubkey(issuer);
1184 if (!ikey) {
1185 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1186 if (!call_verify_cb(0, ctx)) {
1187 return 0;
1188 }
1189 } else {
1190 // Verify CRL signature
1191 if (X509_CRL_verify(crl, ikey) <= 0) {
1192 ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1193 if (!call_verify_cb(0, ctx)) {
1194 return 0;
1195 }
1196 }
1197 }
1198 }
1199
1200 return 1;
1201 }
1202
1203 // Check certificate against CRL
cert_crl(X509_STORE_CTX * ctx,X509_CRL * crl,X509 * x)1204 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) {
1205 // The rules changed for this... previously if a CRL contained unhandled
1206 // critical extensions it could still be used to indicate a certificate
1207 // was revoked. This has since been changed since critical extension can
1208 // change the meaning of CRL entries.
1209 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
1210 (crl->flags & EXFLAG_CRITICAL)) {
1211 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1212 if (!call_verify_cb(0, ctx)) {
1213 return 0;
1214 }
1215 }
1216 // Look for serial number of certificate in CRL.
1217 X509_REVOKED *rev;
1218 if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1219 ctx->error = X509_V_ERR_CERT_REVOKED;
1220 if (!call_verify_cb(0, ctx)) {
1221 return 0;
1222 }
1223 }
1224
1225 return 1;
1226 }
1227
check_policy(X509_STORE_CTX * ctx)1228 static int check_policy(X509_STORE_CTX *ctx) {
1229 X509 *current_cert = NULL;
1230 int ret = X509_policy_check(ctx->chain, ctx->param->policies,
1231 ctx->param->flags, ¤t_cert);
1232 if (ret != X509_V_OK) {
1233 ctx->current_cert = current_cert;
1234 ctx->error = ret;
1235 if (ret == X509_V_ERR_OUT_OF_MEM) {
1236 return 0;
1237 }
1238 return call_verify_cb(0, ctx);
1239 }
1240
1241 return 1;
1242 }
1243
check_cert_time(X509_STORE_CTX * ctx,X509 * x)1244 static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) {
1245 if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {
1246 return 1;
1247 }
1248
1249 int64_t ptime;
1250 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
1251 ptime = ctx->param->check_time;
1252 } else {
1253 ptime = time(NULL);
1254 }
1255
1256 int i = X509_cmp_time_posix(X509_get_notBefore(x), ptime);
1257 if (i == 0) {
1258 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1259 ctx->current_cert = x;
1260 if (!call_verify_cb(0, ctx)) {
1261 return 0;
1262 }
1263 }
1264
1265 if (i > 0) {
1266 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1267 ctx->current_cert = x;
1268 if (!call_verify_cb(0, ctx)) {
1269 return 0;
1270 }
1271 }
1272
1273 i = X509_cmp_time_posix(X509_get_notAfter(x), ptime);
1274 if (i == 0) {
1275 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1276 ctx->current_cert = x;
1277 if (!call_verify_cb(0, ctx)) {
1278 return 0;
1279 }
1280 }
1281
1282 if (i < 0) {
1283 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1284 ctx->current_cert = x;
1285 if (!call_verify_cb(0, ctx)) {
1286 return 0;
1287 }
1288 }
1289
1290 return 1;
1291 }
1292
internal_verify(X509_STORE_CTX * ctx)1293 static int internal_verify(X509_STORE_CTX *ctx) {
1294 // TODO(davidben): This logic is incredibly confusing. Rewrite this:
1295 //
1296 // First, don't allow the verify callback to suppress
1297 // X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, which will simplify the
1298 // signature check. Then replace jumping into the middle of the loop. It's
1299 // trying to ensure that all certificates see |check_cert_time|, then checking
1300 // the root's self signature when requested, but not breaking partial chains
1301 // in the process.
1302 int n = (int)sk_X509_num(ctx->chain);
1303 ctx->error_depth = n - 1;
1304 n--;
1305 X509 *xi = sk_X509_value(ctx->chain, n);
1306 X509 *xs;
1307 if (x509_check_issued_with_callback(ctx, xi, xi)) {
1308 xs = xi;
1309 } else {
1310 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
1311 xs = xi;
1312 goto check_cert;
1313 }
1314 if (n <= 0) {
1315 ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1316 ctx->current_cert = xi;
1317 return call_verify_cb(0, ctx);
1318 }
1319 n--;
1320 ctx->error_depth = n;
1321 xs = sk_X509_value(ctx->chain, n);
1322 }
1323
1324 // ctx->error=0; not needed
1325 while (n >= 0) {
1326 ctx->error_depth = n;
1327
1328 // Skip signature check for self signed certificates unless
1329 // explicitly asked for. It doesn't add any security and just wastes
1330 // time.
1331 if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
1332 EVP_PKEY *pkey = X509_get0_pubkey(xi);
1333 if (pkey == NULL) {
1334 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1335 ctx->current_cert = xi;
1336 if (!call_verify_cb(0, ctx)) {
1337 return 0;
1338 }
1339 } else if (X509_verify(xs, pkey) <= 0) {
1340 ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
1341 ctx->current_cert = xs;
1342 if (!call_verify_cb(0, ctx)) {
1343 return 0;
1344 }
1345 }
1346 }
1347
1348 check_cert:
1349 if (!check_cert_time(ctx, xs)) {
1350 return 0;
1351 }
1352
1353 // The last error (if any) is still in the error value
1354 ctx->current_cert = xs;
1355 if (!call_verify_cb(1, ctx)) {
1356 return 0;
1357 }
1358
1359 n--;
1360 if (n >= 0) {
1361 xi = xs;
1362 xs = sk_X509_value(ctx->chain, n);
1363 }
1364 }
1365
1366 return 1;
1367 }
1368
X509_cmp_current_time(const ASN1_TIME * ctm)1369 int X509_cmp_current_time(const ASN1_TIME *ctm) {
1370 return X509_cmp_time_posix(ctm, time(NULL));
1371 }
1372
X509_cmp_time(const ASN1_TIME * ctm,const time_t * cmp_time)1373 int X509_cmp_time(const ASN1_TIME *ctm, const time_t *cmp_time) {
1374 int64_t compare_time = (cmp_time == NULL) ? time(NULL) : *cmp_time;
1375 return X509_cmp_time_posix(ctm, compare_time);
1376 }
1377
X509_cmp_time_posix(const ASN1_TIME * ctm,int64_t cmp_time)1378 int X509_cmp_time_posix(const ASN1_TIME *ctm, int64_t cmp_time) {
1379 int64_t ctm_time;
1380 if (!ASN1_TIME_to_posix(ctm, &ctm_time)) {
1381 return 0;
1382 }
1383 // The return value 0 is reserved for errors.
1384 return (ctm_time - cmp_time <= 0) ? -1 : 1;
1385 }
1386
X509_gmtime_adj(ASN1_TIME * s,long offset_sec)1387 ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec) {
1388 return X509_time_adj(s, offset_sec, NULL);
1389 }
1390
X509_time_adj(ASN1_TIME * s,long offset_sec,const time_t * in_tm)1391 ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, const time_t *in_tm) {
1392 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1393 }
1394
X509_time_adj_ex(ASN1_TIME * s,int offset_day,long offset_sec,const time_t * in_tm)1395 ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec,
1396 const time_t *in_tm) {
1397 int64_t t = 0;
1398
1399 if (in_tm) {
1400 t = *in_tm;
1401 } else {
1402 t = time(NULL);
1403 }
1404
1405 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1406 }
1407
X509_STORE_CTX_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)1408 int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
1409 CRYPTO_EX_unused *unused,
1410 CRYPTO_EX_dup *dup_unused,
1411 CRYPTO_EX_free *free_func) {
1412 return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);
1413 }
1414
X509_STORE_CTX_set_ex_data(X509_STORE_CTX * ctx,int idx,void * data)1415 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) {
1416 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
1417 }
1418
X509_STORE_CTX_get_ex_data(X509_STORE_CTX * ctx,int idx)1419 void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) {
1420 return CRYPTO_get_ex_data(&ctx->ex_data, idx);
1421 }
1422
X509_STORE_CTX_get_error(const X509_STORE_CTX * ctx)1423 int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx) { return ctx->error; }
1424
X509_STORE_CTX_set_error(X509_STORE_CTX * ctx,int err)1425 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) {
1426 ctx->error = err;
1427 }
1428
X509_STORE_CTX_get_error_depth(const X509_STORE_CTX * ctx)1429 int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx) {
1430 return ctx->error_depth;
1431 }
1432
X509_STORE_CTX_get_current_cert(const X509_STORE_CTX * ctx)1433 X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx) {
1434 return ctx->current_cert;
1435 }
1436
STACK_OF(X509)1437 STACK_OF(X509) *X509_STORE_CTX_get_chain(const X509_STORE_CTX *ctx) {
1438 return ctx->chain;
1439 }
1440
STACK_OF(X509)1441 STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx) {
1442 return ctx->chain;
1443 }
1444
STACK_OF(X509)1445 STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx) {
1446 if (!ctx->chain) {
1447 return NULL;
1448 }
1449 return X509_chain_up_ref(ctx->chain);
1450 }
1451
X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX * ctx)1452 X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx) {
1453 return ctx->current_crl;
1454 }
1455
X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX * ctx)1456 X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx) {
1457 // In OpenSSL, an |X509_STORE_CTX| sometimes has a parent context during CRL
1458 // path validation for indirect CRLs. We require the CRL to be issued
1459 // somewhere along the certificate path, so this is always NULL.
1460 return NULL;
1461 }
1462
X509_STORE_CTX_set_chain(X509_STORE_CTX * ctx,STACK_OF (X509)* sk)1463 void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {
1464 ctx->untrusted = sk;
1465 }
1466
STACK_OF(X509)1467 STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx) {
1468 return ctx->untrusted;
1469 }
1470
X509_STORE_CTX_set0_crls(X509_STORE_CTX * ctx,STACK_OF (X509_CRL)* sk)1471 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) {
1472 ctx->crls = sk;
1473 }
1474
X509_STORE_CTX_set_purpose(X509_STORE_CTX * ctx,int purpose)1475 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) {
1476 // If |purpose| is zero, this function historically silently did nothing.
1477 if (purpose == 0) {
1478 return 1;
1479 }
1480
1481 const X509_PURPOSE *pobj = X509_PURPOSE_get0(purpose);
1482 if (pobj == NULL) {
1483 OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
1484 return 0;
1485 }
1486
1487 int trust = X509_PURPOSE_get_trust(pobj);
1488 if (!X509_STORE_CTX_set_trust(ctx, trust)) {
1489 return 0;
1490 }
1491
1492 if (ctx->param->purpose == 0) {
1493 ctx->param->purpose = purpose;
1494 }
1495 return 1;
1496 }
1497
X509_STORE_CTX_set_trust(X509_STORE_CTX * ctx,int trust)1498 int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) {
1499 // If |trust| is zero, this function historically silently did nothing.
1500 if (trust == 0) {
1501 return 1;
1502 }
1503
1504 if (!X509_is_valid_trust_id(trust)) {
1505 OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
1506 return 0;
1507 }
1508
1509 if (ctx->param->trust == 0) {
1510 ctx->param->trust = trust;
1511 }
1512 return 1;
1513 }
1514
X509_STORE_CTX_new(void)1515 X509_STORE_CTX *X509_STORE_CTX_new(void) {
1516 return OPENSSL_zalloc(sizeof(X509_STORE_CTX));
1517 }
1518
X509_STORE_CTX_free(X509_STORE_CTX * ctx)1519 void X509_STORE_CTX_free(X509_STORE_CTX *ctx) {
1520 if (ctx == NULL) {
1521 return;
1522 }
1523 X509_STORE_CTX_cleanup(ctx);
1524 OPENSSL_free(ctx);
1525 }
1526
X509_STORE_CTX_init(X509_STORE_CTX * ctx,X509_STORE * store,X509 * x509,STACK_OF (X509)* chain)1527 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
1528 STACK_OF(X509) *chain) {
1529 X509_STORE_CTX_cleanup(ctx);
1530
1531 ctx->ctx = store;
1532 ctx->cert = x509;
1533 ctx->untrusted = chain;
1534
1535 CRYPTO_new_ex_data(&ctx->ex_data);
1536
1537 if (store == NULL) {
1538 OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);
1539 goto err;
1540 }
1541
1542 ctx->param = X509_VERIFY_PARAM_new();
1543 if (!ctx->param) {
1544 goto err;
1545 }
1546
1547 // Inherit callbacks and flags from X509_STORE.
1548
1549 ctx->verify_cb = store->verify_cb;
1550
1551 if (!X509_VERIFY_PARAM_inherit(ctx->param, store->param) ||
1552 !X509_VERIFY_PARAM_inherit(ctx->param,
1553 X509_VERIFY_PARAM_lookup("default"))) {
1554 goto err;
1555 }
1556
1557 if (store->verify_cb) {
1558 ctx->verify_cb = store->verify_cb;
1559 } else {
1560 ctx->verify_cb = null_callback;
1561 }
1562
1563 if (store->get_crl) {
1564 ctx->get_crl = store->get_crl;
1565 } else {
1566 ctx->get_crl = get_crl;
1567 }
1568
1569 if (store->check_crl) {
1570 ctx->check_crl = store->check_crl;
1571 } else {
1572 ctx->check_crl = check_crl;
1573 }
1574
1575 return 1;
1576
1577 err:
1578 CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
1579 if (ctx->param != NULL) {
1580 X509_VERIFY_PARAM_free(ctx->param);
1581 }
1582
1583 OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
1584 return 0;
1585 }
1586
1587 // Set alternative lookup method: just a STACK of trusted certificates. This
1588 // avoids X509_STORE nastiness where it isn't needed.
1589
X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX * ctx,STACK_OF (X509)* sk)1590 void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,
1591 STACK_OF(X509) *sk) {
1592 ctx->trusted_stack = sk;
1593 }
1594
X509_STORE_CTX_trusted_stack(X509_STORE_CTX * ctx,STACK_OF (X509)* sk)1595 void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {
1596 X509_STORE_CTX_set0_trusted_stack(ctx, sk);
1597 }
1598
X509_STORE_CTX_cleanup(X509_STORE_CTX * ctx)1599 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) {
1600 CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
1601 X509_VERIFY_PARAM_free(ctx->param);
1602 sk_X509_pop_free(ctx->chain, X509_free);
1603 OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
1604 }
1605
X509_STORE_CTX_set_depth(X509_STORE_CTX * ctx,int depth)1606 void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) {
1607 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
1608 }
1609
X509_STORE_CTX_set_flags(X509_STORE_CTX * ctx,unsigned long flags)1610 void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) {
1611 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
1612 }
1613
X509_STORE_CTX_set_time_posix(X509_STORE_CTX * ctx,unsigned long flags,int64_t t)1614 void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, unsigned long flags,
1615 int64_t t) {
1616 X509_VERIFY_PARAM_set_time_posix(ctx->param, t);
1617 }
1618
X509_STORE_CTX_set_time(X509_STORE_CTX * ctx,unsigned long flags,time_t t)1619 void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
1620 time_t t) {
1621 X509_STORE_CTX_set_time_posix(ctx, flags, t);
1622 }
1623
X509_STORE_CTX_get0_cert(const X509_STORE_CTX * ctx)1624 X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx) { return ctx->cert; }
1625
X509_STORE_CTX_set_verify_cb(X509_STORE_CTX * ctx,int (* verify_cb)(int,X509_STORE_CTX *))1626 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
1627 int (*verify_cb)(int, X509_STORE_CTX *)) {
1628 ctx->verify_cb = verify_cb;
1629 }
1630
X509_STORE_CTX_set_default(X509_STORE_CTX * ctx,const char * name)1631 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) {
1632 const X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_lookup(name);
1633 if (!param) {
1634 return 0;
1635 }
1636 return X509_VERIFY_PARAM_inherit(ctx->param, param);
1637 }
1638
X509_STORE_CTX_get0_param(X509_STORE_CTX * ctx)1639 X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) {
1640 return ctx->param;
1641 }
1642
X509_STORE_CTX_set0_param(X509_STORE_CTX * ctx,X509_VERIFY_PARAM * param)1643 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) {
1644 if (ctx->param) {
1645 X509_VERIFY_PARAM_free(ctx->param);
1646 }
1647 ctx->param = param;
1648 }
1649