static int null_callback(int ok,X509_STORE_CTX *e);
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
-static int check_chain_purpose(X509_STORE_CTX *ctx);
+static int check_chain_extensions(X509_STORE_CTX *ctx);
static int check_trust(X509_STORE_CTX *ctx);
static int check_revocation(X509_STORE_CTX *ctx);
static int check_cert(X509_STORE_CTX *ctx);
static int check_policy(X509_STORE_CTX *ctx);
static int internal_verify(X509_STORE_CTX *ctx);
-const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
+const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
static int null_callback(int ok, X509_STORE_CTX *e)
X509_VERIFY_PARAM *param = ctx->param;
int depth,i,ok=0;
int num;
- int (*cb)();
+ int (*cb)(int xok,X509_STORE_CTX *xctx);
STACK_OF(X509) *sktmp=NULL;
if (ctx->cert == NULL)
{
goto end;
}
CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
- sk_X509_delete_ptr(sktmp,xtmp);
+ (void)sk_X509_delete_ptr(sktmp,xtmp);
ctx->last_untrusted++;
x=xtmp;
num++;
*/
X509_free(x);
x = xtmp;
- sk_X509_set(ctx->chain, i - 1, x);
+ (void)sk_X509_set(ctx->chain, i - 1, x);
ctx->last_untrusted=0;
}
}
}
/* We have the chain complete: now we need to check its purpose */
- if (param->purpose > 0) ok = check_chain_purpose(ctx);
+ ok = check_chain_extensions(ctx);
if (!ok) goto end;
ok=internal_verify(ctx);
if(!ok) goto end;
+#ifndef OPENSSL_NO_RFC3779
+ /* RFC 3779 path validation, now that CRL check has been done */
+ ok = v3_asid_validate_path(ctx);
+ if (!ok) goto end;
+ ok = v3_addr_validate_path(ctx);
+ if (!ok) goto end;
+#endif
+
/* If we get this far evaluate policies */
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
ok = ctx->check_policy(ctx);
* with the supplied purpose
*/
-static int check_chain_purpose(X509_STORE_CTX *ctx)
+static int check_chain_extensions(X509_STORE_CTX *ctx)
{
#ifdef OPENSSL_NO_CHAIN_VERIFY
return 1;
#else
- int i, ok=0;
+ int i, ok=0, must_be_ca, plen = 0;
X509 *x;
- int (*cb)();
+ int (*cb)(int xok,X509_STORE_CTX *xctx);
+ int proxy_path_length = 0;
+ int allow_proxy_certs =
+ !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
cb=ctx->verify_cb;
+
+ /* must_be_ca can have 1 of 3 values:
+ -1: we accept both CA and non-CA certificates, to allow direct
+ use of self-signed certificates (which are marked as CA).
+ 0: we only accept non-CA certificates. This is currently not
+ used, but the possibility is present for future extensions.
+ 1: we only accept CA certificates. This is currently used for
+ all certificates in the chain except the leaf certificate.
+ */
+ must_be_ca = -1;
+
+ /* A hack to keep people who don't want to modify their software
+ happy */
+ if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ allow_proxy_certs = 1;
+
/* Check all untrusted certificates */
for (i = 0; i < ctx->last_untrusted; i++)
{
ok=cb(0,ctx);
if (!ok) goto end;
}
- ret = X509_check_purpose(x, ctx->param->purpose, i);
- if ((ret == 0)
- || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1)))
+ if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
{
- if (i)
+ ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ ok=cb(0,ctx);
+ if (!ok) goto end;
+ }
+ ret = X509_check_ca(x);
+ switch(must_be_ca)
+ {
+ case -1:
+ if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
+ && (ret != 1) && (ret != 0))
+ {
+ ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
+ }
else
- ctx->error = X509_V_ERR_INVALID_PURPOSE;
+ ret = 1;
+ break;
+ case 0:
+ if (ret != 0)
+ {
+ ret = 0;
+ ctx->error = X509_V_ERR_INVALID_NON_CA;
+ }
+ else
+ ret = 1;
+ break;
+ default:
+ if ((ret == 0)
+ || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
+ && (ret != 1)))
+ {
+ ret = 0;
+ ctx->error = X509_V_ERR_INVALID_CA;
+ }
+ else
+ ret = 1;
+ break;
+ }
+ if (ret == 0)
+ {
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
}
- /* Check pathlen */
- if ((i > 1) && (x->ex_pathlen != -1)
- && (i > (x->ex_pathlen + 1)))
+ if (ctx->param->purpose > 0)
+ {
+ ret = X509_check_purpose(x, ctx->param->purpose,
+ must_be_ca > 0);
+ if ((ret == 0)
+ || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
+ && (ret != 1)))
+ {
+ ctx->error = X509_V_ERR_INVALID_PURPOSE;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ ok=cb(0,ctx);
+ if (!ok) goto end;
+ }
+ }
+ /* Check pathlen if not self issued */
+ if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
+ && (x->ex_pathlen != -1)
+ && (plen > (x->ex_pathlen + proxy_path_length + 1)))
{
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ok=cb(0,ctx);
if (!ok) goto end;
}
+ /* Increment path length if not self issued */
+ if (!(x->ex_flags & EXFLAG_SI))
+ plen++;
+ /* If this certificate is a proxy certificate, the next
+ certificate must be another proxy certificate or a EE
+ certificate. If not, the next certificate must be a
+ CA certificate. */
+ if (x->ex_flags & EXFLAG_PROXY)
+ {
+ if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
+ {
+ ctx->error =
+ X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ ok=cb(0,ctx);
+ if (!ok) goto end;
+ }
+ proxy_path_length++;
+ must_be_ca = 0;
+ }
+ else
+ must_be_ca = 1;
}
ok = 1;
end:
#else
int i, ok;
X509 *x;
- int (*cb)();
+ int (*cb)(int xok,X509_STORE_CTX *xctx);
cb=ctx->verify_cb;
/* For now just check the last certificate in the chain */
i = sk_X509_num(ctx->chain) - 1;
}
}
- if (!check_crl_time(ctx, crl, 1))
+ ok = check_crl_time(ctx, crl, 1);
+ if (!ok)
goto err;
ok = 1;
ctx->param->policies, ctx->param->flags);
if (ret == 0)
{
- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
return 0;
}
/* Invalid or inconsistent extensions */
int ok=0,n;
X509 *xs,*xi;
EVP_PKEY *pkey=NULL;
- int (*cb)();
+ int (*cb)(int xok,X509_STORE_CTX *xctx);
cb=ctx->verify_cb;
xs->valid = 1;
- if (!check_cert_time(ctx, xs))
+ ok = check_cert_time(ctx, xs);
+ if (!ok)
goto end;
/* The last error (if any) is still in the error value */
+ ctx->current_issuer=xi;
ctx->current_cert=xs;
ok=(*cb)(1,ctx);
if (!ok) goto end;
offset=0;
else
{
- if ((*str != '+') && (str[5] != '-'))
+ if ((*str != '+') && (*str != '-'))
return 0;
offset=((str[1]-'0')*10+(str[2]-'0'))*60;
offset+=(str[3]-'0')*10+(str[4]-'0');
atm.length=sizeof(buff2);
atm.data=(unsigned char *)buff2;
- X509_time_adj(&atm,-offset*60, cmp_time);
+ if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+ return 0;
if (ctm->type == V_ASN1_UTCTIME)
{
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
{
if (ctx->cleanup) ctx->cleanup(ctx);
- X509_VERIFY_PARAM_free(ctx->param);
- if (ctx->tree)
+ if (ctx->param != NULL)
+ {
+ X509_VERIFY_PARAM_free(ctx->param);
+ ctx->param=NULL;
+ }
+ if (ctx->tree != NULL)
+ {
X509_policy_tree_free(ctx->tree);
+ ctx->tree=NULL;
+ }
if (ctx->chain != NULL)
{
sk_X509_pop_free(ctx->chain,X509_free);
projects / oweals / openssl.git / blobdiff