-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+/*
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
*
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include <stdio.h>
static int check_policy(X509_STORE_CTX *ctx);
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);
+static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
+static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert);
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
unsigned int *preasons, X509_CRL *crl, X509 *x);
return xtmp;
}
+/*-
+ * Inform the verify callback of an error.
+ * If B<x> is not NULL it is the error cert, otherwise use the chain cert at
+ * B<depth>.
+ * If B<err> is not X509_V_OK, that's the error value, otherwise leave
+ * unchanged (presumably set by the caller).
+ *
+ * Returns 0 to abort verification with an error, non-zero to continue.
+ */
+static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err)
+{
+ ctx->error_depth = depth;
+ ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth);
+ if (err != X509_V_OK)
+ ctx->error = err;
+ return ctx->verify_cb(0, ctx);
+}
+
+/*-
+ * Inform the verify callback of an error, CRL-specific variant. Here, the
+ * error depth and certificate are already set, we just specify the error
+ * number.
+ *
+ * Returns 0 to abort verification with an error, non-zero to continue.
+ */
+static int verify_cb_crl(X509_STORE_CTX *ctx, int err)
+{
+ ctx->error = err;
+ return ctx->verify_cb(0, ctx);
+}
+
+static int check_auth_level(X509_STORE_CTX *ctx)
+{
+ int i;
+ int num = sk_X509_num(ctx->chain);
+
+ if (ctx->param->auth_level <= 0)
+ return 1;
+
+ for (i = 0; i < num; ++i) {
+ X509 *cert = sk_X509_value(ctx->chain, i);
+
+ /*
+ * We've already checked the security of the leaf key, so here we only
+ * check the security of issuer keys.
+ */
+ if (i > 0 && !check_key_level(ctx, cert) &&
+ verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL) == 0)
+ return 0;
+ /*
+ * We also check the signature algorithm security of all certificates
+ * except those of the trust anchor at index num-1.
+ */
+ if (i < num - 1 && !check_sig_level(ctx, cert) &&
+ verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK) == 0)
+ return 0;
+ }
+ return 1;
+}
+
static int verify_chain(X509_STORE_CTX *ctx)
{
int err;
*/
if ((ok = build_chain(ctx)) == 0 ||
(ok = check_chain_extensions(ctx)) == 0 ||
+ (ok = check_auth_level(ctx)) == 0 ||
(ok = check_name_constraints(ctx)) == 0 ||
(ok = check_id(ctx)) == 0 || 1)
X509_get_pubkey_parameters(NULL, ctx->chain);
err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
ctx->param->flags);
if (err != X509_V_OK) {
- ctx->error = err;
- ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
- if ((ok = ctx->verify_cb(0, ctx)) == 0)
+ if ((ok = verify_cb_cert(ctx, NULL, ctx->error_depth, err)) == 0)
return ok;
}
#ifndef OPENSSL_NO_RFC3779
/* RFC 3779 path validation, now that CRL check has been done */
- if ((ok = v3_asid_validate_path(ctx)) == 0)
+ if ((ok = X509v3_asid_validate_path(ctx)) == 0)
return ok;
- if ((ok = v3_addr_validate_path(ctx)) == 0)
+ if ((ok = X509v3_addr_validate_path(ctx)) == 0)
return ok;
#endif
int X509_verify_cert(X509_STORE_CTX *ctx)
{
- struct dane_st *dane = (struct dane_st *)ctx->dane;
+ SSL_DANE *dane = ctx->dane;
+ int ret;
if (ctx->cert == NULL) {
X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
+ ctx->error = X509_V_ERR_INVALID_CALL;
return -1;
}
* cannot do another one.
*/
X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ ctx->error = X509_V_ERR_INVALID_CALL;
return -1;
}
if (((ctx->chain = sk_X509_new_null()) == NULL) ||
(!sk_X509_push(ctx->chain, ctx->cert))) {
X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
return -1;
}
X509_up_ref(ctx->cert);
ctx->num_untrusted = 1;
+ /* If the peer's public key is too weak, we can stop early. */
+ if (!check_key_level(ctx, ctx->cert) &&
+ !verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL))
+ return 0;
+
+ if (DANETLS_ENABLED(dane))
+ ret = dane_verify(ctx);
+ else
+ ret = verify_chain(ctx);
+
/*
- * If dane->trecs is an empty stack, we'll fail, since the user enabled
- * DANE. If none of the TLSA records were usable, and it makes sense to
- * keep going with an unauthenticated handshake, they can handle that in
- * the verify callback, or not set SSL_VERIFY_PEER.
+ * Safety-net. If we are returning an error, we must also set ctx->error,
+ * so that the chain is not considered verified should the error be ignored
+ * (e.g. TLS with SSL_VERIFY_NONE).
*/
- if (DANETLS_ENABLED(dane))
- return dane_verify(ctx);
- return verify_chain(ctx);
+ if (ret <= 0 && ctx->error == X509_V_OK)
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return ret;
}
/*
* Given a STACK_OF(X509) find the issuer of cert (if any)
*/
-
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
int i;
- X509 *issuer, *rv = NULL;;
+
for (i = 0; i < sk_X509_num(sk); i++) {
- issuer = sk_X509_value(sk, i);
- if (ctx->check_issued(ctx, x, issuer)) {
- rv = issuer;
- if (x509_check_cert_time(ctx, rv, 1))
- break;
- }
+ X509 *issuer = sk_X509_value(sk, i);
+
+ if (!ctx->check_issued(ctx, x, issuer))
+ continue;
+ if (x509_check_cert_time(ctx, issuer, -1))
+ return issuer;
}
- return rv;
+ return NULL;
}
/* Given a possible certificate and issuer check them */
}
}
- if (ret == X509_V_OK)
- return 1;
- /* If we haven't asked for issuer errors don't set ctx */
- if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
- return 0;
-
- ctx->error = ret;
- ctx->current_cert = x;
- ctx->current_issuer = issuer;
- return ctx->verify_cb(0, ctx);
+ return (ret == X509_V_OK);
}
/* Alternative lookup method: look from a STACK stored in other_ctx */
break;
}
- ctx->error = X509_V_ERR_INVALID_PURPOSE;
- ctx->error_depth = depth;
- ctx->current_cert = x;
- return ctx->verify_cb(0, ctx);
+ return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE);
}
/*
} else {
allow_proxy_certs =
! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
- /*
- * A hack to keep people who don't want to modify their software
- * happy
- */
- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
- allow_proxy_certs = 1;
purpose = ctx->param->purpose;
}
x = sk_X509_value(ctx->chain, i);
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
&& (x->ex_flags & EXFLAG_CRITICAL)) {
- ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
- ctx->error_depth = i;
- ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx))
+ if (!verify_cb_cert(ctx, x, i,
+ X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION))
return 0;
}
if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
- ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
- ctx->error_depth = i;
- ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx))
+ if (!verify_cb_cert(ctx, x, i,
+ X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED))
return 0;
}
ret = X509_check_ca(x);
ret = 1;
break;
default:
+ /* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */
if ((ret == 0)
- || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
+ || ((i + 1 < num || ctx->param->flags & X509_V_FLAG_X509_STRICT)
&& (ret != 1))) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
ret = 1;
break;
}
- if (ret == 0) {
- ctx->error_depth = i;
- ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx))
- return 0;
- }
- if (purpose > 0) {
- if (!check_purpose(ctx, x, purpose, i, must_be_ca))
- return 0;
- }
+ if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
+ return 0;
+ /* check_purpose() makes the callback as needed */
+ if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
+ return 0;
/* Check pathlen if not self issued */
if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
&& (x->ex_pathlen != -1)
&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
- ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
- ctx->error_depth = i;
- ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx))
+ if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
return 0;
}
/* Increment path length if not self issued */
* the next certificate must be a CA certificate.
*/
if (x->ex_flags & EXFLAG_PROXY) {
- if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
- ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
- ctx->error_depth = i;
- ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx))
- return 0;
+ /*
+ * RFC3820, 4.1.3 (b)(1) stipulates that if pCPathLengthConstraint
+ * is less than max_path_length, the former should be copied to
+ * the latter, and 4.1.4 (a) stipulates that max_path_length
+ * should be verified to be larger than zero and decrement it.
+ *
+ * Because we're checking the certs in the reverse order, we start
+ * with verifying that proxy_path_length isn't larger than pcPLC,
+ * and copy the latter to the former if it is, and finally,
+ * increment proxy_path_length.
+ */
+ if (x->ex_pcpathlen != -1) {
+ if (proxy_path_length > x->ex_pcpathlen) {
+ if (!verify_cb_cert(ctx, x, i,
+ X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED))
+ return 0;
+ }
+ proxy_path_length = x->ex_pcpathlen;
}
proxy_path_length++;
must_be_ca = 0;
static int check_name_constraints(X509_STORE_CTX *ctx)
{
- X509 *x;
- int i, j, rv;
+ int i;
+
/* Check name constraints for all certificates */
for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
- x = sk_X509_value(ctx->chain, i);
+ X509 *x = sk_X509_value(ctx->chain, i);
+ int j;
+
/* Ignore self issued certs unless last in chain */
if (i && (x->ex_flags & EXFLAG_SI))
continue;
+
+ /*
+ * Proxy certificates policy has an extra constraint, where the
+ * certificate subject MUST be the issuer with a single CN entry
+ * added.
+ * (RFC 3820: 3.4, 4.1.3 (a)(4))
+ */
+ if (x->ex_flags & EXFLAG_PROXY) {
+ X509_NAME *tmpsubject = X509_get_subject_name(x);
+ X509_NAME *tmpissuer = X509_get_issuer_name(x);
+ X509_NAME_ENTRY *tmpentry = NULL;
+ int last_object_nid = 0;
+ int err = X509_V_OK;
+ int last_object_loc = X509_NAME_entry_count(tmpsubject) - 1;
+
+ /* Check that there are at least two RDNs */
+ if (last_object_loc < 1) {
+ err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
+ goto proxy_name_done;
+ }
+
+ /*
+ * Check that there is exactly one more RDN in subject as
+ * there is in issuer.
+ */
+ if (X509_NAME_entry_count(tmpsubject)
+ != X509_NAME_entry_count(tmpissuer) + 1) {
+ err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
+ goto proxy_name_done;
+ }
+
+ /*
+ * Check that the last subject component isn't part of a
+ * multivalued RDN
+ */
+ if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,
+ last_object_loc))
+ == X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,
+ last_object_loc - 1))) {
+ err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
+ goto proxy_name_done;
+ }
+
+ /*
+ * Check that the last subject RDN is a commonName, and that
+ * all the previous RDNs match the issuer exactly
+ */
+ tmpsubject = X509_NAME_dup(tmpsubject);
+ if (tmpsubject == NULL) {
+ X509err(X509_F_CHECK_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
+ return 0;
+ }
+
+ tmpentry =
+ X509_NAME_delete_entry(tmpsubject, last_object_loc);
+ last_object_nid =
+ OBJ_obj2nid(X509_NAME_ENTRY_get_object(tmpentry));
+
+ if (last_object_nid != NID_commonName
+ || X509_NAME_cmp(tmpsubject, tmpissuer) != 0) {
+ err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
+ }
+
+ X509_NAME_ENTRY_free(tmpentry);
+ X509_NAME_free(tmpsubject);
+
+ proxy_name_done:
+ if (err != X509_V_OK
+ && !verify_cb_cert(ctx, x, i, err))
+ return 0;
+ }
+
/*
* Check against constraints for all certificates higher in chain
* including trust anchor. Trust anchor not strictly speaking needed
*/
for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
+
if (nc) {
- rv = NAME_CONSTRAINTS_check(x, nc);
- if (rv != X509_V_OK) {
- ctx->error = rv;
- ctx->error_depth = i;
- ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx))
+ int rv = NAME_CONSTRAINTS_check(x, nc);
+
+ /* If EE certificate check commonName too */
+ if (rv == X509_V_OK && i == 0)
+ rv = NAME_CONSTRAINTS_check_CN(x, nc);
+
+ switch (rv) {
+ case X509_V_OK:
+ break;
+ case X509_V_ERR_OUT_OF_MEM:
+ return 0;
+ default:
+ if (!verify_cb_cert(ctx, x, i, rv))
return 0;
+ break;
}
}
}
static int check_id_error(X509_STORE_CTX *ctx, int errcode)
{
- ctx->error = errcode;
- ctx->current_cert = ctx->cert;
- ctx->error_depth = 0;
- return ctx->verify_cb(0, ctx);
+ return verify_cb_cert(ctx, ctx->cert, 0, errcode);
}
static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
static int check_trust(X509_STORE_CTX *ctx, int num_untrusted)
{
- int i, ok = 0;
+ int i;
X509 *x = NULL;
X509 *mx;
- struct dane_st *dane = (struct dane_st *)ctx->dane;
+ SSL_DANE *dane = ctx->dane;
int num = sk_X509_num(ctx->chain);
int trust;
return X509_TRUST_UNTRUSTED;
rejected:
- ctx->error_depth = i;
- ctx->current_cert = x;
- ctx->error = X509_V_ERR_CERT_REJECTED;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
+ if (!verify_cb_cert(ctx, x, i, X509_V_ERR_CERT_REJECTED))
return X509_TRUST_REJECTED;
return X509_TRUST_UNTRUSTED;
static int check_cert(X509_STORE_CTX *ctx)
{
X509_CRL *crl = NULL, *dcrl = NULL;
- X509 *x = NULL;
- int ok = 0, cnum = 0;
- unsigned int last_reasons = 0;
- cnum = ctx->error_depth;
- x = sk_X509_value(ctx->chain, cnum);
+ int ok = 0;
+ int cnum = ctx->error_depth;
+ X509 *x = sk_X509_value(ctx->chain, cnum);
+
ctx->current_cert = x;
ctx->current_issuer = NULL;
ctx->current_crl_score = 0;
ctx->current_reasons = 0;
+
while (ctx->current_reasons != CRLDP_ALL_REASONS) {
- last_reasons = ctx->current_reasons;
+ unsigned int last_reasons = ctx->current_reasons;
+
/* Try to retrieve relevant CRL */
if (ctx->get_crl)
ok = ctx->get_crl(ctx, &crl, x);
* If error looking up CRL, nothing we can do except notify callback
*/
if (!ok) {
- ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
- ok = ctx->verify_cb(0, ctx);
- goto err;
+ ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
+ goto done;
}
ctx->current_crl = crl;
ok = ctx->check_crl(ctx, crl);
if (!ok)
- goto err;
+ goto done;
if (dcrl) {
ok = ctx->check_crl(ctx, dcrl);
if (!ok)
- goto err;
+ goto done;
ok = ctx->cert_crl(ctx, dcrl, x);
if (!ok)
- goto err;
+ goto done;
} else
ok = 1;
if (ok != 2) {
ok = ctx->cert_crl(ctx, crl, x);
if (!ok)
- goto err;
+ goto done;
}
X509_CRL_free(crl);
* so exit loop.
*/
if (last_reasons == ctx->current_reasons) {
- ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
- ok = ctx->verify_cb(0, ctx);
- goto err;
+ ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
+ goto done;
}
}
- err:
+ done:
X509_CRL_free(crl);
X509_CRL_free(dcrl);
ctx->current_crl = NULL;
return ok;
-
}
/* Check CRL times against values in X509_STORE_CTX */
{
time_t *ptime;
int i;
+
if (notify)
ctx->current_crl = crl;
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
if (i == 0) {
if (!notify)
return 0;
- ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
- if (!ctx->verify_cb(0, ctx))
+ if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD))
return 0;
}
if (i > 0) {
if (!notify)
return 0;
- ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
- if (!ctx->verify_cb(0, ctx))
+ if (!verify_cb_crl(ctx, X509_V_ERR_CRL_NOT_YET_VALID))
return 0;
}
if (i == 0) {
if (!notify)
return 0;
- ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
- if (!ctx->verify_cb(0, ctx))
+ if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD))
return 0;
}
/* Ignore expiry of base CRL is delta is valid */
if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
if (!notify)
return 0;
- ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
- if (!ctx->verify_cb(0, ctx))
+ if (!verify_cb_crl(ctx, X509_V_ERR_CRL_HAS_EXPIRED))
return 0;
}
}
{
X509_STORE_CTX crl_ctx;
int ret;
+
/* Don't allow recursive CRL path validation */
if (ctx->parent)
return 0;
/* Verify CRL issuer */
ret = X509_verify_cert(&crl_ctx);
-
if (ret <= 0)
goto err;
/* Check chain is acceptable */
-
ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
err:
X509_STORE_CTX_cleanup(&crl_ctx);
X509_CRL *crl = NULL, *dcrl = NULL;
STACK_OF(X509_CRL) *skcrl;
X509_NAME *nm = X509_get_issuer_name(x);
+
reasons = ctx->current_reasons;
ok = get_crl_sk(ctx, &crl, &dcrl,
&issuer, &crl_score, &reasons, ctx->crls);
-
if (ok)
goto done;
sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
done:
-
/* If we got any kind of CRL use it and return success */
if (crl) {
ctx->current_issuer = issuer;
*pdcrl = dcrl;
return 1;
}
-
return 0;
}
{
X509 *issuer = NULL;
EVP_PKEY *ikey = NULL;
- int ok = 0, chnum, cnum;
- cnum = ctx->error_depth;
- chnum = sk_X509_num(ctx->chain) - 1;
+ int cnum = ctx->error_depth;
+ int chnum = sk_X509_num(ctx->chain) - 1;
+
/* if we have an alternative CRL issuer cert use that */
if (ctx->current_issuer)
issuer = ctx->current_issuer;
-
/*
* Else find CRL issuer: if not last certificate then issuer is next
* certificate in chain.
else {
issuer = sk_X509_value(ctx->chain, chnum);
/* If not self signed, can't check signature */
- if (!ctx->check_issued(ctx, issuer, issuer)) {
- ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
- goto err;
- }
+ if (!ctx->check_issued(ctx, issuer, issuer) &&
+ !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER))
+ return 0;
}
- if (issuer) {
- /*
- * Skip most tests for deltas because they have already been done
- */
- if (!crl->base_crl_number) {
- /* Check for cRLSign bit if keyUsage present */
- if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
- !(issuer->ex_kusage & KU_CRL_SIGN)) {
- ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
- goto err;
- }
+ if (issuer == NULL)
+ return 1;
- if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
- ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
- goto err;
- }
+ /*
+ * Skip most tests for deltas because they have already been done
+ */
+ if (!crl->base_crl_number) {
+ /* Check for cRLSign bit if keyUsage present */
+ if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
+ !(issuer->ex_kusage & KU_CRL_SIGN) &&
+ !verify_cb_crl(ctx, X509_V_ERR_KEYUSAGE_NO_CRL_SIGN))
+ return 0;
- if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
- if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
- ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
- goto err;
- }
- }
+ if (!(ctx->current_crl_score & CRL_SCORE_SCOPE) &&
+ !verify_cb_crl(ctx, X509_V_ERR_DIFFERENT_CRL_SCOPE))
+ return 0;
- if (crl->idp_flags & IDP_INVALID) {
- ctx->error = X509_V_ERR_INVALID_EXTENSION;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
- goto err;
- }
+ if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH) &&
+ check_crl_path(ctx, ctx->current_issuer) <= 0 &&
+ !verify_cb_crl(ctx, X509_V_ERR_CRL_PATH_VALIDATION_ERROR))
+ return 0;
- }
+ if ((crl->idp_flags & IDP_INVALID) &&
+ !verify_cb_crl(ctx, X509_V_ERR_INVALID_EXTENSION))
+ return 0;
+ }
- if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
- ok = check_crl_time(ctx, crl, 1);
- if (!ok)
- goto err;
- }
+ if (!(ctx->current_crl_score & CRL_SCORE_TIME) &&
+ !check_crl_time(ctx, crl, 1))
+ return 0;
- /* Attempt to get issuer certificate public key */
- ikey = X509_get0_pubkey(issuer);
+ /* Attempt to get issuer certificate public key */
+ ikey = X509_get0_pubkey(issuer);
- if (!ikey) {
- ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
- goto err;
- } else {
- int rv;
- rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
- if (rv != X509_V_OK) {
- ctx->error = rv;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
- goto err;
- }
- /* Verify CRL signature */
- if (X509_CRL_verify(crl, ikey) <= 0) {
- ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
- goto err;
- }
- }
- }
+ if (!ikey &&
+ !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
+ return 0;
- ok = 1;
+ if (ikey) {
+ int rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
- err:
- return ok;
+ if (rv != X509_V_OK && !verify_cb_crl(ctx, rv))
+ return 0;
+ /* Verify CRL signature */
+ if (X509_CRL_verify(crl, ikey) <= 0 &&
+ !verify_cb_crl(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE))
+ return 0;
+ }
+ return 1;
}
/* Check certificate against CRL */
static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
{
- int ok;
X509_REVOKED *rev;
+
/*
* The rules changed for this... previously if a CRL contained unhandled
* critical extensions it could still be used to indicate a certificate
- * was revoked. This has since been changed since critical extension can
+ * was revoked. This has since been changed since critical extensions can
* change the meaning of CRL entries.
*/
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
- && (crl->flags & EXFLAG_CRITICAL)) {
- ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
- return 0;
- }
+ && (crl->flags & EXFLAG_CRITICAL) &&
+ !verify_cb_crl(ctx, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION))
+ return 0;
/*
- * Look for serial number of certificate in CRL If found make sure reason
- * is not removeFromCRL.
+ * Look for serial number of certificate in CRL. If found, make sure
+ * reason is not removeFromCRL.
*/
if (X509_CRL_get0_by_cert(crl, &rev, x)) {
if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
return 2;
- ctx->error = X509_V_ERR_CERT_REVOKED;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
+ if (!verify_cb_crl(ctx, X509_V_ERR_CERT_REVOKED))
return 0;
}
*/
if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL)) {
X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;
}
ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
if (ret == X509_PCY_TREE_INTERNAL) {
X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;
}
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
- /*
- * Locate certificates with bad extensions and notify callback.
- */
- X509 *x;
int i;
+
+ /* Locate certificates with bad extensions and notify callback. */
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
- x = sk_X509_value(ctx->chain, i);
+ X509 *x = sk_X509_value(ctx->chain, i);
+
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
continue;
- ctx->current_cert = x;
- ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
- if (!ctx->verify_cb(0, ctx))
+ if (!verify_cb_cert(ctx, x, i,
+ X509_V_ERR_INVALID_POLICY_EXTENSION))
return 0;
}
return 1;
if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
ctx->current_cert = NULL;
- ctx->error = X509_V_OK;
+ /*
+ * Verification errors need to be "sticky", a callback may have allowed
+ * an SSL handshake to continue despite an error, and we must then
+ * remain in an error state. Therefore, we MUST NOT clear earlier
+ * verification errors by setting the error to X509_V_OK.
+ */
if (!ctx->verify_cb(2, ctx))
return 0;
}
return 1;
}
-int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
+/*-
+ * Check certificate validity times.
+ * If depth >= 0, invoke verification callbacks on error, otherwise just return
+ * the validation status.
+ *
+ * Return 1 on success, 0 otherwise.
+ */
+int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
{
time_t *ptime;
int i;
ptime = NULL;
i = X509_cmp_time(X509_get_notBefore(x), ptime);
- if (i == 0) {
- if (quiet)
- return 0;
- ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
- ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx))
- return 0;
- }
-
- if (i > 0) {
- if (quiet)
- return 0;
- ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
- ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx))
- return 0;
- }
+ if (i >= 0 && depth < 0)
+ return 0;
+ if (i == 0 && !verify_cb_cert(ctx, x, depth,
+ X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD))
+ return 0;
+ if (i > 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID))
+ return 0;
i = X509_cmp_time(X509_get_notAfter(x), ptime);
- if (i == 0) {
- if (quiet)
- return 0;
- ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
- ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx))
- return 0;
- }
-
- if (i < 0) {
- if (quiet)
- return 0;
- ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
- ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx))
- return 0;
- }
-
+ if (i <= 0 && depth < 0)
+ return 0;
+ if (i == 0 && !verify_cb_cert(ctx, x, depth,
+ X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD))
+ return 0;
+ if (i < 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_HAS_EXPIRED))
+ return 0;
return 1;
}
static int internal_verify(X509_STORE_CTX *ctx)
{
- int ok = 0, n;
- X509 *xs, *xi;
- EVP_PKEY *pkey = NULL;
-
- n = sk_X509_num(ctx->chain) - 1;
- ctx->error_depth = n;
- xi = sk_X509_value(ctx->chain, n);
+ int n = sk_X509_num(ctx->chain) - 1;
+ X509 *xi = sk_X509_value(ctx->chain, n);
+ X509 *xs;
/*
* With DANE-verified bare public key TA signatures, it remains only to
xs = xi;
goto check_cert;
}
- if (n <= 0) {
- ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
- ctx->current_cert = xi;
- ok = ctx->verify_cb(0, ctx);
- goto end;
- } else {
- n--;
- ctx->error_depth = n;
- xs = sk_X509_value(ctx->chain, n);
- }
+ if (n <= 0)
+ return verify_cb_cert(ctx, xi, 0,
+ X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);
+ n--;
+ ctx->error_depth = n;
+ xs = sk_X509_value(ctx->chain, n);
}
/*
* is allowed to reset errors (at its own peril).
*/
while (n >= 0) {
- ctx->error_depth = n;
+ EVP_PKEY *pkey;
/*
- * Skip signature check for self signed certificates unless
- * explicitly asked for. It doesn't add any security and just wastes
- * time.
+ * Skip signature check for self signed certificates unless explicitly
+ * asked for. It doesn't add any security and just wastes time. If
+ * the issuer's public key is unusable, report the issuer certificate
+ * and its depth (rather than the depth of the subject).
*/
if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
if ((pkey = X509_get0_pubkey(xi)) == NULL) {
- ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
- ctx->current_cert = xi;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
- goto end;
+ if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
+ X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
+ return 0;
} else if (X509_verify(xs, pkey) <= 0) {
- ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
- ctx->current_cert = xs;
- ok = ctx->verify_cb(0, ctx);
- if (!ok)
- goto end;
+ if (!verify_cb_cert(ctx, xs, n,
+ X509_V_ERR_CERT_SIGNATURE_FAILURE))
+ return 0;
}
}
check_cert:
- ok = x509_check_cert_time(ctx, xs, 0);
- if (!ok)
- goto end;
+ /* Calls verify callback as needed */
+ if (!x509_check_cert_time(ctx, xs, n))
+ return 0;
- /* The last error (if any) is still in the error value */
+ /*
+ * Signal success at this depth. However, the previous error (if any)
+ * is retained.
+ */
ctx->current_issuer = xi;
ctx->current_cert = xs;
- ok = ctx->verify_cb(1, ctx);
- if (!ok)
- goto end;
+ ctx->error_depth = n;
+ if (!ctx->verify_cb(1, ctx))
+ return 0;
- n--;
- if (n >= 0) {
+ if (--n >= 0) {
xi = xs;
xs = sk_X509_value(ctx->chain, n);
}
}
- ok = 1;
- end:
- return ok;
+ return 1;
}
int X509_cmp_current_time(const ASN1_TIME *ctm)
return ctx->error_depth;
}
+void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth)
+{
+ ctx->error_depth = depth;
+}
+
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
{
return ctx->current_cert;
}
-STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
+void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x)
+{
+ ctx->current_cert = x;
+}
+
+STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
{
return ctx->chain;
}
ctx->cert = x;
}
-void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
-{
- ctx->untrusted = sk;
-}
-
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
{
ctx->crls = sk;
void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
{
- if (!ctx)
+ if (ctx == NULL)
return;
+
X509_STORE_CTX_cleanup(ctx);
OPENSSL_free(ctx);
}
/* Zero ex_data to make sure we're cleanup-safe */
memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
- if (store) {
- ctx->verify_cb = store->verify_cb;
- /* Seems to always be 0 in OpenSSL, else must be idempotent */
+ /* store->cleanup is always 0 in OpenSSL, if set must be idempotent */
+ if (store)
ctx->cleanup = store->cleanup;
- } else
+ else
ctx->cleanup = 0;
if (store && store->check_issued)
if (store && store->lookup_certs)
ctx->lookup_certs = store->lookup_certs;
else
- ctx->lookup_certs = X509_STORE_get1_certs;
+ ctx->lookup_certs = X509_STORE_CTX_get1_certs;
if (store && store->lookup_crls)
ctx->lookup_crls = store->lookup_crls;
else
- ctx->lookup_crls = X509_STORE_get1_crls;
+ ctx->lookup_crls = X509_STORE_CTX_get1_crls;
ctx->check_policy = check_policy;
* Set alternative lookup method: just a STACK of trusted certificates. This
* avoids X509_STORE nastiness where it isn't needed.
*/
-
-void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
ctx->other_ctx = sk;
ctx->get_issuer = get_issuer_sk;
}
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
- int (*verify_cb) (int, X509_STORE_CTX *))
+ X509_STORE_CTX_verify_cb verify_cb)
{
ctx->verify_cb = verify_cb;
}
+X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx)
+{
+ return ctx->verify_cb;
+}
+
+X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+{
+ return ctx->cert;
+}
+
+STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
+{
+ return ctx->untrusted;
+}
+
+void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+{
+ ctx->untrusted = sk;
+}
+
+void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+{
+ sk_X509_pop_free(ctx->chain, X509_free);
+ ctx->chain = sk;
+}
+
+void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
+ X509_STORE_CTX_verify verify)
+{
+ ctx->verify = verify;
+}
+
+X509_STORE_CTX_verify X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx)
+{
+ return ctx->verify;
+}
+
X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
{
return ctx->tree;
ctx->param = param;
}
-void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, struct dane_st *dane)
+void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane)
{
ctx->dane = dane;
}
static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
{
- struct dane_st *dane = (struct dane_st *)ctx->dane;
+ SSL_DANE *dane = ctx->dane;
unsigned usage = DANETLS_NONE;
unsigned selector = DANETLS_NONE;
unsigned ordinal = DANETLS_NONE;
/*
* If we've previously matched a PKIX-?? record, no need to test any
- * further PKIX-?? records, it remains to just build the PKIX chain.
+ * further PKIX-?? records, it remains to just build the PKIX chain.
* Had the match been a DANE-?? record, we'd be done already.
*/
if (dane->mdpth >= 0)
cmplen = i2dlen;
if (md != NULL) {
- cmpbuf = mdbuf;
- if (!EVP_Digest(i2dbuf, i2dlen, cmpbuf, &cmplen, md, 0)) {
- matched = -1;
+ cmpbuf = mdbuf;
+ if (!EVP_Digest(i2dbuf, i2dlen, cmpbuf, &cmplen, md, 0)) {
+ matched = -1;
break;
}
}
static int check_dane_issuer(X509_STORE_CTX *ctx, int depth)
{
- struct dane_st *dane = (struct dane_st *)ctx->dane;
+ SSL_DANE *dane = ctx->dane;
int matched = 0;
X509 *cert;
return X509_TRUST_UNTRUSTED;
/*
- * Record any DANE trust anchor matches, for the first depth to test, if
+ * Record any DANE trust-anchor matches, for the first depth to test, if
* there's one at that depth. (This'll be false for length 1 chains looking
* for an exact match for the leaf certificate).
*/
static int check_dane_pkeys(X509_STORE_CTX *ctx)
{
- struct dane_st *dane = (struct dane_st *)ctx->dane;
+ SSL_DANE *dane = ctx->dane;
danetls_record *t;
int num = ctx->num_untrusted;
X509 *cert = sk_X509_value(ctx->chain, num - 1);
return X509_TRUST_UNTRUSTED;
}
-static void dane_reset(struct dane_st *dane)
+static void dane_reset(SSL_DANE *dane)
{
/*
* Reset state to verify another chain, or clear after failure.
if (err == X509_V_OK)
return 1;
- ctx->current_cert = cert;
- ctx->error_depth = 0;
- ctx->error = err;
- return ctx->verify_cb(0, ctx);
+ return verify_cb_cert(ctx, cert, 0, err);
}
static int dane_verify(X509_STORE_CTX *ctx)
{
X509 *cert = ctx->cert;
- struct dane_st *dane = (struct dane_st *)ctx->dane;
+ SSL_DANE *dane = ctx->dane;
int matched;
int done;
dane_reset(dane);
+ /*-
+ * When testing the leaf certificate, if we match a DANE-EE(3) record,
+ * dane_match() returns 1 and we're done. If however we match a PKIX-EE(1)
+ * record, the match depth and matching TLSA record are recorded, but the
+ * return value is 0, because we still need to find a PKIX trust-anchor.
+ * Therefore, when DANE authentication is enabled (required), we're done
+ * if:
+ * + matched < 0, internal error.
+ * + matched == 1, we matched a DANE-EE(3) record
+ * + matched == 0, mdepth < 0 (no PKIX-EE match) and there are no
+ * DANE-TA(2) or PKIX-TA(0) to test.
+ */
matched = dane_match(ctx, ctx->cert, 0);
done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0);
X509_get_pubkey_parameters(NULL, ctx->chain);
if (matched > 0) {
+ /* Callback invoked as needed */
if (!check_leaf_suiteb(ctx, cert))
return 0;
+ /* Callback invoked as needed */
+ if ((dane->flags & DANE_FLAG_NO_DANE_EE_NAMECHECKS) == 0 &&
+ !check_id(ctx))
+ return 0;
+ /* Bypass internal_verify(), issue depth 0 success callback */
ctx->error_depth = 0;
ctx->current_cert = cert;
return ctx->verify_cb(1, ctx);
/* Fail early, TA-based success is not possible */
if (!check_leaf_suiteb(ctx, cert))
return 0;
- ctx->current_cert = cert;
- ctx->error_depth = 0;
- ctx->error = X509_V_ERR_DANE_NO_MATCH;
- return ctx->verify_cb(0, ctx);
+ return verify_cb_cert(ctx, cert, 0, X509_V_ERR_DANE_NO_MATCH);
}
/*
return verify_chain(ctx);
}
+/* Get issuer, without duplicate suppression */
+static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
+{
+ STACK_OF(X509) *saved_chain = ctx->chain;
+ int ok;
+
+ ctx->chain = NULL;
+ ok = ctx->get_issuer(issuer, ctx, cert);
+ ctx->chain = saved_chain;
+
+ return ok;
+}
+
static int build_chain(X509_STORE_CTX *ctx)
{
- struct dane_st *dane = (struct dane_st *)ctx->dane;
+ SSL_DANE *dane = ctx->dane;
int num = sk_X509_num(ctx->chain);
X509 *cert = sk_X509_value(ctx->chain, num - 1);
int ss = cert_self_signed(cert);
*/
if (ctx->untrusted && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;
}
- /* Include any untrusted full certificates from DNS */
+ /*
+ * If we got any "DANE-TA(2) Cert(0) Full(0)" trust-anchors from DNS, add
+ * them to our working copy of the untrusted certificate stack. Since the
+ * caller of X509_STORE_CTX_init() may have provided only a leaf cert with
+ * no corresponding stack of untrusted certificates, we may need to create
+ * an empty stack first. [ At present only the ssl library provides DANE
+ * support, and ssl_verify_cert_chain() always provides a non-null stack
+ * containing at least the leaf certificate, but we must be prepared for
+ * this to change. ]
+ */
if (DANETLS_ENABLED(dane) && dane->certs != NULL) {
+ if (sktmp == NULL && (sktmp = sk_X509_new_null()) == NULL) {
+ X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
+ return 0;
+ }
for (i = 0; i < sk_X509_num(dane->certs); ++i) {
if (!sk_X509_push(sktmp, sk_X509_value(dane->certs, i))) {
sk_X509_free(sktmp);
X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;
}
}
/*
* Look in the trust store if enabled for first lookup, or we've run
- * out of untrusted issuers and search here is not disabled. When
- * we exceed the depth limit, we simulate absence of a match.
+ * out of untrusted issuers and search here is not disabled. When we
+ * reach the depth limit, we stop extending the chain, if by that point
+ * we've not found a trust-anchor, any trusted chain would be too long.
+ *
+ * The error reported to the application verify callback is at the
+ * maximal valid depth with the current certificate equal to the last
+ * not ultimately-trusted issuer. For example, with verify_depth = 0,
+ * the callback will report errors at depth=1 when the immediate issuer
+ * of the leaf certificate is not a trust anchor. No attempt will be
+ * made to locate an issuer for that certificate, since such a chain
+ * would be a-priori too long.
*/
if ((search & S_DOTRUSTED) != 0) {
- STACK_OF(X509) *hide = ctx->chain;
-
i = num = sk_X509_num(ctx->chain);
if ((search & S_DOALTERNATE) != 0) {
/*
}
x = sk_X509_value(ctx->chain, i-1);
- /* Suppress duplicate suppression */
- ctx->chain = NULL;
- ok = (depth < num) ? 0 : ctx->get_issuer(&xtmp, ctx, x);
- ctx->chain = hide;
+ ok = (depth < num) ? 0 : get_issuer(&xtmp, ctx, x);
if (ok < 0) {
trust = X509_TRUST_REJECTED;
+ ctx->error = X509_V_ERR_STORE_LOOKUP;
search = 0;
continue;
}
X509_free(xtmp);
X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
trust = X509_TRUST_REJECTED;
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
search = 0;
continue;
}
num = sk_X509_num(ctx->chain);
OPENSSL_assert(num == ctx->num_untrusted);
x = sk_X509_value(ctx->chain, num-1);
- xtmp = (depth < num) ? NULL : find_issuer(ctx, sktmp, x);
/*
* Once we run out of untrusted issuers, we stop looking for more
* and start looking only in the trust store if enabled.
*/
+ xtmp = (ss || depth < num) ? NULL : find_issuer(ctx, sktmp, x);
if (xtmp == NULL) {
search &= ~S_DOUNTRUSTED;
if (may_trusted)
continue;
}
- if (!sk_X509_push(ctx->chain, x = xtmp)) {
+ /* Drop this issuer from future consideration */
+ (void) sk_X509_delete_ptr(sktmp, xtmp);
+
+ if (!sk_X509_push(ctx->chain, xtmp)) {
X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
trust = X509_TRUST_REJECTED;
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
search = 0;
continue;
}
- X509_up_ref(x);
+
+ X509_up_ref(x = xtmp);
++ctx->num_untrusted;
ss = cert_self_signed(xtmp);
- /*
- * Not strictly necessary, but saves cycles looking at the same
- * certificates over and over.
- */
- (void) sk_X509_delete_ptr(sktmp, x);
-
/*
* Check for DANE-TA trust of the topmost untrusted certificate.
*/
case X509_TRUST_TRUSTED:
return 1;
case X509_TRUST_REJECTED:
+ /* Callback already issued */
return 0;
case X509_TRUST_UNTRUSTED:
default:
num = sk_X509_num(ctx->chain);
- ctx->current_cert = sk_X509_value(ctx->chain, num - 1);
- ctx->error_depth = num-1;
if (num > depth)
- ctx->error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
- else if (DANETLS_ENABLED(dane) &&
- (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0))
- ctx->error = X509_V_ERR_DANE_NO_MATCH;
- else if (ss && sk_X509_num(ctx->chain) == 1)
- ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
- else if (ss)
- ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
- else if (ctx->num_untrusted == num)
- ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
- else
- ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
- return ctx->verify_cb(0, ctx);
+ return verify_cb_cert(ctx, NULL, num-1,
+ X509_V_ERR_CERT_CHAIN_TOO_LONG);
+ if (DANETLS_ENABLED(dane) &&
+ (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0))
+ return verify_cb_cert(ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH);
+ if (ss && sk_X509_num(ctx->chain) == 1)
+ return verify_cb_cert(ctx, NULL, num-1,
+ X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
+ if (ss)
+ return verify_cb_cert(ctx, NULL, num-1,
+ X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN);
+ if (ctx->num_untrusted < num)
+ return verify_cb_cert(ctx, NULL, num-1,
+ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT);
+ return verify_cb_cert(ctx, NULL, num-1,
+ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY);
+ }
+}
+
+static const int minbits_table[] = { 80, 112, 128, 192, 256 };
+static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
+
+/*
+ * Check whether the public key of ``cert`` meets the security level of
+ * ``ctx``.
+ *
+ * Returns 1 on success, 0 otherwise.
+ */
+static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
+{
+ EVP_PKEY *pkey = X509_get0_pubkey(cert);
+ int level = ctx->param->auth_level;
+
+ /* Unsupported or malformed keys are not secure */
+ if (pkey == NULL)
+ return 0;
+
+ if (level <= 0)
+ return 1;
+ if (level > NUM_AUTH_LEVELS)
+ level = NUM_AUTH_LEVELS;
+
+ return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1];
+}
+
+/*
+ * Check whether the signature digest algorithm of ``cert`` meets the security
+ * level of ``ctx``. Should not be checked for trust anchors (whether
+ * self-signed or otherwise).
+ *
+ * Returns 1 on success, 0 otherwise.
+ */
+static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
+{
+ int nid = X509_get_signature_nid(cert);
+ int mdnid = NID_undef;
+ int secbits = -1;
+ int level = ctx->param->auth_level;
+
+ if (level <= 0)
+ return 1;
+ if (level > NUM_AUTH_LEVELS)
+ level = NUM_AUTH_LEVELS;
+
+ /* Lookup signature algorithm digest */
+ if (nid && OBJ_find_sigid_algs(nid, &mdnid, NULL)) {
+ const EVP_MD *md;
+
+ /* Assume 4 bits of collision resistance for each hash octet */
+ if (mdnid != NID_undef && (md = EVP_get_digestbynid(mdnid)) != NULL)
+ secbits = EVP_MD_size(md) * 4;
}
+
+ return secbits >= minbits_table[level - 1];
}