grpc 1.53.0 → 1.54.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of grpc might be problematic. Click here for more details.

Files changed (685) hide show
  1. checksums.yaml +4 -4
  2. data/Makefile +80 -66
  3. data/include/grpc/event_engine/event_engine.h +30 -14
  4. data/include/grpc/grpc_security.h +4 -0
  5. data/include/grpc/impl/grpc_types.h +11 -2
  6. data/include/grpc/support/port_platform.h +4 -4
  7. data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
  8. data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
  9. data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
  10. data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
  11. data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
  12. data/src/core/ext/filters/client_channel/client_channel.h +131 -173
  13. data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
  14. data/src/core/ext/filters/client_channel/config_selector.h +4 -3
  15. data/src/core/ext/filters/client_channel/http_proxy.cc +1 -1
  16. data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
  17. data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
  18. data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
  19. data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +1 -15
  20. data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
  21. data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
  22. data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -3
  23. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
  24. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
  25. data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
  26. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
  27. data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
  28. data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
  29. data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
  30. data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
  31. data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
  32. data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
  33. data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
  34. data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
  35. data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
  36. data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
  37. data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
  38. data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
  39. data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
  40. data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
  41. data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
  42. data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
  43. data/src/core/ext/gcp/metadata_query.cc +142 -0
  44. data/src/core/ext/gcp/metadata_query.h +82 -0
  45. data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
  46. data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +149 -60
  47. data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
  48. data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
  49. data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
  50. data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +42 -23
  51. data/src/core/ext/transport/chttp2/transport/hpack_parser.h +5 -3
  52. data/src/core/ext/transport/chttp2/transport/internal.h +18 -3
  53. data/src/core/ext/transport/chttp2/transport/parsing.cc +9 -2
  54. data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
  55. data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
  56. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
  57. data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
  58. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
  59. data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
  60. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
  61. data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
  62. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
  63. data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
  64. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
  65. data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
  66. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
  67. data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
  68. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
  69. data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
  70. data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
  71. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
  72. data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
  73. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
  74. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
  75. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
  76. data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
  77. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
  78. data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
  79. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
  80. data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
  81. data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
  82. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
  83. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
  84. data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
  85. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
  86. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
  87. data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
  88. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
  89. data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
  90. data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
  91. data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
  92. data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
  93. data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
  94. data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
  95. data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
  96. data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
  97. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
  98. data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
  99. data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
  100. data/src/core/ext/xds/xds_client_stats.cc +29 -15
  101. data/src/core/ext/xds/xds_client_stats.h +24 -20
  102. data/src/core/ext/xds/xds_endpoint.cc +5 -2
  103. data/src/core/ext/xds/xds_endpoint.h +9 -1
  104. data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
  105. data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
  106. data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
  107. data/src/core/{ext/filters/client_channel/resolver/dns/dns_resolver_selection.h → lib/backoff/random_early_detection.cc} +14 -12
  108. data/src/core/lib/backoff/random_early_detection.h +59 -0
  109. data/src/core/lib/channel/call_finalization.h +1 -1
  110. data/src/core/lib/channel/call_tracer.cc +51 -0
  111. data/src/core/lib/channel/call_tracer.h +101 -38
  112. data/src/core/lib/channel/connected_channel.cc +483 -1050
  113. data/src/core/lib/channel/context.h +8 -1
  114. data/src/core/lib/channel/promise_based_filter.cc +106 -42
  115. data/src/core/lib/channel/promise_based_filter.h +27 -13
  116. data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
  117. data/src/core/lib/config/config_vars.cc +151 -0
  118. data/src/core/lib/config/config_vars.h +127 -0
  119. data/src/core/lib/config/config_vars_non_generated.cc +51 -0
  120. data/src/core/lib/config/load_config.cc +66 -0
  121. data/src/core/lib/config/load_config.h +49 -0
  122. data/src/core/lib/debug/trace.cc +5 -6
  123. data/src/core/lib/debug/trace.h +0 -5
  124. data/src/core/lib/event_engine/event_engine.cc +37 -2
  125. data/src/core/lib/event_engine/handle_containers.h +7 -22
  126. data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
  127. data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
  128. data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
  129. data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
  130. data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
  131. data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
  132. data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -3
  133. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
  134. data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
  135. data/src/core/lib/event_engine/resolved_address.cc +2 -1
  136. data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
  137. data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
  138. data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
  139. data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
  140. data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
  141. data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
  142. data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
  143. data/src/core/lib/experiments/config.cc +3 -10
  144. data/src/core/lib/experiments/experiments.cc +7 -0
  145. data/src/core/lib/experiments/experiments.h +9 -1
  146. data/src/core/lib/gpr/log.cc +15 -28
  147. data/src/core/lib/gprpp/fork.cc +8 -14
  148. data/src/core/lib/gprpp/orphanable.h +4 -3
  149. data/src/core/lib/gprpp/per_cpu.h +9 -3
  150. data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
  151. data/src/core/lib/gprpp/ref_counted.h +33 -34
  152. data/src/core/lib/gprpp/thd.h +16 -0
  153. data/src/core/lib/gprpp/time.cc +1 -0
  154. data/src/core/lib/gprpp/time.h +4 -4
  155. data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
  156. data/src/core/lib/iomgr/call_combiner.h +2 -2
  157. data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
  158. data/src/core/lib/iomgr/endpoint_pair.h +2 -2
  159. data/src/core/lib/iomgr/endpoint_pair_posix.cc +2 -2
  160. data/src/core/lib/iomgr/endpoint_pair_windows.cc +1 -1
  161. data/src/core/lib/iomgr/ev_posix.cc +13 -53
  162. data/src/core/lib/iomgr/ev_posix.h +0 -3
  163. data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
  164. data/src/core/lib/iomgr/iomgr.cc +4 -8
  165. data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
  166. data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
  167. data/src/core/lib/iomgr/pollset_windows.cc +1 -1
  168. data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
  169. data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
  170. data/src/core/lib/iomgr/tcp_posix.cc +0 -1
  171. data/src/core/lib/iomgr/tcp_server_posix.cc +5 -16
  172. data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
  173. data/src/core/lib/iomgr/tcp_windows.cc +12 -8
  174. data/src/core/lib/load_balancing/lb_policy.cc +9 -13
  175. data/src/core/lib/load_balancing/lb_policy.h +4 -2
  176. data/src/core/lib/promise/activity.cc +22 -6
  177. data/src/core/lib/promise/activity.h +61 -24
  178. data/src/core/lib/promise/cancel_callback.h +77 -0
  179. data/src/core/lib/promise/detail/basic_seq.h +1 -1
  180. data/src/core/lib/promise/detail/promise_factory.h +4 -0
  181. data/src/core/lib/promise/for_each.h +176 -0
  182. data/src/core/lib/promise/if.h +9 -0
  183. data/src/core/lib/promise/interceptor_list.h +23 -2
  184. data/src/core/lib/promise/latch.h +89 -3
  185. data/src/core/lib/promise/loop.h +13 -9
  186. data/src/core/lib/promise/map.h +7 -0
  187. data/src/core/lib/promise/party.cc +286 -0
  188. data/src/core/lib/promise/party.h +499 -0
  189. data/src/core/lib/promise/pipe.h +197 -57
  190. data/src/core/lib/promise/poll.h +48 -0
  191. data/src/core/lib/promise/promise.h +2 -2
  192. data/src/core/lib/resource_quota/arena.cc +19 -3
  193. data/src/core/lib/resource_quota/arena.h +119 -5
  194. data/src/core/lib/resource_quota/memory_quota.cc +1 -1
  195. data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
  196. data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
  197. data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
  198. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
  199. data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
  200. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
  201. data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
  202. data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
  203. data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
  204. data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
  205. data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
  206. data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
  207. data/src/core/lib/slice/slice.cc +1 -1
  208. data/src/core/lib/surface/builtins.cc +2 -0
  209. data/src/core/lib/surface/call.cc +926 -1024
  210. data/src/core/lib/surface/call.h +10 -0
  211. data/src/core/lib/surface/lame_client.cc +1 -0
  212. data/src/core/lib/surface/version.cc +2 -2
  213. data/src/core/lib/transport/batch_builder.cc +179 -0
  214. data/src/core/lib/transport/batch_builder.h +468 -0
  215. data/src/core/lib/transport/bdp_estimator.cc +7 -7
  216. data/src/core/lib/transport/bdp_estimator.h +10 -6
  217. data/src/core/lib/transport/custom_metadata.h +30 -0
  218. data/src/core/lib/transport/metadata_batch.cc +9 -6
  219. data/src/core/lib/transport/metadata_batch.h +58 -16
  220. data/src/core/lib/transport/parsed_metadata.h +3 -3
  221. data/src/core/lib/transport/timeout_encoding.cc +6 -1
  222. data/src/core/lib/transport/transport.cc +30 -2
  223. data/src/core/lib/transport/transport.h +70 -14
  224. data/src/core/lib/transport/transport_impl.h +7 -0
  225. data/src/core/lib/transport/transport_op_string.cc +52 -42
  226. data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
  227. data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
  228. data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
  229. data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
  230. data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
  231. data/src/core/tsi/ssl_transport_security.cc +4 -2
  232. data/src/ruby/lib/grpc/version.rb +1 -1
  233. data/third_party/abseil-cpp/absl/base/config.h +1 -1
  234. data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
  235. data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
  236. data/third_party/abseil-cpp/absl/flags/config.h +68 -0
  237. data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
  238. data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
  239. data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
  240. data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
  241. data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
  242. data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
  243. data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
  244. data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
  245. data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
  246. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
  247. data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
  248. data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
  249. data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
  250. data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
  251. data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
  252. data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
  253. data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
  254. data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
  255. data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
  256. data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
  257. data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
  258. data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
  259. data/third_party/boringssl-with-bazel/err_data.c +728 -712
  260. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
  261. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
  262. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
  263. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
  264. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
  265. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
  266. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
  267. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
  268. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
  269. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
  270. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
  271. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
  272. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
  273. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
  274. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
  275. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
  276. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
  277. data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
  278. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
  279. data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
  280. data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
  281. data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
  282. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
  283. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
  284. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
  285. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
  286. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
  287. data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
  288. data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
  289. data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
  290. data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
  291. data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
  292. data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
  293. data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
  294. data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
  295. data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
  296. data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
  297. data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
  298. data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
  299. data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
  300. data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
  301. data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
  302. data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
  303. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
  304. data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
  305. data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
  306. data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
  307. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
  308. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
  309. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
  310. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
  311. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
  312. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
  313. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
  314. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
  315. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
  316. data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
  317. data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
  318. data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
  319. data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
  320. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
  321. data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
  322. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
  323. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
  324. data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
  325. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
  326. data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
  327. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
  328. data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
  329. data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
  330. data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
  331. data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
  332. data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
  333. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
  334. data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
  335. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
  336. data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
  337. data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
  338. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
  339. data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
  340. data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
  341. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
  342. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
  343. data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
  344. data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
  345. data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
  346. data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
  347. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
  348. data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
  349. data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
  350. data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
  351. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
  352. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
  353. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
  354. data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
  355. data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
  356. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
  357. data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
  358. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
  359. data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
  360. data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
  361. data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
  362. data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
  363. data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
  364. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
  365. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
  366. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
  367. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
  368. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
  369. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
  370. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
  371. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
  372. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
  373. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
  374. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
  375. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
  376. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
  377. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
  378. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
  379. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
  380. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
  381. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
  382. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
  383. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
  384. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
  385. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
  386. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
  387. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
  388. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
  389. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
  390. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
  391. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
  392. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
  393. data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
  394. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
  395. data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
  396. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
  397. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
  398. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
  399. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
  400. data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
  401. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
  402. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
  403. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
  404. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
  405. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
  406. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
  407. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
  408. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
  409. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
  410. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
  411. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
  412. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
  413. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
  414. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
  415. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
  416. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
  417. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
  418. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
  419. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
  420. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
  421. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
  422. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
  423. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
  424. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
  425. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
  426. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
  427. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
  428. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
  429. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
  430. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
  431. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
  432. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
  433. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
  434. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
  435. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
  436. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
  437. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
  438. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
  439. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
  440. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
  441. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
  442. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
  443. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
  444. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
  445. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
  446. data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
  447. data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
  448. data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
  449. data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
  450. data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
  451. data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
  452. data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
  453. data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
  454. data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
  455. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
  456. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
  457. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
  458. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
  459. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
  460. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
  461. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
  462. data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
  463. data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
  464. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
  465. data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
  466. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
  467. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
  468. data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
  469. data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
  470. data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
  471. data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
  472. data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
  473. data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
  474. data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
  475. data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
  476. data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
  477. data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
  478. data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
  479. data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
  480. data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
  481. data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
  482. data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
  483. data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
  484. data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
  485. data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
  486. data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
  487. data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
  488. data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
  489. data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
  490. data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
  491. data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
  492. data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
  493. data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
  494. data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
  495. data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
  496. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
  497. data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
  498. data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
  499. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
  500. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
  501. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
  502. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
  503. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
  504. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
  505. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
  506. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
  507. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
  508. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
  509. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
  510. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
  511. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
  512. data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
  513. data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
  514. data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
  515. data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
  516. data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
  517. data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
  518. data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
  519. data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
  520. data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
  521. data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
  522. data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
  523. data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
  524. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
  525. data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
  526. data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
  527. data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
  528. data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
  529. data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
  530. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
  531. data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
  532. data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
  533. data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
  534. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
  535. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
  536. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
  537. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
  538. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
  539. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
  540. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
  541. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
  542. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
  543. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
  544. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
  545. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
  546. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
  547. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
  548. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
  549. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
  550. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
  551. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
  552. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
  553. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
  554. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
  555. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
  556. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
  557. data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
  558. data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
  559. data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
  560. data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
  561. data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
  562. data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
  563. data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
  564. data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
  565. data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
  566. data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
  567. data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
  568. data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
  569. data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
  570. data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
  571. data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
  572. data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
  573. data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
  574. data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
  575. data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
  576. data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
  577. data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
  578. data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
  579. data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
  580. data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
  581. data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
  582. data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
  583. data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
  584. data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
  585. data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
  586. data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
  587. data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
  588. data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
  589. data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
  590. data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
  591. data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
  592. data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
  593. data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
  594. data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
  595. data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
  596. data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
  597. data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
  598. data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
  599. data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
  600. data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
  601. data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
  602. data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
  603. data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
  604. data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
  605. data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
  606. data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
  607. data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
  608. data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
  609. data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
  610. data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
  611. data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
  612. data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
  613. data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
  614. data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
  615. data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
  616. data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
  617. data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
  618. data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
  619. data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
  620. data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
  621. data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
  622. data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
  623. data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
  624. data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
  625. data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
  626. data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
  627. data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
  628. data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
  629. data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
  630. data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
  631. data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
  632. data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
  633. data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
  634. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
  635. data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
  636. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
  637. data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
  638. metadata +105 -70
  639. data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
  640. data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
  641. data/src/core/lib/gprpp/global_config.h +0 -93
  642. data/src/core/lib/gprpp/global_config_env.cc +0 -140
  643. data/src/core/lib/gprpp/global_config_env.h +0 -133
  644. data/src/core/lib/gprpp/global_config_generic.h +0 -40
  645. data/src/core/lib/promise/intra_activity_waiter.h +0 -55
  646. data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
  647. data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
  648. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
  649. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
  650. data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
  651. data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
  652. data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
  653. data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
  654. data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
  655. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
  656. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
  657. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
  658. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
  659. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
  660. data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
  661. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
  662. data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
  663. /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
  664. /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
  665. /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
  666. /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
  667. /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
  668. /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
  669. /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
  670. /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
  671. /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
  672. /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
  673. /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
  674. /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
  675. /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
  676. /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
  677. /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
  678. /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
  679. /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
  680. /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
  681. /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
  682. /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
  683. /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
  684. /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
  685. /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
@@ -67,50 +67,51 @@
67
67
  #include <openssl/x509.h>
68
68
  #include <openssl/x509v3.h>
69
69
 
70
- #include "internal.h"
71
70
  #include "../internal.h"
72
71
  #include "../x509v3/internal.h"
72
+ #include "internal.h"
73
73
 
74
74
  static CRYPTO_EX_DATA_CLASS g_ex_data_class =
75
75
  CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
76
76
 
77
- /* CRL score values */
77
+ // CRL score values
78
78
 
79
- /* No unhandled critical extensions */
79
+ // No unhandled critical extensions
80
80
 
81
- #define CRL_SCORE_NOCRITICAL 0x100
81
+ #define CRL_SCORE_NOCRITICAL 0x100
82
82
 
83
- /* certificate is within CRL scope */
83
+ // certificate is within CRL scope
84
84
 
85
- #define CRL_SCORE_SCOPE 0x080
85
+ #define CRL_SCORE_SCOPE 0x080
86
86
 
87
- /* CRL times valid */
87
+ // CRL times valid
88
88
 
89
- #define CRL_SCORE_TIME 0x040
89
+ #define CRL_SCORE_TIME 0x040
90
90
 
91
- /* Issuer name matches certificate */
91
+ // Issuer name matches certificate
92
92
 
93
- #define CRL_SCORE_ISSUER_NAME 0x020
93
+ #define CRL_SCORE_ISSUER_NAME 0x020
94
94
 
95
- /* If this score or above CRL is probably valid */
95
+ // If this score or above CRL is probably valid
96
96
 
97
- #define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
97
+ #define CRL_SCORE_VALID \
98
+ (CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE)
98
99
 
99
- /* CRL issuer is certificate issuer */
100
+ // CRL issuer is certificate issuer
100
101
 
101
- #define CRL_SCORE_ISSUER_CERT 0x018
102
+ #define CRL_SCORE_ISSUER_CERT 0x018
102
103
 
103
- /* CRL issuer is on certificate path */
104
+ // CRL issuer is on certificate path
104
105
 
105
- #define CRL_SCORE_SAME_PATH 0x008
106
+ #define CRL_SCORE_SAME_PATH 0x008
106
107
 
107
- /* CRL issuer matches CRL AKID */
108
+ // CRL issuer matches CRL AKID
108
109
 
109
- #define CRL_SCORE_AKID 0x004
110
+ #define CRL_SCORE_AKID 0x004
110
111
 
111
- /* Have a delta CRL with valid times */
112
+ // Have a delta CRL with valid times
112
113
 
113
- #define CRL_SCORE_TIME_DELTA 0x002
114
+ #define CRL_SCORE_TIME_DELTA 0x002
114
115
 
115
116
  static int null_callback(int ok, X509_STORE_CTX *e);
116
117
  static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
@@ -125,2332 +126,2146 @@ static int check_policy(X509_STORE_CTX *ctx);
125
126
 
126
127
  static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
127
128
  unsigned int *preasons, X509_CRL *crl, X509 *x);
128
- static int get_crl_delta(X509_STORE_CTX *ctx,
129
- X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
130
- static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl,
131
- int *pcrl_score, X509_CRL *base,
132
- STACK_OF(X509_CRL) *crls);
129
+ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
130
+ X509 *x);
131
+ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
132
+ X509_CRL *base, STACK_OF(X509_CRL) *crls);
133
133
  static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
134
134
  int *pcrl_score);
135
135
  static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
136
136
  unsigned int *preasons);
137
137
  static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
138
- static int check_crl_chain(X509_STORE_CTX *ctx,
139
- STACK_OF(X509) *cert_path,
138
+ static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
140
139
  STACK_OF(X509) *crl_path);
141
140
 
142
141
  static int internal_verify(X509_STORE_CTX *ctx);
143
142
 
144
- static int null_callback(int ok, X509_STORE_CTX *e)
145
- {
146
- return ok;
147
- }
143
+ static int null_callback(int ok, X509_STORE_CTX *e) { return ok; }
148
144
 
149
- /* cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns
150
- * one and sets |*out_is_self_signed| to the result. If |x| is invalid, it
151
- * returns zero. */
152
- static int cert_self_signed(X509 *x, int *out_is_self_signed)
153
- {
154
- if (!x509v3_cache_extensions(x)) {
155
- return 0;
156
- }
157
- *out_is_self_signed = (x->ex_flags & EXFLAG_SS) != 0;
158
- return 1;
145
+ // cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns
146
+ // one and sets |*out_is_self_signed| to the result. If |x| is invalid, it
147
+ // returns zero.
148
+ static int cert_self_signed(X509 *x, int *out_is_self_signed) {
149
+ if (!x509v3_cache_extensions(x)) {
150
+ return 0;
151
+ }
152
+ *out_is_self_signed = (x->ex_flags & EXFLAG_SS) != 0;
153
+ return 1;
159
154
  }
160
155
 
161
- /* Given a certificate try and find an exact match in the store */
162
-
163
- static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
164
- {
165
- STACK_OF(X509) *certs;
166
- X509 *xtmp = NULL;
167
- size_t i;
168
- /* Lookup all certs with matching subject name */
169
- certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
170
- if (certs == NULL)
171
- return NULL;
172
- /* Look for exact match */
173
- for (i = 0; i < sk_X509_num(certs); i++) {
174
- xtmp = sk_X509_value(certs, i);
175
- if (!X509_cmp(xtmp, x))
176
- break;
177
- }
178
- if (i < sk_X509_num(certs))
179
- X509_up_ref(xtmp);
180
- else
181
- xtmp = NULL;
182
- sk_X509_pop_free(certs, X509_free);
183
- return xtmp;
184
- }
185
-
186
- int X509_verify_cert(X509_STORE_CTX *ctx)
187
- {
188
- X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
189
- int bad_chain = 0;
190
- X509_VERIFY_PARAM *param = ctx->param;
191
- int depth, i, ok = 0;
192
- int num, j, retry, trust;
193
- int (*cb) (int xok, X509_STORE_CTX *xctx);
194
- STACK_OF(X509) *sktmp = NULL;
195
- if (ctx->cert == NULL) {
196
- OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
197
- ctx->error = X509_V_ERR_INVALID_CALL;
198
- return -1;
199
- }
200
- if (ctx->chain != NULL) {
201
- /*
202
- * This X509_STORE_CTX has already been used to verify a cert. We
203
- * cannot do another one.
204
- */
205
- OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
206
- ctx->error = X509_V_ERR_INVALID_CALL;
207
- return -1;
208
- }
209
-
210
- cb = ctx->verify_cb;
211
-
212
- /*
213
- * first we make sure the chain we are going to build is present and that
214
- * the first entry is in place
215
- */
216
- ctx->chain = sk_X509_new_null();
217
- if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
218
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
219
- ctx->error = X509_V_ERR_OUT_OF_MEM;
220
- goto end;
221
- }
222
- X509_up_ref(ctx->cert);
223
- ctx->last_untrusted = 1;
156
+ // Given a certificate try and find an exact match in the store
224
157
 
225
- /* We use a temporary STACK so we can chop and hack at it. */
226
- if (ctx->untrusted != NULL
227
- && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
228
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
229
- ctx->error = X509_V_ERR_OUT_OF_MEM;
158
+ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) {
159
+ STACK_OF(X509) *certs;
160
+ X509 *xtmp = NULL;
161
+ size_t i;
162
+ // Lookup all certs with matching subject name
163
+ certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
164
+ if (certs == NULL) {
165
+ return NULL;
166
+ }
167
+ // Look for exact match
168
+ for (i = 0; i < sk_X509_num(certs); i++) {
169
+ xtmp = sk_X509_value(certs, i);
170
+ if (!X509_cmp(xtmp, x)) {
171
+ break;
172
+ }
173
+ }
174
+ if (i < sk_X509_num(certs)) {
175
+ X509_up_ref(xtmp);
176
+ } else {
177
+ xtmp = NULL;
178
+ }
179
+ sk_X509_pop_free(certs, X509_free);
180
+ return xtmp;
181
+ }
182
+
183
+ int X509_verify_cert(X509_STORE_CTX *ctx) {
184
+ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
185
+ int bad_chain = 0;
186
+ X509_VERIFY_PARAM *param = ctx->param;
187
+ int depth, i, ok = 0;
188
+ int num, j, retry, trust;
189
+ STACK_OF(X509) *sktmp = NULL;
190
+
191
+ if (ctx->cert == NULL) {
192
+ OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
193
+ ctx->error = X509_V_ERR_INVALID_CALL;
194
+ return -1;
195
+ }
196
+ if (ctx->chain != NULL) {
197
+ // This X509_STORE_CTX has already been used to verify a cert. We
198
+ // cannot do another one.
199
+ OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
200
+ ctx->error = X509_V_ERR_INVALID_CALL;
201
+ return -1;
202
+ }
203
+
204
+ // first we make sure the chain we are going to build is present and that
205
+ // the first entry is in place
206
+ ctx->chain = sk_X509_new_null();
207
+ if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
208
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
209
+ goto end;
210
+ }
211
+ X509_up_ref(ctx->cert);
212
+ ctx->last_untrusted = 1;
213
+
214
+ // We use a temporary STACK so we can chop and hack at it.
215
+ if (ctx->untrusted != NULL && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
216
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
217
+ goto end;
218
+ }
219
+
220
+ num = sk_X509_num(ctx->chain);
221
+ x = sk_X509_value(ctx->chain, num - 1);
222
+ depth = param->depth;
223
+
224
+ for (;;) {
225
+ // If we have enough, we break
226
+ if (depth < num) {
227
+ break; // FIXME: If this happens, we should take
228
+ // note of it and, if appropriate, use the
229
+ // X509_V_ERR_CERT_CHAIN_TOO_LONG error code
230
+ // later.
231
+ }
232
+
233
+ int is_self_signed;
234
+ if (!cert_self_signed(x, &is_self_signed)) {
235
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
236
+ goto end;
237
+ }
238
+
239
+ // If we are self signed, we break
240
+ if (is_self_signed) {
241
+ break;
242
+ }
243
+ // If asked see if we can find issuer in trusted store first
244
+ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
245
+ ok = ctx->get_issuer(&xtmp, ctx, x);
246
+ if (ok < 0) {
247
+ ctx->error = X509_V_ERR_STORE_LOOKUP;
230
248
  goto end;
231
- }
232
-
233
- num = sk_X509_num(ctx->chain);
234
- x = sk_X509_value(ctx->chain, num - 1);
235
- depth = param->depth;
236
-
237
- for (;;) {
238
- /* If we have enough, we break */
239
- if (depth < num)
240
- break; /* FIXME: If this happens, we should take
241
- * note of it and, if appropriate, use the
242
- * X509_V_ERR_CERT_CHAIN_TOO_LONG error code
243
- * later. */
244
-
245
- int is_self_signed;
246
- if (!cert_self_signed(x, &is_self_signed)) {
247
- ctx->error = X509_V_ERR_INVALID_EXTENSION;
248
- goto end;
249
- }
250
-
251
- /* If we are self signed, we break */
252
- if (is_self_signed)
253
- break;
254
- /*
255
- * If asked see if we can find issuer in trusted store first
256
- */
257
- if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
258
- ok = ctx->get_issuer(&xtmp, ctx, x);
259
- if (ok < 0) {
260
- ctx->error = X509_V_ERR_STORE_LOOKUP;
261
- goto end;
262
- }
263
- /*
264
- * If successful for now free up cert so it will be picked up
265
- * again later.
266
- */
267
- if (ok > 0) {
268
- X509_free(xtmp);
269
- break;
270
- }
271
- }
272
-
273
- /* If we were passed a cert chain, use it first */
274
- if (sktmp != NULL) {
275
- xtmp = find_issuer(ctx, sktmp, x);
276
- if (xtmp != NULL) {
277
- if (!sk_X509_push(ctx->chain, xtmp)) {
278
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
279
- ctx->error = X509_V_ERR_OUT_OF_MEM;
280
- ok = 0;
281
- goto end;
282
- }
283
- X509_up_ref(xtmp);
284
- (void)sk_X509_delete_ptr(sktmp, xtmp);
285
- ctx->last_untrusted++;
286
- x = xtmp;
287
- num++;
288
- /*
289
- * reparse the full chain for the next one
290
- */
291
- continue;
292
- }
293
- }
249
+ }
250
+ // If successful for now free up cert so it will be picked up
251
+ // again later.
252
+ if (ok > 0) {
253
+ X509_free(xtmp);
294
254
  break;
255
+ }
295
256
  }
296
257
 
297
- /* Remember how many untrusted certs we have */
298
- j = num;
299
- /*
300
- * at this point, chain should contain a list of untrusted certificates.
301
- * We now need to add at least one trusted one, if possible, otherwise we
302
- * complain.
303
- */
304
-
305
- do {
306
- /*
307
- * Examine last certificate in chain and see if it is self signed.
308
- */
309
- i = sk_X509_num(ctx->chain);
310
- x = sk_X509_value(ctx->chain, i - 1);
311
-
312
- int is_self_signed;
313
- if (!cert_self_signed(x, &is_self_signed)) {
314
- ctx->error = X509_V_ERR_INVALID_EXTENSION;
315
- goto end;
258
+ // If we were passed a cert chain, use it first
259
+ if (sktmp != NULL) {
260
+ xtmp = find_issuer(ctx, sktmp, x);
261
+ if (xtmp != NULL) {
262
+ if (!sk_X509_push(ctx->chain, xtmp)) {
263
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
264
+ ok = 0;
265
+ goto end;
316
266
  }
317
-
318
- if (is_self_signed) {
319
- /* we have a self signed certificate */
320
- if (sk_X509_num(ctx->chain) == 1) {
321
- /*
322
- * We have a single self signed certificate: see if we can
323
- * find it in the store. We must have an exact match to avoid
324
- * possible impersonation.
325
- */
326
- ok = ctx->get_issuer(&xtmp, ctx, x);
327
- if ((ok <= 0) || X509_cmp(x, xtmp)) {
328
- ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
329
- ctx->current_cert = x;
330
- ctx->error_depth = i - 1;
331
- if (ok == 1)
332
- X509_free(xtmp);
333
- bad_chain = 1;
334
- ok = cb(0, ctx);
335
- if (!ok)
336
- goto end;
337
- } else {
338
- /*
339
- * We have a match: replace certificate with store
340
- * version so we get any trust settings.
341
- */
342
- X509_free(x);
343
- x = xtmp;
344
- (void)sk_X509_set(ctx->chain, i - 1, x);
345
- ctx->last_untrusted = 0;
346
- }
347
- } else {
348
- /*
349
- * extract and save self signed certificate for later use
350
- */
351
- chain_ss = sk_X509_pop(ctx->chain);
352
- ctx->last_untrusted--;
353
- num--;
354
- j--;
355
- x = sk_X509_value(ctx->chain, num - 1);
356
- }
357
- }
358
- /* We now lookup certs from the certificate store */
359
- for (;;) {
360
- /* If we have enough, we break */
361
- if (depth < num)
362
- break;
363
- if (!cert_self_signed(x, &is_self_signed)) {
364
- ctx->error = X509_V_ERR_INVALID_EXTENSION;
365
- goto end;
366
- }
367
- /* If we are self signed, we break */
368
- if (is_self_signed)
369
- break;
370
- ok = ctx->get_issuer(&xtmp, ctx, x);
371
-
372
- if (ok < 0) {
373
- ctx->error = X509_V_ERR_STORE_LOOKUP;
374
- goto end;
375
- }
376
- if (ok == 0)
377
- break;
378
- x = xtmp;
379
- if (!sk_X509_push(ctx->chain, x)) {
380
- X509_free(xtmp);
381
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
382
- ctx->error = X509_V_ERR_OUT_OF_MEM;
383
- ok = 0;
384
- goto end;
385
- }
386
- num++;
387
- }
388
-
389
- /* we now have our chain, lets check it... */
390
- trust = check_trust(ctx);
391
-
392
- /* If explicitly rejected error */
393
- if (trust == X509_TRUST_REJECTED) {
394
- ok = 0;
267
+ X509_up_ref(xtmp);
268
+ (void)sk_X509_delete_ptr(sktmp, xtmp);
269
+ ctx->last_untrusted++;
270
+ x = xtmp;
271
+ num++;
272
+ // reparse the full chain for the next one
273
+ continue;
274
+ }
275
+ }
276
+ break;
277
+ }
278
+
279
+ // Remember how many untrusted certs we have
280
+ j = num;
281
+ // at this point, chain should contain a list of untrusted certificates.
282
+ // We now need to add at least one trusted one, if possible, otherwise we
283
+ // complain.
284
+
285
+ do {
286
+ // Examine last certificate in chain and see if it is self signed.
287
+ i = sk_X509_num(ctx->chain);
288
+ x = sk_X509_value(ctx->chain, i - 1);
289
+
290
+ int is_self_signed;
291
+ if (!cert_self_signed(x, &is_self_signed)) {
292
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
293
+ goto end;
294
+ }
295
+
296
+ if (is_self_signed) {
297
+ // we have a self signed certificate
298
+ if (sk_X509_num(ctx->chain) == 1) {
299
+ // We have a single self signed certificate: see if we can
300
+ // find it in the store. We must have an exact match to avoid
301
+ // possible impersonation.
302
+ ok = ctx->get_issuer(&xtmp, ctx, x);
303
+ if ((ok <= 0) || X509_cmp(x, xtmp)) {
304
+ ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
305
+ ctx->current_cert = x;
306
+ ctx->error_depth = i - 1;
307
+ if (ok == 1) {
308
+ X509_free(xtmp);
309
+ }
310
+ bad_chain = 1;
311
+ ok = ctx->verify_cb(0, ctx);
312
+ if (!ok) {
395
313
  goto end;
396
- }
397
- /*
398
- * If it's not explicitly trusted then check if there is an alternative
399
- * chain that could be used. We only do this if we haven't already
400
- * checked via TRUSTED_FIRST and the user hasn't switched off alternate
401
- * chain checking
402
- */
403
- retry = 0;
404
- if (trust != X509_TRUST_TRUSTED
405
- && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
406
- && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
407
- while (j-- > 1) {
408
- xtmp2 = sk_X509_value(ctx->chain, j - 1);
409
- ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
410
- if (ok < 0)
411
- goto end;
412
- /* Check if we found an alternate chain */
413
- if (ok > 0) {
414
- /*
415
- * Free up the found cert we'll add it again later
416
- */
417
- X509_free(xtmp);
418
-
419
- /*
420
- * Dump all the certs above this point - we've found an
421
- * alternate chain
422
- */
423
- while (num > j) {
424
- xtmp = sk_X509_pop(ctx->chain);
425
- X509_free(xtmp);
426
- num--;
427
- }
428
- ctx->last_untrusted = sk_X509_num(ctx->chain);
429
- retry = 1;
430
- break;
431
- }
432
- }
433
- }
434
- } while (retry);
435
-
436
- /*
437
- * If not explicitly trusted then indicate error unless it's a single
438
- * self signed certificate in which case we've indicated an error already
439
- * and set bad_chain == 1
440
- */
441
- if (trust != X509_TRUST_TRUSTED && !bad_chain) {
442
- if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
443
- if (ctx->last_untrusted >= num)
444
- ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
445
- else
446
- ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
447
- ctx->current_cert = x;
314
+ }
448
315
  } else {
449
-
450
- sk_X509_push(ctx->chain, chain_ss);
451
- num++;
452
- ctx->last_untrusted = num;
453
- ctx->current_cert = chain_ss;
454
- ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
455
- chain_ss = NULL;
316
+ // We have a match: replace certificate with store
317
+ // version so we get any trust settings.
318
+ X509_free(x);
319
+ x = xtmp;
320
+ (void)sk_X509_set(ctx->chain, i - 1, x);
321
+ ctx->last_untrusted = 0;
456
322
  }
457
-
458
- ctx->error_depth = num - 1;
459
- bad_chain = 1;
460
- ok = cb(0, ctx);
461
- if (!ok)
462
- goto end;
463
- }
464
-
465
- /* We have the chain complete: now we need to check its purpose */
466
- ok = check_chain_extensions(ctx);
467
-
468
- if (!ok)
469
- goto end;
470
-
471
- ok = check_id(ctx);
472
-
473
- if (!ok)
474
- goto end;
475
-
476
- /*
477
- * Check revocation status: we do this after copying parameters because
478
- * they may be needed for CRL signature verification.
479
- */
480
-
481
- ok = ctx->check_revocation(ctx);
482
- if (!ok)
323
+ } else {
324
+ // extract and save self signed certificate for later use
325
+ chain_ss = sk_X509_pop(ctx->chain);
326
+ ctx->last_untrusted--;
327
+ num--;
328
+ j--;
329
+ x = sk_X509_value(ctx->chain, num - 1);
330
+ }
331
+ }
332
+ // We now lookup certs from the certificate store
333
+ for (;;) {
334
+ // If we have enough, we break
335
+ if (depth < num) {
336
+ break;
337
+ }
338
+ if (!cert_self_signed(x, &is_self_signed)) {
339
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
483
340
  goto end;
341
+ }
342
+ // If we are self signed, we break
343
+ if (is_self_signed) {
344
+ break;
345
+ }
346
+ ok = ctx->get_issuer(&xtmp, ctx, x);
484
347
 
485
- int err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
486
- ctx->param->flags);
487
- if (err != X509_V_OK) {
488
- ctx->error = err;
489
- ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
490
- ok = cb(0, ctx);
491
- if (!ok)
492
- goto end;
493
- }
494
-
495
- /* At this point, we have a chain and need to verify it */
496
- if (ctx->verify != NULL)
497
- ok = ctx->verify(ctx);
498
- else
499
- ok = internal_verify(ctx);
500
- if (!ok)
348
+ if (ok < 0) {
349
+ ctx->error = X509_V_ERR_STORE_LOOKUP;
501
350
  goto end;
502
-
503
- /* Check name constraints */
504
-
505
- ok = check_name_constraints(ctx);
506
- if (!ok)
351
+ }
352
+ if (ok == 0) {
353
+ break;
354
+ }
355
+ x = xtmp;
356
+ if (!sk_X509_push(ctx->chain, x)) {
357
+ X509_free(xtmp);
358
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
359
+ ok = 0;
507
360
  goto end;
361
+ }
362
+ num++;
363
+ }
364
+
365
+ // we now have our chain, lets check it...
366
+ trust = check_trust(ctx);
367
+
368
+ // If explicitly rejected error
369
+ if (trust == X509_TRUST_REJECTED) {
370
+ ok = 0;
371
+ goto end;
372
+ }
373
+ // If it's not explicitly trusted then check if there is an alternative
374
+ // chain that could be used. We only do this if we haven't already
375
+ // checked via TRUSTED_FIRST and the user hasn't switched off alternate
376
+ // chain checking
377
+ retry = 0;
378
+ if (trust != X509_TRUST_TRUSTED &&
379
+ !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) &&
380
+ !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
381
+ while (j-- > 1) {
382
+ xtmp2 = sk_X509_value(ctx->chain, j - 1);
383
+ ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
384
+ if (ok < 0) {
385
+ goto end;
386
+ }
387
+ // Check if we found an alternate chain
388
+ if (ok > 0) {
389
+ // Free up the found cert we'll add it again later
390
+ X509_free(xtmp);
391
+
392
+ // Dump all the certs above this point - we've found an
393
+ // alternate chain
394
+ while (num > j) {
395
+ xtmp = sk_X509_pop(ctx->chain);
396
+ X509_free(xtmp);
397
+ num--;
398
+ }
399
+ ctx->last_untrusted = sk_X509_num(ctx->chain);
400
+ retry = 1;
401
+ break;
402
+ }
403
+ }
404
+ }
405
+ } while (retry);
406
+
407
+ // If not explicitly trusted then indicate error unless it's a single
408
+ // self signed certificate in which case we've indicated an error already
409
+ // and set bad_chain == 1
410
+ if (trust != X509_TRUST_TRUSTED && !bad_chain) {
411
+ if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
412
+ if (ctx->last_untrusted >= num) {
413
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
414
+ } else {
415
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
416
+ }
417
+ ctx->current_cert = x;
418
+ } else {
419
+ sk_X509_push(ctx->chain, chain_ss);
420
+ num++;
421
+ ctx->last_untrusted = num;
422
+ ctx->current_cert = chain_ss;
423
+ ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
424
+ chain_ss = NULL;
425
+ }
426
+
427
+ ctx->error_depth = num - 1;
428
+ bad_chain = 1;
429
+ ok = ctx->verify_cb(0, ctx);
430
+ if (!ok) {
431
+ goto end;
432
+ }
433
+ }
434
+
435
+ // We have the chain complete: now we need to check its purpose
436
+ ok = check_chain_extensions(ctx);
437
+
438
+ if (!ok) {
439
+ goto end;
440
+ }
441
+
442
+ ok = check_id(ctx);
443
+
444
+ if (!ok) {
445
+ goto end;
446
+ }
447
+
448
+ // Check revocation status: we do this after copying parameters because
449
+ // they may be needed for CRL signature verification.
450
+
451
+ ok = ctx->check_revocation(ctx);
452
+ if (!ok) {
453
+ goto end;
454
+ }
455
+
456
+ // At this point, we have a chain and need to verify it
457
+ if (ctx->verify != NULL) {
458
+ ok = ctx->verify(ctx);
459
+ } else {
460
+ ok = internal_verify(ctx);
461
+ }
462
+ if (!ok) {
463
+ goto end;
464
+ }
465
+
466
+ // Check name constraints
467
+
468
+ ok = check_name_constraints(ctx);
469
+ if (!ok) {
470
+ goto end;
471
+ }
472
+
473
+ // If we get this far evaluate policies
474
+ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) {
475
+ ok = ctx->check_policy(ctx);
476
+ }
477
+
478
+ end:
479
+ if (sktmp != NULL) {
480
+ sk_X509_free(sktmp);
481
+ }
482
+ if (chain_ss != NULL) {
483
+ X509_free(chain_ss);
484
+ }
485
+
486
+ // Safety net, error returns must set ctx->error
487
+ if (ok <= 0 && ctx->error == X509_V_OK) {
488
+ ctx->error = X509_V_ERR_UNSPECIFIED;
489
+ }
490
+ return ok;
491
+ }
492
+
493
+ // Given a STACK_OF(X509) find the issuer of cert (if any)
494
+
495
+ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) {
496
+ size_t i;
497
+ X509 *issuer;
498
+ for (i = 0; i < sk_X509_num(sk); i++) {
499
+ issuer = sk_X509_value(sk, i);
500
+ if (ctx->check_issued(ctx, x, issuer)) {
501
+ return issuer;
502
+ }
503
+ }
504
+ return NULL;
505
+ }
506
+
507
+ // Given a possible certificate and issuer check them
508
+
509
+ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) {
510
+ int ret;
511
+ ret = X509_check_issued(issuer, x);
512
+ if (ret == X509_V_OK) {
513
+ return 1;
514
+ }
515
+ // If we haven't asked for issuer errors don't set ctx
516
+ if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) {
517
+ return 0;
518
+ }
508
519
 
509
- /* If we get this far evaluate policies */
510
- if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
511
- ok = ctx->check_policy(ctx);
512
-
513
- end:
514
- if (sktmp != NULL)
515
- sk_X509_free(sktmp);
516
- if (chain_ss != NULL)
517
- X509_free(chain_ss);
518
-
519
- /* Safety net, error returns must set ctx->error */
520
- if (ok <= 0 && ctx->error == X509_V_OK)
521
- ctx->error = X509_V_ERR_UNSPECIFIED;
522
- return ok;
523
- }
524
-
525
- /*
526
- * Given a STACK_OF(X509) find the issuer of cert (if any)
527
- */
528
-
529
- static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
530
- {
531
- size_t i;
532
- X509 *issuer;
533
- for (i = 0; i < sk_X509_num(sk); i++) {
534
- issuer = sk_X509_value(sk, i);
535
- if (ctx->check_issued(ctx, x, issuer))
536
- return issuer;
537
- }
538
- return NULL;
539
- }
540
-
541
- /* Given a possible certificate and issuer check them */
542
-
543
- static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
544
- {
545
- int ret;
546
- ret = X509_check_issued(issuer, x);
547
- if (ret == X509_V_OK)
548
- return 1;
549
- /* If we haven't asked for issuer errors don't set ctx */
550
- if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
551
- return 0;
552
-
553
- ctx->error = ret;
554
- ctx->current_cert = x;
555
- ctx->current_issuer = issuer;
556
- return ctx->verify_cb(0, ctx);
520
+ ctx->error = ret;
521
+ ctx->current_cert = x;
522
+ ctx->current_issuer = issuer;
523
+ return ctx->verify_cb(0, ctx);
557
524
  }
558
525
 
559
- /* Alternative lookup method: look from a STACK stored in other_ctx */
526
+ // Alternative lookup method: look from a STACK stored in other_ctx
560
527
 
561
- static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
562
- {
563
- *issuer = find_issuer(ctx, ctx->other_ctx, x);
564
- if (*issuer) {
565
- X509_up_ref(*issuer);
566
- return 1;
567
- } else
568
- return 0;
528
+ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) {
529
+ *issuer = find_issuer(ctx, ctx->other_ctx, x);
530
+ if (*issuer) {
531
+ X509_up_ref(*issuer);
532
+ return 1;
533
+ } else {
534
+ return 0;
535
+ }
569
536
  }
570
537
 
571
- /*
572
- * Check a certificate chains extensions for consistency with the supplied
573
- * purpose
574
- */
575
-
576
- static int check_chain_extensions(X509_STORE_CTX *ctx)
577
- {
578
- int i, ok = 0, plen = 0;
579
- X509 *x;
580
- int (*cb) (int xok, X509_STORE_CTX *xctx);
581
- int proxy_path_length = 0;
582
- int purpose;
583
- int allow_proxy_certs;
584
- cb = ctx->verify_cb;
585
-
586
- enum {
587
- // ca_or_leaf allows either type of certificate so that direct use of
588
- // self-signed certificates works.
589
- ca_or_leaf,
590
- must_be_ca,
591
- must_not_be_ca,
592
- } ca_requirement;
593
-
594
- /* CRL path validation */
595
- if (ctx->parent) {
596
- allow_proxy_certs = 0;
597
- purpose = X509_PURPOSE_CRL_SIGN;
598
- } else {
599
- allow_proxy_certs =
600
- ! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
601
- purpose = ctx->param->purpose;
602
- }
603
-
604
- ca_requirement = ca_or_leaf;
538
+ // Check a certificate chains extensions for consistency with the supplied
539
+ // purpose
605
540
 
606
- /* Check all untrusted certificates */
607
- for (i = 0; i < ctx->last_untrusted; i++) {
608
- int ret;
609
- x = sk_X509_value(ctx->chain, i);
610
- if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
611
- && (x->ex_flags & EXFLAG_CRITICAL)) {
612
- ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
613
- ctx->error_depth = i;
614
- ctx->current_cert = x;
615
- ok = cb(0, ctx);
616
- if (!ok)
617
- goto end;
618
- }
619
- if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
620
- ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
621
- ctx->error_depth = i;
622
- ctx->current_cert = x;
623
- ok = cb(0, ctx);
624
- if (!ok)
625
- goto end;
626
- }
627
-
628
- switch (ca_requirement) {
629
- case ca_or_leaf:
630
- ret = 1;
631
- break;
632
- case must_not_be_ca:
633
- if (X509_check_ca(x)) {
634
- ret = 0;
635
- ctx->error = X509_V_ERR_INVALID_NON_CA;
636
- } else
637
- ret = 1;
638
- break;
639
- case must_be_ca:
640
- if (!X509_check_ca(x)) {
641
- ret = 0;
642
- ctx->error = X509_V_ERR_INVALID_CA;
643
- } else
644
- ret = 1;
645
- break;
646
- default:
647
- // impossible.
648
- ret = 0;
649
- }
541
+ static int check_chain_extensions(X509_STORE_CTX *ctx) {
542
+ int ok = 0, plen = 0;
650
543
 
651
- if (ret == 0) {
652
- ctx->error_depth = i;
653
- ctx->current_cert = x;
654
- ok = cb(0, ctx);
655
- if (!ok)
656
- goto end;
657
- }
658
- if (ctx->param->purpose > 0) {
659
- ret = X509_check_purpose(x, purpose, ca_requirement == must_be_ca);
660
- if (ret != 1) {
661
- ret = 0;
662
- ctx->error = X509_V_ERR_INVALID_PURPOSE;
663
- ctx->error_depth = i;
664
- ctx->current_cert = x;
665
- ok = cb(0, ctx);
666
- if (!ok)
667
- goto end;
668
- }
669
- }
670
- /* Check pathlen if not self issued */
671
- if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
672
- && (x->ex_pathlen != -1)
673
- && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
674
- ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
675
- ctx->error_depth = i;
676
- ctx->current_cert = x;
677
- ok = cb(0, ctx);
678
- if (!ok)
679
- goto end;
680
- }
681
- /* Increment path length if not self issued */
682
- if (!(x->ex_flags & EXFLAG_SI))
683
- plen++;
684
- /*
685
- * If this certificate is a proxy certificate, the next certificate
686
- * must be another proxy certificate or a EE certificate. If not,
687
- * the next certificate must be a CA certificate.
688
- */
689
- if (x->ex_flags & EXFLAG_PROXY) {
690
- if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
691
- ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
692
- ctx->error_depth = i;
693
- ctx->current_cert = x;
694
- ok = cb(0, ctx);
695
- if (!ok)
696
- goto end;
697
- }
698
- proxy_path_length++;
699
- ca_requirement = must_not_be_ca;
700
- } else {
701
- ca_requirement = must_be_ca;
702
- }
703
- }
704
- ok = 1;
705
- end:
706
- return ok;
707
- }
544
+ // If |ctx->parent| is set, this is CRL path validation.
545
+ int purpose =
546
+ ctx->parent == NULL ? ctx->param->purpose : X509_PURPOSE_CRL_SIGN;
708
547
 
709
- static int reject_dns_name_in_common_name(X509 *x509)
710
- {
711
- X509_NAME *name = X509_get_subject_name(x509);
712
- int i = -1;
713
- for (;;) {
714
- i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
715
- if (i == -1) {
716
- return X509_V_OK;
717
- }
718
-
719
- X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
720
- ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(entry);
721
- unsigned char *idval;
722
- int idlen = ASN1_STRING_to_UTF8(&idval, common_name);
723
- if (idlen < 0) {
724
- return X509_V_ERR_OUT_OF_MEM;
725
- }
726
- /* Only process attributes that look like host names. Note it is
727
- * important that this check be mirrored in |X509_check_host|. */
728
- int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
729
- OPENSSL_free(idval);
730
- if (looks_like_dns) {
731
- return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;
732
- }
733
- }
734
- }
735
-
736
- static int check_name_constraints(X509_STORE_CTX *ctx)
737
- {
738
- int i, j, rv;
739
- int has_name_constraints = 0;
740
- /* Check name constraints for all certificates */
741
- for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
742
- X509 *x = sk_X509_value(ctx->chain, i);
743
- /* Ignore self issued certs unless last in chain */
744
- if (i && (x->ex_flags & EXFLAG_SI))
745
- continue;
746
- /*
747
- * Check against constraints for all certificates higher in chain
748
- * including trust anchor. Trust anchor not strictly speaking needed
749
- * but if it includes constraints it is to be assumed it expects them
750
- * to be obeyed.
751
- */
752
- for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
753
- NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
754
- if (nc) {
755
- has_name_constraints = 1;
756
- rv = NAME_CONSTRAINTS_check(x, nc);
757
- switch (rv) {
758
- case X509_V_OK:
759
- continue;
760
- case X509_V_ERR_OUT_OF_MEM:
761
- ctx->error = rv;
762
- return 0;
763
- default:
764
- ctx->error = rv;
765
- ctx->error_depth = i;
766
- ctx->current_cert = x;
767
- if (!ctx->verify_cb(0, ctx))
768
- return 0;
769
- break;
770
- }
771
- }
772
- }
548
+ // Check all untrusted certificates
549
+ for (int i = 0; i < ctx->last_untrusted; i++) {
550
+ X509 *x = sk_X509_value(ctx->chain, i);
551
+ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
552
+ (x->ex_flags & EXFLAG_CRITICAL)) {
553
+ ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
554
+ ctx->error_depth = i;
555
+ ctx->current_cert = x;
556
+ ok = ctx->verify_cb(0, ctx);
557
+ if (!ok) {
558
+ goto end;
559
+ }
773
560
  }
774
561
 
775
- /* Name constraints do not match against the common name, but
776
- * |X509_check_host| still implements the legacy behavior where, on
777
- * certificates lacking a SAN list, DNS-like names in the common name are
778
- * checked instead.
779
- *
780
- * While we could apply the name constraints to the common name, name
781
- * constraints are rare enough that can hold such certificates to a higher
782
- * standard. Note this does not make "DNS-like" heuristic failures any
783
- * worse. A decorative common-name misidentified as a DNS name would fail
784
- * the name constraint anyway. */
785
- X509 *leaf = sk_X509_value(ctx->chain, 0);
786
- if (has_name_constraints && leaf->altname == NULL) {
787
- rv = reject_dns_name_in_common_name(leaf);
562
+ int must_be_ca = i > 0;
563
+ if (must_be_ca && !X509_check_ca(x)) {
564
+ ctx->error = X509_V_ERR_INVALID_CA;
565
+ ctx->error_depth = i;
566
+ ctx->current_cert = x;
567
+ ok = ctx->verify_cb(0, ctx);
568
+ if (!ok) {
569
+ goto end;
570
+ }
571
+ }
572
+ if (ctx->param->purpose > 0 &&
573
+ X509_check_purpose(x, purpose, must_be_ca) != 1) {
574
+ ctx->error = X509_V_ERR_INVALID_PURPOSE;
575
+ ctx->error_depth = i;
576
+ ctx->current_cert = x;
577
+ ok = ctx->verify_cb(0, ctx);
578
+ if (!ok) {
579
+ goto end;
580
+ }
581
+ }
582
+ // Check pathlen if not self issued
583
+ if (i > 1 && !(x->ex_flags & EXFLAG_SI) && x->ex_pathlen != -1 &&
584
+ plen > x->ex_pathlen + 1) {
585
+ ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
586
+ ctx->error_depth = i;
587
+ ctx->current_cert = x;
588
+ ok = ctx->verify_cb(0, ctx);
589
+ if (!ok) {
590
+ goto end;
591
+ }
592
+ }
593
+ // Increment path length if not self issued
594
+ if (!(x->ex_flags & EXFLAG_SI)) {
595
+ plen++;
596
+ }
597
+ }
598
+ ok = 1;
599
+ end:
600
+ return ok;
601
+ }
602
+
603
+ static int reject_dns_name_in_common_name(X509 *x509) {
604
+ const X509_NAME *name = X509_get_subject_name(x509);
605
+ int i = -1;
606
+ for (;;) {
607
+ i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
608
+ if (i == -1) {
609
+ return X509_V_OK;
610
+ }
611
+
612
+ const X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
613
+ const ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(entry);
614
+ unsigned char *idval;
615
+ int idlen = ASN1_STRING_to_UTF8(&idval, common_name);
616
+ if (idlen < 0) {
617
+ return X509_V_ERR_OUT_OF_MEM;
618
+ }
619
+ // Only process attributes that look like host names. Note it is
620
+ // important that this check be mirrored in |X509_check_host|.
621
+ int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
622
+ OPENSSL_free(idval);
623
+ if (looks_like_dns) {
624
+ return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;
625
+ }
626
+ }
627
+ }
628
+
629
+ static int check_name_constraints(X509_STORE_CTX *ctx) {
630
+ int i, j, rv;
631
+ int has_name_constraints = 0;
632
+ // Check name constraints for all certificates
633
+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
634
+ X509 *x = sk_X509_value(ctx->chain, i);
635
+ // Ignore self issued certs unless last in chain
636
+ if (i && (x->ex_flags & EXFLAG_SI)) {
637
+ continue;
638
+ }
639
+ // Check against constraints for all certificates higher in chain
640
+ // including trust anchor. Trust anchor not strictly speaking needed
641
+ // but if it includes constraints it is to be assumed it expects them
642
+ // to be obeyed.
643
+ for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
644
+ NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
645
+ if (nc) {
646
+ has_name_constraints = 1;
647
+ rv = NAME_CONSTRAINTS_check(x, nc);
788
648
  switch (rv) {
789
- case X509_V_OK:
790
- break;
791
- case X509_V_ERR_OUT_OF_MEM:
649
+ case X509_V_OK:
650
+ continue;
651
+ case X509_V_ERR_OUT_OF_MEM:
792
652
  ctx->error = rv;
793
653
  return 0;
794
- default:
654
+ default:
795
655
  ctx->error = rv;
796
656
  ctx->error_depth = i;
797
- ctx->current_cert = leaf;
798
- if (!ctx->verify_cb(0, ctx))
799
- return 0;
657
+ ctx->current_cert = x;
658
+ if (!ctx->verify_cb(0, ctx)) {
659
+ return 0;
660
+ }
800
661
  break;
801
662
  }
663
+ }
664
+ }
665
+ }
666
+
667
+ // Name constraints do not match against the common name, but
668
+ // |X509_check_host| still implements the legacy behavior where, on
669
+ // certificates lacking a SAN list, DNS-like names in the common name are
670
+ // checked instead.
671
+ //
672
+ // While we could apply the name constraints to the common name, name
673
+ // constraints are rare enough that can hold such certificates to a higher
674
+ // standard. Note this does not make "DNS-like" heuristic failures any
675
+ // worse. A decorative common-name misidentified as a DNS name would fail
676
+ // the name constraint anyway.
677
+ X509 *leaf = sk_X509_value(ctx->chain, 0);
678
+ if (has_name_constraints && leaf->altname == NULL) {
679
+ rv = reject_dns_name_in_common_name(leaf);
680
+ switch (rv) {
681
+ case X509_V_OK:
682
+ break;
683
+ case X509_V_ERR_OUT_OF_MEM:
684
+ ctx->error = rv;
685
+ return 0;
686
+ default:
687
+ ctx->error = rv;
688
+ ctx->error_depth = i;
689
+ ctx->current_cert = leaf;
690
+ if (!ctx->verify_cb(0, ctx)) {
691
+ return 0;
692
+ }
693
+ break;
802
694
  }
803
-
695
+ }
696
+
697
+ return 1;
698
+ }
699
+
700
+ static int check_id_error(X509_STORE_CTX *ctx, int errcode) {
701
+ ctx->error = errcode;
702
+ ctx->current_cert = ctx->cert;
703
+ ctx->error_depth = 0;
704
+ return ctx->verify_cb(0, ctx);
705
+ }
706
+
707
+ static int check_hosts(X509 *x, X509_VERIFY_PARAM *param) {
708
+ size_t i;
709
+ size_t n = sk_OPENSSL_STRING_num(param->hosts);
710
+ char *name;
711
+
712
+ if (param->peername != NULL) {
713
+ OPENSSL_free(param->peername);
714
+ param->peername = NULL;
715
+ }
716
+ for (i = 0; i < n; ++i) {
717
+ name = sk_OPENSSL_STRING_value(param->hosts, i);
718
+ if (X509_check_host(x, name, strlen(name), param->hostflags,
719
+ &param->peername) > 0) {
720
+ return 1;
721
+ }
722
+ }
723
+ return n == 0;
724
+ }
725
+
726
+ static int check_id(X509_STORE_CTX *ctx) {
727
+ X509_VERIFY_PARAM *vpm = ctx->param;
728
+ X509 *x = ctx->cert;
729
+ if (vpm->poison) {
730
+ if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL)) {
731
+ return 0;
732
+ }
733
+ }
734
+ if (vpm->hosts && check_hosts(x, vpm) <= 0) {
735
+ if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) {
736
+ return 0;
737
+ }
738
+ }
739
+ if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
740
+ if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) {
741
+ return 0;
742
+ }
743
+ }
744
+ if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
745
+ if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) {
746
+ return 0;
747
+ }
748
+ }
749
+ return 1;
750
+ }
751
+
752
+ static int check_trust(X509_STORE_CTX *ctx) {
753
+ size_t i;
754
+ int ok;
755
+ X509 *x = NULL;
756
+ // Check all trusted certificates in chain
757
+ for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
758
+ x = sk_X509_value(ctx->chain, i);
759
+ ok = X509_check_trust(x, ctx->param->trust, 0);
760
+ // If explicitly trusted return trusted
761
+ if (ok == X509_TRUST_TRUSTED) {
762
+ return X509_TRUST_TRUSTED;
763
+ }
764
+ // If explicitly rejected notify callback and reject if not
765
+ // overridden.
766
+ if (ok == X509_TRUST_REJECTED) {
767
+ ctx->error_depth = i;
768
+ ctx->current_cert = x;
769
+ ctx->error = X509_V_ERR_CERT_REJECTED;
770
+ ok = ctx->verify_cb(0, ctx);
771
+ if (!ok) {
772
+ return X509_TRUST_REJECTED;
773
+ }
774
+ }
775
+ }
776
+ // If we accept partial chains and have at least one trusted certificate
777
+ // return success.
778
+ if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
779
+ X509 *mx;
780
+ if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain)) {
781
+ return X509_TRUST_TRUSTED;
782
+ }
783
+ x = sk_X509_value(ctx->chain, 0);
784
+ mx = lookup_cert_match(ctx, x);
785
+ if (mx) {
786
+ (void)sk_X509_set(ctx->chain, 0, mx);
787
+ X509_free(x);
788
+ ctx->last_untrusted = 0;
789
+ return X509_TRUST_TRUSTED;
790
+ }
791
+ }
792
+
793
+ // If no trusted certs in chain at all return untrusted and allow
794
+ // standard (no issuer cert) etc errors to be indicated.
795
+ return X509_TRUST_UNTRUSTED;
796
+ }
797
+
798
+ static int check_revocation(X509_STORE_CTX *ctx) {
799
+ int i, last, ok;
800
+ if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) {
804
801
  return 1;
805
- }
806
-
807
- static int check_id_error(X509_STORE_CTX *ctx, int errcode)
808
- {
809
- ctx->error = errcode;
810
- ctx->current_cert = ctx->cert;
811
- ctx->error_depth = 0;
812
- return ctx->verify_cb(0, ctx);
813
- }
814
-
815
- static int check_hosts(X509 *x, X509_VERIFY_PARAM *param)
816
- {
817
- size_t i;
818
- size_t n = sk_OPENSSL_STRING_num(param->hosts);
819
- char *name;
820
-
821
- if (param->peername != NULL) {
822
- OPENSSL_free(param->peername);
823
- param->peername = NULL;
824
- }
825
- for (i = 0; i < n; ++i) {
826
- name = sk_OPENSSL_STRING_value(param->hosts, i);
827
- if (X509_check_host(x, name, strlen(name), param->hostflags,
828
- &param->peername) > 0)
829
- return 1;
830
- }
831
- return n == 0;
832
- }
833
-
834
- static int check_id(X509_STORE_CTX *ctx)
835
- {
836
- X509_VERIFY_PARAM *vpm = ctx->param;
837
- X509 *x = ctx->cert;
838
- if (vpm->poison) {
839
- if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL))
840
- return 0;
841
- }
842
- if (vpm->hosts && check_hosts(x, vpm) <= 0) {
843
- if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
844
- return 0;
802
+ }
803
+ if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) {
804
+ last = sk_X509_num(ctx->chain) - 1;
805
+ } else {
806
+ // If checking CRL paths this isn't the EE certificate
807
+ if (ctx->parent) {
808
+ return 1;
809
+ }
810
+ last = 0;
811
+ }
812
+ for (i = 0; i <= last; i++) {
813
+ ctx->error_depth = i;
814
+ ok = check_cert(ctx);
815
+ if (!ok) {
816
+ return ok;
817
+ }
818
+ }
819
+ return 1;
820
+ }
821
+
822
+ static int check_cert(X509_STORE_CTX *ctx) {
823
+ X509_CRL *crl = NULL, *dcrl = NULL;
824
+ X509 *x;
825
+ int ok = 0, cnum;
826
+ unsigned int last_reasons;
827
+ cnum = ctx->error_depth;
828
+ x = sk_X509_value(ctx->chain, cnum);
829
+ ctx->current_cert = x;
830
+ ctx->current_issuer = NULL;
831
+ ctx->current_crl_score = 0;
832
+ ctx->current_reasons = 0;
833
+ while (ctx->current_reasons != CRLDP_ALL_REASONS) {
834
+ last_reasons = ctx->current_reasons;
835
+ // Try to retrieve relevant CRL
836
+ if (ctx->get_crl) {
837
+ ok = ctx->get_crl(ctx, &crl, x);
838
+ } else {
839
+ ok = get_crl_delta(ctx, &crl, &dcrl, x);
845
840
  }
846
- if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
847
- if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
848
- return 0;
841
+ // If error looking up CRL, nothing we can do except notify callback
842
+ if (!ok) {
843
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
844
+ ok = ctx->verify_cb(0, ctx);
845
+ goto err;
849
846
  }
850
- if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
851
- if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
852
- return 0;
847
+ ctx->current_crl = crl;
848
+ ok = ctx->check_crl(ctx, crl);
849
+ if (!ok) {
850
+ goto err;
853
851
  }
854
- return 1;
855
- }
856
852
 
857
- static int check_trust(X509_STORE_CTX *ctx)
858
- {
859
- size_t i;
860
- int ok;
861
- X509 *x = NULL;
862
- int (*cb) (int xok, X509_STORE_CTX *xctx);
863
- cb = ctx->verify_cb;
864
- /* Check all trusted certificates in chain */
865
- for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
866
- x = sk_X509_value(ctx->chain, i);
867
- ok = X509_check_trust(x, ctx->param->trust, 0);
868
- /* If explicitly trusted return trusted */
869
- if (ok == X509_TRUST_TRUSTED)
870
- return X509_TRUST_TRUSTED;
871
- /*
872
- * If explicitly rejected notify callback and reject if not
873
- * overridden.
874
- */
875
- if (ok == X509_TRUST_REJECTED) {
876
- ctx->error_depth = i;
877
- ctx->current_cert = x;
878
- ctx->error = X509_V_ERR_CERT_REJECTED;
879
- ok = cb(0, ctx);
880
- if (!ok)
881
- return X509_TRUST_REJECTED;
882
- }
883
- }
884
- /*
885
- * If we accept partial chains and have at least one trusted certificate
886
- * return success.
887
- */
888
- if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
889
- X509 *mx;
890
- if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain))
891
- return X509_TRUST_TRUSTED;
892
- x = sk_X509_value(ctx->chain, 0);
893
- mx = lookup_cert_match(ctx, x);
894
- if (mx) {
895
- (void)sk_X509_set(ctx->chain, 0, mx);
896
- X509_free(x);
897
- ctx->last_untrusted = 0;
898
- return X509_TRUST_TRUSTED;
899
- }
853
+ if (dcrl) {
854
+ ok = ctx->check_crl(ctx, dcrl);
855
+ if (!ok) {
856
+ goto err;
857
+ }
858
+ ok = ctx->cert_crl(ctx, dcrl, x);
859
+ if (!ok) {
860
+ goto err;
861
+ }
862
+ } else {
863
+ ok = 1;
900
864
  }
901
865
 
902
- /*
903
- * If no trusted certs in chain at all return untrusted and allow
904
- * standard (no issuer cert) etc errors to be indicated.
905
- */
906
- return X509_TRUST_UNTRUSTED;
907
- }
908
-
909
- static int check_revocation(X509_STORE_CTX *ctx)
910
- {
911
- int i, last, ok;
912
- if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
913
- return 1;
914
- if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
915
- last = sk_X509_num(ctx->chain) - 1;
916
- else {
917
- /* If checking CRL paths this isn't the EE certificate */
918
- if (ctx->parent)
919
- return 1;
920
- last = 0;
921
- }
922
- for (i = 0; i <= last; i++) {
923
- ctx->error_depth = i;
924
- ok = check_cert(ctx);
925
- if (!ok)
926
- return ok;
866
+ // Don't look in full CRL if delta reason is removefromCRL
867
+ if (ok != 2) {
868
+ ok = ctx->cert_crl(ctx, crl, x);
869
+ if (!ok) {
870
+ goto err;
871
+ }
927
872
  }
928
- return 1;
929
- }
930
-
931
- static int check_cert(X509_STORE_CTX *ctx)
932
- {
933
- X509_CRL *crl = NULL, *dcrl = NULL;
934
- X509 *x;
935
- int ok = 0, cnum;
936
- unsigned int last_reasons;
937
- cnum = ctx->error_depth;
938
- x = sk_X509_value(ctx->chain, cnum);
939
- ctx->current_cert = x;
940
- ctx->current_issuer = NULL;
941
- ctx->current_crl_score = 0;
942
- ctx->current_reasons = 0;
943
- while (ctx->current_reasons != CRLDP_ALL_REASONS) {
944
- last_reasons = ctx->current_reasons;
945
- /* Try to retrieve relevant CRL */
946
- if (ctx->get_crl)
947
- ok = ctx->get_crl(ctx, &crl, x);
948
- else
949
- ok = get_crl_delta(ctx, &crl, &dcrl, x);
950
- /*
951
- * If error looking up CRL, nothing we can do except notify callback
952
- */
953
- if (!ok) {
954
- ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
955
- ok = ctx->verify_cb(0, ctx);
956
- goto err;
957
- }
958
- ctx->current_crl = crl;
959
- ok = ctx->check_crl(ctx, crl);
960
- if (!ok)
961
- goto err;
962
-
963
- if (dcrl) {
964
- ok = ctx->check_crl(ctx, dcrl);
965
- if (!ok)
966
- goto err;
967
- ok = ctx->cert_crl(ctx, dcrl, x);
968
- if (!ok)
969
- goto err;
970
- } else
971
- ok = 1;
972
-
973
- /* Don't look in full CRL if delta reason is removefromCRL */
974
- if (ok != 2) {
975
- ok = ctx->cert_crl(ctx, crl, x);
976
- if (!ok)
977
- goto err;
978
- }
979
873
 
980
- X509_CRL_free(crl);
981
- X509_CRL_free(dcrl);
982
- crl = NULL;
983
- dcrl = NULL;
984
- /*
985
- * If reasons not updated we wont get anywhere by another iteration,
986
- * so exit loop.
987
- */
988
- if (last_reasons == ctx->current_reasons) {
989
- ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
990
- ok = ctx->verify_cb(0, ctx);
991
- goto err;
992
- }
993
- }
994
- err:
995
874
  X509_CRL_free(crl);
996
875
  X509_CRL_free(dcrl);
876
+ crl = NULL;
877
+ dcrl = NULL;
878
+ // If reasons not updated we wont get anywhere by another iteration,
879
+ // so exit loop.
880
+ if (last_reasons == ctx->current_reasons) {
881
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
882
+ ok = ctx->verify_cb(0, ctx);
883
+ goto err;
884
+ }
885
+ }
886
+ err:
887
+ X509_CRL_free(crl);
888
+ X509_CRL_free(dcrl);
997
889
 
998
- ctx->current_crl = NULL;
999
- return ok;
1000
-
890
+ ctx->current_crl = NULL;
891
+ return ok;
1001
892
  }
1002
893
 
1003
- /* Check CRL times against values in X509_STORE_CTX */
894
+ // Check CRL times against values in X509_STORE_CTX
1004
895
 
1005
- static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
1006
- {
1007
- time_t *ptime;
1008
- int i;
1009
- if (notify)
1010
- ctx->current_crl = crl;
1011
- if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1012
- ptime = &ctx->param->check_time;
1013
- else
1014
- ptime = NULL;
896
+ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) {
897
+ if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {
898
+ return 1;
899
+ }
1015
900
 
1016
- i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
1017
- if (i == 0) {
1018
- if (!notify)
1019
- return 0;
1020
- ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
1021
- if (!ctx->verify_cb(0, ctx))
1022
- return 0;
901
+ if (notify) {
902
+ ctx->current_crl = crl;
903
+ }
904
+ int64_t ptime;
905
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
906
+ ptime = ctx->param->check_time;
907
+ } else {
908
+ ptime = time(NULL);
909
+ }
910
+
911
+ int i = X509_cmp_time_posix(X509_CRL_get0_lastUpdate(crl), ptime);
912
+ if (i == 0) {
913
+ if (!notify) {
914
+ return 0;
915
+ }
916
+ ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
917
+ if (!ctx->verify_cb(0, ctx)) {
918
+ return 0;
1023
919
  }
920
+ }
1024
921
 
1025
- if (i > 0) {
1026
- if (!notify)
1027
- return 0;
1028
- ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
1029
- if (!ctx->verify_cb(0, ctx))
1030
- return 0;
922
+ if (i > 0) {
923
+ if (!notify) {
924
+ return 0;
1031
925
  }
926
+ ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
927
+ if (!ctx->verify_cb(0, ctx)) {
928
+ return 0;
929
+ }
930
+ }
1032
931
 
1033
- if (X509_CRL_get0_nextUpdate(crl)) {
1034
- i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime);
932
+ if (X509_CRL_get0_nextUpdate(crl)) {
933
+ i = X509_cmp_time_posix(X509_CRL_get0_nextUpdate(crl), ptime);
1035
934
 
1036
- if (i == 0) {
1037
- if (!notify)
1038
- return 0;
1039
- ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
1040
- if (!ctx->verify_cb(0, ctx))
1041
- return 0;
1042
- }
1043
- /* Ignore expiry of base CRL is delta is valid */
1044
- if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
1045
- if (!notify)
1046
- return 0;
1047
- ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
1048
- if (!ctx->verify_cb(0, ctx))
1049
- return 0;
1050
- }
935
+ if (i == 0) {
936
+ if (!notify) {
937
+ return 0;
938
+ }
939
+ ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
940
+ if (!ctx->verify_cb(0, ctx)) {
941
+ return 0;
942
+ }
943
+ }
944
+ // Ignore expiry of base CRL is delta is valid
945
+ if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
946
+ if (!notify) {
947
+ return 0;
948
+ }
949
+ ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
950
+ if (!ctx->verify_cb(0, ctx)) {
951
+ return 0;
952
+ }
1051
953
  }
954
+ }
1052
955
 
1053
- if (notify)
1054
- ctx->current_crl = NULL;
956
+ if (notify) {
957
+ ctx->current_crl = NULL;
958
+ }
1055
959
 
1056
- return 1;
960
+ return 1;
1057
961
  }
1058
962
 
1059
963
  static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
1060
964
  X509 **pissuer, int *pscore, unsigned int *preasons,
1061
- STACK_OF(X509_CRL) *crls)
1062
- {
1063
- int crl_score, best_score = *pscore;
1064
- size_t i;
1065
- unsigned int reasons, best_reasons = 0;
1066
- X509 *x = ctx->current_cert;
1067
- X509_CRL *crl, *best_crl = NULL;
1068
- X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
1069
-
1070
- for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1071
- crl = sk_X509_CRL_value(crls, i);
1072
- reasons = *preasons;
1073
- crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
1074
- if (crl_score < best_score || crl_score == 0)
1075
- continue;
1076
- /* If current CRL is equivalent use it if it is newer */
1077
- if (crl_score == best_score && best_crl != NULL) {
1078
- int day, sec;
1079
- if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
1080
- X509_CRL_get0_lastUpdate(crl)) == 0)
1081
- continue;
1082
- /*
1083
- * ASN1_TIME_diff never returns inconsistent signs for |day|
1084
- * and |sec|.
1085
- */
1086
- if (day <= 0 && sec <= 0)
1087
- continue;
1088
- }
1089
- best_crl = crl;
1090
- best_crl_issuer = crl_issuer;
1091
- best_score = crl_score;
1092
- best_reasons = reasons;
1093
- }
1094
-
1095
- if (best_crl) {
1096
- if (*pcrl)
1097
- X509_CRL_free(*pcrl);
1098
- *pcrl = best_crl;
1099
- *pissuer = best_crl_issuer;
1100
- *pscore = best_score;
1101
- *preasons = best_reasons;
1102
- X509_CRL_up_ref(best_crl);
1103
- if (*pdcrl) {
1104
- X509_CRL_free(*pdcrl);
1105
- *pdcrl = NULL;
1106
- }
1107
- get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
1108
- }
1109
-
1110
- if (best_score >= CRL_SCORE_VALID)
1111
- return 1;
965
+ STACK_OF(X509_CRL) *crls) {
966
+ int crl_score, best_score = *pscore;
967
+ size_t i;
968
+ unsigned int reasons, best_reasons = 0;
969
+ X509 *x = ctx->current_cert;
970
+ X509_CRL *crl, *best_crl = NULL;
971
+ X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
972
+
973
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
974
+ crl = sk_X509_CRL_value(crls, i);
975
+ reasons = *preasons;
976
+ crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
977
+ if (crl_score < best_score || crl_score == 0) {
978
+ continue;
979
+ }
980
+ // If current CRL is equivalent use it if it is newer
981
+ if (crl_score == best_score && best_crl != NULL) {
982
+ int day, sec;
983
+ if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
984
+ X509_CRL_get0_lastUpdate(crl)) == 0) {
985
+ continue;
986
+ }
987
+ // ASN1_TIME_diff never returns inconsistent signs for |day|
988
+ // and |sec|.
989
+ if (day <= 0 && sec <= 0) {
990
+ continue;
991
+ }
992
+ }
993
+ best_crl = crl;
994
+ best_crl_issuer = crl_issuer;
995
+ best_score = crl_score;
996
+ best_reasons = reasons;
997
+ }
998
+
999
+ if (best_crl) {
1000
+ if (*pcrl) {
1001
+ X509_CRL_free(*pcrl);
1002
+ }
1003
+ *pcrl = best_crl;
1004
+ *pissuer = best_crl_issuer;
1005
+ *pscore = best_score;
1006
+ *preasons = best_reasons;
1007
+ X509_CRL_up_ref(best_crl);
1008
+ if (*pdcrl) {
1009
+ X509_CRL_free(*pdcrl);
1010
+ *pdcrl = NULL;
1011
+ }
1012
+ get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
1013
+ }
1014
+
1015
+ if (best_score >= CRL_SCORE_VALID) {
1016
+ return 1;
1017
+ }
1112
1018
 
1113
- return 0;
1019
+ return 0;
1114
1020
  }
1115
1021
 
1116
- /*
1117
- * Compare two CRL extensions for delta checking purposes. They should be
1118
- * both present or both absent. If both present all fields must be identical.
1119
- */
1120
-
1121
- static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
1122
- {
1123
- ASN1_OCTET_STRING *exta, *extb;
1124
- int i;
1125
- i = X509_CRL_get_ext_by_NID(a, nid, -1);
1126
- if (i >= 0) {
1127
- /* Can't have multiple occurrences */
1128
- if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
1129
- return 0;
1130
- exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
1131
- } else
1132
- exta = NULL;
1022
+ // Compare two CRL extensions for delta checking purposes. They should be
1023
+ // both present or both absent. If both present all fields must be identical.
1133
1024
 
1134
- i = X509_CRL_get_ext_by_NID(b, nid, -1);
1025
+ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) {
1026
+ const ASN1_OCTET_STRING *exta, *extb;
1027
+ int i;
1028
+ i = X509_CRL_get_ext_by_NID(a, nid, -1);
1029
+ if (i >= 0) {
1030
+ // Can't have multiple occurrences
1031
+ if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) {
1032
+ return 0;
1033
+ }
1034
+ exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
1035
+ } else {
1036
+ exta = NULL;
1037
+ }
1135
1038
 
1136
- if (i >= 0) {
1039
+ i = X509_CRL_get_ext_by_NID(b, nid, -1);
1137
1040
 
1138
- if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
1139
- return 0;
1140
- extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
1141
- } else
1142
- extb = NULL;
1041
+ if (i >= 0) {
1042
+ if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) {
1043
+ return 0;
1044
+ }
1045
+ extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
1046
+ } else {
1047
+ extb = NULL;
1048
+ }
1143
1049
 
1144
- if (!exta && !extb)
1145
- return 1;
1050
+ if (!exta && !extb) {
1051
+ return 1;
1052
+ }
1146
1053
 
1147
- if (!exta || !extb)
1148
- return 0;
1054
+ if (!exta || !extb) {
1055
+ return 0;
1056
+ }
1149
1057
 
1150
- if (ASN1_OCTET_STRING_cmp(exta, extb))
1151
- return 0;
1058
+ if (ASN1_OCTET_STRING_cmp(exta, extb)) {
1059
+ return 0;
1060
+ }
1152
1061
 
1153
- return 1;
1062
+ return 1;
1154
1063
  }
1155
1064
 
1156
- /* See if a base and delta are compatible */
1065
+ // See if a base and delta are compatible
1157
1066
 
1158
- static int check_delta_base(X509_CRL *delta, X509_CRL *base)
1159
- {
1160
- /* Delta CRL must be a delta */
1161
- if (!delta->base_crl_number)
1162
- return 0;
1163
- /* Base must have a CRL number */
1164
- if (!base->crl_number)
1165
- return 0;
1166
- /* Issuer names must match */
1167
- if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta)))
1168
- return 0;
1169
- /* AKID and IDP must match */
1170
- if (!crl_extension_match(delta, base, NID_authority_key_identifier))
1171
- return 0;
1172
- if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
1173
- return 0;
1174
- /* Delta CRL base number must not exceed Full CRL number. */
1175
- if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
1176
- return 0;
1177
- /* Delta CRL number must exceed full CRL number */
1178
- if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
1179
- return 1;
1067
+ static int check_delta_base(X509_CRL *delta, X509_CRL *base) {
1068
+ // Delta CRL must be a delta
1069
+ if (!delta->base_crl_number) {
1070
+ return 0;
1071
+ }
1072
+ // Base must have a CRL number
1073
+ if (!base->crl_number) {
1180
1074
  return 0;
1075
+ }
1076
+ // Issuer names must match
1077
+ if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta))) {
1078
+ return 0;
1079
+ }
1080
+ // AKID and IDP must match
1081
+ if (!crl_extension_match(delta, base, NID_authority_key_identifier)) {
1082
+ return 0;
1083
+ }
1084
+ if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) {
1085
+ return 0;
1086
+ }
1087
+ // Delta CRL base number must not exceed Full CRL number.
1088
+ if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) {
1089
+ return 0;
1090
+ }
1091
+ // Delta CRL number must exceed full CRL number
1092
+ if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) {
1093
+ return 1;
1094
+ }
1095
+ return 0;
1181
1096
  }
1182
1097
 
1183
- /*
1184
- * For a given base CRL find a delta... maybe extend to delta scoring or
1185
- * retrieve a chain of deltas...
1186
- */
1098
+ // For a given base CRL find a delta... maybe extend to delta scoring or
1099
+ // retrieve a chain of deltas...
1187
1100
 
1188
1101
  static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
1189
- X509_CRL *base, STACK_OF(X509_CRL) *crls)
1190
- {
1191
- X509_CRL *delta;
1192
- size_t i;
1193
- if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
1194
- return;
1195
- if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
1196
- return;
1197
- for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1198
- delta = sk_X509_CRL_value(crls, i);
1199
- if (check_delta_base(delta, base)) {
1200
- if (check_crl_time(ctx, delta, 0))
1201
- *pscore |= CRL_SCORE_TIME_DELTA;
1202
- X509_CRL_up_ref(delta);
1203
- *dcrl = delta;
1204
- return;
1205
- }
1206
- }
1207
- *dcrl = NULL;
1208
- }
1209
-
1210
- /*
1211
- * For a given CRL return how suitable it is for the supplied certificate
1212
- * 'x'. The return value is a mask of several criteria. If the issuer is not
1213
- * the certificate issuer this is returned in *pissuer. The reasons mask is
1214
- * also used to determine if the CRL is suitable: if no new reasons the CRL
1215
- * is rejected, otherwise reasons is updated.
1216
- */
1102
+ X509_CRL *base, STACK_OF(X509_CRL) *crls) {
1103
+ X509_CRL *delta;
1104
+ size_t i;
1105
+ if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) {
1106
+ return;
1107
+ }
1108
+ if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) {
1109
+ return;
1110
+ }
1111
+ for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1112
+ delta = sk_X509_CRL_value(crls, i);
1113
+ if (check_delta_base(delta, base)) {
1114
+ if (check_crl_time(ctx, delta, 0)) {
1115
+ *pscore |= CRL_SCORE_TIME_DELTA;
1116
+ }
1117
+ X509_CRL_up_ref(delta);
1118
+ *dcrl = delta;
1119
+ return;
1120
+ }
1121
+ }
1122
+ *dcrl = NULL;
1123
+ }
1124
+
1125
+ // For a given CRL return how suitable it is for the supplied certificate
1126
+ // 'x'. The return value is a mask of several criteria. If the issuer is not
1127
+ // the certificate issuer this is returned in *pissuer. The reasons mask is
1128
+ // also used to determine if the CRL is suitable: if no new reasons the CRL
1129
+ // is rejected, otherwise reasons is updated.
1217
1130
 
1218
1131
  static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
1219
- unsigned int *preasons, X509_CRL *crl, X509 *x)
1220
- {
1221
-
1222
- int crl_score = 0;
1223
- unsigned int tmp_reasons = *preasons, crl_reasons;
1132
+ unsigned int *preasons, X509_CRL *crl, X509 *x) {
1133
+ int crl_score = 0;
1134
+ unsigned int tmp_reasons = *preasons, crl_reasons;
1224
1135
 
1225
- /* First see if we can reject CRL straight away */
1136
+ // First see if we can reject CRL straight away
1226
1137
 
1227
- /* Invalid IDP cannot be processed */
1228
- if (crl->idp_flags & IDP_INVALID)
1229
- return 0;
1230
- /* Reason codes or indirect CRLs need extended CRL support */
1231
- if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
1232
- if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
1233
- return 0;
1234
- } else if (crl->idp_flags & IDP_REASONS) {
1235
- /* If no new reasons reject */
1236
- if (!(crl->idp_reasons & ~tmp_reasons))
1237
- return 0;
1138
+ // Invalid IDP cannot be processed
1139
+ if (crl->idp_flags & IDP_INVALID) {
1140
+ return 0;
1141
+ }
1142
+ // Reason codes or indirect CRLs need extended CRL support
1143
+ if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
1144
+ if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) {
1145
+ return 0;
1146
+ }
1147
+ } else if (crl->idp_flags & IDP_REASONS) {
1148
+ // If no new reasons reject
1149
+ if (!(crl->idp_reasons & ~tmp_reasons)) {
1150
+ return 0;
1151
+ }
1152
+ }
1153
+ // Don't process deltas at this stage
1154
+ else if (crl->base_crl_number) {
1155
+ return 0;
1156
+ }
1157
+ // If issuer name doesn't match certificate need indirect CRL
1158
+ if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
1159
+ if (!(crl->idp_flags & IDP_INDIRECT)) {
1160
+ return 0;
1238
1161
  }
1239
- /* Don't process deltas at this stage */
1240
- else if (crl->base_crl_number)
1241
- return 0;
1242
- /* If issuer name doesn't match certificate need indirect CRL */
1243
- if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
1244
- if (!(crl->idp_flags & IDP_INDIRECT))
1245
- return 0;
1246
- } else
1247
- crl_score |= CRL_SCORE_ISSUER_NAME;
1162
+ } else {
1163
+ crl_score |= CRL_SCORE_ISSUER_NAME;
1164
+ }
1248
1165
 
1249
- if (!(crl->flags & EXFLAG_CRITICAL))
1250
- crl_score |= CRL_SCORE_NOCRITICAL;
1166
+ if (!(crl->flags & EXFLAG_CRITICAL)) {
1167
+ crl_score |= CRL_SCORE_NOCRITICAL;
1168
+ }
1251
1169
 
1252
- /* Check expiry */
1253
- if (check_crl_time(ctx, crl, 0))
1254
- crl_score |= CRL_SCORE_TIME;
1170
+ // Check expiry
1171
+ if (check_crl_time(ctx, crl, 0)) {
1172
+ crl_score |= CRL_SCORE_TIME;
1173
+ }
1255
1174
 
1256
- /* Check authority key ID and locate certificate issuer */
1257
- crl_akid_check(ctx, crl, pissuer, &crl_score);
1175
+ // Check authority key ID and locate certificate issuer
1176
+ crl_akid_check(ctx, crl, pissuer, &crl_score);
1258
1177
 
1259
- /* If we can't locate certificate issuer at this point forget it */
1178
+ // If we can't locate certificate issuer at this point forget it
1260
1179
 
1261
- if (!(crl_score & CRL_SCORE_AKID))
1262
- return 0;
1180
+ if (!(crl_score & CRL_SCORE_AKID)) {
1181
+ return 0;
1182
+ }
1263
1183
 
1264
- /* Check cert for matching CRL distribution points */
1184
+ // Check cert for matching CRL distribution points
1265
1185
 
1266
- if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
1267
- /* If no new reasons reject */
1268
- if (!(crl_reasons & ~tmp_reasons))
1269
- return 0;
1270
- tmp_reasons |= crl_reasons;
1271
- crl_score |= CRL_SCORE_SCOPE;
1186
+ if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
1187
+ // If no new reasons reject
1188
+ if (!(crl_reasons & ~tmp_reasons)) {
1189
+ return 0;
1272
1190
  }
1191
+ tmp_reasons |= crl_reasons;
1192
+ crl_score |= CRL_SCORE_SCOPE;
1193
+ }
1273
1194
 
1274
- *preasons = tmp_reasons;
1275
-
1276
- return crl_score;
1195
+ *preasons = tmp_reasons;
1277
1196
 
1197
+ return crl_score;
1278
1198
  }
1279
1199
 
1280
- static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1281
- X509 **pissuer, int *pcrl_score)
1282
- {
1283
- X509 *crl_issuer = NULL;
1284
- X509_NAME *cnm = X509_CRL_get_issuer(crl);
1285
- int cidx = ctx->error_depth;
1286
- size_t i;
1200
+ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
1201
+ int *pcrl_score) {
1202
+ X509 *crl_issuer = NULL;
1203
+ X509_NAME *cnm = X509_CRL_get_issuer(crl);
1204
+ int cidx = ctx->error_depth;
1205
+ size_t i;
1287
1206
 
1288
- if ((size_t)cidx != sk_X509_num(ctx->chain) - 1)
1289
- cidx++;
1207
+ if ((size_t)cidx != sk_X509_num(ctx->chain) - 1) {
1208
+ cidx++;
1209
+ }
1290
1210
 
1291
- crl_issuer = sk_X509_value(ctx->chain, cidx);
1211
+ crl_issuer = sk_X509_value(ctx->chain, cidx);
1292
1212
 
1293
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1294
- if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
1295
- *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
1296
- *pissuer = crl_issuer;
1297
- return;
1298
- }
1213
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1214
+ if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
1215
+ *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
1216
+ *pissuer = crl_issuer;
1217
+ return;
1299
1218
  }
1219
+ }
1300
1220
 
1301
- for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) {
1302
- crl_issuer = sk_X509_value(ctx->chain, cidx);
1303
- if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1304
- continue;
1305
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1306
- *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
1307
- *pissuer = crl_issuer;
1308
- return;
1309
- }
1221
+ for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) {
1222
+ crl_issuer = sk_X509_value(ctx->chain, cidx);
1223
+ if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) {
1224
+ continue;
1310
1225
  }
1226
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1227
+ *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
1228
+ *pissuer = crl_issuer;
1229
+ return;
1230
+ }
1231
+ }
1311
1232
 
1312
- /* Anything else needs extended CRL support */
1233
+ // Anything else needs extended CRL support
1313
1234
 
1314
- if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1315
- return;
1235
+ if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
1236
+ return;
1237
+ }
1316
1238
 
1317
- /*
1318
- * Otherwise the CRL issuer is not on the path. Look for it in the set of
1319
- * untrusted certificates.
1320
- */
1321
- for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
1322
- crl_issuer = sk_X509_value(ctx->untrusted, i);
1323
- if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1324
- continue;
1325
- if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1326
- *pissuer = crl_issuer;
1327
- *pcrl_score |= CRL_SCORE_AKID;
1328
- return;
1329
- }
1239
+ // Otherwise the CRL issuer is not on the path. Look for it in the set of
1240
+ // untrusted certificates.
1241
+ for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
1242
+ crl_issuer = sk_X509_value(ctx->untrusted, i);
1243
+ if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) {
1244
+ continue;
1245
+ }
1246
+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1247
+ *pissuer = crl_issuer;
1248
+ *pcrl_score |= CRL_SCORE_AKID;
1249
+ return;
1330
1250
  }
1251
+ }
1331
1252
  }
1332
1253
 
1333
- /*
1334
- * Check the path of a CRL issuer certificate. This creates a new
1335
- * X509_STORE_CTX and populates it with most of the parameters from the
1336
- * parent. This could be optimised somewhat since a lot of path checking will
1337
- * be duplicated by the parent, but this will rarely be used in practice.
1338
- */
1339
-
1340
- static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1341
- {
1342
- X509_STORE_CTX crl_ctx;
1343
- int ret;
1344
- /* Don't allow recursive CRL path validation */
1345
- if (ctx->parent)
1346
- return 0;
1347
- if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
1348
- return -1;
1349
-
1350
- crl_ctx.crls = ctx->crls;
1351
- /* Copy verify params across */
1352
- X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1353
-
1354
- crl_ctx.parent = ctx;
1355
- crl_ctx.verify_cb = ctx->verify_cb;
1356
-
1357
- /* Verify CRL issuer */
1358
- ret = X509_verify_cert(&crl_ctx);
1254
+ // Check the path of a CRL issuer certificate. This creates a new
1255
+ // X509_STORE_CTX and populates it with most of the parameters from the
1256
+ // parent. This could be optimised somewhat since a lot of path checking will
1257
+ // be duplicated by the parent, but this will rarely be used in practice.
1359
1258
 
1360
- if (ret <= 0)
1361
- goto err;
1362
-
1363
- /* Check chain is acceptable */
1364
-
1365
- ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1366
- err:
1367
- X509_STORE_CTX_cleanup(&crl_ctx);
1368
- return ret;
1369
- }
1370
-
1371
- /*
1372
- * RFC 3280 says nothing about the relationship between CRL path and
1373
- * certificate path, which could lead to situations where a certificate could
1374
- * be revoked or validated by a CA not authorised to do so. RFC 5280 is more
1375
- * strict and states that the two paths must end in the same trust anchor,
1376
- * though some discussions remain... until this is resolved we use the
1377
- * RFC 5280 version
1378
- */
1379
-
1380
- static int check_crl_chain(X509_STORE_CTX *ctx,
1381
- STACK_OF(X509) *cert_path,
1382
- STACK_OF(X509) *crl_path)
1383
- {
1384
- X509 *cert_ta, *crl_ta;
1385
- cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1386
- crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1387
- if (!X509_cmp(cert_ta, crl_ta))
1388
- return 1;
1259
+ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) {
1260
+ X509_STORE_CTX crl_ctx;
1261
+ int ret;
1262
+ // Don't allow recursive CRL path validation
1263
+ if (ctx->parent) {
1389
1264
  return 0;
1265
+ }
1266
+ if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted)) {
1267
+ return -1;
1268
+ }
1269
+
1270
+ crl_ctx.crls = ctx->crls;
1271
+ // Copy verify params across
1272
+ X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1273
+
1274
+ crl_ctx.parent = ctx;
1275
+ crl_ctx.verify_cb = ctx->verify_cb;
1276
+
1277
+ // Verify CRL issuer
1278
+ ret = X509_verify_cert(&crl_ctx);
1279
+
1280
+ if (ret <= 0) {
1281
+ goto err;
1282
+ }
1283
+
1284
+ // Check chain is acceptable
1285
+
1286
+ ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1287
+ err:
1288
+ X509_STORE_CTX_cleanup(&crl_ctx);
1289
+ return ret;
1290
+ }
1291
+
1292
+ // RFC 3280 says nothing about the relationship between CRL path and
1293
+ // certificate path, which could lead to situations where a certificate could
1294
+ // be revoked or validated by a CA not authorised to do so. RFC 5280 is more
1295
+ // strict and states that the two paths must end in the same trust anchor,
1296
+ // though some discussions remain... until this is resolved we use the
1297
+ // RFC 5280 version
1298
+
1299
+ static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
1300
+ STACK_OF(X509) *crl_path) {
1301
+ X509 *cert_ta, *crl_ta;
1302
+ cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1303
+ crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1304
+ if (!X509_cmp(cert_ta, crl_ta)) {
1305
+ return 1;
1306
+ }
1307
+ return 0;
1390
1308
  }
1391
1309
 
1392
- /*
1393
- * Check for match between two dist point names: three separate cases. 1.
1394
- * Both are relative names and compare X509_NAME types. 2. One full, one
1395
- * relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
1396
- * compare two GENERAL_NAMES. 4. One is NULL: automatic match.
1397
- */
1398
-
1399
- static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1400
- {
1401
- X509_NAME *nm = NULL;
1402
- GENERAL_NAMES *gens = NULL;
1403
- GENERAL_NAME *gena, *genb;
1404
- size_t i, j;
1405
- if (!a || !b)
1310
+ // Check for match between two dist point names: three separate cases. 1.
1311
+ // Both are relative names and compare X509_NAME types. 2. One full, one
1312
+ // relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
1313
+ // compare two GENERAL_NAMES. 4. One is NULL: automatic match.
1314
+
1315
+ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) {
1316
+ X509_NAME *nm = NULL;
1317
+ GENERAL_NAMES *gens = NULL;
1318
+ GENERAL_NAME *gena, *genb;
1319
+ size_t i, j;
1320
+ if (!a || !b) {
1321
+ return 1;
1322
+ }
1323
+ if (a->type == 1) {
1324
+ if (!a->dpname) {
1325
+ return 0;
1326
+ }
1327
+ // Case 1: two X509_NAME
1328
+ if (b->type == 1) {
1329
+ if (!b->dpname) {
1330
+ return 0;
1331
+ }
1332
+ if (!X509_NAME_cmp(a->dpname, b->dpname)) {
1406
1333
  return 1;
1407
- if (a->type == 1) {
1408
- if (!a->dpname)
1409
- return 0;
1410
- /* Case 1: two X509_NAME */
1411
- if (b->type == 1) {
1412
- if (!b->dpname)
1413
- return 0;
1414
- if (!X509_NAME_cmp(a->dpname, b->dpname))
1415
- return 1;
1416
- else
1417
- return 0;
1418
- }
1419
- /* Case 2: set name and GENERAL_NAMES appropriately */
1420
- nm = a->dpname;
1421
- gens = b->name.fullname;
1422
- } else if (b->type == 1) {
1423
- if (!b->dpname)
1424
- return 0;
1425
- /* Case 2: set name and GENERAL_NAMES appropriately */
1426
- gens = a->name.fullname;
1427
- nm = b->dpname;
1428
- }
1429
-
1430
- /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1431
- if (nm) {
1432
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1433
- gena = sk_GENERAL_NAME_value(gens, i);
1434
- if (gena->type != GEN_DIRNAME)
1435
- continue;
1436
- if (!X509_NAME_cmp(nm, gena->d.directoryName))
1437
- return 1;
1438
- }
1334
+ } else {
1439
1335
  return 0;
1336
+ }
1337
+ }
1338
+ // Case 2: set name and GENERAL_NAMES appropriately
1339
+ nm = a->dpname;
1340
+ gens = b->name.fullname;
1341
+ } else if (b->type == 1) {
1342
+ if (!b->dpname) {
1343
+ return 0;
1344
+ }
1345
+ // Case 2: set name and GENERAL_NAMES appropriately
1346
+ gens = a->name.fullname;
1347
+ nm = b->dpname;
1348
+ }
1349
+
1350
+ // Handle case 2 with one GENERAL_NAMES and one X509_NAME
1351
+ if (nm) {
1352
+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1353
+ gena = sk_GENERAL_NAME_value(gens, i);
1354
+ if (gena->type != GEN_DIRNAME) {
1355
+ continue;
1356
+ }
1357
+ if (!X509_NAME_cmp(nm, gena->d.directoryName)) {
1358
+ return 1;
1359
+ }
1440
1360
  }
1361
+ return 0;
1362
+ }
1441
1363
 
1442
- /* Else case 3: two GENERAL_NAMES */
1364
+ // Else case 3: two GENERAL_NAMES
1443
1365
 
1444
- for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1445
- gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1446
- for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1447
- genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1448
- if (!GENERAL_NAME_cmp(gena, genb))
1449
- return 1;
1450
- }
1366
+ for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1367
+ gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1368
+ for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1369
+ genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1370
+ if (!GENERAL_NAME_cmp(gena, genb)) {
1371
+ return 1;
1372
+ }
1451
1373
  }
1374
+ }
1452
1375
 
1453
- return 0;
1454
-
1376
+ return 0;
1455
1377
  }
1456
1378
 
1457
- static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1458
- {
1459
- size_t i;
1460
- X509_NAME *nm = X509_CRL_get_issuer(crl);
1461
- /* If no CRLissuer return is successful iff don't need a match */
1462
- if (!dp->CRLissuer)
1463
- return ! !(crl_score & CRL_SCORE_ISSUER_NAME);
1464
- for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
1465
- GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1466
- if (gen->type != GEN_DIRNAME)
1467
- continue;
1468
- if (!X509_NAME_cmp(gen->d.directoryName, nm))
1469
- return 1;
1379
+ static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) {
1380
+ size_t i;
1381
+ X509_NAME *nm = X509_CRL_get_issuer(crl);
1382
+ // If no CRLissuer return is successful iff don't need a match
1383
+ if (!dp->CRLissuer) {
1384
+ return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1385
+ }
1386
+ for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
1387
+ GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1388
+ if (gen->type != GEN_DIRNAME) {
1389
+ continue;
1470
1390
  }
1471
- return 0;
1391
+ if (!X509_NAME_cmp(gen->d.directoryName, nm)) {
1392
+ return 1;
1393
+ }
1394
+ }
1395
+ return 0;
1472
1396
  }
1473
1397
 
1474
- /* Check CRLDP and IDP */
1398
+ // Check CRLDP and IDP
1475
1399
 
1476
1400
  static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1477
- unsigned int *preasons)
1478
- {
1479
- size_t i;
1480
- if (crl->idp_flags & IDP_ONLYATTR)
1481
- return 0;
1482
- if (x->ex_flags & EXFLAG_CA) {
1483
- if (crl->idp_flags & IDP_ONLYUSER)
1484
- return 0;
1485
- } else {
1486
- if (crl->idp_flags & IDP_ONLYCA)
1487
- return 0;
1488
- }
1489
- *preasons = crl->idp_reasons;
1490
- for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1491
- DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1492
- if (crldp_check_crlissuer(dp, crl, crl_score)) {
1493
- if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1494
- *preasons &= dp->dp_reasons;
1495
- return 1;
1496
- }
1497
- }
1498
- }
1499
- if ((!crl->idp || !crl->idp->distpoint)
1500
- && (crl_score & CRL_SCORE_ISSUER_NAME))
1501
- return 1;
1401
+ unsigned int *preasons) {
1402
+ size_t i;
1403
+ if (crl->idp_flags & IDP_ONLYATTR) {
1502
1404
  return 0;
1405
+ }
1406
+ if (x->ex_flags & EXFLAG_CA) {
1407
+ if (crl->idp_flags & IDP_ONLYUSER) {
1408
+ return 0;
1409
+ }
1410
+ } else {
1411
+ if (crl->idp_flags & IDP_ONLYCA) {
1412
+ return 0;
1413
+ }
1414
+ }
1415
+ *preasons = crl->idp_reasons;
1416
+ for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1417
+ DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1418
+ if (crldp_check_crlissuer(dp, crl, crl_score)) {
1419
+ if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1420
+ *preasons &= dp->dp_reasons;
1421
+ return 1;
1422
+ }
1423
+ }
1424
+ }
1425
+ if ((!crl->idp || !crl->idp->distpoint) &&
1426
+ (crl_score & CRL_SCORE_ISSUER_NAME)) {
1427
+ return 1;
1428
+ }
1429
+ return 0;
1503
1430
  }
1504
1431
 
1505
- /*
1506
- * Retrieve CRL corresponding to current certificate. If deltas enabled try
1507
- * to find a delta CRL too
1508
- */
1432
+ // Retrieve CRL corresponding to current certificate. If deltas enabled try
1433
+ // to find a delta CRL too
1509
1434
 
1510
- static int get_crl_delta(X509_STORE_CTX *ctx,
1511
- X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1512
- {
1513
- int ok;
1514
- X509 *issuer = NULL;
1515
- int crl_score = 0;
1516
- unsigned int reasons;
1517
- X509_CRL *crl = NULL, *dcrl = NULL;
1518
- STACK_OF(X509_CRL) *skcrl;
1519
- X509_NAME *nm = X509_get_issuer_name(x);
1520
- reasons = ctx->current_reasons;
1521
- ok = get_crl_sk(ctx, &crl, &dcrl,
1522
- &issuer, &crl_score, &reasons, ctx->crls);
1435
+ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
1436
+ X509 *x) {
1437
+ int ok;
1438
+ X509 *issuer = NULL;
1439
+ int crl_score = 0;
1440
+ unsigned int reasons;
1441
+ X509_CRL *crl = NULL, *dcrl = NULL;
1442
+ STACK_OF(X509_CRL) *skcrl;
1443
+ X509_NAME *nm = X509_get_issuer_name(x);
1444
+ reasons = ctx->current_reasons;
1445
+ ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, ctx->crls);
1523
1446
 
1524
- if (ok)
1525
- goto done;
1447
+ if (ok) {
1448
+ goto done;
1449
+ }
1526
1450
 
1527
- /* Lookup CRLs from store */
1451
+ // Lookup CRLs from store
1528
1452
 
1529
- skcrl = ctx->lookup_crls(ctx, nm);
1453
+ skcrl = ctx->lookup_crls(ctx, nm);
1530
1454
 
1531
- /* If no CRLs found and a near match from get_crl_sk use that */
1532
- if (!skcrl && crl)
1533
- goto done;
1455
+ // If no CRLs found and a near match from get_crl_sk use that
1456
+ if (!skcrl && crl) {
1457
+ goto done;
1458
+ }
1534
1459
 
1535
- get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1460
+ get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1536
1461
 
1537
- sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1462
+ sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1538
1463
 
1539
- done:
1464
+ done:
1540
1465
 
1541
- /* If we got any kind of CRL use it and return success */
1542
- if (crl) {
1543
- ctx->current_issuer = issuer;
1544
- ctx->current_crl_score = crl_score;
1545
- ctx->current_reasons = reasons;
1546
- *pcrl = crl;
1547
- *pdcrl = dcrl;
1548
- return 1;
1466
+ // If we got any kind of CRL use it and return success
1467
+ if (crl) {
1468
+ ctx->current_issuer = issuer;
1469
+ ctx->current_crl_score = crl_score;
1470
+ ctx->current_reasons = reasons;
1471
+ *pcrl = crl;
1472
+ *pdcrl = dcrl;
1473
+ return 1;
1474
+ }
1475
+
1476
+ return 0;
1477
+ }
1478
+
1479
+ // Check CRL validity
1480
+ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) {
1481
+ X509 *issuer = NULL;
1482
+ EVP_PKEY *ikey = NULL;
1483
+ int ok = 0, chnum, cnum;
1484
+ cnum = ctx->error_depth;
1485
+ chnum = sk_X509_num(ctx->chain) - 1;
1486
+ // if we have an alternative CRL issuer cert use that
1487
+ if (ctx->current_issuer) {
1488
+ issuer = ctx->current_issuer;
1489
+ }
1490
+
1491
+ // Else find CRL issuer: if not last certificate then issuer is next
1492
+ // certificate in chain.
1493
+ else if (cnum < chnum) {
1494
+ issuer = sk_X509_value(ctx->chain, cnum + 1);
1495
+ } else {
1496
+ issuer = sk_X509_value(ctx->chain, chnum);
1497
+ // If not self signed, can't check signature
1498
+ if (!ctx->check_issued(ctx, issuer, issuer)) {
1499
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1500
+ ok = ctx->verify_cb(0, ctx);
1501
+ if (!ok) {
1502
+ goto err;
1503
+ }
1549
1504
  }
1505
+ }
1550
1506
 
1551
- return 0;
1552
- }
1553
-
1554
- /* Check CRL validity */
1555
- static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1556
- {
1557
- X509 *issuer = NULL;
1558
- EVP_PKEY *ikey = NULL;
1559
- int ok = 0, chnum, cnum;
1560
- cnum = ctx->error_depth;
1561
- chnum = sk_X509_num(ctx->chain) - 1;
1562
- /* if we have an alternative CRL issuer cert use that */
1563
- if (ctx->current_issuer)
1564
- issuer = ctx->current_issuer;
1565
-
1566
- /*
1567
- * Else find CRL issuer: if not last certificate then issuer is next
1568
- * certificate in chain.
1569
- */
1570
- else if (cnum < chnum)
1571
- issuer = sk_X509_value(ctx->chain, cnum + 1);
1572
- else {
1573
- issuer = sk_X509_value(ctx->chain, chnum);
1574
- /* If not self signed, can't check signature */
1575
- if (!ctx->check_issued(ctx, issuer, issuer)) {
1576
- ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1577
- ok = ctx->verify_cb(0, ctx);
1578
- if (!ok)
1579
- goto err;
1507
+ if (issuer) {
1508
+ // Skip most tests for deltas because they have already been done
1509
+ if (!crl->base_crl_number) {
1510
+ // Check for cRLSign bit if keyUsage present
1511
+ if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1512
+ !(issuer->ex_kusage & KU_CRL_SIGN)) {
1513
+ ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1514
+ ok = ctx->verify_cb(0, ctx);
1515
+ if (!ok) {
1516
+ goto err;
1580
1517
  }
1581
- }
1582
-
1583
- if (issuer) {
1584
- /*
1585
- * Skip most tests for deltas because they have already been done
1586
- */
1587
- if (!crl->base_crl_number) {
1588
- /* Check for cRLSign bit if keyUsage present */
1589
- if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1590
- !(issuer->ex_kusage & KU_CRL_SIGN)) {
1591
- ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1592
- ok = ctx->verify_cb(0, ctx);
1593
- if (!ok)
1594
- goto err;
1595
- }
1596
-
1597
- if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1598
- ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1599
- ok = ctx->verify_cb(0, ctx);
1600
- if (!ok)
1601
- goto err;
1602
- }
1603
-
1604
- if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1605
- if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
1606
- ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1607
- ok = ctx->verify_cb(0, ctx);
1608
- if (!ok)
1609
- goto err;
1610
- }
1611
- }
1612
-
1613
- if (crl->idp_flags & IDP_INVALID) {
1614
- ctx->error = X509_V_ERR_INVALID_EXTENSION;
1615
- ok = ctx->verify_cb(0, ctx);
1616
- if (!ok)
1617
- goto err;
1618
- }
1518
+ }
1619
1519
 
1520
+ if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1521
+ ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1522
+ ok = ctx->verify_cb(0, ctx);
1523
+ if (!ok) {
1524
+ goto err;
1620
1525
  }
1526
+ }
1621
1527
 
1622
- if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1623
- ok = check_crl_time(ctx, crl, 1);
1624
- if (!ok)
1625
- goto err;
1528
+ if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1529
+ if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
1530
+ ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1531
+ ok = ctx->verify_cb(0, ctx);
1532
+ if (!ok) {
1533
+ goto err;
1534
+ }
1626
1535
  }
1536
+ }
1627
1537
 
1628
- /* Attempt to get issuer certificate public key */
1629
- ikey = X509_get_pubkey(issuer);
1630
-
1631
- if (!ikey) {
1632
- ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1633
- ok = ctx->verify_cb(0, ctx);
1634
- if (!ok)
1635
- goto err;
1636
- } else {
1637
- int rv;
1638
- rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
1639
- if (rv != X509_V_OK) {
1640
- ctx->error = rv;
1641
- ok = ctx->verify_cb(0, ctx);
1642
- if (!ok)
1643
- goto err;
1644
- }
1645
- /* Verify CRL signature */
1646
- if (X509_CRL_verify(crl, ikey) <= 0) {
1647
- ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1648
- ok = ctx->verify_cb(0, ctx);
1649
- if (!ok)
1650
- goto err;
1651
- }
1538
+ if (crl->idp_flags & IDP_INVALID) {
1539
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
1540
+ ok = ctx->verify_cb(0, ctx);
1541
+ if (!ok) {
1542
+ goto err;
1652
1543
  }
1544
+ }
1653
1545
  }
1654
1546
 
1655
- ok = 1;
1547
+ if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1548
+ ok = check_crl_time(ctx, crl, 1);
1549
+ if (!ok) {
1550
+ goto err;
1551
+ }
1552
+ }
1656
1553
 
1657
- err:
1658
- EVP_PKEY_free(ikey);
1659
- return ok;
1660
- }
1554
+ // Attempt to get issuer certificate public key
1555
+ ikey = X509_get_pubkey(issuer);
1661
1556
 
1662
- /* Check certificate against CRL */
1663
- static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1664
- {
1665
- int ok;
1666
- X509_REVOKED *rev;
1667
- /*
1668
- * The rules changed for this... previously if a CRL contained unhandled
1669
- * critical extensions it could still be used to indicate a certificate
1670
- * was revoked. This has since been changed since critical extension can
1671
- * change the meaning of CRL entries.
1672
- */
1673
- if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1674
- && (crl->flags & EXFLAG_CRITICAL)) {
1675
- ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1676
- ok = ctx->verify_cb(0, ctx);
1677
- if (!ok)
1678
- return 0;
1679
- }
1680
- /*
1681
- * Look for serial number of certificate in CRL If found make sure reason
1682
- * is not removeFromCRL.
1683
- */
1684
- if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1685
- if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1686
- return 2;
1687
- ctx->error = X509_V_ERR_CERT_REVOKED;
1557
+ if (!ikey) {
1558
+ ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1559
+ ok = ctx->verify_cb(0, ctx);
1560
+ if (!ok) {
1561
+ goto err;
1562
+ }
1563
+ } else {
1564
+ // Verify CRL signature
1565
+ if (X509_CRL_verify(crl, ikey) <= 0) {
1566
+ ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1688
1567
  ok = ctx->verify_cb(0, ctx);
1689
- if (!ok)
1690
- return 0;
1568
+ if (!ok) {
1569
+ goto err;
1570
+ }
1571
+ }
1691
1572
  }
1573
+ }
1692
1574
 
1693
- return 1;
1575
+ ok = 1;
1576
+
1577
+ err:
1578
+ EVP_PKEY_free(ikey);
1579
+ return ok;
1694
1580
  }
1695
1581
 
1696
- static int check_policy(X509_STORE_CTX *ctx)
1697
- {
1698
- int ret;
1699
- if (ctx->parent)
1700
- return 1;
1701
- ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1702
- ctx->param->policies, ctx->param->flags);
1703
- if (ret == 0) {
1704
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
1705
- ctx->error = X509_V_ERR_OUT_OF_MEM;
1706
- return 0;
1582
+ // Check certificate against CRL
1583
+ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) {
1584
+ int ok;
1585
+ X509_REVOKED *rev;
1586
+ // The rules changed for this... previously if a CRL contained unhandled
1587
+ // critical extensions it could still be used to indicate a certificate
1588
+ // was revoked. This has since been changed since critical extension can
1589
+ // change the meaning of CRL entries.
1590
+ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
1591
+ (crl->flags & EXFLAG_CRITICAL)) {
1592
+ ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1593
+ ok = ctx->verify_cb(0, ctx);
1594
+ if (!ok) {
1595
+ return 0;
1707
1596
  }
1708
- /* Invalid or inconsistent extensions */
1709
- if (ret == -1) {
1710
- /*
1711
- * Locate certificates with bad extensions and notify callback.
1712
- */
1713
- X509 *x;
1714
- size_t i;
1715
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
1716
- x = sk_X509_value(ctx->chain, i);
1717
- if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1718
- continue;
1719
- ctx->current_cert = x;
1720
- ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1721
- if (!ctx->verify_cb(0, ctx))
1722
- return 0;
1723
- }
1724
- return 1;
1597
+ }
1598
+ // Look for serial number of certificate in CRL If found make sure reason
1599
+ // is not removeFromCRL.
1600
+ if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1601
+ if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) {
1602
+ return 2;
1725
1603
  }
1726
- if (ret == -2) {
1727
- ctx->current_cert = NULL;
1728
- ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1729
- return ctx->verify_cb(0, ctx);
1730
- }
1731
-
1732
- if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1733
- ctx->current_cert = NULL;
1734
- /*
1735
- * Verification errors need to be "sticky", a callback may have allowed
1736
- * an SSL handshake to continue despite an error, and we must then
1737
- * remain in an error state. Therefore, we MUST NOT clear earlier
1738
- * verification errors by setting the error to X509_V_OK.
1739
- */
1740
- if (!ctx->verify_cb(2, ctx))
1741
- return 0;
1604
+ ctx->error = X509_V_ERR_CERT_REVOKED;
1605
+ ok = ctx->verify_cb(0, ctx);
1606
+ if (!ok) {
1607
+ return 0;
1742
1608
  }
1609
+ }
1743
1610
 
1744
- return 1;
1611
+ return 1;
1745
1612
  }
1746
1613
 
1747
- static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1748
- {
1749
- time_t *ptime;
1750
- int i;
1614
+ static int check_policy(X509_STORE_CTX *ctx) {
1615
+ if (ctx->parent) {
1616
+ return 1;
1617
+ }
1751
1618
 
1752
- if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1753
- ptime = &ctx->param->check_time;
1754
- else
1755
- ptime = NULL;
1619
+ X509 *current_cert = NULL;
1620
+ int ret = X509_policy_check(ctx->chain, ctx->param->policies,
1621
+ ctx->param->flags, &current_cert);
1622
+ if (ret != X509_V_OK) {
1623
+ ctx->current_cert = current_cert;
1624
+ ctx->error = ret;
1625
+ if (ret == X509_V_ERR_OUT_OF_MEM) {
1626
+ return 0;
1627
+ }
1628
+ return ctx->verify_cb(0, ctx);
1629
+ }
1756
1630
 
1757
- i = X509_cmp_time(X509_get_notBefore(x), ptime);
1758
- if (i == 0) {
1759
- ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1760
- ctx->current_cert = x;
1761
- if (!ctx->verify_cb(0, ctx))
1762
- return 0;
1631
+ if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1632
+ ctx->current_cert = NULL;
1633
+ // Verification errors need to be "sticky", a callback may have allowed
1634
+ // an SSL handshake to continue despite an error, and we must then
1635
+ // remain in an error state. Therefore, we MUST NOT clear earlier
1636
+ // verification errors by setting the error to X509_V_OK.
1637
+ if (!ctx->verify_cb(2, ctx)) {
1638
+ return 0;
1763
1639
  }
1640
+ }
1764
1641
 
1765
- if (i > 0) {
1766
- ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1767
- ctx->current_cert = x;
1768
- if (!ctx->verify_cb(0, ctx))
1769
- return 0;
1642
+ return 1;
1643
+ }
1644
+
1645
+ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) {
1646
+ if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {
1647
+ return 1;
1648
+ }
1649
+
1650
+ int64_t ptime;
1651
+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
1652
+ ptime = ctx->param->check_time;
1653
+ } else {
1654
+ ptime = time(NULL);
1655
+ }
1656
+
1657
+ int i = X509_cmp_time_posix(X509_get_notBefore(x), ptime);
1658
+ if (i == 0) {
1659
+ ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1660
+ ctx->current_cert = x;
1661
+ if (!ctx->verify_cb(0, ctx)) {
1662
+ return 0;
1770
1663
  }
1664
+ }
1771
1665
 
1772
- i = X509_cmp_time(X509_get_notAfter(x), ptime);
1773
- if (i == 0) {
1774
- ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1775
- ctx->current_cert = x;
1776
- if (!ctx->verify_cb(0, ctx))
1777
- return 0;
1666
+ if (i > 0) {
1667
+ ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1668
+ ctx->current_cert = x;
1669
+ if (!ctx->verify_cb(0, ctx)) {
1670
+ return 0;
1778
1671
  }
1672
+ }
1779
1673
 
1780
- if (i < 0) {
1781
- ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1782
- ctx->current_cert = x;
1783
- if (!ctx->verify_cb(0, ctx))
1784
- return 0;
1674
+ i = X509_cmp_time_posix(X509_get_notAfter(x), ptime);
1675
+ if (i == 0) {
1676
+ ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1677
+ ctx->current_cert = x;
1678
+ if (!ctx->verify_cb(0, ctx)) {
1679
+ return 0;
1785
1680
  }
1681
+ }
1786
1682
 
1787
- return 1;
1683
+ if (i < 0) {
1684
+ ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1685
+ ctx->current_cert = x;
1686
+ if (!ctx->verify_cb(0, ctx)) {
1687
+ return 0;
1688
+ }
1689
+ }
1690
+
1691
+ return 1;
1788
1692
  }
1789
1693
 
1790
- static int internal_verify(X509_STORE_CTX *ctx)
1791
- {
1792
- int ok = 0, n;
1793
- X509 *xs, *xi;
1794
- EVP_PKEY *pkey = NULL;
1795
- int (*cb) (int xok, X509_STORE_CTX *xctx);
1694
+ static int internal_verify(X509_STORE_CTX *ctx) {
1695
+ int ok = 0, n;
1696
+ X509 *xs, *xi;
1697
+ EVP_PKEY *pkey = NULL;
1796
1698
 
1797
- cb = ctx->verify_cb;
1699
+ n = sk_X509_num(ctx->chain);
1700
+ ctx->error_depth = n - 1;
1701
+ n--;
1702
+ xi = sk_X509_value(ctx->chain, n);
1798
1703
 
1799
- n = sk_X509_num(ctx->chain);
1800
- ctx->error_depth = n - 1;
1801
- n--;
1802
- xi = sk_X509_value(ctx->chain, n);
1803
-
1804
- if (ctx->check_issued(ctx, xi, xi))
1805
- xs = xi;
1806
- else {
1807
- if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
1808
- xs = xi;
1809
- goto check_cert;
1704
+ if (ctx->check_issued(ctx, xi, xi)) {
1705
+ xs = xi;
1706
+ } else {
1707
+ if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
1708
+ xs = xi;
1709
+ goto check_cert;
1710
+ }
1711
+ if (n <= 0) {
1712
+ ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1713
+ ctx->current_cert = xi;
1714
+ ok = ctx->verify_cb(0, ctx);
1715
+ goto end;
1716
+ } else {
1717
+ n--;
1718
+ ctx->error_depth = n;
1719
+ xs = sk_X509_value(ctx->chain, n);
1720
+ }
1721
+ }
1722
+
1723
+ // ctx->error=0; not needed
1724
+ while (n >= 0) {
1725
+ ctx->error_depth = n;
1726
+
1727
+ // Skip signature check for self signed certificates unless
1728
+ // explicitly asked for. It doesn't add any security and just wastes
1729
+ // time.
1730
+ if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
1731
+ if ((pkey = X509_get_pubkey(xi)) == NULL) {
1732
+ ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1733
+ ctx->current_cert = xi;
1734
+ ok = ctx->verify_cb(0, ctx);
1735
+ if (!ok) {
1736
+ goto end;
1810
1737
  }
1811
- if (n <= 0) {
1812
- ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1813
- ctx->current_cert = xi;
1814
- ok = cb(0, ctx);
1815
- goto end;
1816
- } else {
1817
- n--;
1818
- ctx->error_depth = n;
1819
- xs = sk_X509_value(ctx->chain, n);
1738
+ } else if (X509_verify(xs, pkey) <= 0) {
1739
+ ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
1740
+ ctx->current_cert = xs;
1741
+ ok = ctx->verify_cb(0, ctx);
1742
+ if (!ok) {
1743
+ EVP_PKEY_free(pkey);
1744
+ goto end;
1820
1745
  }
1746
+ }
1747
+ EVP_PKEY_free(pkey);
1748
+ pkey = NULL;
1821
1749
  }
1822
1750
 
1823
- /* ctx->error=0; not needed */
1824
- while (n >= 0) {
1825
- ctx->error_depth = n;
1826
-
1827
- /*
1828
- * Skip signature check for self signed certificates unless
1829
- * explicitly asked for. It doesn't add any security and just wastes
1830
- * time.
1831
- */
1832
- if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
1833
- if ((pkey = X509_get_pubkey(xi)) == NULL) {
1834
- ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1835
- ctx->current_cert = xi;
1836
- ok = (*cb) (0, ctx);
1837
- if (!ok)
1838
- goto end;
1839
- } else if (X509_verify(xs, pkey) <= 0) {
1840
- ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
1841
- ctx->current_cert = xs;
1842
- ok = (*cb) (0, ctx);
1843
- if (!ok) {
1844
- EVP_PKEY_free(pkey);
1845
- goto end;
1846
- }
1847
- }
1848
- EVP_PKEY_free(pkey);
1849
- pkey = NULL;
1850
- }
1851
-
1852
- check_cert:
1853
- ok = check_cert_time(ctx, xs);
1854
- if (!ok)
1855
- goto end;
1856
-
1857
- /* The last error (if any) is still in the error value */
1858
- ctx->current_issuer = xi;
1859
- ctx->current_cert = xs;
1860
- ok = (*cb) (1, ctx);
1861
- if (!ok)
1862
- goto end;
1863
-
1864
- n--;
1865
- if (n >= 0) {
1866
- xi = xs;
1867
- xs = sk_X509_value(ctx->chain, n);
1868
- }
1751
+ check_cert:
1752
+ ok = check_cert_time(ctx, xs);
1753
+ if (!ok) {
1754
+ goto end;
1869
1755
  }
1870
- ok = 1;
1871
- end:
1872
- return ok;
1873
- }
1874
-
1875
- int X509_cmp_current_time(const ASN1_TIME *ctm)
1876
- {
1877
- return X509_cmp_time(ctm, NULL);
1878
- }
1879
-
1880
- int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1881
- {
1882
- static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
1883
- static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
1884
- ASN1_TIME *asn1_cmp_time = NULL;
1885
- int i, day, sec, ret = 0;
1886
-
1887
- /*
1888
- * Note that ASN.1 allows much more slack in the time format than RFC 5280.
1889
- * In RFC 5280, the representation is fixed:
1890
- * UTCTime: YYMMDDHHMMSSZ
1891
- * GeneralizedTime: YYYYMMDDHHMMSSZ
1892
- *
1893
- * We do NOT currently enforce the following RFC 5280 requirement:
1894
- * "CAs conforming to this profile MUST always encode certificate
1895
- * validity dates through the year 2049 as UTCTime; certificate validity
1896
- * dates in 2050 or later MUST be encoded as GeneralizedTime."
1897
- */
1898
- switch (ctm->type) {
1899
- case V_ASN1_UTCTIME:
1900
- if (ctm->length != (int)(utctime_length))
1901
- return 0;
1902
- break;
1903
- case V_ASN1_GENERALIZEDTIME:
1904
- if (ctm->length != (int)(generalizedtime_length))
1905
- return 0;
1906
- break;
1907
- default:
1908
- return 0;
1756
+
1757
+ // The last error (if any) is still in the error value
1758
+ ctx->current_issuer = xi;
1759
+ ctx->current_cert = xs;
1760
+ ok = ctx->verify_cb(1, ctx);
1761
+ if (!ok) {
1762
+ goto end;
1909
1763
  }
1910
1764
 
1911
- /**
1912
- * Verify the format: the ASN.1 functions we use below allow a more
1913
- * flexible format than what's mandated by RFC 5280.
1914
- * Digit and date ranges will be verified in the conversion methods.
1915
- */
1916
- for (i = 0; i < ctm->length - 1; i++) {
1917
- if (!isdigit(ctm->data[i]))
1918
- return 0;
1765
+ n--;
1766
+ if (n >= 0) {
1767
+ xi = xs;
1768
+ xs = sk_X509_value(ctx->chain, n);
1919
1769
  }
1920
- if (ctm->data[ctm->length - 1] != 'Z')
1921
- return 0;
1770
+ }
1771
+ ok = 1;
1772
+ end:
1773
+ return ok;
1774
+ }
1922
1775
 
1923
- /*
1924
- * There is ASN1_UTCTIME_cmp_time_t but no
1925
- * ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t,
1926
- * so we go through ASN.1
1927
- */
1928
- asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time);
1929
- if (asn1_cmp_time == NULL)
1930
- goto err;
1931
- if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time))
1932
- goto err;
1776
+ int X509_cmp_current_time(const ASN1_TIME *ctm) {
1777
+ return X509_cmp_time_posix(ctm, time(NULL));
1778
+ }
1933
1779
 
1934
- /*
1935
- * X509_cmp_time comparison is <=.
1936
- * The return value 0 is reserved for errors.
1937
- */
1938
- ret = (day >= 0 && sec >= 0) ? -1 : 1;
1780
+ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) {
1781
+ int64_t compare_time = (cmp_time == NULL) ? time(NULL) : *cmp_time;
1782
+ return X509_cmp_time_posix(ctm, compare_time);
1783
+ }
1939
1784
 
1940
- err:
1941
- ASN1_TIME_free(asn1_cmp_time);
1942
- return ret;
1785
+ int X509_cmp_time_posix(const ASN1_TIME *ctm, int64_t cmp_time) {
1786
+ int64_t ctm_time;
1787
+ if (!ASN1_TIME_to_posix(ctm, &ctm_time)) {
1788
+ return 0;
1789
+ }
1790
+ // The return value 0 is reserved for errors.
1791
+ return (ctm_time - cmp_time <= 0) ? -1 : 1;
1943
1792
  }
1944
1793
 
1945
- ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec)
1946
- {
1947
- return X509_time_adj(s, offset_sec, NULL);
1794
+ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec) {
1795
+ return X509_time_adj(s, offset_sec, NULL);
1948
1796
  }
1949
1797
 
1950
- ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1951
- {
1952
- return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1798
+ ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) {
1799
+ return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1953
1800
  }
1954
1801
 
1955
- ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1956
- int offset_day, long offset_sec, time_t *in_tm)
1957
- {
1958
- time_t t = 0;
1802
+ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec,
1803
+ time_t *in_tm) {
1804
+ int64_t t = 0;
1959
1805
 
1960
- if (in_tm) {
1961
- t = *in_tm;
1962
- } else {
1963
- time(&t);
1964
- }
1965
-
1966
- return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1967
- }
1968
-
1969
- /* Make a delta CRL as the diff between two full CRLs */
1970
-
1971
- X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
1972
- EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
1973
- {
1974
- X509_CRL *crl = NULL;
1975
- int i;
1976
- size_t j;
1977
- STACK_OF(X509_REVOKED) *revs = NULL;
1978
- /* CRLs can't be delta already */
1979
- if (base->base_crl_number || newer->base_crl_number) {
1980
- OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
1981
- return NULL;
1982
- }
1983
- /* Base and new CRL must have a CRL number */
1984
- if (!base->crl_number || !newer->crl_number) {
1985
- OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
1986
- return NULL;
1987
- }
1988
- /* Issuer names must match */
1989
- if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
1990
- OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
1991
- return NULL;
1992
- }
1993
- /* AKID and IDP must match */
1994
- if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
1995
- OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
1996
- return NULL;
1997
- }
1998
- if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
1999
- OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
2000
- return NULL;
2001
- }
2002
- /* Newer CRL number must exceed full CRL number */
2003
- if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
2004
- OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
2005
- return NULL;
2006
- }
2007
- /* CRLs must verify */
2008
- if (skey && (X509_CRL_verify(base, skey) <= 0 ||
2009
- X509_CRL_verify(newer, skey) <= 0)) {
2010
- OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
2011
- return NULL;
2012
- }
2013
- /* Create new CRL */
2014
- crl = X509_CRL_new();
2015
- if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2))
2016
- goto memerr;
2017
- /* Set issuer name */
2018
- if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
2019
- goto memerr;
1806
+ if (in_tm) {
1807
+ t = *in_tm;
1808
+ } else {
1809
+ t = time(NULL);
1810
+ }
2020
1811
 
2021
- if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer)))
2022
- goto memerr;
2023
- if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))
2024
- goto memerr;
1812
+ return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1813
+ }
2025
1814
 
2026
- /* Set base CRL number: must be critical */
1815
+ // Make a delta CRL as the diff between two full CRLs
2027
1816
 
2028
- if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))
1817
+ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey,
1818
+ const EVP_MD *md, unsigned int flags) {
1819
+ X509_CRL *crl = NULL;
1820
+ int i;
1821
+ size_t j;
1822
+ STACK_OF(X509_REVOKED) *revs = NULL;
1823
+ // CRLs can't be delta already
1824
+ if (base->base_crl_number || newer->base_crl_number) {
1825
+ OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
1826
+ return NULL;
1827
+ }
1828
+ // Base and new CRL must have a CRL number
1829
+ if (!base->crl_number || !newer->crl_number) {
1830
+ OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
1831
+ return NULL;
1832
+ }
1833
+ // Issuer names must match
1834
+ if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
1835
+ OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
1836
+ return NULL;
1837
+ }
1838
+ // AKID and IDP must match
1839
+ if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
1840
+ OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
1841
+ return NULL;
1842
+ }
1843
+ if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
1844
+ OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
1845
+ return NULL;
1846
+ }
1847
+ // Newer CRL number must exceed full CRL number
1848
+ if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
1849
+ OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
1850
+ return NULL;
1851
+ }
1852
+ // CRLs must verify
1853
+ if (skey &&
1854
+ (X509_CRL_verify(base, skey) <= 0 || X509_CRL_verify(newer, skey) <= 0)) {
1855
+ OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
1856
+ return NULL;
1857
+ }
1858
+ // Create new CRL
1859
+ crl = X509_CRL_new();
1860
+ if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2)) {
1861
+ goto memerr;
1862
+ }
1863
+ // Set issuer name
1864
+ if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) {
1865
+ goto memerr;
1866
+ }
1867
+
1868
+ if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) {
1869
+ goto memerr;
1870
+ }
1871
+ if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer))) {
1872
+ goto memerr;
1873
+ }
1874
+
1875
+ // Set base CRL number: must be critical
1876
+
1877
+ if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0)) {
1878
+ goto memerr;
1879
+ }
1880
+
1881
+ // Copy extensions across from newest CRL to delta: this will set CRL
1882
+ // number to correct value too.
1883
+
1884
+ for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
1885
+ const X509_EXTENSION *ext = X509_CRL_get_ext(newer, i);
1886
+ if (!X509_CRL_add_ext(crl, ext, -1)) {
1887
+ goto memerr;
1888
+ }
1889
+ }
1890
+
1891
+ // Go through revoked entries, copying as needed
1892
+
1893
+ revs = X509_CRL_get_REVOKED(newer);
1894
+
1895
+ for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
1896
+ X509_REVOKED *rvn, *rvtmp;
1897
+ rvn = sk_X509_REVOKED_value(revs, j);
1898
+ // Add only if not also in base. TODO: need something cleverer here
1899
+ // for some more complex CRLs covering multiple CAs.
1900
+ if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
1901
+ rvtmp = X509_REVOKED_dup(rvn);
1902
+ if (!rvtmp) {
2029
1903
  goto memerr;
2030
-
2031
- /*
2032
- * Copy extensions across from newest CRL to delta: this will set CRL
2033
- * number to correct value too.
2034
- */
2035
-
2036
- for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
2037
- X509_EXTENSION *ext;
2038
- ext = X509_CRL_get_ext(newer, i);
2039
- if (!X509_CRL_add_ext(crl, ext, -1))
2040
- goto memerr;
2041
- }
2042
-
2043
- /* Go through revoked entries, copying as needed */
2044
-
2045
- revs = X509_CRL_get_REVOKED(newer);
2046
-
2047
- for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
2048
- X509_REVOKED *rvn, *rvtmp;
2049
- rvn = sk_X509_REVOKED_value(revs, j);
2050
- /*
2051
- * Add only if not also in base. TODO: need something cleverer here
2052
- * for some more complex CRLs covering multiple CAs.
2053
- */
2054
- if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
2055
- rvtmp = X509_REVOKED_dup(rvn);
2056
- if (!rvtmp)
2057
- goto memerr;
2058
- if (!X509_CRL_add0_revoked(crl, rvtmp)) {
2059
- X509_REVOKED_free(rvtmp);
2060
- goto memerr;
2061
- }
2062
- }
1904
+ }
1905
+ if (!X509_CRL_add0_revoked(crl, rvtmp)) {
1906
+ X509_REVOKED_free(rvtmp);
1907
+ goto memerr;
1908
+ }
2063
1909
  }
2064
- /* TODO: optionally prune deleted entries */
1910
+ }
1911
+ // TODO: optionally prune deleted entries
2065
1912
 
2066
- if (skey && md && !X509_CRL_sign(crl, skey, md))
2067
- goto memerr;
1913
+ if (skey && md && !X509_CRL_sign(crl, skey, md)) {
1914
+ goto memerr;
1915
+ }
2068
1916
 
2069
- return crl;
1917
+ return crl;
2070
1918
 
2071
- memerr:
2072
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2073
- if (crl)
2074
- X509_CRL_free(crl);
2075
- return NULL;
1919
+ memerr:
1920
+ if (crl) {
1921
+ X509_CRL_free(crl);
1922
+ }
1923
+ return NULL;
2076
1924
  }
2077
1925
 
2078
1926
  int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
2079
- CRYPTO_EX_unused * unused,
1927
+ CRYPTO_EX_unused *unused,
2080
1928
  CRYPTO_EX_dup *dup_unused,
2081
- CRYPTO_EX_free *free_func)
2082
- {
2083
- /*
2084
- * This function is (usually) called only once, by
2085
- * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
2086
- */
2087
- int index;
2088
- if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
2089
- free_func)) {
2090
- return -1;
2091
- }
2092
- return index;
1929
+ CRYPTO_EX_free *free_func) {
1930
+ // This function is (usually) called only once, by
1931
+ // SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
1932
+ int index;
1933
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
1934
+ free_func)) {
1935
+ return -1;
1936
+ }
1937
+ return index;
2093
1938
  }
2094
1939
 
2095
- int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
2096
- {
2097
- return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
1940
+ int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) {
1941
+ return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
2098
1942
  }
2099
1943
 
2100
- void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
2101
- {
2102
- return CRYPTO_get_ex_data(&ctx->ex_data, idx);
1944
+ void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) {
1945
+ return CRYPTO_get_ex_data(&ctx->ex_data, idx);
2103
1946
  }
2104
1947
 
2105
- int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
2106
- {
2107
- return ctx->error;
2108
- }
1948
+ int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) { return ctx->error; }
2109
1949
 
2110
- void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
2111
- {
2112
- ctx->error = err;
1950
+ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) {
1951
+ ctx->error = err;
2113
1952
  }
2114
1953
 
2115
- int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
2116
- {
2117
- return ctx->error_depth;
1954
+ int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) {
1955
+ return ctx->error_depth;
2118
1956
  }
2119
1957
 
2120
- X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
2121
- {
2122
- return ctx->current_cert;
1958
+ X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) {
1959
+ return ctx->current_cert;
2123
1960
  }
2124
1961
 
2125
- STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
2126
- {
2127
- return ctx->chain;
1962
+ STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) {
1963
+ return ctx->chain;
2128
1964
  }
2129
1965
 
2130
- STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
2131
- {
2132
- return ctx->chain;
1966
+ STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx) {
1967
+ return ctx->chain;
2133
1968
  }
2134
1969
 
2135
- STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
2136
- {
2137
- if (!ctx->chain)
2138
- return NULL;
2139
- return X509_chain_up_ref(ctx->chain);
1970
+ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) {
1971
+ if (!ctx->chain) {
1972
+ return NULL;
1973
+ }
1974
+ return X509_chain_up_ref(ctx->chain);
2140
1975
  }
2141
1976
 
2142
- X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
2143
- {
2144
- return ctx->current_issuer;
1977
+ X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) {
1978
+ return ctx->current_issuer;
2145
1979
  }
2146
1980
 
2147
- X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
2148
- {
2149
- return ctx->current_crl;
1981
+ X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) {
1982
+ return ctx->current_crl;
2150
1983
  }
2151
1984
 
2152
- X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
2153
- {
2154
- return ctx->parent;
1985
+ X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) {
1986
+ return ctx->parent;
2155
1987
  }
2156
1988
 
2157
- void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
2158
- {
2159
- ctx->cert = x;
2160
- }
1989
+ void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) { ctx->cert = x; }
2161
1990
 
2162
- void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2163
- {
2164
- ctx->untrusted = sk;
1991
+ void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {
1992
+ ctx->untrusted = sk;
2165
1993
  }
2166
1994
 
2167
- STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
2168
- {
2169
- return ctx->untrusted;
1995
+ STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) {
1996
+ return ctx->untrusted;
2170
1997
  }
2171
1998
 
2172
- void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
2173
- {
2174
- ctx->crls = sk;
1999
+ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) {
2000
+ ctx->crls = sk;
2175
2001
  }
2176
2002
 
2177
- int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
2178
- {
2179
- return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
2003
+ int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) {
2004
+ return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
2180
2005
  }
2181
2006
 
2182
- int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
2183
- {
2184
- return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
2007
+ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) {
2008
+ return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
2185
2009
  }
2186
2010
 
2187
- /*
2188
- * This function is used to set the X509_STORE_CTX purpose and trust values.
2189
- * This is intended to be used when another structure has its own trust and
2190
- * purpose values which (if set) will be inherited by the ctx. If they aren't
2191
- * set then we will usually have a default purpose in mind which should then
2192
- * be used to set the trust value. An example of this is SSL use: an SSL
2193
- * structure will have its own purpose and trust settings which the
2194
- * application can set: if they aren't set then we use the default of SSL
2195
- * client/server.
2196
- */
2011
+ // This function is used to set the X509_STORE_CTX purpose and trust values.
2012
+ // This is intended to be used when another structure has its own trust and
2013
+ // purpose values which (if set) will be inherited by the ctx. If they aren't
2014
+ // set then we will usually have a default purpose in mind which should then
2015
+ // be used to set the trust value. An example of this is SSL use: an SSL
2016
+ // structure will have its own purpose and trust settings which the
2017
+ // application can set: if they aren't set then we use the default of SSL
2018
+ // client/server.
2197
2019
 
2198
2020
  int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
2199
- int purpose, int trust)
2200
- {
2201
- int idx;
2202
- /* If purpose not set use default */
2203
- if (!purpose)
2204
- purpose = def_purpose;
2205
- /* If we have a purpose then check it is valid */
2206
- if (purpose) {
2207
- X509_PURPOSE *ptmp;
2208
- idx = X509_PURPOSE_get_by_id(purpose);
2209
- if (idx == -1) {
2210
- OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2211
- return 0;
2212
- }
2213
- ptmp = X509_PURPOSE_get0(idx);
2214
- if (ptmp->trust == X509_TRUST_DEFAULT) {
2215
- idx = X509_PURPOSE_get_by_id(def_purpose);
2216
- if (idx == -1) {
2217
- OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2218
- return 0;
2219
- }
2220
- ptmp = X509_PURPOSE_get0(idx);
2221
- }
2222
- /* If trust not set then get from purpose default */
2223
- if (!trust)
2224
- trust = ptmp->trust;
2225
- }
2226
- if (trust) {
2227
- idx = X509_TRUST_get_by_id(trust);
2228
- if (idx == -1) {
2229
- OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
2230
- return 0;
2231
- }
2232
- }
2233
-
2234
- if (purpose && !ctx->param->purpose)
2235
- ctx->param->purpose = purpose;
2236
- if (trust && !ctx->param->trust)
2237
- ctx->param->trust = trust;
2238
- return 1;
2239
- }
2240
-
2241
- X509_STORE_CTX *X509_STORE_CTX_new(void)
2242
- {
2243
- X509_STORE_CTX *ctx;
2244
- ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
2245
- if (!ctx) {
2246
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2247
- return NULL;
2248
- }
2249
- X509_STORE_CTX_zero(ctx);
2250
- return ctx;
2021
+ int purpose, int trust) {
2022
+ int idx;
2023
+ // If purpose not set use default
2024
+ if (!purpose) {
2025
+ purpose = def_purpose;
2026
+ }
2027
+ // If we have a purpose then check it is valid
2028
+ if (purpose) {
2029
+ X509_PURPOSE *ptmp;
2030
+ idx = X509_PURPOSE_get_by_id(purpose);
2031
+ if (idx == -1) {
2032
+ OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2033
+ return 0;
2034
+ }
2035
+ ptmp = X509_PURPOSE_get0(idx);
2036
+ if (ptmp->trust == X509_TRUST_DEFAULT) {
2037
+ idx = X509_PURPOSE_get_by_id(def_purpose);
2038
+ if (idx == -1) {
2039
+ OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2040
+ return 0;
2041
+ }
2042
+ ptmp = X509_PURPOSE_get0(idx);
2043
+ }
2044
+ // If trust not set then get from purpose default
2045
+ if (!trust) {
2046
+ trust = ptmp->trust;
2047
+ }
2048
+ }
2049
+ if (trust) {
2050
+ idx = X509_TRUST_get_by_id(trust);
2051
+ if (idx == -1) {
2052
+ OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
2053
+ return 0;
2054
+ }
2055
+ }
2056
+
2057
+ if (purpose && !ctx->param->purpose) {
2058
+ ctx->param->purpose = purpose;
2059
+ }
2060
+ if (trust && !ctx->param->trust) {
2061
+ ctx->param->trust = trust;
2062
+ }
2063
+ return 1;
2064
+ }
2065
+
2066
+ X509_STORE_CTX *X509_STORE_CTX_new(void) {
2067
+ X509_STORE_CTX *ctx;
2068
+ ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
2069
+ if (!ctx) {
2070
+ return NULL;
2071
+ }
2072
+ X509_STORE_CTX_zero(ctx);
2073
+ return ctx;
2251
2074
  }
2252
2075
 
2253
- void X509_STORE_CTX_zero(X509_STORE_CTX *ctx)
2254
- {
2255
- OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2076
+ void X509_STORE_CTX_zero(X509_STORE_CTX *ctx) {
2077
+ OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2256
2078
  }
2257
2079
 
2258
- void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
2259
- {
2260
- if (ctx == NULL) {
2261
- return;
2262
- }
2263
- X509_STORE_CTX_cleanup(ctx);
2264
- OPENSSL_free(ctx);
2080
+ void X509_STORE_CTX_free(X509_STORE_CTX *ctx) {
2081
+ if (ctx == NULL) {
2082
+ return;
2083
+ }
2084
+ X509_STORE_CTX_cleanup(ctx);
2085
+ OPENSSL_free(ctx);
2265
2086
  }
2266
2087
 
2267
2088
  int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2268
- STACK_OF(X509) *chain)
2269
- {
2270
- X509_STORE_CTX_zero(ctx);
2271
- ctx->ctx = store;
2272
- ctx->cert = x509;
2273
- ctx->untrusted = chain;
2274
-
2275
- CRYPTO_new_ex_data(&ctx->ex_data);
2276
-
2277
- if (store == NULL) {
2278
- OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);
2279
- goto err;
2280
- }
2281
-
2282
- ctx->param = X509_VERIFY_PARAM_new();
2283
- if (!ctx->param)
2284
- goto err;
2285
-
2286
- /*
2287
- * Inherit callbacks and flags from X509_STORE.
2288
- */
2289
-
2089
+ STACK_OF(X509) *chain) {
2090
+ X509_STORE_CTX_zero(ctx);
2091
+ ctx->ctx = store;
2092
+ ctx->cert = x509;
2093
+ ctx->untrusted = chain;
2094
+
2095
+ CRYPTO_new_ex_data(&ctx->ex_data);
2096
+
2097
+ if (store == NULL) {
2098
+ OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);
2099
+ goto err;
2100
+ }
2101
+
2102
+ ctx->param = X509_VERIFY_PARAM_new();
2103
+ if (!ctx->param) {
2104
+ goto err;
2105
+ }
2106
+
2107
+ // Inherit callbacks and flags from X509_STORE.
2108
+
2109
+ ctx->verify_cb = store->verify_cb;
2110
+ ctx->cleanup = store->cleanup;
2111
+
2112
+ if (!X509_VERIFY_PARAM_inherit(ctx->param, store->param) ||
2113
+ !X509_VERIFY_PARAM_inherit(ctx->param,
2114
+ X509_VERIFY_PARAM_lookup("default"))) {
2115
+ goto err;
2116
+ }
2117
+
2118
+ if (store->check_issued) {
2119
+ ctx->check_issued = store->check_issued;
2120
+ } else {
2121
+ ctx->check_issued = check_issued;
2122
+ }
2123
+
2124
+ if (store->get_issuer) {
2125
+ ctx->get_issuer = store->get_issuer;
2126
+ } else {
2127
+ ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2128
+ }
2129
+
2130
+ if (store->verify_cb) {
2290
2131
  ctx->verify_cb = store->verify_cb;
2291
- ctx->cleanup = store->cleanup;
2292
-
2293
- if (!X509_VERIFY_PARAM_inherit(ctx->param, store->param) ||
2294
- !X509_VERIFY_PARAM_inherit(ctx->param,
2295
- X509_VERIFY_PARAM_lookup("default"))) {
2296
- goto err;
2297
- }
2298
-
2299
- if (store->check_issued)
2300
- ctx->check_issued = store->check_issued;
2301
- else
2302
- ctx->check_issued = check_issued;
2303
-
2304
- if (store->get_issuer)
2305
- ctx->get_issuer = store->get_issuer;
2306
- else
2307
- ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2308
-
2309
- if (store->verify_cb)
2310
- ctx->verify_cb = store->verify_cb;
2311
- else
2312
- ctx->verify_cb = null_callback;
2132
+ } else {
2133
+ ctx->verify_cb = null_callback;
2134
+ }
2135
+
2136
+ if (store->verify) {
2137
+ ctx->verify = store->verify;
2138
+ } else {
2139
+ ctx->verify = internal_verify;
2140
+ }
2313
2141
 
2314
- if (store->verify)
2315
- ctx->verify = store->verify;
2316
- else
2317
- ctx->verify = internal_verify;
2142
+ if (store->check_revocation) {
2143
+ ctx->check_revocation = store->check_revocation;
2144
+ } else {
2145
+ ctx->check_revocation = check_revocation;
2146
+ }
2318
2147
 
2319
- if (store->check_revocation)
2320
- ctx->check_revocation = store->check_revocation;
2321
- else
2322
- ctx->check_revocation = check_revocation;
2148
+ if (store->get_crl) {
2149
+ ctx->get_crl = store->get_crl;
2150
+ } else {
2151
+ ctx->get_crl = NULL;
2152
+ }
2323
2153
 
2324
- if (store->get_crl)
2325
- ctx->get_crl = store->get_crl;
2326
- else
2327
- ctx->get_crl = NULL;
2154
+ if (store->check_crl) {
2155
+ ctx->check_crl = store->check_crl;
2156
+ } else {
2157
+ ctx->check_crl = check_crl;
2158
+ }
2328
2159
 
2329
- if (store->check_crl)
2330
- ctx->check_crl = store->check_crl;
2331
- else
2332
- ctx->check_crl = check_crl;
2160
+ if (store->cert_crl) {
2161
+ ctx->cert_crl = store->cert_crl;
2162
+ } else {
2163
+ ctx->cert_crl = cert_crl;
2164
+ }
2333
2165
 
2334
- if (store->cert_crl)
2335
- ctx->cert_crl = store->cert_crl;
2336
- else
2337
- ctx->cert_crl = cert_crl;
2166
+ if (store->lookup_certs) {
2167
+ ctx->lookup_certs = store->lookup_certs;
2168
+ } else {
2169
+ ctx->lookup_certs = X509_STORE_get1_certs;
2170
+ }
2338
2171
 
2339
- if (store->lookup_certs)
2340
- ctx->lookup_certs = store->lookup_certs;
2341
- else
2342
- ctx->lookup_certs = X509_STORE_get1_certs;
2172
+ if (store->lookup_crls) {
2173
+ ctx->lookup_crls = store->lookup_crls;
2174
+ } else {
2175
+ ctx->lookup_crls = X509_STORE_get1_crls;
2176
+ }
2343
2177
 
2344
- if (store->lookup_crls)
2345
- ctx->lookup_crls = store->lookup_crls;
2346
- else
2347
- ctx->lookup_crls = X509_STORE_get1_crls;
2178
+ ctx->check_policy = check_policy;
2348
2179
 
2349
- ctx->check_policy = check_policy;
2180
+ return 1;
2350
2181
 
2351
- return 1;
2352
-
2353
- err:
2354
- CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
2355
- if (ctx->param != NULL) {
2356
- X509_VERIFY_PARAM_free(ctx->param);
2357
- }
2182
+ err:
2183
+ CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
2184
+ if (ctx->param != NULL) {
2185
+ X509_VERIFY_PARAM_free(ctx->param);
2186
+ }
2358
2187
 
2359
- OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2360
- OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2361
- return 0;
2188
+ OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2189
+ return 0;
2362
2190
  }
2363
2191
 
2364
- /*
2365
- * Set alternative lookup method: just a STACK of trusted certificates. This
2366
- * avoids X509_STORE nastiness where it isn't needed.
2367
- */
2192
+ // Set alternative lookup method: just a STACK of trusted certificates. This
2193
+ // avoids X509_STORE nastiness where it isn't needed.
2368
2194
 
2369
- void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2370
- {
2371
- ctx->other_ctx = sk;
2372
- ctx->get_issuer = get_issuer_sk;
2195
+ void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,
2196
+ STACK_OF(X509) *sk) {
2197
+ ctx->other_ctx = sk;
2198
+ ctx->get_issuer = get_issuer_sk;
2373
2199
  }
2374
2200
 
2375
- void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2376
- {
2377
- /* We need to be idempotent because, unfortunately, |X509_STORE_CTX_free|
2378
- * also calls this function. */
2379
- if (ctx->cleanup != NULL) {
2380
- ctx->cleanup(ctx);
2381
- ctx->cleanup = NULL;
2382
- }
2383
- if (ctx->param != NULL) {
2384
- if (ctx->parent == NULL)
2385
- X509_VERIFY_PARAM_free(ctx->param);
2386
- ctx->param = NULL;
2387
- }
2388
- if (ctx->tree != NULL) {
2389
- X509_policy_tree_free(ctx->tree);
2390
- ctx->tree = NULL;
2391
- }
2392
- if (ctx->chain != NULL) {
2393
- sk_X509_pop_free(ctx->chain, X509_free);
2394
- ctx->chain = NULL;
2395
- }
2396
- CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
2397
- OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
2201
+ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {
2202
+ X509_STORE_CTX_set0_trusted_stack(ctx, sk);
2398
2203
  }
2399
2204
 
2400
- void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2401
- {
2402
- X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2205
+ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) {
2206
+ // We need to be idempotent because, unfortunately, |X509_STORE_CTX_free|
2207
+ // also calls this function.
2208
+ if (ctx->cleanup != NULL) {
2209
+ ctx->cleanup(ctx);
2210
+ ctx->cleanup = NULL;
2211
+ }
2212
+ if (ctx->param != NULL) {
2213
+ if (ctx->parent == NULL) {
2214
+ X509_VERIFY_PARAM_free(ctx->param);
2215
+ }
2216
+ ctx->param = NULL;
2217
+ }
2218
+ if (ctx->chain != NULL) {
2219
+ sk_X509_pop_free(ctx->chain, X509_free);
2220
+ ctx->chain = NULL;
2221
+ }
2222
+ CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
2223
+ OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
2403
2224
  }
2404
2225
 
2405
- void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2406
- {
2407
- X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2226
+ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) {
2227
+ X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2408
2228
  }
2409
2229
 
2410
- void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
2411
- time_t t)
2412
- {
2413
- X509_VERIFY_PARAM_set_time(ctx->param, t);
2230
+ void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) {
2231
+ X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2414
2232
  }
2415
2233
 
2416
- X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
2417
- {
2418
- return ctx->cert;
2234
+ void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, unsigned long flags,
2235
+ int64_t t) {
2236
+ X509_VERIFY_PARAM_set_time_posix(ctx->param, t);
2419
2237
  }
2420
2238
 
2421
- void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2422
- int (*verify_cb) (int, X509_STORE_CTX *))
2423
- {
2424
- ctx->verify_cb = verify_cb;
2239
+ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
2240
+ time_t t) {
2241
+ X509_STORE_CTX_set_time_posix(ctx, flags, t);
2425
2242
  }
2426
2243
 
2427
- X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2428
- {
2429
- return ctx->tree;
2244
+ X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) {
2245
+ return ctx->cert;
2430
2246
  }
2431
2247
 
2432
- int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2433
- {
2434
- return ctx->explicit_policy;
2248
+ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2249
+ int (*verify_cb)(int, X509_STORE_CTX *)) {
2250
+ ctx->verify_cb = verify_cb;
2435
2251
  }
2436
2252
 
2437
- int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2438
- {
2439
- const X509_VERIFY_PARAM *param;
2440
- param = X509_VERIFY_PARAM_lookup(name);
2441
- if (!param)
2442
- return 0;
2443
- return X509_VERIFY_PARAM_inherit(ctx->param, param);
2253
+ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) {
2254
+ const X509_VERIFY_PARAM *param;
2255
+ param = X509_VERIFY_PARAM_lookup(name);
2256
+ if (!param) {
2257
+ return 0;
2258
+ }
2259
+ return X509_VERIFY_PARAM_inherit(ctx->param, param);
2444
2260
  }
2445
2261
 
2446
- X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2447
- {
2448
- return ctx->param;
2262
+ X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) {
2263
+ return ctx->param;
2449
2264
  }
2450
2265
 
2451
- void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2452
- {
2453
- if (ctx->param)
2454
- X509_VERIFY_PARAM_free(ctx->param);
2455
- ctx->param = param;
2266
+ void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) {
2267
+ if (ctx->param) {
2268
+ X509_VERIFY_PARAM_free(ctx->param);
2269
+ }
2270
+ ctx->param = param;
2456
2271
  }