grpc 1.53.0 → 1.54.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +80 -66
- data/include/grpc/event_engine/event_engine.h +30 -14
- data/include/grpc/grpc_security.h +4 -0
- data/include/grpc/impl/grpc_types.h +11 -2
- data/include/grpc/support/port_platform.h +4 -4
- data/src/core/ext/filters/backend_metrics/backend_metric_filter.cc +11 -0
- data/src/core/ext/filters/client_channel/backend_metric.cc +6 -0
- data/src/core/ext/filters/client_channel/backup_poller.cc +2 -11
- data/src/core/ext/filters/client_channel/backup_poller.h +0 -3
- data/src/core/ext/filters/client_channel/client_channel.cc +848 -813
- data/src/core/ext/filters/client_channel/client_channel.h +131 -173
- data/src/core/ext/filters/client_channel/client_channel_internal.h +114 -0
- data/src/core/ext/filters/client_channel/config_selector.h +4 -3
- data/src/core/ext/filters/client_channel/http_proxy.cc +1 -1
- data/src/core/ext/filters/client_channel/lb_policy/backend_metric_data.h +6 -1
- data/src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.cc +17 -18
- data/src/core/ext/filters/client_channel/lb_policy/ring_hash/ring_hash.cc +134 -151
- data/src/core/ext/filters/client_channel/lb_policy/rls/rls.cc +1 -15
- data/src/core/ext/filters/client_channel/lb_policy/round_robin/round_robin.cc +14 -10
- data/src/core/ext/filters/client_channel/lb_policy/weighted_round_robin/weighted_round_robin.cc +68 -30
- data/src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc +11 -3
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_impl.cc +8 -1
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc +2 -5
- data/src/core/ext/filters/client_channel/lb_policy/xds/xds_override_host.cc +2 -2
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/dns_resolver_ares.cc +30 -38
- data/src/core/ext/filters/client_channel/resolver/dns/c_ares/grpc_ares_ev_driver_windows.cc +4 -4
- data/src/core/ext/filters/client_channel/resolver/dns/native/dns_resolver.cc +20 -26
- data/src/core/ext/filters/client_channel/resolver/google_c2p/google_c2p_resolver.cc +31 -179
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.cc +1 -2
- data/src/core/ext/filters/client_channel/resolver/polling_resolver.h +1 -2
- data/src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc +4 -2
- data/src/core/ext/filters/client_channel/retry_filter.cc +95 -102
- data/src/core/ext/filters/client_channel/subchannel.cc +2 -4
- data/src/core/ext/filters/client_channel/subchannel_stream_client.cc +26 -27
- data/src/core/ext/filters/client_channel/subchannel_stream_client.h +8 -5
- data/src/core/ext/filters/http/client/http_client_filter.cc +3 -3
- data/src/core/ext/filters/http/http_filters_plugin.cc +1 -12
- data/src/core/ext/filters/http/message_compress/compression_filter.cc +27 -11
- data/src/core/ext/filters/message_size/message_size_filter.cc +141 -224
- data/src/core/ext/filters/message_size/message_size_filter.h +48 -3
- data/src/core/ext/filters/stateful_session/stateful_session_filter.cc +7 -6
- data/src/core/ext/gcp/metadata_query.cc +142 -0
- data/src/core/ext/gcp/metadata_query.h +82 -0
- data/src/core/ext/transport/chttp2/server/chttp2_server.cc +70 -55
- data/src/core/ext/transport/chttp2/transport/chttp2_transport.cc +149 -60
- data/src/core/ext/transport/chttp2/transport/flow_control.cc +5 -2
- data/src/core/ext/transport/chttp2/transport/flow_control.h +2 -1
- data/src/core/ext/transport/chttp2/transport/frame_settings.cc +4 -1
- data/src/core/ext/transport/chttp2/transport/hpack_parser.cc +42 -23
- data/src/core/ext/transport/chttp2/transport/hpack_parser.h +5 -3
- data/src/core/ext/transport/chttp2/transport/internal.h +18 -3
- data/src/core/ext/transport/chttp2/transport/parsing.cc +9 -2
- data/src/core/ext/transport/chttp2/transport/writing.cc +10 -5
- data/src/core/ext/transport/inproc/inproc_transport.cc +20 -14
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/bootstrap/v3/bootstrap.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/config/core/v3/protocol.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.c +23 -5
- data/src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h +94 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.c +23 -2
- data/src/core/ext/upb-generated/envoy/config/listener/v3/listener.upb.h +120 -0
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.c +6 -3
- data/src/core/ext/upb-generated/envoy/config/listener/v3/quic_config.upb.h +22 -0
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.c +24 -6
- data/src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h +111 -12
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.c +9 -7
- data/src/core/ext/upb-generated/envoy/config/route/v3/route_components.upb.h +27 -9
- data/src/core/ext/upb-generated/envoy/config/trace/v3/opentelemetry.upb.c +0 -1
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.c +11 -7
- data/src/core/ext/upb-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h +56 -12
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.c +5 -3
- data/src/core/ext/upb-generated/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.upb.h +24 -0
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.c +13 -2
- data/src/core/ext/upb-generated/envoy/type/matcher/v3/http_inputs.upb.h +49 -0
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.c +24 -9
- data/src/core/ext/upb-generated/xds/data/orca/v3/orca_load_report.upb.h +66 -12
- data/src/core/ext/upbdefs-generated/envoy/config/bootstrap/v3/bootstrap.upbdefs.c +191 -187
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/protocol.upbdefs.c +139 -136
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.c +31 -15
- data/src/core/ext/upbdefs-generated/envoy/config/core/v3/proxy_protocol.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/listener.upbdefs.h +15 -0
- data/src/core/ext/upbdefs-generated/envoy/config/listener/v3/quic_config.upbdefs.c +54 -45
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.c +135 -119
- data/src/core/ext/upbdefs-generated/envoy/config/rbac/v3/rbac.upbdefs.h +5 -0
- data/src/core/ext/upbdefs-generated/envoy/config/route/v3/route_components.upbdefs.c +100 -97
- data/src/core/ext/upbdefs-generated/envoy/config/trace/v3/opentelemetry.upbdefs.c +15 -18
- data/src/core/ext/upbdefs-generated/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.c +272 -264
- data/src/core/ext/upbdefs-generated/envoy/extensions/transport_sockets/tls/v3/tls.upbdefs.c +117 -117
- data/src/core/ext/upbdefs-generated/envoy/service/discovery/v3/ads.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/load_stats/v3/lrs.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/service/status/v3/csds.upbdefs.c +5 -5
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.c +12 -9
- data/src/core/ext/upbdefs-generated/envoy/type/matcher/v3/http_inputs.upbdefs.h +5 -0
- data/src/core/ext/xds/xds_channel_stack_modifier.cc +1 -2
- data/src/core/ext/xds/xds_client_stats.cc +29 -15
- data/src/core/ext/xds/xds_client_stats.h +24 -20
- data/src/core/ext/xds/xds_endpoint.cc +5 -2
- data/src/core/ext/xds/xds_endpoint.h +9 -1
- data/src/core/ext/xds/xds_http_rbac_filter.cc +1 -1
- data/src/core/ext/xds/xds_lb_policy_registry.cc +13 -0
- data/src/core/ext/xds/xds_transport_grpc.cc +1 -1
- data/src/core/{ext/filters/client_channel/resolver/dns/dns_resolver_selection.h → lib/backoff/random_early_detection.cc} +14 -12
- data/src/core/lib/backoff/random_early_detection.h +59 -0
- data/src/core/lib/channel/call_finalization.h +1 -1
- data/src/core/lib/channel/call_tracer.cc +51 -0
- data/src/core/lib/channel/call_tracer.h +101 -38
- data/src/core/lib/channel/connected_channel.cc +483 -1050
- data/src/core/lib/channel/context.h +8 -1
- data/src/core/lib/channel/promise_based_filter.cc +106 -42
- data/src/core/lib/channel/promise_based_filter.h +27 -13
- data/src/core/lib/channel/server_call_tracer_filter.cc +110 -0
- data/src/core/lib/config/config_vars.cc +151 -0
- data/src/core/lib/config/config_vars.h +127 -0
- data/src/core/lib/config/config_vars_non_generated.cc +51 -0
- data/src/core/lib/config/load_config.cc +66 -0
- data/src/core/lib/config/load_config.h +49 -0
- data/src/core/lib/debug/trace.cc +5 -6
- data/src/core/lib/debug/trace.h +0 -5
- data/src/core/lib/event_engine/event_engine.cc +37 -2
- data/src/core/lib/event_engine/handle_containers.h +7 -22
- data/src/core/lib/event_engine/memory_allocator_factory.h +47 -0
- data/src/core/lib/event_engine/posix_engine/ev_poll_posix.cc +0 -4
- data/src/core/lib/event_engine/posix_engine/event_poller_posix_default.cc +3 -9
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.cc +48 -15
- data/src/core/lib/event_engine/posix_engine/posix_endpoint.h +8 -8
- data/src/core/lib/event_engine/posix_engine/posix_engine.cc +6 -5
- data/src/core/lib/event_engine/posix_engine/posix_engine_listener.cc +6 -3
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.cc +27 -18
- data/src/core/lib/event_engine/posix_engine/tcp_socket_utils.h +0 -3
- data/src/core/lib/event_engine/resolved_address.cc +2 -1
- data/src/core/lib/event_engine/windows/win_socket.cc +0 -1
- data/src/core/lib/event_engine/windows/windows_endpoint.cc +129 -82
- data/src/core/lib/event_engine/windows/windows_endpoint.h +21 -5
- data/src/core/lib/event_engine/windows/windows_engine.cc +39 -18
- data/src/core/lib/event_engine/windows/windows_engine.h +2 -1
- data/src/core/lib/event_engine/windows/windows_listener.cc +370 -0
- data/src/core/lib/event_engine/windows/windows_listener.h +155 -0
- data/src/core/lib/experiments/config.cc +3 -10
- data/src/core/lib/experiments/experiments.cc +7 -0
- data/src/core/lib/experiments/experiments.h +9 -1
- data/src/core/lib/gpr/log.cc +15 -28
- data/src/core/lib/gprpp/fork.cc +8 -14
- data/src/core/lib/gprpp/orphanable.h +4 -3
- data/src/core/lib/gprpp/per_cpu.h +9 -3
- data/src/core/lib/gprpp/{thd_posix.cc → posix/thd.cc} +49 -37
- data/src/core/lib/gprpp/ref_counted.h +33 -34
- data/src/core/lib/gprpp/thd.h +16 -0
- data/src/core/lib/gprpp/time.cc +1 -0
- data/src/core/lib/gprpp/time.h +4 -4
- data/src/core/lib/gprpp/{thd_windows.cc → windows/thd.cc} +2 -2
- data/src/core/lib/iomgr/call_combiner.h +2 -2
- data/src/core/lib/iomgr/endpoint_cfstream.cc +4 -2
- data/src/core/lib/iomgr/endpoint_pair.h +2 -2
- data/src/core/lib/iomgr/endpoint_pair_posix.cc +2 -2
- data/src/core/lib/iomgr/endpoint_pair_windows.cc +1 -1
- data/src/core/lib/iomgr/ev_posix.cc +13 -53
- data/src/core/lib/iomgr/ev_posix.h +0 -3
- data/src/core/lib/iomgr/event_engine_shims/endpoint.cc +103 -76
- data/src/core/lib/iomgr/iomgr.cc +4 -8
- data/src/core/lib/iomgr/iomgr_windows.cc +8 -2
- data/src/core/lib/iomgr/pollset_set_windows.cc +9 -9
- data/src/core/lib/iomgr/pollset_windows.cc +1 -1
- data/src/core/lib/iomgr/socket_utils_common_posix.cc +16 -3
- data/src/core/lib/iomgr/tcp_client_windows.cc +2 -2
- data/src/core/lib/iomgr/tcp_posix.cc +0 -1
- data/src/core/lib/iomgr/tcp_server_posix.cc +5 -16
- data/src/core/lib/iomgr/tcp_server_windows.cc +176 -9
- data/src/core/lib/iomgr/tcp_windows.cc +12 -8
- data/src/core/lib/load_balancing/lb_policy.cc +9 -13
- data/src/core/lib/load_balancing/lb_policy.h +4 -2
- data/src/core/lib/promise/activity.cc +22 -6
- data/src/core/lib/promise/activity.h +61 -24
- data/src/core/lib/promise/cancel_callback.h +77 -0
- data/src/core/lib/promise/detail/basic_seq.h +1 -1
- data/src/core/lib/promise/detail/promise_factory.h +4 -0
- data/src/core/lib/promise/for_each.h +176 -0
- data/src/core/lib/promise/if.h +9 -0
- data/src/core/lib/promise/interceptor_list.h +23 -2
- data/src/core/lib/promise/latch.h +89 -3
- data/src/core/lib/promise/loop.h +13 -9
- data/src/core/lib/promise/map.h +7 -0
- data/src/core/lib/promise/party.cc +286 -0
- data/src/core/lib/promise/party.h +499 -0
- data/src/core/lib/promise/pipe.h +197 -57
- data/src/core/lib/promise/poll.h +48 -0
- data/src/core/lib/promise/promise.h +2 -2
- data/src/core/lib/resource_quota/arena.cc +19 -3
- data/src/core/lib/resource_quota/arena.h +119 -5
- data/src/core/lib/resource_quota/memory_quota.cc +1 -1
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc +12 -35
- data/src/core/lib/security/credentials/external/aws_external_account_credentials.h +1 -0
- data/src/core/lib/security/credentials/google_default/google_default_credentials.cc +0 -59
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc +10 -5
- data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h +1 -1
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +13 -0
- data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h +2 -0
- data/src/core/lib/security/security_connector/load_system_roots_supported.cc +5 -9
- data/src/core/lib/security/security_connector/ssl_utils.cc +11 -25
- data/src/core/lib/security/security_connector/tls/tls_security_connector.cc +12 -0
- data/src/core/lib/security/transport/secure_endpoint.cc +4 -2
- data/src/core/lib/security/transport/server_auth_filter.cc +20 -2
- data/src/core/lib/slice/slice.cc +1 -1
- data/src/core/lib/surface/builtins.cc +2 -0
- data/src/core/lib/surface/call.cc +926 -1024
- data/src/core/lib/surface/call.h +10 -0
- data/src/core/lib/surface/lame_client.cc +1 -0
- data/src/core/lib/surface/version.cc +2 -2
- data/src/core/lib/transport/batch_builder.cc +179 -0
- data/src/core/lib/transport/batch_builder.h +468 -0
- data/src/core/lib/transport/bdp_estimator.cc +7 -7
- data/src/core/lib/transport/bdp_estimator.h +10 -6
- data/src/core/lib/transport/custom_metadata.h +30 -0
- data/src/core/lib/transport/metadata_batch.cc +9 -6
- data/src/core/lib/transport/metadata_batch.h +58 -16
- data/src/core/lib/transport/parsed_metadata.h +3 -3
- data/src/core/lib/transport/timeout_encoding.cc +6 -1
- data/src/core/lib/transport/transport.cc +30 -2
- data/src/core/lib/transport/transport.h +70 -14
- data/src/core/lib/transport/transport_impl.h +7 -0
- data/src/core/lib/transport/transport_op_string.cc +52 -42
- data/src/core/plugin_registry/grpc_plugin_registry.cc +2 -2
- data/src/core/tsi/alts/frame_protector/alts_frame_protector.cc +1 -0
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.cc +21 -4
- data/src/core/tsi/alts/handshaker/alts_handshaker_client.h +5 -0
- data/src/core/tsi/alts/handshaker/alts_tsi_handshaker.cc +1 -1
- data/src/core/tsi/ssl_transport_security.cc +4 -2
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/abseil-cpp/absl/base/config.h +1 -1
- data/third_party/abseil-cpp/absl/flags/commandlineflag.cc +34 -0
- data/third_party/abseil-cpp/absl/flags/commandlineflag.h +200 -0
- data/third_party/abseil-cpp/absl/flags/config.h +68 -0
- data/third_party/abseil-cpp/absl/flags/declare.h +73 -0
- data/third_party/abseil-cpp/absl/flags/flag.cc +38 -0
- data/third_party/abseil-cpp/absl/flags/flag.h +310 -0
- data/{src/core/lib/gprpp/global_config_custom.h → third_party/abseil-cpp/absl/flags/internal/commandlineflag.cc} +11 -14
- data/third_party/abseil-cpp/absl/flags/internal/commandlineflag.h +68 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.cc +615 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag.h +800 -0
- data/third_party/abseil-cpp/absl/flags/internal/flag_msvc.inc +116 -0
- data/third_party/abseil-cpp/absl/flags/internal/path_util.h +62 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.cc +65 -0
- data/third_party/abseil-cpp/absl/flags/internal/private_handle_accessor.h +61 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.cc +60 -0
- data/third_party/abseil-cpp/absl/flags/internal/program_name.h +50 -0
- data/third_party/abseil-cpp/absl/flags/internal/registry.h +97 -0
- data/third_party/abseil-cpp/absl/flags/internal/sequence_lock.h +187 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.cc +241 -0
- data/third_party/abseil-cpp/absl/flags/marshalling.h +356 -0
- data/third_party/abseil-cpp/absl/flags/reflection.cc +354 -0
- data/third_party/abseil-cpp/absl/flags/reflection.h +90 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.cc +165 -0
- data/third_party/abseil-cpp/absl/flags/usage_config.h +135 -0
- data/third_party/abseil-cpp/absl/strings/internal/cord_internal.h +12 -8
- data/third_party/boringssl-with-bazel/err_data.c +728 -712
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bitstr.c +177 -177
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +28 -55
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +21 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_dup.c +20 -23
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +66 -185
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_i2d_fp.c +18 -21
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_int.c +356 -311
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +174 -194
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +146 -210
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_octet.c +6 -9
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strex.c +346 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +110 -131
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +130 -116
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_type.c +93 -60
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +93 -181
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_lib.c +242 -305
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +41 -18
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn_pack.c +30 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_int.c +36 -33
- data/third_party/boringssl-with-bazel/src/crypto/asn1/f_string.c +29 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +133 -88
- data/third_party/boringssl-with-bazel/src/crypto/asn1/posix_time.c +230 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +791 -791
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +526 -526
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +114 -135
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +201 -207
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_typ.c +21 -26
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +55 -68
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio.c +11 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +15 -9
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +17 -10
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -3
- data/third_party/boringssl-with-bazel/src/crypto/bio/printf.c +0 -13
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket_helper.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/blake2/blake2.c +9 -5
- data/third_party/boringssl-with-bazel/src/crypto/bn_extra/convert.c +10 -23
- data/third_party/boringssl-with-bazel/src/crypto/buf/buf.c +2 -6
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/asn1_compat.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/ber.c +29 -28
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +161 -201
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +254 -39
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/internal.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/chacha/chacha.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/derive_key.c +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesctrhmac.c +9 -8
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_aesgcmsiv.c +37 -75
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_chacha20poly1305.c +8 -10
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/cipher → cipher_extra}/e_des.c +100 -78
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_null.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc2.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_rc4.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/e_tls.c +6 -12
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/internal.h +14 -11
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf.c +6 -10
- data/third_party/boringssl-with-bazel/src/crypto/conf/conf_def.h +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/conf/internal.h +12 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_apple.c +74 -0
- data/third_party/boringssl-with-bazel/src/crypto/cpu_aarch64_freebsd.c +62 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-fuchsia.c → cpu_aarch64_fuchsia.c} +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-linux.c → cpu_aarch64_linux.c} +6 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-aarch64-win.c → cpu_aarch64_win.c} +4 -4
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm.c → cpu_arm.c} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/cpu_arm_freebsd.c +55 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.c → cpu_arm_linux.c} +11 -90
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-arm-linux.h → cpu_arm_linux.h} +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/{cpu-intel.c → cpu_intel.c} +1 -2
- data/third_party/boringssl-with-bazel/src/crypto/crypto.c +25 -20
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/curve25519.c +16 -27
- data/third_party/boringssl-with-bazel/src/crypto/curve25519/spake25519.c +17 -32
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/des.c +232 -232
- data/third_party/boringssl-with-bazel/src/crypto/{fipsmodule/des → des}/internal.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/dh_asn1.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/dh_extra/params.c +232 -29
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c +39 -16
- data/third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c +37 -7
- data/third_party/boringssl-with-bazel/src/crypto/dsa/internal.h +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c +11 -36
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c +214 -99
- data/third_party/boringssl-with-bazel/src/crypto/ec_extra/internal.h +21 -5
- data/third_party/boringssl-with-bazel/src/crypto/ecdsa_extra/ecdsa_asn1.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/err/err.c +83 -60
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp.c +46 -12
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_asn1.c +3 -3
- data/third_party/boringssl-with-bazel/src/crypto/evp/evp_ctx.c +25 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/internal.h +43 -9
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_dsa_asn1.c +75 -44
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec.c +19 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ec_asn1.c +96 -45
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519.c +7 -8
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_ed25519_asn1.c +26 -23
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_hkdf.c +233 -0
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_rsa_asn1.c +42 -25
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/evp/p_x25519_asn1.c +35 -47
- data/third_party/boringssl-with-bazel/src/crypto/evp/print.c +135 -244
- data/third_party/boringssl-with-bazel/src/crypto/evp/scrypt.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/evp/sign.c +15 -10
- data/third_party/boringssl-with-bazel/src/crypto/ex_data.c +29 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/aes_nohw.c +13 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/internal.h +3 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/key_wrap.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/aes/mode_wrappers.c +9 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bcm.c +35 -27
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bn.c +16 -26
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/bytes.c +88 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/cmp.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/ctx.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div_extra.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/exponentiation.c +99 -113
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/generic.c +112 -168
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +86 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery.c +11 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/montgomery_inv.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/mul.c +4 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/prime.c +13 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/random.c +13 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.c +19 -108
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/rsaz_exp.h +19 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/shift.c +15 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/sqrt.c +22 -21
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/aead.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/cipher.c +79 -19
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +102 -99
- data/third_party/boringssl-with-bazel/src/crypto/{cipher_extra → fipsmodule/cipher}/e_aesccm.c +52 -46
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/internal.h +39 -0
- data/third_party/boringssl-with-bazel/src/crypto/{cmac → fipsmodule/cmac}/cmac.c +55 -11
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/check.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/dh.c +21 -6
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/dh/internal.h +56 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/digest.c +5 -3
- data/third_party/boringssl-with-bazel/src/crypto/{evp → fipsmodule/digestsign}/digestsign.c +51 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec.c +25 -25
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_key.c +91 -17
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/ec_montgomery.c +5 -5
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/internal.h +34 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/oct.c +54 -23
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p224-64.c +44 -60
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64-table.h → p256-nistz-table.h} +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.c → p256-nistz.c} +60 -53
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/{p256-x86_64.h → p256-nistz.h} +5 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/p256.c +48 -36
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/scalar.c +2 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple.c +2 -7
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/simple_mul.c +2 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ec/wnaf.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdh/ecdh.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/ecdsa.c +42 -14
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/ecdsa/internal.h +6 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/hmac/hmac.c +52 -24
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cbc.c +9 -15
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/cfb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ctr.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm.c +71 -43
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/internal.h +14 -16
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c +1 -4
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/ctrdrbg.c +31 -13
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.c +16 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/fork_detect.h +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/getrandom_fillin.h +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h +9 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +73 -59
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c +11 -45
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/blinding.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/internal.h +22 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/padding.c +63 -52
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +107 -62
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +58 -31
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c +41 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c +523 -422
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/internal.h +89 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/service_indicator/service_indicator.c +334 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/internal.h +3 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha256.c +12 -8
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha512.c +14 -12
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/tls/kdf.c +19 -6
- data/third_party/boringssl-with-bazel/src/crypto/hpke/hpke.c +32 -14
- data/third_party/boringssl-with-bazel/src/crypto/hrss/hrss.c +65 -29
- data/third_party/boringssl-with-bazel/src/crypto/internal.h +373 -18
- data/third_party/boringssl-with-bazel/src/crypto/kyber/internal.h +61 -0
- data/third_party/boringssl-with-bazel/src/crypto/kyber/keccak.c +205 -0
- data/third_party/boringssl-with-bazel/src/crypto/lhash/internal.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +220 -13
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj.c +19 -7
- data/third_party/boringssl-with-bazel/src/crypto/obj/obj_dat.h +13 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +81 -90
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +150 -245
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +629 -613
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_oth.c +17 -17
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +142 -149
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +99 -131
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_xaux.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +0 -1
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8.c +0 -3
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +36 -66
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305.c +31 -38
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_arm.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/poly1305/poly1305_vec.c +18 -31
- data/third_party/boringssl-with-bazel/src/crypto/pool/internal.h +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/pool/pool.c +8 -1
- data/third_party/boringssl-with-bazel/src/crypto/rand_extra/passive.c +129 -5
- data/third_party/boringssl-with-bazel/src/crypto/refcount_c11.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c +8 -11
- data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c +61 -27
- data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/thread_win.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h +66 -34
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/pmbtoken.c +190 -77
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/trust_token.c +81 -284
- data/third_party/boringssl-with-bazel/src/crypto/trust_token/voprf.c +109 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_digest.c +22 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_sign.c +54 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509/a_verify.c +32 -34
- data/third_party/boringssl-with-bazel/src/crypto/x509/algorithm.c +32 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/asn1_gen.c +465 -704
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_dir.c +284 -331
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +183 -178
- data/third_party/boringssl-with-bazel/src/crypto/x509/i2d_pr.c +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +67 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +153 -150
- data/third_party/boringssl-with-bazel/src/crypto/x509/policy.c +786 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +95 -102
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +72 -57
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_req.c +12 -10
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +227 -252
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +52 -47
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_att.c +230 -224
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_cmp.c +161 -327
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_d2.c +37 -33
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_def.c +14 -31
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_ext.c +55 -85
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +534 -618
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +129 -122
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_req.c +116 -182
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_set.c +132 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_trs.c +181 -202
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_txt.c +64 -79
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_v3.c +175 -160
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +1865 -2050
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +433 -462
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509cset.c +156 -163
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +267 -263
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509rset.c +40 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509spki.c +59 -63
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_algor.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +114 -144
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_attrib.c +25 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_crl.c +326 -415
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_exten.c +8 -7
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_info.c +30 -28
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +354 -370
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pkey.c +37 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_pubkey.c +116 -119
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_req.c +36 -26
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_sig.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_spki.c +10 -13
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_val.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +419 -261
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509a.c +113 -105
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/ext_dat.h +11 -15
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +78 -170
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +126 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akeya.c +3 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +465 -469
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bcons.c +56 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +46 -49
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_conf.c +309 -346
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +341 -365
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +429 -393
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +29 -24
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_extku.c +65 -59
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_genn.c +125 -121
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ia5.c +43 -42
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_info.c +122 -125
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_int.c +50 -20
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_lib.c +247 -253
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +386 -389
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ocsp.c +45 -32
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c +57 -54
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c +63 -67
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +143 -136
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +664 -707
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c +83 -75
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +1062 -1146
- data/third_party/boringssl-with-bazel/src/include/openssl/aead.h +8 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/arm_arch.h +28 -48
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +211 -187
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +26 -78
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +19 -14
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +21 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +49 -17
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +99 -29
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +49 -60
- data/third_party/boringssl-with-bazel/src/include/openssl/conf.h +2 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/cpu.h +16 -200
- data/third_party/boringssl-with-bazel/src/include/openssl/crypto.h +34 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ctrdrbg.h +82 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dh.h +32 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/digest.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/dsa.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/ec.h +48 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/ec_key.h +37 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/ecdsa.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/err.h +33 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/evp.h +22 -30
- data/third_party/boringssl-with-bazel/src/include/openssl/ex_data.h +1 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/hmac.h +7 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/hpke.h +41 -16
- data/third_party/boringssl-with-bazel/src/include/openssl/kdf.h +91 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +74 -8
- data/third_party/boringssl-with-bazel/src/include/openssl/nid.h +13 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/opensslconf.h +1 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +11 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs8.h +8 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/rand.h +12 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +7 -4
- data/third_party/boringssl-with-bazel/src/include/openssl/service_indicator.h +96 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +13 -21
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +139 -75
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl3.h +1 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/stack.h +384 -286
- data/third_party/boringssl-with-bazel/src/include/openssl/thread.h +5 -6
- data/third_party/boringssl-with-bazel/src/include/openssl/time.h +41 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +18 -7
- data/third_party/boringssl-with-bazel/src/include/openssl/trust_token.h +49 -23
- data/third_party/boringssl-with-bazel/src/include/openssl/type_check.h +0 -11
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +1592 -1074
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +202 -205
- data/third_party/boringssl-with-bazel/src/ssl/bio_ssl.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/d1_both.cc +6 -13
- data/third_party/boringssl-with-bazel/src/ssl/d1_pkt.cc +17 -18
- data/third_party/boringssl-with-bazel/src/ssl/dtls_method.cc +4 -5
- data/third_party/boringssl-with-bazel/src/ssl/dtls_record.cc +25 -33
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +34 -20
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +65 -34
- data/third_party/boringssl-with-bazel/src/ssl/handoff.cc +198 -54
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +5 -5
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +32 -28
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +76 -44
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +130 -98
- data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc +27 -11
- data/third_party/boringssl-with-bazel/src/ssl/s3_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc +91 -75
- data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc +8 -10
- data/third_party/boringssl-with-bazel/src/ssl/ssl_asn1.cc +39 -65
- data/third_party/boringssl-with-bazel/src/ssl/ssl_buffer.cc +1 -0
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cert.cc +5 -9
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +30 -33
- data/third_party/boringssl-with-bazel/src/ssl/ssl_file.cc +77 -100
- data/third_party/boringssl-with-bazel/src/ssl/ssl_key_share.cc +120 -107
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +164 -30
- data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc +150 -60
- data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc +22 -11
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +22 -6
- data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +5 -43
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +7 -4
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +22 -34
- data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc +16 -98
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h +1241 -657
- data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_64.h +751 -398
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_32.h +3551 -1938
- data/third_party/boringssl-with-bazel/src/third_party/fiat/p256_64.h +1272 -487
- metadata +105 -70
- data/src/core/ext/filters/client_channel/lb_call_state_internal.h +0 -39
- data/src/core/ext/filters/client_channel/resolver/dns/dns_resolver_selection.cc +0 -30
- data/src/core/lib/gprpp/global_config.h +0 -93
- data/src/core/lib/gprpp/global_config_env.cc +0 -140
- data/src/core/lib/gprpp/global_config_env.h +0 -133
- data/src/core/lib/gprpp/global_config_generic.h +0 -40
- data/src/core/lib/promise/intra_activity_waiter.h +0 -55
- data/src/core/lib/security/security_connector/ssl_utils_config.cc +0 -32
- data/src/core/lib/security/security_connector/ssl_utils_config.h +0 -29
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_enum.c +0 -195
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +0 -83
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utf8.c +0 -236
- data/third_party/boringssl-with-bazel/src/crypto/asn1/charmap.h +0 -15
- data/third_party/boringssl-with-bazel/src/crypto/asn1/time_support.c +0 -206
- data/third_party/boringssl-with-bazel/src/crypto/cpu-ppc64le.c +0 -38
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1-altivec.c +0 -361
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +0 -287
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +0 -132
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_lib.c +0 -155
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +0 -131
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_node.c +0 -189
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +0 -843
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +0 -289
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c +0 -57
- /data/src/core/lib/gpr/{log_android.cc → android/log.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_iphone.cc → iphone/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_linux.cc → linux/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_linux.cc → linux/log.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_msys.cc → msys/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_posix.cc → posix/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_posix.cc → posix/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_posix.cc → posix/string.cc} +0 -0
- /data/src/core/lib/gpr/{sync_posix.cc → posix/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_posix.cc → posix/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_posix.cc → posix/tmpfile.cc} +0 -0
- /data/src/core/lib/gpr/{cpu_windows.cc → windows/cpu.cc} +0 -0
- /data/src/core/lib/gpr/{log_windows.cc → windows/log.cc} +0 -0
- /data/src/core/lib/gpr/{string_windows.cc → windows/string.cc} +0 -0
- /data/src/core/lib/gpr/{string_util_windows.cc → windows/string_util.cc} +0 -0
- /data/src/core/lib/gpr/{sync_windows.cc → windows/sync.cc} +0 -0
- /data/src/core/lib/gpr/{time_windows.cc → windows/time.cc} +0 -0
- /data/src/core/lib/gpr/{tmpfile_windows.cc → windows/tmpfile.cc} +0 -0
- /data/src/core/lib/gprpp/{env_linux.cc → linux/env.cc} +0 -0
- /data/src/core/lib/gprpp/{env_posix.cc → posix/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_posix.cc → posix/stat.cc} +0 -0
- /data/src/core/lib/gprpp/{env_windows.cc → windows/env.cc} +0 -0
- /data/src/core/lib/gprpp/{stat_windows.cc → windows/stat.cc} +0 -0
@@ -67,50 +67,51 @@
|
|
67
67
|
#include <openssl/x509.h>
|
68
68
|
#include <openssl/x509v3.h>
|
69
69
|
|
70
|
-
#include "internal.h"
|
71
70
|
#include "../internal.h"
|
72
71
|
#include "../x509v3/internal.h"
|
72
|
+
#include "internal.h"
|
73
73
|
|
74
74
|
static CRYPTO_EX_DATA_CLASS g_ex_data_class =
|
75
75
|
CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
|
76
76
|
|
77
|
-
|
77
|
+
// CRL score values
|
78
78
|
|
79
|
-
|
79
|
+
// No unhandled critical extensions
|
80
80
|
|
81
|
-
#define CRL_SCORE_NOCRITICAL
|
81
|
+
#define CRL_SCORE_NOCRITICAL 0x100
|
82
82
|
|
83
|
-
|
83
|
+
// certificate is within CRL scope
|
84
84
|
|
85
|
-
#define CRL_SCORE_SCOPE
|
85
|
+
#define CRL_SCORE_SCOPE 0x080
|
86
86
|
|
87
|
-
|
87
|
+
// CRL times valid
|
88
88
|
|
89
|
-
#define CRL_SCORE_TIME
|
89
|
+
#define CRL_SCORE_TIME 0x040
|
90
90
|
|
91
|
-
|
91
|
+
// Issuer name matches certificate
|
92
92
|
|
93
|
-
#define CRL_SCORE_ISSUER_NAME
|
93
|
+
#define CRL_SCORE_ISSUER_NAME 0x020
|
94
94
|
|
95
|
-
|
95
|
+
// If this score or above CRL is probably valid
|
96
96
|
|
97
|
-
#define CRL_SCORE_VALID
|
97
|
+
#define CRL_SCORE_VALID \
|
98
|
+
(CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE)
|
98
99
|
|
99
|
-
|
100
|
+
// CRL issuer is certificate issuer
|
100
101
|
|
101
|
-
#define CRL_SCORE_ISSUER_CERT
|
102
|
+
#define CRL_SCORE_ISSUER_CERT 0x018
|
102
103
|
|
103
|
-
|
104
|
+
// CRL issuer is on certificate path
|
104
105
|
|
105
|
-
#define CRL_SCORE_SAME_PATH
|
106
|
+
#define CRL_SCORE_SAME_PATH 0x008
|
106
107
|
|
107
|
-
|
108
|
+
// CRL issuer matches CRL AKID
|
108
109
|
|
109
|
-
#define CRL_SCORE_AKID
|
110
|
+
#define CRL_SCORE_AKID 0x004
|
110
111
|
|
111
|
-
|
112
|
+
// Have a delta CRL with valid times
|
112
113
|
|
113
|
-
#define CRL_SCORE_TIME_DELTA
|
114
|
+
#define CRL_SCORE_TIME_DELTA 0x002
|
114
115
|
|
115
116
|
static int null_callback(int ok, X509_STORE_CTX *e);
|
116
117
|
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
|
@@ -125,2332 +126,2146 @@ static int check_policy(X509_STORE_CTX *ctx);
|
|
125
126
|
|
126
127
|
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
|
127
128
|
unsigned int *preasons, X509_CRL *crl, X509 *x);
|
128
|
-
static int get_crl_delta(X509_STORE_CTX *ctx,
|
129
|
-
|
130
|
-
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl,
|
131
|
-
|
132
|
-
STACK_OF(X509_CRL) *crls);
|
129
|
+
static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
|
130
|
+
X509 *x);
|
131
|
+
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
|
132
|
+
X509_CRL *base, STACK_OF(X509_CRL) *crls);
|
133
133
|
static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
|
134
134
|
int *pcrl_score);
|
135
135
|
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
|
136
136
|
unsigned int *preasons);
|
137
137
|
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
|
138
|
-
static int check_crl_chain(X509_STORE_CTX *ctx,
|
139
|
-
STACK_OF(X509) *cert_path,
|
138
|
+
static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
|
140
139
|
STACK_OF(X509) *crl_path);
|
141
140
|
|
142
141
|
static int internal_verify(X509_STORE_CTX *ctx);
|
143
142
|
|
144
|
-
static int null_callback(int ok, X509_STORE_CTX *e)
|
145
|
-
{
|
146
|
-
return ok;
|
147
|
-
}
|
143
|
+
static int null_callback(int ok, X509_STORE_CTX *e) { return ok; }
|
148
144
|
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
static int cert_self_signed(X509 *x, int *out_is_self_signed)
|
153
|
-
{
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
return 1;
|
145
|
+
// cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns
|
146
|
+
// one and sets |*out_is_self_signed| to the result. If |x| is invalid, it
|
147
|
+
// returns zero.
|
148
|
+
static int cert_self_signed(X509 *x, int *out_is_self_signed) {
|
149
|
+
if (!x509v3_cache_extensions(x)) {
|
150
|
+
return 0;
|
151
|
+
}
|
152
|
+
*out_is_self_signed = (x->ex_flags & EXFLAG_SS) != 0;
|
153
|
+
return 1;
|
159
154
|
}
|
160
155
|
|
161
|
-
|
162
|
-
|
163
|
-
static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
|
164
|
-
{
|
165
|
-
STACK_OF(X509) *certs;
|
166
|
-
X509 *xtmp = NULL;
|
167
|
-
size_t i;
|
168
|
-
/* Lookup all certs with matching subject name */
|
169
|
-
certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
|
170
|
-
if (certs == NULL)
|
171
|
-
return NULL;
|
172
|
-
/* Look for exact match */
|
173
|
-
for (i = 0; i < sk_X509_num(certs); i++) {
|
174
|
-
xtmp = sk_X509_value(certs, i);
|
175
|
-
if (!X509_cmp(xtmp, x))
|
176
|
-
break;
|
177
|
-
}
|
178
|
-
if (i < sk_X509_num(certs))
|
179
|
-
X509_up_ref(xtmp);
|
180
|
-
else
|
181
|
-
xtmp = NULL;
|
182
|
-
sk_X509_pop_free(certs, X509_free);
|
183
|
-
return xtmp;
|
184
|
-
}
|
185
|
-
|
186
|
-
int X509_verify_cert(X509_STORE_CTX *ctx)
|
187
|
-
{
|
188
|
-
X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
|
189
|
-
int bad_chain = 0;
|
190
|
-
X509_VERIFY_PARAM *param = ctx->param;
|
191
|
-
int depth, i, ok = 0;
|
192
|
-
int num, j, retry, trust;
|
193
|
-
int (*cb) (int xok, X509_STORE_CTX *xctx);
|
194
|
-
STACK_OF(X509) *sktmp = NULL;
|
195
|
-
if (ctx->cert == NULL) {
|
196
|
-
OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
|
197
|
-
ctx->error = X509_V_ERR_INVALID_CALL;
|
198
|
-
return -1;
|
199
|
-
}
|
200
|
-
if (ctx->chain != NULL) {
|
201
|
-
/*
|
202
|
-
* This X509_STORE_CTX has already been used to verify a cert. We
|
203
|
-
* cannot do another one.
|
204
|
-
*/
|
205
|
-
OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
206
|
-
ctx->error = X509_V_ERR_INVALID_CALL;
|
207
|
-
return -1;
|
208
|
-
}
|
209
|
-
|
210
|
-
cb = ctx->verify_cb;
|
211
|
-
|
212
|
-
/*
|
213
|
-
* first we make sure the chain we are going to build is present and that
|
214
|
-
* the first entry is in place
|
215
|
-
*/
|
216
|
-
ctx->chain = sk_X509_new_null();
|
217
|
-
if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
|
218
|
-
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
219
|
-
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
220
|
-
goto end;
|
221
|
-
}
|
222
|
-
X509_up_ref(ctx->cert);
|
223
|
-
ctx->last_untrusted = 1;
|
156
|
+
// Given a certificate try and find an exact match in the store
|
224
157
|
|
225
|
-
|
226
|
-
|
227
|
-
|
228
|
-
|
229
|
-
|
158
|
+
static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) {
|
159
|
+
STACK_OF(X509) *certs;
|
160
|
+
X509 *xtmp = NULL;
|
161
|
+
size_t i;
|
162
|
+
// Lookup all certs with matching subject name
|
163
|
+
certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
|
164
|
+
if (certs == NULL) {
|
165
|
+
return NULL;
|
166
|
+
}
|
167
|
+
// Look for exact match
|
168
|
+
for (i = 0; i < sk_X509_num(certs); i++) {
|
169
|
+
xtmp = sk_X509_value(certs, i);
|
170
|
+
if (!X509_cmp(xtmp, x)) {
|
171
|
+
break;
|
172
|
+
}
|
173
|
+
}
|
174
|
+
if (i < sk_X509_num(certs)) {
|
175
|
+
X509_up_ref(xtmp);
|
176
|
+
} else {
|
177
|
+
xtmp = NULL;
|
178
|
+
}
|
179
|
+
sk_X509_pop_free(certs, X509_free);
|
180
|
+
return xtmp;
|
181
|
+
}
|
182
|
+
|
183
|
+
int X509_verify_cert(X509_STORE_CTX *ctx) {
|
184
|
+
X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
|
185
|
+
int bad_chain = 0;
|
186
|
+
X509_VERIFY_PARAM *param = ctx->param;
|
187
|
+
int depth, i, ok = 0;
|
188
|
+
int num, j, retry, trust;
|
189
|
+
STACK_OF(X509) *sktmp = NULL;
|
190
|
+
|
191
|
+
if (ctx->cert == NULL) {
|
192
|
+
OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
|
193
|
+
ctx->error = X509_V_ERR_INVALID_CALL;
|
194
|
+
return -1;
|
195
|
+
}
|
196
|
+
if (ctx->chain != NULL) {
|
197
|
+
// This X509_STORE_CTX has already been used to verify a cert. We
|
198
|
+
// cannot do another one.
|
199
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
200
|
+
ctx->error = X509_V_ERR_INVALID_CALL;
|
201
|
+
return -1;
|
202
|
+
}
|
203
|
+
|
204
|
+
// first we make sure the chain we are going to build is present and that
|
205
|
+
// the first entry is in place
|
206
|
+
ctx->chain = sk_X509_new_null();
|
207
|
+
if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
|
208
|
+
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
209
|
+
goto end;
|
210
|
+
}
|
211
|
+
X509_up_ref(ctx->cert);
|
212
|
+
ctx->last_untrusted = 1;
|
213
|
+
|
214
|
+
// We use a temporary STACK so we can chop and hack at it.
|
215
|
+
if (ctx->untrusted != NULL && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
|
216
|
+
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
217
|
+
goto end;
|
218
|
+
}
|
219
|
+
|
220
|
+
num = sk_X509_num(ctx->chain);
|
221
|
+
x = sk_X509_value(ctx->chain, num - 1);
|
222
|
+
depth = param->depth;
|
223
|
+
|
224
|
+
for (;;) {
|
225
|
+
// If we have enough, we break
|
226
|
+
if (depth < num) {
|
227
|
+
break; // FIXME: If this happens, we should take
|
228
|
+
// note of it and, if appropriate, use the
|
229
|
+
// X509_V_ERR_CERT_CHAIN_TOO_LONG error code
|
230
|
+
// later.
|
231
|
+
}
|
232
|
+
|
233
|
+
int is_self_signed;
|
234
|
+
if (!cert_self_signed(x, &is_self_signed)) {
|
235
|
+
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
236
|
+
goto end;
|
237
|
+
}
|
238
|
+
|
239
|
+
// If we are self signed, we break
|
240
|
+
if (is_self_signed) {
|
241
|
+
break;
|
242
|
+
}
|
243
|
+
// If asked see if we can find issuer in trusted store first
|
244
|
+
if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
|
245
|
+
ok = ctx->get_issuer(&xtmp, ctx, x);
|
246
|
+
if (ok < 0) {
|
247
|
+
ctx->error = X509_V_ERR_STORE_LOOKUP;
|
230
248
|
goto end;
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
-
|
235
|
-
|
236
|
-
|
237
|
-
for (;;) {
|
238
|
-
/* If we have enough, we break */
|
239
|
-
if (depth < num)
|
240
|
-
break; /* FIXME: If this happens, we should take
|
241
|
-
* note of it and, if appropriate, use the
|
242
|
-
* X509_V_ERR_CERT_CHAIN_TOO_LONG error code
|
243
|
-
* later. */
|
244
|
-
|
245
|
-
int is_self_signed;
|
246
|
-
if (!cert_self_signed(x, &is_self_signed)) {
|
247
|
-
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
248
|
-
goto end;
|
249
|
-
}
|
250
|
-
|
251
|
-
/* If we are self signed, we break */
|
252
|
-
if (is_self_signed)
|
253
|
-
break;
|
254
|
-
/*
|
255
|
-
* If asked see if we can find issuer in trusted store first
|
256
|
-
*/
|
257
|
-
if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
|
258
|
-
ok = ctx->get_issuer(&xtmp, ctx, x);
|
259
|
-
if (ok < 0) {
|
260
|
-
ctx->error = X509_V_ERR_STORE_LOOKUP;
|
261
|
-
goto end;
|
262
|
-
}
|
263
|
-
/*
|
264
|
-
* If successful for now free up cert so it will be picked up
|
265
|
-
* again later.
|
266
|
-
*/
|
267
|
-
if (ok > 0) {
|
268
|
-
X509_free(xtmp);
|
269
|
-
break;
|
270
|
-
}
|
271
|
-
}
|
272
|
-
|
273
|
-
/* If we were passed a cert chain, use it first */
|
274
|
-
if (sktmp != NULL) {
|
275
|
-
xtmp = find_issuer(ctx, sktmp, x);
|
276
|
-
if (xtmp != NULL) {
|
277
|
-
if (!sk_X509_push(ctx->chain, xtmp)) {
|
278
|
-
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
279
|
-
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
280
|
-
ok = 0;
|
281
|
-
goto end;
|
282
|
-
}
|
283
|
-
X509_up_ref(xtmp);
|
284
|
-
(void)sk_X509_delete_ptr(sktmp, xtmp);
|
285
|
-
ctx->last_untrusted++;
|
286
|
-
x = xtmp;
|
287
|
-
num++;
|
288
|
-
/*
|
289
|
-
* reparse the full chain for the next one
|
290
|
-
*/
|
291
|
-
continue;
|
292
|
-
}
|
293
|
-
}
|
249
|
+
}
|
250
|
+
// If successful for now free up cert so it will be picked up
|
251
|
+
// again later.
|
252
|
+
if (ok > 0) {
|
253
|
+
X509_free(xtmp);
|
294
254
|
break;
|
255
|
+
}
|
295
256
|
}
|
296
257
|
|
297
|
-
|
298
|
-
|
299
|
-
|
300
|
-
|
301
|
-
|
302
|
-
|
303
|
-
|
304
|
-
|
305
|
-
do {
|
306
|
-
/*
|
307
|
-
* Examine last certificate in chain and see if it is self signed.
|
308
|
-
*/
|
309
|
-
i = sk_X509_num(ctx->chain);
|
310
|
-
x = sk_X509_value(ctx->chain, i - 1);
|
311
|
-
|
312
|
-
int is_self_signed;
|
313
|
-
if (!cert_self_signed(x, &is_self_signed)) {
|
314
|
-
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
315
|
-
goto end;
|
258
|
+
// If we were passed a cert chain, use it first
|
259
|
+
if (sktmp != NULL) {
|
260
|
+
xtmp = find_issuer(ctx, sktmp, x);
|
261
|
+
if (xtmp != NULL) {
|
262
|
+
if (!sk_X509_push(ctx->chain, xtmp)) {
|
263
|
+
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
264
|
+
ok = 0;
|
265
|
+
goto end;
|
316
266
|
}
|
317
|
-
|
318
|
-
|
319
|
-
|
320
|
-
|
321
|
-
|
322
|
-
|
323
|
-
|
324
|
-
|
325
|
-
|
326
|
-
|
327
|
-
|
328
|
-
|
329
|
-
|
330
|
-
|
331
|
-
|
332
|
-
|
333
|
-
|
334
|
-
|
335
|
-
|
336
|
-
|
337
|
-
|
338
|
-
|
339
|
-
|
340
|
-
|
341
|
-
|
342
|
-
|
343
|
-
|
344
|
-
|
345
|
-
|
346
|
-
|
347
|
-
|
348
|
-
|
349
|
-
|
350
|
-
|
351
|
-
|
352
|
-
|
353
|
-
|
354
|
-
|
355
|
-
|
356
|
-
|
357
|
-
|
358
|
-
|
359
|
-
|
360
|
-
|
361
|
-
|
362
|
-
|
363
|
-
if (!cert_self_signed(x, &is_self_signed)) {
|
364
|
-
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
365
|
-
goto end;
|
366
|
-
}
|
367
|
-
/* If we are self signed, we break */
|
368
|
-
if (is_self_signed)
|
369
|
-
break;
|
370
|
-
ok = ctx->get_issuer(&xtmp, ctx, x);
|
371
|
-
|
372
|
-
if (ok < 0) {
|
373
|
-
ctx->error = X509_V_ERR_STORE_LOOKUP;
|
374
|
-
goto end;
|
375
|
-
}
|
376
|
-
if (ok == 0)
|
377
|
-
break;
|
378
|
-
x = xtmp;
|
379
|
-
if (!sk_X509_push(ctx->chain, x)) {
|
380
|
-
X509_free(xtmp);
|
381
|
-
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
|
382
|
-
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
383
|
-
ok = 0;
|
384
|
-
goto end;
|
385
|
-
}
|
386
|
-
num++;
|
387
|
-
}
|
388
|
-
|
389
|
-
/* we now have our chain, lets check it... */
|
390
|
-
trust = check_trust(ctx);
|
391
|
-
|
392
|
-
/* If explicitly rejected error */
|
393
|
-
if (trust == X509_TRUST_REJECTED) {
|
394
|
-
ok = 0;
|
267
|
+
X509_up_ref(xtmp);
|
268
|
+
(void)sk_X509_delete_ptr(sktmp, xtmp);
|
269
|
+
ctx->last_untrusted++;
|
270
|
+
x = xtmp;
|
271
|
+
num++;
|
272
|
+
// reparse the full chain for the next one
|
273
|
+
continue;
|
274
|
+
}
|
275
|
+
}
|
276
|
+
break;
|
277
|
+
}
|
278
|
+
|
279
|
+
// Remember how many untrusted certs we have
|
280
|
+
j = num;
|
281
|
+
// at this point, chain should contain a list of untrusted certificates.
|
282
|
+
// We now need to add at least one trusted one, if possible, otherwise we
|
283
|
+
// complain.
|
284
|
+
|
285
|
+
do {
|
286
|
+
// Examine last certificate in chain and see if it is self signed.
|
287
|
+
i = sk_X509_num(ctx->chain);
|
288
|
+
x = sk_X509_value(ctx->chain, i - 1);
|
289
|
+
|
290
|
+
int is_self_signed;
|
291
|
+
if (!cert_self_signed(x, &is_self_signed)) {
|
292
|
+
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
293
|
+
goto end;
|
294
|
+
}
|
295
|
+
|
296
|
+
if (is_self_signed) {
|
297
|
+
// we have a self signed certificate
|
298
|
+
if (sk_X509_num(ctx->chain) == 1) {
|
299
|
+
// We have a single self signed certificate: see if we can
|
300
|
+
// find it in the store. We must have an exact match to avoid
|
301
|
+
// possible impersonation.
|
302
|
+
ok = ctx->get_issuer(&xtmp, ctx, x);
|
303
|
+
if ((ok <= 0) || X509_cmp(x, xtmp)) {
|
304
|
+
ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
|
305
|
+
ctx->current_cert = x;
|
306
|
+
ctx->error_depth = i - 1;
|
307
|
+
if (ok == 1) {
|
308
|
+
X509_free(xtmp);
|
309
|
+
}
|
310
|
+
bad_chain = 1;
|
311
|
+
ok = ctx->verify_cb(0, ctx);
|
312
|
+
if (!ok) {
|
395
313
|
goto end;
|
396
|
-
|
397
|
-
/*
|
398
|
-
* If it's not explicitly trusted then check if there is an alternative
|
399
|
-
* chain that could be used. We only do this if we haven't already
|
400
|
-
* checked via TRUSTED_FIRST and the user hasn't switched off alternate
|
401
|
-
* chain checking
|
402
|
-
*/
|
403
|
-
retry = 0;
|
404
|
-
if (trust != X509_TRUST_TRUSTED
|
405
|
-
&& !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
|
406
|
-
&& !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
|
407
|
-
while (j-- > 1) {
|
408
|
-
xtmp2 = sk_X509_value(ctx->chain, j - 1);
|
409
|
-
ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
|
410
|
-
if (ok < 0)
|
411
|
-
goto end;
|
412
|
-
/* Check if we found an alternate chain */
|
413
|
-
if (ok > 0) {
|
414
|
-
/*
|
415
|
-
* Free up the found cert we'll add it again later
|
416
|
-
*/
|
417
|
-
X509_free(xtmp);
|
418
|
-
|
419
|
-
/*
|
420
|
-
* Dump all the certs above this point - we've found an
|
421
|
-
* alternate chain
|
422
|
-
*/
|
423
|
-
while (num > j) {
|
424
|
-
xtmp = sk_X509_pop(ctx->chain);
|
425
|
-
X509_free(xtmp);
|
426
|
-
num--;
|
427
|
-
}
|
428
|
-
ctx->last_untrusted = sk_X509_num(ctx->chain);
|
429
|
-
retry = 1;
|
430
|
-
break;
|
431
|
-
}
|
432
|
-
}
|
433
|
-
}
|
434
|
-
} while (retry);
|
435
|
-
|
436
|
-
/*
|
437
|
-
* If not explicitly trusted then indicate error unless it's a single
|
438
|
-
* self signed certificate in which case we've indicated an error already
|
439
|
-
* and set bad_chain == 1
|
440
|
-
*/
|
441
|
-
if (trust != X509_TRUST_TRUSTED && !bad_chain) {
|
442
|
-
if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
|
443
|
-
if (ctx->last_untrusted >= num)
|
444
|
-
ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
|
445
|
-
else
|
446
|
-
ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
|
447
|
-
ctx->current_cert = x;
|
314
|
+
}
|
448
315
|
} else {
|
449
|
-
|
450
|
-
|
451
|
-
|
452
|
-
|
453
|
-
|
454
|
-
|
455
|
-
chain_ss = NULL;
|
316
|
+
// We have a match: replace certificate with store
|
317
|
+
// version so we get any trust settings.
|
318
|
+
X509_free(x);
|
319
|
+
x = xtmp;
|
320
|
+
(void)sk_X509_set(ctx->chain, i - 1, x);
|
321
|
+
ctx->last_untrusted = 0;
|
456
322
|
}
|
457
|
-
|
458
|
-
|
459
|
-
|
460
|
-
|
461
|
-
|
462
|
-
|
463
|
-
|
464
|
-
|
465
|
-
|
466
|
-
|
467
|
-
|
468
|
-
|
469
|
-
|
470
|
-
|
471
|
-
|
472
|
-
|
473
|
-
|
474
|
-
goto end;
|
475
|
-
|
476
|
-
/*
|
477
|
-
* Check revocation status: we do this after copying parameters because
|
478
|
-
* they may be needed for CRL signature verification.
|
479
|
-
*/
|
480
|
-
|
481
|
-
ok = ctx->check_revocation(ctx);
|
482
|
-
if (!ok)
|
323
|
+
} else {
|
324
|
+
// extract and save self signed certificate for later use
|
325
|
+
chain_ss = sk_X509_pop(ctx->chain);
|
326
|
+
ctx->last_untrusted--;
|
327
|
+
num--;
|
328
|
+
j--;
|
329
|
+
x = sk_X509_value(ctx->chain, num - 1);
|
330
|
+
}
|
331
|
+
}
|
332
|
+
// We now lookup certs from the certificate store
|
333
|
+
for (;;) {
|
334
|
+
// If we have enough, we break
|
335
|
+
if (depth < num) {
|
336
|
+
break;
|
337
|
+
}
|
338
|
+
if (!cert_self_signed(x, &is_self_signed)) {
|
339
|
+
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
483
340
|
goto end;
|
341
|
+
}
|
342
|
+
// If we are self signed, we break
|
343
|
+
if (is_self_signed) {
|
344
|
+
break;
|
345
|
+
}
|
346
|
+
ok = ctx->get_issuer(&xtmp, ctx, x);
|
484
347
|
|
485
|
-
|
486
|
-
|
487
|
-
if (err != X509_V_OK) {
|
488
|
-
ctx->error = err;
|
489
|
-
ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
|
490
|
-
ok = cb(0, ctx);
|
491
|
-
if (!ok)
|
492
|
-
goto end;
|
493
|
-
}
|
494
|
-
|
495
|
-
/* At this point, we have a chain and need to verify it */
|
496
|
-
if (ctx->verify != NULL)
|
497
|
-
ok = ctx->verify(ctx);
|
498
|
-
else
|
499
|
-
ok = internal_verify(ctx);
|
500
|
-
if (!ok)
|
348
|
+
if (ok < 0) {
|
349
|
+
ctx->error = X509_V_ERR_STORE_LOOKUP;
|
501
350
|
goto end;
|
502
|
-
|
503
|
-
|
504
|
-
|
505
|
-
|
506
|
-
|
351
|
+
}
|
352
|
+
if (ok == 0) {
|
353
|
+
break;
|
354
|
+
}
|
355
|
+
x = xtmp;
|
356
|
+
if (!sk_X509_push(ctx->chain, x)) {
|
357
|
+
X509_free(xtmp);
|
358
|
+
ctx->error = X509_V_ERR_OUT_OF_MEM;
|
359
|
+
ok = 0;
|
507
360
|
goto end;
|
361
|
+
}
|
362
|
+
num++;
|
363
|
+
}
|
364
|
+
|
365
|
+
// we now have our chain, lets check it...
|
366
|
+
trust = check_trust(ctx);
|
367
|
+
|
368
|
+
// If explicitly rejected error
|
369
|
+
if (trust == X509_TRUST_REJECTED) {
|
370
|
+
ok = 0;
|
371
|
+
goto end;
|
372
|
+
}
|
373
|
+
// If it's not explicitly trusted then check if there is an alternative
|
374
|
+
// chain that could be used. We only do this if we haven't already
|
375
|
+
// checked via TRUSTED_FIRST and the user hasn't switched off alternate
|
376
|
+
// chain checking
|
377
|
+
retry = 0;
|
378
|
+
if (trust != X509_TRUST_TRUSTED &&
|
379
|
+
!(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) &&
|
380
|
+
!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
|
381
|
+
while (j-- > 1) {
|
382
|
+
xtmp2 = sk_X509_value(ctx->chain, j - 1);
|
383
|
+
ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
|
384
|
+
if (ok < 0) {
|
385
|
+
goto end;
|
386
|
+
}
|
387
|
+
// Check if we found an alternate chain
|
388
|
+
if (ok > 0) {
|
389
|
+
// Free up the found cert we'll add it again later
|
390
|
+
X509_free(xtmp);
|
391
|
+
|
392
|
+
// Dump all the certs above this point - we've found an
|
393
|
+
// alternate chain
|
394
|
+
while (num > j) {
|
395
|
+
xtmp = sk_X509_pop(ctx->chain);
|
396
|
+
X509_free(xtmp);
|
397
|
+
num--;
|
398
|
+
}
|
399
|
+
ctx->last_untrusted = sk_X509_num(ctx->chain);
|
400
|
+
retry = 1;
|
401
|
+
break;
|
402
|
+
}
|
403
|
+
}
|
404
|
+
}
|
405
|
+
} while (retry);
|
406
|
+
|
407
|
+
// If not explicitly trusted then indicate error unless it's a single
|
408
|
+
// self signed certificate in which case we've indicated an error already
|
409
|
+
// and set bad_chain == 1
|
410
|
+
if (trust != X509_TRUST_TRUSTED && !bad_chain) {
|
411
|
+
if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
|
412
|
+
if (ctx->last_untrusted >= num) {
|
413
|
+
ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
|
414
|
+
} else {
|
415
|
+
ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
|
416
|
+
}
|
417
|
+
ctx->current_cert = x;
|
418
|
+
} else {
|
419
|
+
sk_X509_push(ctx->chain, chain_ss);
|
420
|
+
num++;
|
421
|
+
ctx->last_untrusted = num;
|
422
|
+
ctx->current_cert = chain_ss;
|
423
|
+
ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
|
424
|
+
chain_ss = NULL;
|
425
|
+
}
|
426
|
+
|
427
|
+
ctx->error_depth = num - 1;
|
428
|
+
bad_chain = 1;
|
429
|
+
ok = ctx->verify_cb(0, ctx);
|
430
|
+
if (!ok) {
|
431
|
+
goto end;
|
432
|
+
}
|
433
|
+
}
|
434
|
+
|
435
|
+
// We have the chain complete: now we need to check its purpose
|
436
|
+
ok = check_chain_extensions(ctx);
|
437
|
+
|
438
|
+
if (!ok) {
|
439
|
+
goto end;
|
440
|
+
}
|
441
|
+
|
442
|
+
ok = check_id(ctx);
|
443
|
+
|
444
|
+
if (!ok) {
|
445
|
+
goto end;
|
446
|
+
}
|
447
|
+
|
448
|
+
// Check revocation status: we do this after copying parameters because
|
449
|
+
// they may be needed for CRL signature verification.
|
450
|
+
|
451
|
+
ok = ctx->check_revocation(ctx);
|
452
|
+
if (!ok) {
|
453
|
+
goto end;
|
454
|
+
}
|
455
|
+
|
456
|
+
// At this point, we have a chain and need to verify it
|
457
|
+
if (ctx->verify != NULL) {
|
458
|
+
ok = ctx->verify(ctx);
|
459
|
+
} else {
|
460
|
+
ok = internal_verify(ctx);
|
461
|
+
}
|
462
|
+
if (!ok) {
|
463
|
+
goto end;
|
464
|
+
}
|
465
|
+
|
466
|
+
// Check name constraints
|
467
|
+
|
468
|
+
ok = check_name_constraints(ctx);
|
469
|
+
if (!ok) {
|
470
|
+
goto end;
|
471
|
+
}
|
472
|
+
|
473
|
+
// If we get this far evaluate policies
|
474
|
+
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) {
|
475
|
+
ok = ctx->check_policy(ctx);
|
476
|
+
}
|
477
|
+
|
478
|
+
end:
|
479
|
+
if (sktmp != NULL) {
|
480
|
+
sk_X509_free(sktmp);
|
481
|
+
}
|
482
|
+
if (chain_ss != NULL) {
|
483
|
+
X509_free(chain_ss);
|
484
|
+
}
|
485
|
+
|
486
|
+
// Safety net, error returns must set ctx->error
|
487
|
+
if (ok <= 0 && ctx->error == X509_V_OK) {
|
488
|
+
ctx->error = X509_V_ERR_UNSPECIFIED;
|
489
|
+
}
|
490
|
+
return ok;
|
491
|
+
}
|
492
|
+
|
493
|
+
// Given a STACK_OF(X509) find the issuer of cert (if any)
|
494
|
+
|
495
|
+
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) {
|
496
|
+
size_t i;
|
497
|
+
X509 *issuer;
|
498
|
+
for (i = 0; i < sk_X509_num(sk); i++) {
|
499
|
+
issuer = sk_X509_value(sk, i);
|
500
|
+
if (ctx->check_issued(ctx, x, issuer)) {
|
501
|
+
return issuer;
|
502
|
+
}
|
503
|
+
}
|
504
|
+
return NULL;
|
505
|
+
}
|
506
|
+
|
507
|
+
// Given a possible certificate and issuer check them
|
508
|
+
|
509
|
+
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) {
|
510
|
+
int ret;
|
511
|
+
ret = X509_check_issued(issuer, x);
|
512
|
+
if (ret == X509_V_OK) {
|
513
|
+
return 1;
|
514
|
+
}
|
515
|
+
// If we haven't asked for issuer errors don't set ctx
|
516
|
+
if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) {
|
517
|
+
return 0;
|
518
|
+
}
|
508
519
|
|
509
|
-
|
510
|
-
|
511
|
-
|
512
|
-
|
513
|
-
end:
|
514
|
-
if (sktmp != NULL)
|
515
|
-
sk_X509_free(sktmp);
|
516
|
-
if (chain_ss != NULL)
|
517
|
-
X509_free(chain_ss);
|
518
|
-
|
519
|
-
/* Safety net, error returns must set ctx->error */
|
520
|
-
if (ok <= 0 && ctx->error == X509_V_OK)
|
521
|
-
ctx->error = X509_V_ERR_UNSPECIFIED;
|
522
|
-
return ok;
|
523
|
-
}
|
524
|
-
|
525
|
-
/*
|
526
|
-
* Given a STACK_OF(X509) find the issuer of cert (if any)
|
527
|
-
*/
|
528
|
-
|
529
|
-
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
|
530
|
-
{
|
531
|
-
size_t i;
|
532
|
-
X509 *issuer;
|
533
|
-
for (i = 0; i < sk_X509_num(sk); i++) {
|
534
|
-
issuer = sk_X509_value(sk, i);
|
535
|
-
if (ctx->check_issued(ctx, x, issuer))
|
536
|
-
return issuer;
|
537
|
-
}
|
538
|
-
return NULL;
|
539
|
-
}
|
540
|
-
|
541
|
-
/* Given a possible certificate and issuer check them */
|
542
|
-
|
543
|
-
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
|
544
|
-
{
|
545
|
-
int ret;
|
546
|
-
ret = X509_check_issued(issuer, x);
|
547
|
-
if (ret == X509_V_OK)
|
548
|
-
return 1;
|
549
|
-
/* If we haven't asked for issuer errors don't set ctx */
|
550
|
-
if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
|
551
|
-
return 0;
|
552
|
-
|
553
|
-
ctx->error = ret;
|
554
|
-
ctx->current_cert = x;
|
555
|
-
ctx->current_issuer = issuer;
|
556
|
-
return ctx->verify_cb(0, ctx);
|
520
|
+
ctx->error = ret;
|
521
|
+
ctx->current_cert = x;
|
522
|
+
ctx->current_issuer = issuer;
|
523
|
+
return ctx->verify_cb(0, ctx);
|
557
524
|
}
|
558
525
|
|
559
|
-
|
526
|
+
// Alternative lookup method: look from a STACK stored in other_ctx
|
560
527
|
|
561
|
-
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
|
562
|
-
|
563
|
-
|
564
|
-
|
565
|
-
|
566
|
-
|
567
|
-
|
568
|
-
|
528
|
+
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) {
|
529
|
+
*issuer = find_issuer(ctx, ctx->other_ctx, x);
|
530
|
+
if (*issuer) {
|
531
|
+
X509_up_ref(*issuer);
|
532
|
+
return 1;
|
533
|
+
} else {
|
534
|
+
return 0;
|
535
|
+
}
|
569
536
|
}
|
570
537
|
|
571
|
-
|
572
|
-
|
573
|
-
* purpose
|
574
|
-
*/
|
575
|
-
|
576
|
-
static int check_chain_extensions(X509_STORE_CTX *ctx)
|
577
|
-
{
|
578
|
-
int i, ok = 0, plen = 0;
|
579
|
-
X509 *x;
|
580
|
-
int (*cb) (int xok, X509_STORE_CTX *xctx);
|
581
|
-
int proxy_path_length = 0;
|
582
|
-
int purpose;
|
583
|
-
int allow_proxy_certs;
|
584
|
-
cb = ctx->verify_cb;
|
585
|
-
|
586
|
-
enum {
|
587
|
-
// ca_or_leaf allows either type of certificate so that direct use of
|
588
|
-
// self-signed certificates works.
|
589
|
-
ca_or_leaf,
|
590
|
-
must_be_ca,
|
591
|
-
must_not_be_ca,
|
592
|
-
} ca_requirement;
|
593
|
-
|
594
|
-
/* CRL path validation */
|
595
|
-
if (ctx->parent) {
|
596
|
-
allow_proxy_certs = 0;
|
597
|
-
purpose = X509_PURPOSE_CRL_SIGN;
|
598
|
-
} else {
|
599
|
-
allow_proxy_certs =
|
600
|
-
! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
|
601
|
-
purpose = ctx->param->purpose;
|
602
|
-
}
|
603
|
-
|
604
|
-
ca_requirement = ca_or_leaf;
|
538
|
+
// Check a certificate chains extensions for consistency with the supplied
|
539
|
+
// purpose
|
605
540
|
|
606
|
-
|
607
|
-
|
608
|
-
int ret;
|
609
|
-
x = sk_X509_value(ctx->chain, i);
|
610
|
-
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
|
611
|
-
&& (x->ex_flags & EXFLAG_CRITICAL)) {
|
612
|
-
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
|
613
|
-
ctx->error_depth = i;
|
614
|
-
ctx->current_cert = x;
|
615
|
-
ok = cb(0, ctx);
|
616
|
-
if (!ok)
|
617
|
-
goto end;
|
618
|
-
}
|
619
|
-
if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
|
620
|
-
ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
|
621
|
-
ctx->error_depth = i;
|
622
|
-
ctx->current_cert = x;
|
623
|
-
ok = cb(0, ctx);
|
624
|
-
if (!ok)
|
625
|
-
goto end;
|
626
|
-
}
|
627
|
-
|
628
|
-
switch (ca_requirement) {
|
629
|
-
case ca_or_leaf:
|
630
|
-
ret = 1;
|
631
|
-
break;
|
632
|
-
case must_not_be_ca:
|
633
|
-
if (X509_check_ca(x)) {
|
634
|
-
ret = 0;
|
635
|
-
ctx->error = X509_V_ERR_INVALID_NON_CA;
|
636
|
-
} else
|
637
|
-
ret = 1;
|
638
|
-
break;
|
639
|
-
case must_be_ca:
|
640
|
-
if (!X509_check_ca(x)) {
|
641
|
-
ret = 0;
|
642
|
-
ctx->error = X509_V_ERR_INVALID_CA;
|
643
|
-
} else
|
644
|
-
ret = 1;
|
645
|
-
break;
|
646
|
-
default:
|
647
|
-
// impossible.
|
648
|
-
ret = 0;
|
649
|
-
}
|
541
|
+
static int check_chain_extensions(X509_STORE_CTX *ctx) {
|
542
|
+
int ok = 0, plen = 0;
|
650
543
|
|
651
|
-
|
652
|
-
|
653
|
-
|
654
|
-
ok = cb(0, ctx);
|
655
|
-
if (!ok)
|
656
|
-
goto end;
|
657
|
-
}
|
658
|
-
if (ctx->param->purpose > 0) {
|
659
|
-
ret = X509_check_purpose(x, purpose, ca_requirement == must_be_ca);
|
660
|
-
if (ret != 1) {
|
661
|
-
ret = 0;
|
662
|
-
ctx->error = X509_V_ERR_INVALID_PURPOSE;
|
663
|
-
ctx->error_depth = i;
|
664
|
-
ctx->current_cert = x;
|
665
|
-
ok = cb(0, ctx);
|
666
|
-
if (!ok)
|
667
|
-
goto end;
|
668
|
-
}
|
669
|
-
}
|
670
|
-
/* Check pathlen if not self issued */
|
671
|
-
if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
|
672
|
-
&& (x->ex_pathlen != -1)
|
673
|
-
&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
|
674
|
-
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
|
675
|
-
ctx->error_depth = i;
|
676
|
-
ctx->current_cert = x;
|
677
|
-
ok = cb(0, ctx);
|
678
|
-
if (!ok)
|
679
|
-
goto end;
|
680
|
-
}
|
681
|
-
/* Increment path length if not self issued */
|
682
|
-
if (!(x->ex_flags & EXFLAG_SI))
|
683
|
-
plen++;
|
684
|
-
/*
|
685
|
-
* If this certificate is a proxy certificate, the next certificate
|
686
|
-
* must be another proxy certificate or a EE certificate. If not,
|
687
|
-
* the next certificate must be a CA certificate.
|
688
|
-
*/
|
689
|
-
if (x->ex_flags & EXFLAG_PROXY) {
|
690
|
-
if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
|
691
|
-
ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
|
692
|
-
ctx->error_depth = i;
|
693
|
-
ctx->current_cert = x;
|
694
|
-
ok = cb(0, ctx);
|
695
|
-
if (!ok)
|
696
|
-
goto end;
|
697
|
-
}
|
698
|
-
proxy_path_length++;
|
699
|
-
ca_requirement = must_not_be_ca;
|
700
|
-
} else {
|
701
|
-
ca_requirement = must_be_ca;
|
702
|
-
}
|
703
|
-
}
|
704
|
-
ok = 1;
|
705
|
-
end:
|
706
|
-
return ok;
|
707
|
-
}
|
544
|
+
// If |ctx->parent| is set, this is CRL path validation.
|
545
|
+
int purpose =
|
546
|
+
ctx->parent == NULL ? ctx->param->purpose : X509_PURPOSE_CRL_SIGN;
|
708
547
|
|
709
|
-
|
710
|
-
{
|
711
|
-
|
712
|
-
|
713
|
-
|
714
|
-
|
715
|
-
|
716
|
-
|
717
|
-
|
718
|
-
|
719
|
-
|
720
|
-
|
721
|
-
unsigned char *idval;
|
722
|
-
int idlen = ASN1_STRING_to_UTF8(&idval, common_name);
|
723
|
-
if (idlen < 0) {
|
724
|
-
return X509_V_ERR_OUT_OF_MEM;
|
725
|
-
}
|
726
|
-
/* Only process attributes that look like host names. Note it is
|
727
|
-
* important that this check be mirrored in |X509_check_host|. */
|
728
|
-
int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
|
729
|
-
OPENSSL_free(idval);
|
730
|
-
if (looks_like_dns) {
|
731
|
-
return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;
|
732
|
-
}
|
733
|
-
}
|
734
|
-
}
|
735
|
-
|
736
|
-
static int check_name_constraints(X509_STORE_CTX *ctx)
|
737
|
-
{
|
738
|
-
int i, j, rv;
|
739
|
-
int has_name_constraints = 0;
|
740
|
-
/* Check name constraints for all certificates */
|
741
|
-
for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
|
742
|
-
X509 *x = sk_X509_value(ctx->chain, i);
|
743
|
-
/* Ignore self issued certs unless last in chain */
|
744
|
-
if (i && (x->ex_flags & EXFLAG_SI))
|
745
|
-
continue;
|
746
|
-
/*
|
747
|
-
* Check against constraints for all certificates higher in chain
|
748
|
-
* including trust anchor. Trust anchor not strictly speaking needed
|
749
|
-
* but if it includes constraints it is to be assumed it expects them
|
750
|
-
* to be obeyed.
|
751
|
-
*/
|
752
|
-
for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
|
753
|
-
NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
|
754
|
-
if (nc) {
|
755
|
-
has_name_constraints = 1;
|
756
|
-
rv = NAME_CONSTRAINTS_check(x, nc);
|
757
|
-
switch (rv) {
|
758
|
-
case X509_V_OK:
|
759
|
-
continue;
|
760
|
-
case X509_V_ERR_OUT_OF_MEM:
|
761
|
-
ctx->error = rv;
|
762
|
-
return 0;
|
763
|
-
default:
|
764
|
-
ctx->error = rv;
|
765
|
-
ctx->error_depth = i;
|
766
|
-
ctx->current_cert = x;
|
767
|
-
if (!ctx->verify_cb(0, ctx))
|
768
|
-
return 0;
|
769
|
-
break;
|
770
|
-
}
|
771
|
-
}
|
772
|
-
}
|
548
|
+
// Check all untrusted certificates
|
549
|
+
for (int i = 0; i < ctx->last_untrusted; i++) {
|
550
|
+
X509 *x = sk_X509_value(ctx->chain, i);
|
551
|
+
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
|
552
|
+
(x->ex_flags & EXFLAG_CRITICAL)) {
|
553
|
+
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
|
554
|
+
ctx->error_depth = i;
|
555
|
+
ctx->current_cert = x;
|
556
|
+
ok = ctx->verify_cb(0, ctx);
|
557
|
+
if (!ok) {
|
558
|
+
goto end;
|
559
|
+
}
|
773
560
|
}
|
774
561
|
|
775
|
-
|
776
|
-
|
777
|
-
|
778
|
-
|
779
|
-
|
780
|
-
|
781
|
-
|
782
|
-
|
783
|
-
|
784
|
-
|
785
|
-
|
786
|
-
|
787
|
-
|
562
|
+
int must_be_ca = i > 0;
|
563
|
+
if (must_be_ca && !X509_check_ca(x)) {
|
564
|
+
ctx->error = X509_V_ERR_INVALID_CA;
|
565
|
+
ctx->error_depth = i;
|
566
|
+
ctx->current_cert = x;
|
567
|
+
ok = ctx->verify_cb(0, ctx);
|
568
|
+
if (!ok) {
|
569
|
+
goto end;
|
570
|
+
}
|
571
|
+
}
|
572
|
+
if (ctx->param->purpose > 0 &&
|
573
|
+
X509_check_purpose(x, purpose, must_be_ca) != 1) {
|
574
|
+
ctx->error = X509_V_ERR_INVALID_PURPOSE;
|
575
|
+
ctx->error_depth = i;
|
576
|
+
ctx->current_cert = x;
|
577
|
+
ok = ctx->verify_cb(0, ctx);
|
578
|
+
if (!ok) {
|
579
|
+
goto end;
|
580
|
+
}
|
581
|
+
}
|
582
|
+
// Check pathlen if not self issued
|
583
|
+
if (i > 1 && !(x->ex_flags & EXFLAG_SI) && x->ex_pathlen != -1 &&
|
584
|
+
plen > x->ex_pathlen + 1) {
|
585
|
+
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
|
586
|
+
ctx->error_depth = i;
|
587
|
+
ctx->current_cert = x;
|
588
|
+
ok = ctx->verify_cb(0, ctx);
|
589
|
+
if (!ok) {
|
590
|
+
goto end;
|
591
|
+
}
|
592
|
+
}
|
593
|
+
// Increment path length if not self issued
|
594
|
+
if (!(x->ex_flags & EXFLAG_SI)) {
|
595
|
+
plen++;
|
596
|
+
}
|
597
|
+
}
|
598
|
+
ok = 1;
|
599
|
+
end:
|
600
|
+
return ok;
|
601
|
+
}
|
602
|
+
|
603
|
+
static int reject_dns_name_in_common_name(X509 *x509) {
|
604
|
+
const X509_NAME *name = X509_get_subject_name(x509);
|
605
|
+
int i = -1;
|
606
|
+
for (;;) {
|
607
|
+
i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
|
608
|
+
if (i == -1) {
|
609
|
+
return X509_V_OK;
|
610
|
+
}
|
611
|
+
|
612
|
+
const X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
|
613
|
+
const ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(entry);
|
614
|
+
unsigned char *idval;
|
615
|
+
int idlen = ASN1_STRING_to_UTF8(&idval, common_name);
|
616
|
+
if (idlen < 0) {
|
617
|
+
return X509_V_ERR_OUT_OF_MEM;
|
618
|
+
}
|
619
|
+
// Only process attributes that look like host names. Note it is
|
620
|
+
// important that this check be mirrored in |X509_check_host|.
|
621
|
+
int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
|
622
|
+
OPENSSL_free(idval);
|
623
|
+
if (looks_like_dns) {
|
624
|
+
return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;
|
625
|
+
}
|
626
|
+
}
|
627
|
+
}
|
628
|
+
|
629
|
+
static int check_name_constraints(X509_STORE_CTX *ctx) {
|
630
|
+
int i, j, rv;
|
631
|
+
int has_name_constraints = 0;
|
632
|
+
// Check name constraints for all certificates
|
633
|
+
for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
|
634
|
+
X509 *x = sk_X509_value(ctx->chain, i);
|
635
|
+
// Ignore self issued certs unless last in chain
|
636
|
+
if (i && (x->ex_flags & EXFLAG_SI)) {
|
637
|
+
continue;
|
638
|
+
}
|
639
|
+
// Check against constraints for all certificates higher in chain
|
640
|
+
// including trust anchor. Trust anchor not strictly speaking needed
|
641
|
+
// but if it includes constraints it is to be assumed it expects them
|
642
|
+
// to be obeyed.
|
643
|
+
for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
|
644
|
+
NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
|
645
|
+
if (nc) {
|
646
|
+
has_name_constraints = 1;
|
647
|
+
rv = NAME_CONSTRAINTS_check(x, nc);
|
788
648
|
switch (rv) {
|
789
|
-
|
790
|
-
|
791
|
-
|
649
|
+
case X509_V_OK:
|
650
|
+
continue;
|
651
|
+
case X509_V_ERR_OUT_OF_MEM:
|
792
652
|
ctx->error = rv;
|
793
653
|
return 0;
|
794
|
-
|
654
|
+
default:
|
795
655
|
ctx->error = rv;
|
796
656
|
ctx->error_depth = i;
|
797
|
-
ctx->current_cert =
|
798
|
-
if (!ctx->verify_cb(0, ctx))
|
799
|
-
|
657
|
+
ctx->current_cert = x;
|
658
|
+
if (!ctx->verify_cb(0, ctx)) {
|
659
|
+
return 0;
|
660
|
+
}
|
800
661
|
break;
|
801
662
|
}
|
663
|
+
}
|
664
|
+
}
|
665
|
+
}
|
666
|
+
|
667
|
+
// Name constraints do not match against the common name, but
|
668
|
+
// |X509_check_host| still implements the legacy behavior where, on
|
669
|
+
// certificates lacking a SAN list, DNS-like names in the common name are
|
670
|
+
// checked instead.
|
671
|
+
//
|
672
|
+
// While we could apply the name constraints to the common name, name
|
673
|
+
// constraints are rare enough that can hold such certificates to a higher
|
674
|
+
// standard. Note this does not make "DNS-like" heuristic failures any
|
675
|
+
// worse. A decorative common-name misidentified as a DNS name would fail
|
676
|
+
// the name constraint anyway.
|
677
|
+
X509 *leaf = sk_X509_value(ctx->chain, 0);
|
678
|
+
if (has_name_constraints && leaf->altname == NULL) {
|
679
|
+
rv = reject_dns_name_in_common_name(leaf);
|
680
|
+
switch (rv) {
|
681
|
+
case X509_V_OK:
|
682
|
+
break;
|
683
|
+
case X509_V_ERR_OUT_OF_MEM:
|
684
|
+
ctx->error = rv;
|
685
|
+
return 0;
|
686
|
+
default:
|
687
|
+
ctx->error = rv;
|
688
|
+
ctx->error_depth = i;
|
689
|
+
ctx->current_cert = leaf;
|
690
|
+
if (!ctx->verify_cb(0, ctx)) {
|
691
|
+
return 0;
|
692
|
+
}
|
693
|
+
break;
|
802
694
|
}
|
803
|
-
|
695
|
+
}
|
696
|
+
|
697
|
+
return 1;
|
698
|
+
}
|
699
|
+
|
700
|
+
static int check_id_error(X509_STORE_CTX *ctx, int errcode) {
|
701
|
+
ctx->error = errcode;
|
702
|
+
ctx->current_cert = ctx->cert;
|
703
|
+
ctx->error_depth = 0;
|
704
|
+
return ctx->verify_cb(0, ctx);
|
705
|
+
}
|
706
|
+
|
707
|
+
static int check_hosts(X509 *x, X509_VERIFY_PARAM *param) {
|
708
|
+
size_t i;
|
709
|
+
size_t n = sk_OPENSSL_STRING_num(param->hosts);
|
710
|
+
char *name;
|
711
|
+
|
712
|
+
if (param->peername != NULL) {
|
713
|
+
OPENSSL_free(param->peername);
|
714
|
+
param->peername = NULL;
|
715
|
+
}
|
716
|
+
for (i = 0; i < n; ++i) {
|
717
|
+
name = sk_OPENSSL_STRING_value(param->hosts, i);
|
718
|
+
if (X509_check_host(x, name, strlen(name), param->hostflags,
|
719
|
+
¶m->peername) > 0) {
|
720
|
+
return 1;
|
721
|
+
}
|
722
|
+
}
|
723
|
+
return n == 0;
|
724
|
+
}
|
725
|
+
|
726
|
+
static int check_id(X509_STORE_CTX *ctx) {
|
727
|
+
X509_VERIFY_PARAM *vpm = ctx->param;
|
728
|
+
X509 *x = ctx->cert;
|
729
|
+
if (vpm->poison) {
|
730
|
+
if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL)) {
|
731
|
+
return 0;
|
732
|
+
}
|
733
|
+
}
|
734
|
+
if (vpm->hosts && check_hosts(x, vpm) <= 0) {
|
735
|
+
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) {
|
736
|
+
return 0;
|
737
|
+
}
|
738
|
+
}
|
739
|
+
if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
|
740
|
+
if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) {
|
741
|
+
return 0;
|
742
|
+
}
|
743
|
+
}
|
744
|
+
if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
|
745
|
+
if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) {
|
746
|
+
return 0;
|
747
|
+
}
|
748
|
+
}
|
749
|
+
return 1;
|
750
|
+
}
|
751
|
+
|
752
|
+
static int check_trust(X509_STORE_CTX *ctx) {
|
753
|
+
size_t i;
|
754
|
+
int ok;
|
755
|
+
X509 *x = NULL;
|
756
|
+
// Check all trusted certificates in chain
|
757
|
+
for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
|
758
|
+
x = sk_X509_value(ctx->chain, i);
|
759
|
+
ok = X509_check_trust(x, ctx->param->trust, 0);
|
760
|
+
// If explicitly trusted return trusted
|
761
|
+
if (ok == X509_TRUST_TRUSTED) {
|
762
|
+
return X509_TRUST_TRUSTED;
|
763
|
+
}
|
764
|
+
// If explicitly rejected notify callback and reject if not
|
765
|
+
// overridden.
|
766
|
+
if (ok == X509_TRUST_REJECTED) {
|
767
|
+
ctx->error_depth = i;
|
768
|
+
ctx->current_cert = x;
|
769
|
+
ctx->error = X509_V_ERR_CERT_REJECTED;
|
770
|
+
ok = ctx->verify_cb(0, ctx);
|
771
|
+
if (!ok) {
|
772
|
+
return X509_TRUST_REJECTED;
|
773
|
+
}
|
774
|
+
}
|
775
|
+
}
|
776
|
+
// If we accept partial chains and have at least one trusted certificate
|
777
|
+
// return success.
|
778
|
+
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
|
779
|
+
X509 *mx;
|
780
|
+
if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain)) {
|
781
|
+
return X509_TRUST_TRUSTED;
|
782
|
+
}
|
783
|
+
x = sk_X509_value(ctx->chain, 0);
|
784
|
+
mx = lookup_cert_match(ctx, x);
|
785
|
+
if (mx) {
|
786
|
+
(void)sk_X509_set(ctx->chain, 0, mx);
|
787
|
+
X509_free(x);
|
788
|
+
ctx->last_untrusted = 0;
|
789
|
+
return X509_TRUST_TRUSTED;
|
790
|
+
}
|
791
|
+
}
|
792
|
+
|
793
|
+
// If no trusted certs in chain at all return untrusted and allow
|
794
|
+
// standard (no issuer cert) etc errors to be indicated.
|
795
|
+
return X509_TRUST_UNTRUSTED;
|
796
|
+
}
|
797
|
+
|
798
|
+
static int check_revocation(X509_STORE_CTX *ctx) {
|
799
|
+
int i, last, ok;
|
800
|
+
if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) {
|
804
801
|
return 1;
|
805
|
-
}
|
806
|
-
|
807
|
-
|
808
|
-
{
|
809
|
-
|
810
|
-
ctx->
|
811
|
-
|
812
|
-
|
813
|
-
|
814
|
-
|
815
|
-
|
816
|
-
|
817
|
-
|
818
|
-
|
819
|
-
|
820
|
-
|
821
|
-
|
822
|
-
|
823
|
-
|
824
|
-
|
825
|
-
|
826
|
-
|
827
|
-
|
828
|
-
|
829
|
-
|
830
|
-
|
831
|
-
|
832
|
-
|
833
|
-
|
834
|
-
|
835
|
-
|
836
|
-
|
837
|
-
|
838
|
-
|
839
|
-
|
840
|
-
|
841
|
-
}
|
842
|
-
|
843
|
-
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
|
844
|
-
return 0;
|
802
|
+
}
|
803
|
+
if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) {
|
804
|
+
last = sk_X509_num(ctx->chain) - 1;
|
805
|
+
} else {
|
806
|
+
// If checking CRL paths this isn't the EE certificate
|
807
|
+
if (ctx->parent) {
|
808
|
+
return 1;
|
809
|
+
}
|
810
|
+
last = 0;
|
811
|
+
}
|
812
|
+
for (i = 0; i <= last; i++) {
|
813
|
+
ctx->error_depth = i;
|
814
|
+
ok = check_cert(ctx);
|
815
|
+
if (!ok) {
|
816
|
+
return ok;
|
817
|
+
}
|
818
|
+
}
|
819
|
+
return 1;
|
820
|
+
}
|
821
|
+
|
822
|
+
static int check_cert(X509_STORE_CTX *ctx) {
|
823
|
+
X509_CRL *crl = NULL, *dcrl = NULL;
|
824
|
+
X509 *x;
|
825
|
+
int ok = 0, cnum;
|
826
|
+
unsigned int last_reasons;
|
827
|
+
cnum = ctx->error_depth;
|
828
|
+
x = sk_X509_value(ctx->chain, cnum);
|
829
|
+
ctx->current_cert = x;
|
830
|
+
ctx->current_issuer = NULL;
|
831
|
+
ctx->current_crl_score = 0;
|
832
|
+
ctx->current_reasons = 0;
|
833
|
+
while (ctx->current_reasons != CRLDP_ALL_REASONS) {
|
834
|
+
last_reasons = ctx->current_reasons;
|
835
|
+
// Try to retrieve relevant CRL
|
836
|
+
if (ctx->get_crl) {
|
837
|
+
ok = ctx->get_crl(ctx, &crl, x);
|
838
|
+
} else {
|
839
|
+
ok = get_crl_delta(ctx, &crl, &dcrl, x);
|
845
840
|
}
|
846
|
-
|
847
|
-
|
848
|
-
|
841
|
+
// If error looking up CRL, nothing we can do except notify callback
|
842
|
+
if (!ok) {
|
843
|
+
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
|
844
|
+
ok = ctx->verify_cb(0, ctx);
|
845
|
+
goto err;
|
849
846
|
}
|
850
|
-
|
851
|
-
|
852
|
-
|
847
|
+
ctx->current_crl = crl;
|
848
|
+
ok = ctx->check_crl(ctx, crl);
|
849
|
+
if (!ok) {
|
850
|
+
goto err;
|
853
851
|
}
|
854
|
-
return 1;
|
855
|
-
}
|
856
852
|
|
857
|
-
|
858
|
-
|
859
|
-
|
860
|
-
|
861
|
-
|
862
|
-
|
863
|
-
|
864
|
-
|
865
|
-
|
866
|
-
|
867
|
-
|
868
|
-
/* If explicitly trusted return trusted */
|
869
|
-
if (ok == X509_TRUST_TRUSTED)
|
870
|
-
return X509_TRUST_TRUSTED;
|
871
|
-
/*
|
872
|
-
* If explicitly rejected notify callback and reject if not
|
873
|
-
* overridden.
|
874
|
-
*/
|
875
|
-
if (ok == X509_TRUST_REJECTED) {
|
876
|
-
ctx->error_depth = i;
|
877
|
-
ctx->current_cert = x;
|
878
|
-
ctx->error = X509_V_ERR_CERT_REJECTED;
|
879
|
-
ok = cb(0, ctx);
|
880
|
-
if (!ok)
|
881
|
-
return X509_TRUST_REJECTED;
|
882
|
-
}
|
883
|
-
}
|
884
|
-
/*
|
885
|
-
* If we accept partial chains and have at least one trusted certificate
|
886
|
-
* return success.
|
887
|
-
*/
|
888
|
-
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
|
889
|
-
X509 *mx;
|
890
|
-
if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain))
|
891
|
-
return X509_TRUST_TRUSTED;
|
892
|
-
x = sk_X509_value(ctx->chain, 0);
|
893
|
-
mx = lookup_cert_match(ctx, x);
|
894
|
-
if (mx) {
|
895
|
-
(void)sk_X509_set(ctx->chain, 0, mx);
|
896
|
-
X509_free(x);
|
897
|
-
ctx->last_untrusted = 0;
|
898
|
-
return X509_TRUST_TRUSTED;
|
899
|
-
}
|
853
|
+
if (dcrl) {
|
854
|
+
ok = ctx->check_crl(ctx, dcrl);
|
855
|
+
if (!ok) {
|
856
|
+
goto err;
|
857
|
+
}
|
858
|
+
ok = ctx->cert_crl(ctx, dcrl, x);
|
859
|
+
if (!ok) {
|
860
|
+
goto err;
|
861
|
+
}
|
862
|
+
} else {
|
863
|
+
ok = 1;
|
900
864
|
}
|
901
865
|
|
902
|
-
|
903
|
-
|
904
|
-
|
905
|
-
|
906
|
-
|
907
|
-
}
|
908
|
-
|
909
|
-
static int check_revocation(X509_STORE_CTX *ctx)
|
910
|
-
{
|
911
|
-
int i, last, ok;
|
912
|
-
if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
|
913
|
-
return 1;
|
914
|
-
if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
|
915
|
-
last = sk_X509_num(ctx->chain) - 1;
|
916
|
-
else {
|
917
|
-
/* If checking CRL paths this isn't the EE certificate */
|
918
|
-
if (ctx->parent)
|
919
|
-
return 1;
|
920
|
-
last = 0;
|
921
|
-
}
|
922
|
-
for (i = 0; i <= last; i++) {
|
923
|
-
ctx->error_depth = i;
|
924
|
-
ok = check_cert(ctx);
|
925
|
-
if (!ok)
|
926
|
-
return ok;
|
866
|
+
// Don't look in full CRL if delta reason is removefromCRL
|
867
|
+
if (ok != 2) {
|
868
|
+
ok = ctx->cert_crl(ctx, crl, x);
|
869
|
+
if (!ok) {
|
870
|
+
goto err;
|
871
|
+
}
|
927
872
|
}
|
928
|
-
return 1;
|
929
|
-
}
|
930
|
-
|
931
|
-
static int check_cert(X509_STORE_CTX *ctx)
|
932
|
-
{
|
933
|
-
X509_CRL *crl = NULL, *dcrl = NULL;
|
934
|
-
X509 *x;
|
935
|
-
int ok = 0, cnum;
|
936
|
-
unsigned int last_reasons;
|
937
|
-
cnum = ctx->error_depth;
|
938
|
-
x = sk_X509_value(ctx->chain, cnum);
|
939
|
-
ctx->current_cert = x;
|
940
|
-
ctx->current_issuer = NULL;
|
941
|
-
ctx->current_crl_score = 0;
|
942
|
-
ctx->current_reasons = 0;
|
943
|
-
while (ctx->current_reasons != CRLDP_ALL_REASONS) {
|
944
|
-
last_reasons = ctx->current_reasons;
|
945
|
-
/* Try to retrieve relevant CRL */
|
946
|
-
if (ctx->get_crl)
|
947
|
-
ok = ctx->get_crl(ctx, &crl, x);
|
948
|
-
else
|
949
|
-
ok = get_crl_delta(ctx, &crl, &dcrl, x);
|
950
|
-
/*
|
951
|
-
* If error looking up CRL, nothing we can do except notify callback
|
952
|
-
*/
|
953
|
-
if (!ok) {
|
954
|
-
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
|
955
|
-
ok = ctx->verify_cb(0, ctx);
|
956
|
-
goto err;
|
957
|
-
}
|
958
|
-
ctx->current_crl = crl;
|
959
|
-
ok = ctx->check_crl(ctx, crl);
|
960
|
-
if (!ok)
|
961
|
-
goto err;
|
962
|
-
|
963
|
-
if (dcrl) {
|
964
|
-
ok = ctx->check_crl(ctx, dcrl);
|
965
|
-
if (!ok)
|
966
|
-
goto err;
|
967
|
-
ok = ctx->cert_crl(ctx, dcrl, x);
|
968
|
-
if (!ok)
|
969
|
-
goto err;
|
970
|
-
} else
|
971
|
-
ok = 1;
|
972
|
-
|
973
|
-
/* Don't look in full CRL if delta reason is removefromCRL */
|
974
|
-
if (ok != 2) {
|
975
|
-
ok = ctx->cert_crl(ctx, crl, x);
|
976
|
-
if (!ok)
|
977
|
-
goto err;
|
978
|
-
}
|
979
873
|
|
980
|
-
X509_CRL_free(crl);
|
981
|
-
X509_CRL_free(dcrl);
|
982
|
-
crl = NULL;
|
983
|
-
dcrl = NULL;
|
984
|
-
/*
|
985
|
-
* If reasons not updated we wont get anywhere by another iteration,
|
986
|
-
* so exit loop.
|
987
|
-
*/
|
988
|
-
if (last_reasons == ctx->current_reasons) {
|
989
|
-
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
|
990
|
-
ok = ctx->verify_cb(0, ctx);
|
991
|
-
goto err;
|
992
|
-
}
|
993
|
-
}
|
994
|
-
err:
|
995
874
|
X509_CRL_free(crl);
|
996
875
|
X509_CRL_free(dcrl);
|
876
|
+
crl = NULL;
|
877
|
+
dcrl = NULL;
|
878
|
+
// If reasons not updated we wont get anywhere by another iteration,
|
879
|
+
// so exit loop.
|
880
|
+
if (last_reasons == ctx->current_reasons) {
|
881
|
+
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
|
882
|
+
ok = ctx->verify_cb(0, ctx);
|
883
|
+
goto err;
|
884
|
+
}
|
885
|
+
}
|
886
|
+
err:
|
887
|
+
X509_CRL_free(crl);
|
888
|
+
X509_CRL_free(dcrl);
|
997
889
|
|
998
|
-
|
999
|
-
|
1000
|
-
|
890
|
+
ctx->current_crl = NULL;
|
891
|
+
return ok;
|
1001
892
|
}
|
1002
893
|
|
1003
|
-
|
894
|
+
// Check CRL times against values in X509_STORE_CTX
|
1004
895
|
|
1005
|
-
static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
|
1006
|
-
{
|
1007
|
-
|
1008
|
-
|
1009
|
-
if (notify)
|
1010
|
-
ctx->current_crl = crl;
|
1011
|
-
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
|
1012
|
-
ptime = &ctx->param->check_time;
|
1013
|
-
else
|
1014
|
-
ptime = NULL;
|
896
|
+
static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) {
|
897
|
+
if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {
|
898
|
+
return 1;
|
899
|
+
}
|
1015
900
|
|
1016
|
-
|
1017
|
-
|
1018
|
-
|
1019
|
-
|
1020
|
-
|
1021
|
-
|
1022
|
-
|
901
|
+
if (notify) {
|
902
|
+
ctx->current_crl = crl;
|
903
|
+
}
|
904
|
+
int64_t ptime;
|
905
|
+
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
|
906
|
+
ptime = ctx->param->check_time;
|
907
|
+
} else {
|
908
|
+
ptime = time(NULL);
|
909
|
+
}
|
910
|
+
|
911
|
+
int i = X509_cmp_time_posix(X509_CRL_get0_lastUpdate(crl), ptime);
|
912
|
+
if (i == 0) {
|
913
|
+
if (!notify) {
|
914
|
+
return 0;
|
915
|
+
}
|
916
|
+
ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
|
917
|
+
if (!ctx->verify_cb(0, ctx)) {
|
918
|
+
return 0;
|
1023
919
|
}
|
920
|
+
}
|
1024
921
|
|
1025
|
-
|
1026
|
-
|
1027
|
-
|
1028
|
-
ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
|
1029
|
-
if (!ctx->verify_cb(0, ctx))
|
1030
|
-
return 0;
|
922
|
+
if (i > 0) {
|
923
|
+
if (!notify) {
|
924
|
+
return 0;
|
1031
925
|
}
|
926
|
+
ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
|
927
|
+
if (!ctx->verify_cb(0, ctx)) {
|
928
|
+
return 0;
|
929
|
+
}
|
930
|
+
}
|
1032
931
|
|
1033
|
-
|
1034
|
-
|
932
|
+
if (X509_CRL_get0_nextUpdate(crl)) {
|
933
|
+
i = X509_cmp_time_posix(X509_CRL_get0_nextUpdate(crl), ptime);
|
1035
934
|
|
1036
|
-
|
1037
|
-
|
1038
|
-
|
1039
|
-
|
1040
|
-
|
1041
|
-
|
1042
|
-
|
1043
|
-
|
1044
|
-
|
1045
|
-
|
1046
|
-
|
1047
|
-
|
1048
|
-
|
1049
|
-
|
1050
|
-
|
935
|
+
if (i == 0) {
|
936
|
+
if (!notify) {
|
937
|
+
return 0;
|
938
|
+
}
|
939
|
+
ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
|
940
|
+
if (!ctx->verify_cb(0, ctx)) {
|
941
|
+
return 0;
|
942
|
+
}
|
943
|
+
}
|
944
|
+
// Ignore expiry of base CRL is delta is valid
|
945
|
+
if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
|
946
|
+
if (!notify) {
|
947
|
+
return 0;
|
948
|
+
}
|
949
|
+
ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
|
950
|
+
if (!ctx->verify_cb(0, ctx)) {
|
951
|
+
return 0;
|
952
|
+
}
|
1051
953
|
}
|
954
|
+
}
|
1052
955
|
|
1053
|
-
|
1054
|
-
|
956
|
+
if (notify) {
|
957
|
+
ctx->current_crl = NULL;
|
958
|
+
}
|
1055
959
|
|
1056
|
-
|
960
|
+
return 1;
|
1057
961
|
}
|
1058
962
|
|
1059
963
|
static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
|
1060
964
|
X509 **pissuer, int *pscore, unsigned int *preasons,
|
1061
|
-
STACK_OF(X509_CRL) *crls)
|
1062
|
-
|
1063
|
-
|
1064
|
-
|
1065
|
-
|
1066
|
-
|
1067
|
-
|
1068
|
-
|
1069
|
-
|
1070
|
-
|
1071
|
-
|
1072
|
-
|
1073
|
-
|
1074
|
-
|
1075
|
-
|
1076
|
-
|
1077
|
-
|
1078
|
-
|
1079
|
-
|
1080
|
-
|
1081
|
-
|
1082
|
-
|
1083
|
-
|
1084
|
-
|
1085
|
-
|
1086
|
-
|
1087
|
-
|
1088
|
-
|
1089
|
-
|
1090
|
-
|
1091
|
-
|
1092
|
-
|
1093
|
-
|
1094
|
-
|
1095
|
-
|
1096
|
-
|
1097
|
-
|
1098
|
-
|
1099
|
-
|
1100
|
-
|
1101
|
-
|
1102
|
-
|
1103
|
-
|
1104
|
-
|
1105
|
-
|
1106
|
-
|
1107
|
-
|
1108
|
-
|
1109
|
-
|
1110
|
-
|
1111
|
-
|
965
|
+
STACK_OF(X509_CRL) *crls) {
|
966
|
+
int crl_score, best_score = *pscore;
|
967
|
+
size_t i;
|
968
|
+
unsigned int reasons, best_reasons = 0;
|
969
|
+
X509 *x = ctx->current_cert;
|
970
|
+
X509_CRL *crl, *best_crl = NULL;
|
971
|
+
X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
|
972
|
+
|
973
|
+
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
|
974
|
+
crl = sk_X509_CRL_value(crls, i);
|
975
|
+
reasons = *preasons;
|
976
|
+
crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
|
977
|
+
if (crl_score < best_score || crl_score == 0) {
|
978
|
+
continue;
|
979
|
+
}
|
980
|
+
// If current CRL is equivalent use it if it is newer
|
981
|
+
if (crl_score == best_score && best_crl != NULL) {
|
982
|
+
int day, sec;
|
983
|
+
if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
|
984
|
+
X509_CRL_get0_lastUpdate(crl)) == 0) {
|
985
|
+
continue;
|
986
|
+
}
|
987
|
+
// ASN1_TIME_diff never returns inconsistent signs for |day|
|
988
|
+
// and |sec|.
|
989
|
+
if (day <= 0 && sec <= 0) {
|
990
|
+
continue;
|
991
|
+
}
|
992
|
+
}
|
993
|
+
best_crl = crl;
|
994
|
+
best_crl_issuer = crl_issuer;
|
995
|
+
best_score = crl_score;
|
996
|
+
best_reasons = reasons;
|
997
|
+
}
|
998
|
+
|
999
|
+
if (best_crl) {
|
1000
|
+
if (*pcrl) {
|
1001
|
+
X509_CRL_free(*pcrl);
|
1002
|
+
}
|
1003
|
+
*pcrl = best_crl;
|
1004
|
+
*pissuer = best_crl_issuer;
|
1005
|
+
*pscore = best_score;
|
1006
|
+
*preasons = best_reasons;
|
1007
|
+
X509_CRL_up_ref(best_crl);
|
1008
|
+
if (*pdcrl) {
|
1009
|
+
X509_CRL_free(*pdcrl);
|
1010
|
+
*pdcrl = NULL;
|
1011
|
+
}
|
1012
|
+
get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
|
1013
|
+
}
|
1014
|
+
|
1015
|
+
if (best_score >= CRL_SCORE_VALID) {
|
1016
|
+
return 1;
|
1017
|
+
}
|
1112
1018
|
|
1113
|
-
|
1019
|
+
return 0;
|
1114
1020
|
}
|
1115
1021
|
|
1116
|
-
|
1117
|
-
|
1118
|
-
* both present or both absent. If both present all fields must be identical.
|
1119
|
-
*/
|
1120
|
-
|
1121
|
-
static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
|
1122
|
-
{
|
1123
|
-
ASN1_OCTET_STRING *exta, *extb;
|
1124
|
-
int i;
|
1125
|
-
i = X509_CRL_get_ext_by_NID(a, nid, -1);
|
1126
|
-
if (i >= 0) {
|
1127
|
-
/* Can't have multiple occurrences */
|
1128
|
-
if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
|
1129
|
-
return 0;
|
1130
|
-
exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
|
1131
|
-
} else
|
1132
|
-
exta = NULL;
|
1022
|
+
// Compare two CRL extensions for delta checking purposes. They should be
|
1023
|
+
// both present or both absent. If both present all fields must be identical.
|
1133
1024
|
|
1134
|
-
|
1025
|
+
static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) {
|
1026
|
+
const ASN1_OCTET_STRING *exta, *extb;
|
1027
|
+
int i;
|
1028
|
+
i = X509_CRL_get_ext_by_NID(a, nid, -1);
|
1029
|
+
if (i >= 0) {
|
1030
|
+
// Can't have multiple occurrences
|
1031
|
+
if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) {
|
1032
|
+
return 0;
|
1033
|
+
}
|
1034
|
+
exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
|
1035
|
+
} else {
|
1036
|
+
exta = NULL;
|
1037
|
+
}
|
1135
1038
|
|
1136
|
-
|
1039
|
+
i = X509_CRL_get_ext_by_NID(b, nid, -1);
|
1137
1040
|
|
1138
|
-
|
1139
|
-
|
1140
|
-
|
1141
|
-
}
|
1142
|
-
|
1041
|
+
if (i >= 0) {
|
1042
|
+
if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) {
|
1043
|
+
return 0;
|
1044
|
+
}
|
1045
|
+
extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
|
1046
|
+
} else {
|
1047
|
+
extb = NULL;
|
1048
|
+
}
|
1143
1049
|
|
1144
|
-
|
1145
|
-
|
1050
|
+
if (!exta && !extb) {
|
1051
|
+
return 1;
|
1052
|
+
}
|
1146
1053
|
|
1147
|
-
|
1148
|
-
|
1054
|
+
if (!exta || !extb) {
|
1055
|
+
return 0;
|
1056
|
+
}
|
1149
1057
|
|
1150
|
-
|
1151
|
-
|
1058
|
+
if (ASN1_OCTET_STRING_cmp(exta, extb)) {
|
1059
|
+
return 0;
|
1060
|
+
}
|
1152
1061
|
|
1153
|
-
|
1062
|
+
return 1;
|
1154
1063
|
}
|
1155
1064
|
|
1156
|
-
|
1065
|
+
// See if a base and delta are compatible
|
1157
1066
|
|
1158
|
-
static int check_delta_base(X509_CRL *delta, X509_CRL *base)
|
1159
|
-
|
1160
|
-
|
1161
|
-
|
1162
|
-
|
1163
|
-
|
1164
|
-
|
1165
|
-
return 0;
|
1166
|
-
/* Issuer names must match */
|
1167
|
-
if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta)))
|
1168
|
-
return 0;
|
1169
|
-
/* AKID and IDP must match */
|
1170
|
-
if (!crl_extension_match(delta, base, NID_authority_key_identifier))
|
1171
|
-
return 0;
|
1172
|
-
if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
|
1173
|
-
return 0;
|
1174
|
-
/* Delta CRL base number must not exceed Full CRL number. */
|
1175
|
-
if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
|
1176
|
-
return 0;
|
1177
|
-
/* Delta CRL number must exceed full CRL number */
|
1178
|
-
if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
|
1179
|
-
return 1;
|
1067
|
+
static int check_delta_base(X509_CRL *delta, X509_CRL *base) {
|
1068
|
+
// Delta CRL must be a delta
|
1069
|
+
if (!delta->base_crl_number) {
|
1070
|
+
return 0;
|
1071
|
+
}
|
1072
|
+
// Base must have a CRL number
|
1073
|
+
if (!base->crl_number) {
|
1180
1074
|
return 0;
|
1075
|
+
}
|
1076
|
+
// Issuer names must match
|
1077
|
+
if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta))) {
|
1078
|
+
return 0;
|
1079
|
+
}
|
1080
|
+
// AKID and IDP must match
|
1081
|
+
if (!crl_extension_match(delta, base, NID_authority_key_identifier)) {
|
1082
|
+
return 0;
|
1083
|
+
}
|
1084
|
+
if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) {
|
1085
|
+
return 0;
|
1086
|
+
}
|
1087
|
+
// Delta CRL base number must not exceed Full CRL number.
|
1088
|
+
if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) {
|
1089
|
+
return 0;
|
1090
|
+
}
|
1091
|
+
// Delta CRL number must exceed full CRL number
|
1092
|
+
if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) {
|
1093
|
+
return 1;
|
1094
|
+
}
|
1095
|
+
return 0;
|
1181
1096
|
}
|
1182
1097
|
|
1183
|
-
|
1184
|
-
|
1185
|
-
* retrieve a chain of deltas...
|
1186
|
-
*/
|
1098
|
+
// For a given base CRL find a delta... maybe extend to delta scoring or
|
1099
|
+
// retrieve a chain of deltas...
|
1187
1100
|
|
1188
1101
|
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
|
1189
|
-
X509_CRL *base, STACK_OF(X509_CRL) *crls)
|
1190
|
-
|
1191
|
-
|
1192
|
-
|
1193
|
-
|
1194
|
-
|
1195
|
-
|
1196
|
-
|
1197
|
-
|
1198
|
-
|
1199
|
-
|
1200
|
-
|
1201
|
-
|
1202
|
-
|
1203
|
-
|
1204
|
-
|
1205
|
-
|
1206
|
-
|
1207
|
-
|
1208
|
-
}
|
1209
|
-
|
1210
|
-
|
1211
|
-
|
1212
|
-
|
1213
|
-
|
1214
|
-
|
1215
|
-
|
1216
|
-
|
1102
|
+
X509_CRL *base, STACK_OF(X509_CRL) *crls) {
|
1103
|
+
X509_CRL *delta;
|
1104
|
+
size_t i;
|
1105
|
+
if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) {
|
1106
|
+
return;
|
1107
|
+
}
|
1108
|
+
if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) {
|
1109
|
+
return;
|
1110
|
+
}
|
1111
|
+
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
|
1112
|
+
delta = sk_X509_CRL_value(crls, i);
|
1113
|
+
if (check_delta_base(delta, base)) {
|
1114
|
+
if (check_crl_time(ctx, delta, 0)) {
|
1115
|
+
*pscore |= CRL_SCORE_TIME_DELTA;
|
1116
|
+
}
|
1117
|
+
X509_CRL_up_ref(delta);
|
1118
|
+
*dcrl = delta;
|
1119
|
+
return;
|
1120
|
+
}
|
1121
|
+
}
|
1122
|
+
*dcrl = NULL;
|
1123
|
+
}
|
1124
|
+
|
1125
|
+
// For a given CRL return how suitable it is for the supplied certificate
|
1126
|
+
// 'x'. The return value is a mask of several criteria. If the issuer is not
|
1127
|
+
// the certificate issuer this is returned in *pissuer. The reasons mask is
|
1128
|
+
// also used to determine if the CRL is suitable: if no new reasons the CRL
|
1129
|
+
// is rejected, otherwise reasons is updated.
|
1217
1130
|
|
1218
1131
|
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
|
1219
|
-
unsigned int *preasons, X509_CRL *crl, X509 *x)
|
1220
|
-
|
1221
|
-
|
1222
|
-
int crl_score = 0;
|
1223
|
-
unsigned int tmp_reasons = *preasons, crl_reasons;
|
1132
|
+
unsigned int *preasons, X509_CRL *crl, X509 *x) {
|
1133
|
+
int crl_score = 0;
|
1134
|
+
unsigned int tmp_reasons = *preasons, crl_reasons;
|
1224
1135
|
|
1225
|
-
|
1136
|
+
// First see if we can reject CRL straight away
|
1226
1137
|
|
1227
|
-
|
1228
|
-
|
1229
|
-
|
1230
|
-
|
1231
|
-
|
1232
|
-
|
1233
|
-
|
1234
|
-
|
1235
|
-
|
1236
|
-
|
1237
|
-
|
1138
|
+
// Invalid IDP cannot be processed
|
1139
|
+
if (crl->idp_flags & IDP_INVALID) {
|
1140
|
+
return 0;
|
1141
|
+
}
|
1142
|
+
// Reason codes or indirect CRLs need extended CRL support
|
1143
|
+
if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
|
1144
|
+
if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) {
|
1145
|
+
return 0;
|
1146
|
+
}
|
1147
|
+
} else if (crl->idp_flags & IDP_REASONS) {
|
1148
|
+
// If no new reasons reject
|
1149
|
+
if (!(crl->idp_reasons & ~tmp_reasons)) {
|
1150
|
+
return 0;
|
1151
|
+
}
|
1152
|
+
}
|
1153
|
+
// Don't process deltas at this stage
|
1154
|
+
else if (crl->base_crl_number) {
|
1155
|
+
return 0;
|
1156
|
+
}
|
1157
|
+
// If issuer name doesn't match certificate need indirect CRL
|
1158
|
+
if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
|
1159
|
+
if (!(crl->idp_flags & IDP_INDIRECT)) {
|
1160
|
+
return 0;
|
1238
1161
|
}
|
1239
|
-
|
1240
|
-
|
1241
|
-
|
1242
|
-
/* If issuer name doesn't match certificate need indirect CRL */
|
1243
|
-
if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
|
1244
|
-
if (!(crl->idp_flags & IDP_INDIRECT))
|
1245
|
-
return 0;
|
1246
|
-
} else
|
1247
|
-
crl_score |= CRL_SCORE_ISSUER_NAME;
|
1162
|
+
} else {
|
1163
|
+
crl_score |= CRL_SCORE_ISSUER_NAME;
|
1164
|
+
}
|
1248
1165
|
|
1249
|
-
|
1250
|
-
|
1166
|
+
if (!(crl->flags & EXFLAG_CRITICAL)) {
|
1167
|
+
crl_score |= CRL_SCORE_NOCRITICAL;
|
1168
|
+
}
|
1251
1169
|
|
1252
|
-
|
1253
|
-
|
1254
|
-
|
1170
|
+
// Check expiry
|
1171
|
+
if (check_crl_time(ctx, crl, 0)) {
|
1172
|
+
crl_score |= CRL_SCORE_TIME;
|
1173
|
+
}
|
1255
1174
|
|
1256
|
-
|
1257
|
-
|
1175
|
+
// Check authority key ID and locate certificate issuer
|
1176
|
+
crl_akid_check(ctx, crl, pissuer, &crl_score);
|
1258
1177
|
|
1259
|
-
|
1178
|
+
// If we can't locate certificate issuer at this point forget it
|
1260
1179
|
|
1261
|
-
|
1262
|
-
|
1180
|
+
if (!(crl_score & CRL_SCORE_AKID)) {
|
1181
|
+
return 0;
|
1182
|
+
}
|
1263
1183
|
|
1264
|
-
|
1184
|
+
// Check cert for matching CRL distribution points
|
1265
1185
|
|
1266
|
-
|
1267
|
-
|
1268
|
-
|
1269
|
-
|
1270
|
-
tmp_reasons |= crl_reasons;
|
1271
|
-
crl_score |= CRL_SCORE_SCOPE;
|
1186
|
+
if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
|
1187
|
+
// If no new reasons reject
|
1188
|
+
if (!(crl_reasons & ~tmp_reasons)) {
|
1189
|
+
return 0;
|
1272
1190
|
}
|
1191
|
+
tmp_reasons |= crl_reasons;
|
1192
|
+
crl_score |= CRL_SCORE_SCOPE;
|
1193
|
+
}
|
1273
1194
|
|
1274
|
-
|
1275
|
-
|
1276
|
-
return crl_score;
|
1195
|
+
*preasons = tmp_reasons;
|
1277
1196
|
|
1197
|
+
return crl_score;
|
1278
1198
|
}
|
1279
1199
|
|
1280
|
-
static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
|
1281
|
-
|
1282
|
-
|
1283
|
-
|
1284
|
-
|
1285
|
-
|
1286
|
-
size_t i;
|
1200
|
+
static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
|
1201
|
+
int *pcrl_score) {
|
1202
|
+
X509 *crl_issuer = NULL;
|
1203
|
+
X509_NAME *cnm = X509_CRL_get_issuer(crl);
|
1204
|
+
int cidx = ctx->error_depth;
|
1205
|
+
size_t i;
|
1287
1206
|
|
1288
|
-
|
1289
|
-
|
1207
|
+
if ((size_t)cidx != sk_X509_num(ctx->chain) - 1) {
|
1208
|
+
cidx++;
|
1209
|
+
}
|
1290
1210
|
|
1291
|
-
|
1211
|
+
crl_issuer = sk_X509_value(ctx->chain, cidx);
|
1292
1212
|
|
1293
|
-
|
1294
|
-
|
1295
|
-
|
1296
|
-
|
1297
|
-
|
1298
|
-
}
|
1213
|
+
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
1214
|
+
if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
|
1215
|
+
*pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
|
1216
|
+
*pissuer = crl_issuer;
|
1217
|
+
return;
|
1299
1218
|
}
|
1219
|
+
}
|
1300
1220
|
|
1301
|
-
|
1302
|
-
|
1303
|
-
|
1304
|
-
|
1305
|
-
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
1306
|
-
*pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
|
1307
|
-
*pissuer = crl_issuer;
|
1308
|
-
return;
|
1309
|
-
}
|
1221
|
+
for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) {
|
1222
|
+
crl_issuer = sk_X509_value(ctx->chain, cidx);
|
1223
|
+
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) {
|
1224
|
+
continue;
|
1310
1225
|
}
|
1226
|
+
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
1227
|
+
*pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
|
1228
|
+
*pissuer = crl_issuer;
|
1229
|
+
return;
|
1230
|
+
}
|
1231
|
+
}
|
1311
1232
|
|
1312
|
-
|
1233
|
+
// Anything else needs extended CRL support
|
1313
1234
|
|
1314
|
-
|
1315
|
-
|
1235
|
+
if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
|
1236
|
+
return;
|
1237
|
+
}
|
1316
1238
|
|
1317
|
-
|
1318
|
-
|
1319
|
-
|
1320
|
-
|
1321
|
-
|
1322
|
-
|
1323
|
-
|
1324
|
-
|
1325
|
-
|
1326
|
-
|
1327
|
-
|
1328
|
-
return;
|
1329
|
-
}
|
1239
|
+
// Otherwise the CRL issuer is not on the path. Look for it in the set of
|
1240
|
+
// untrusted certificates.
|
1241
|
+
for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
|
1242
|
+
crl_issuer = sk_X509_value(ctx->untrusted, i);
|
1243
|
+
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) {
|
1244
|
+
continue;
|
1245
|
+
}
|
1246
|
+
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
|
1247
|
+
*pissuer = crl_issuer;
|
1248
|
+
*pcrl_score |= CRL_SCORE_AKID;
|
1249
|
+
return;
|
1330
1250
|
}
|
1251
|
+
}
|
1331
1252
|
}
|
1332
1253
|
|
1333
|
-
|
1334
|
-
|
1335
|
-
|
1336
|
-
|
1337
|
-
* be duplicated by the parent, but this will rarely be used in practice.
|
1338
|
-
*/
|
1339
|
-
|
1340
|
-
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
|
1341
|
-
{
|
1342
|
-
X509_STORE_CTX crl_ctx;
|
1343
|
-
int ret;
|
1344
|
-
/* Don't allow recursive CRL path validation */
|
1345
|
-
if (ctx->parent)
|
1346
|
-
return 0;
|
1347
|
-
if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
|
1348
|
-
return -1;
|
1349
|
-
|
1350
|
-
crl_ctx.crls = ctx->crls;
|
1351
|
-
/* Copy verify params across */
|
1352
|
-
X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
|
1353
|
-
|
1354
|
-
crl_ctx.parent = ctx;
|
1355
|
-
crl_ctx.verify_cb = ctx->verify_cb;
|
1356
|
-
|
1357
|
-
/* Verify CRL issuer */
|
1358
|
-
ret = X509_verify_cert(&crl_ctx);
|
1254
|
+
// Check the path of a CRL issuer certificate. This creates a new
|
1255
|
+
// X509_STORE_CTX and populates it with most of the parameters from the
|
1256
|
+
// parent. This could be optimised somewhat since a lot of path checking will
|
1257
|
+
// be duplicated by the parent, but this will rarely be used in practice.
|
1359
1258
|
|
1360
|
-
|
1361
|
-
|
1362
|
-
|
1363
|
-
|
1364
|
-
|
1365
|
-
ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
|
1366
|
-
err:
|
1367
|
-
X509_STORE_CTX_cleanup(&crl_ctx);
|
1368
|
-
return ret;
|
1369
|
-
}
|
1370
|
-
|
1371
|
-
/*
|
1372
|
-
* RFC 3280 says nothing about the relationship between CRL path and
|
1373
|
-
* certificate path, which could lead to situations where a certificate could
|
1374
|
-
* be revoked or validated by a CA not authorised to do so. RFC 5280 is more
|
1375
|
-
* strict and states that the two paths must end in the same trust anchor,
|
1376
|
-
* though some discussions remain... until this is resolved we use the
|
1377
|
-
* RFC 5280 version
|
1378
|
-
*/
|
1379
|
-
|
1380
|
-
static int check_crl_chain(X509_STORE_CTX *ctx,
|
1381
|
-
STACK_OF(X509) *cert_path,
|
1382
|
-
STACK_OF(X509) *crl_path)
|
1383
|
-
{
|
1384
|
-
X509 *cert_ta, *crl_ta;
|
1385
|
-
cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
|
1386
|
-
crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
|
1387
|
-
if (!X509_cmp(cert_ta, crl_ta))
|
1388
|
-
return 1;
|
1259
|
+
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) {
|
1260
|
+
X509_STORE_CTX crl_ctx;
|
1261
|
+
int ret;
|
1262
|
+
// Don't allow recursive CRL path validation
|
1263
|
+
if (ctx->parent) {
|
1389
1264
|
return 0;
|
1265
|
+
}
|
1266
|
+
if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted)) {
|
1267
|
+
return -1;
|
1268
|
+
}
|
1269
|
+
|
1270
|
+
crl_ctx.crls = ctx->crls;
|
1271
|
+
// Copy verify params across
|
1272
|
+
X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
|
1273
|
+
|
1274
|
+
crl_ctx.parent = ctx;
|
1275
|
+
crl_ctx.verify_cb = ctx->verify_cb;
|
1276
|
+
|
1277
|
+
// Verify CRL issuer
|
1278
|
+
ret = X509_verify_cert(&crl_ctx);
|
1279
|
+
|
1280
|
+
if (ret <= 0) {
|
1281
|
+
goto err;
|
1282
|
+
}
|
1283
|
+
|
1284
|
+
// Check chain is acceptable
|
1285
|
+
|
1286
|
+
ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
|
1287
|
+
err:
|
1288
|
+
X509_STORE_CTX_cleanup(&crl_ctx);
|
1289
|
+
return ret;
|
1290
|
+
}
|
1291
|
+
|
1292
|
+
// RFC 3280 says nothing about the relationship between CRL path and
|
1293
|
+
// certificate path, which could lead to situations where a certificate could
|
1294
|
+
// be revoked or validated by a CA not authorised to do so. RFC 5280 is more
|
1295
|
+
// strict and states that the two paths must end in the same trust anchor,
|
1296
|
+
// though some discussions remain... until this is resolved we use the
|
1297
|
+
// RFC 5280 version
|
1298
|
+
|
1299
|
+
static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
|
1300
|
+
STACK_OF(X509) *crl_path) {
|
1301
|
+
X509 *cert_ta, *crl_ta;
|
1302
|
+
cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
|
1303
|
+
crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
|
1304
|
+
if (!X509_cmp(cert_ta, crl_ta)) {
|
1305
|
+
return 1;
|
1306
|
+
}
|
1307
|
+
return 0;
|
1390
1308
|
}
|
1391
1309
|
|
1392
|
-
|
1393
|
-
|
1394
|
-
|
1395
|
-
|
1396
|
-
|
1397
|
-
|
1398
|
-
|
1399
|
-
|
1400
|
-
|
1401
|
-
|
1402
|
-
|
1403
|
-
|
1404
|
-
|
1405
|
-
|
1310
|
+
// Check for match between two dist point names: three separate cases. 1.
|
1311
|
+
// Both are relative names and compare X509_NAME types. 2. One full, one
|
1312
|
+
// relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
|
1313
|
+
// compare two GENERAL_NAMES. 4. One is NULL: automatic match.
|
1314
|
+
|
1315
|
+
static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) {
|
1316
|
+
X509_NAME *nm = NULL;
|
1317
|
+
GENERAL_NAMES *gens = NULL;
|
1318
|
+
GENERAL_NAME *gena, *genb;
|
1319
|
+
size_t i, j;
|
1320
|
+
if (!a || !b) {
|
1321
|
+
return 1;
|
1322
|
+
}
|
1323
|
+
if (a->type == 1) {
|
1324
|
+
if (!a->dpname) {
|
1325
|
+
return 0;
|
1326
|
+
}
|
1327
|
+
// Case 1: two X509_NAME
|
1328
|
+
if (b->type == 1) {
|
1329
|
+
if (!b->dpname) {
|
1330
|
+
return 0;
|
1331
|
+
}
|
1332
|
+
if (!X509_NAME_cmp(a->dpname, b->dpname)) {
|
1406
1333
|
return 1;
|
1407
|
-
|
1408
|
-
if (!a->dpname)
|
1409
|
-
return 0;
|
1410
|
-
/* Case 1: two X509_NAME */
|
1411
|
-
if (b->type == 1) {
|
1412
|
-
if (!b->dpname)
|
1413
|
-
return 0;
|
1414
|
-
if (!X509_NAME_cmp(a->dpname, b->dpname))
|
1415
|
-
return 1;
|
1416
|
-
else
|
1417
|
-
return 0;
|
1418
|
-
}
|
1419
|
-
/* Case 2: set name and GENERAL_NAMES appropriately */
|
1420
|
-
nm = a->dpname;
|
1421
|
-
gens = b->name.fullname;
|
1422
|
-
} else if (b->type == 1) {
|
1423
|
-
if (!b->dpname)
|
1424
|
-
return 0;
|
1425
|
-
/* Case 2: set name and GENERAL_NAMES appropriately */
|
1426
|
-
gens = a->name.fullname;
|
1427
|
-
nm = b->dpname;
|
1428
|
-
}
|
1429
|
-
|
1430
|
-
/* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
|
1431
|
-
if (nm) {
|
1432
|
-
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
1433
|
-
gena = sk_GENERAL_NAME_value(gens, i);
|
1434
|
-
if (gena->type != GEN_DIRNAME)
|
1435
|
-
continue;
|
1436
|
-
if (!X509_NAME_cmp(nm, gena->d.directoryName))
|
1437
|
-
return 1;
|
1438
|
-
}
|
1334
|
+
} else {
|
1439
1335
|
return 0;
|
1336
|
+
}
|
1337
|
+
}
|
1338
|
+
// Case 2: set name and GENERAL_NAMES appropriately
|
1339
|
+
nm = a->dpname;
|
1340
|
+
gens = b->name.fullname;
|
1341
|
+
} else if (b->type == 1) {
|
1342
|
+
if (!b->dpname) {
|
1343
|
+
return 0;
|
1344
|
+
}
|
1345
|
+
// Case 2: set name and GENERAL_NAMES appropriately
|
1346
|
+
gens = a->name.fullname;
|
1347
|
+
nm = b->dpname;
|
1348
|
+
}
|
1349
|
+
|
1350
|
+
// Handle case 2 with one GENERAL_NAMES and one X509_NAME
|
1351
|
+
if (nm) {
|
1352
|
+
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
1353
|
+
gena = sk_GENERAL_NAME_value(gens, i);
|
1354
|
+
if (gena->type != GEN_DIRNAME) {
|
1355
|
+
continue;
|
1356
|
+
}
|
1357
|
+
if (!X509_NAME_cmp(nm, gena->d.directoryName)) {
|
1358
|
+
return 1;
|
1359
|
+
}
|
1440
1360
|
}
|
1361
|
+
return 0;
|
1362
|
+
}
|
1441
1363
|
|
1442
|
-
|
1364
|
+
// Else case 3: two GENERAL_NAMES
|
1443
1365
|
|
1444
|
-
|
1445
|
-
|
1446
|
-
|
1447
|
-
|
1448
|
-
|
1449
|
-
|
1450
|
-
|
1366
|
+
for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
|
1367
|
+
gena = sk_GENERAL_NAME_value(a->name.fullname, i);
|
1368
|
+
for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
|
1369
|
+
genb = sk_GENERAL_NAME_value(b->name.fullname, j);
|
1370
|
+
if (!GENERAL_NAME_cmp(gena, genb)) {
|
1371
|
+
return 1;
|
1372
|
+
}
|
1451
1373
|
}
|
1374
|
+
}
|
1452
1375
|
|
1453
|
-
|
1454
|
-
|
1376
|
+
return 0;
|
1455
1377
|
}
|
1456
1378
|
|
1457
|
-
static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
|
1458
|
-
|
1459
|
-
|
1460
|
-
|
1461
|
-
|
1462
|
-
|
1463
|
-
|
1464
|
-
|
1465
|
-
|
1466
|
-
|
1467
|
-
|
1468
|
-
if (!X509_NAME_cmp(gen->d.directoryName, nm))
|
1469
|
-
return 1;
|
1379
|
+
static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) {
|
1380
|
+
size_t i;
|
1381
|
+
X509_NAME *nm = X509_CRL_get_issuer(crl);
|
1382
|
+
// If no CRLissuer return is successful iff don't need a match
|
1383
|
+
if (!dp->CRLissuer) {
|
1384
|
+
return !!(crl_score & CRL_SCORE_ISSUER_NAME);
|
1385
|
+
}
|
1386
|
+
for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
|
1387
|
+
GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
|
1388
|
+
if (gen->type != GEN_DIRNAME) {
|
1389
|
+
continue;
|
1470
1390
|
}
|
1471
|
-
|
1391
|
+
if (!X509_NAME_cmp(gen->d.directoryName, nm)) {
|
1392
|
+
return 1;
|
1393
|
+
}
|
1394
|
+
}
|
1395
|
+
return 0;
|
1472
1396
|
}
|
1473
1397
|
|
1474
|
-
|
1398
|
+
// Check CRLDP and IDP
|
1475
1399
|
|
1476
1400
|
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
|
1477
|
-
unsigned int *preasons)
|
1478
|
-
|
1479
|
-
|
1480
|
-
if (crl->idp_flags & IDP_ONLYATTR)
|
1481
|
-
return 0;
|
1482
|
-
if (x->ex_flags & EXFLAG_CA) {
|
1483
|
-
if (crl->idp_flags & IDP_ONLYUSER)
|
1484
|
-
return 0;
|
1485
|
-
} else {
|
1486
|
-
if (crl->idp_flags & IDP_ONLYCA)
|
1487
|
-
return 0;
|
1488
|
-
}
|
1489
|
-
*preasons = crl->idp_reasons;
|
1490
|
-
for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
|
1491
|
-
DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
|
1492
|
-
if (crldp_check_crlissuer(dp, crl, crl_score)) {
|
1493
|
-
if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
|
1494
|
-
*preasons &= dp->dp_reasons;
|
1495
|
-
return 1;
|
1496
|
-
}
|
1497
|
-
}
|
1498
|
-
}
|
1499
|
-
if ((!crl->idp || !crl->idp->distpoint)
|
1500
|
-
&& (crl_score & CRL_SCORE_ISSUER_NAME))
|
1501
|
-
return 1;
|
1401
|
+
unsigned int *preasons) {
|
1402
|
+
size_t i;
|
1403
|
+
if (crl->idp_flags & IDP_ONLYATTR) {
|
1502
1404
|
return 0;
|
1405
|
+
}
|
1406
|
+
if (x->ex_flags & EXFLAG_CA) {
|
1407
|
+
if (crl->idp_flags & IDP_ONLYUSER) {
|
1408
|
+
return 0;
|
1409
|
+
}
|
1410
|
+
} else {
|
1411
|
+
if (crl->idp_flags & IDP_ONLYCA) {
|
1412
|
+
return 0;
|
1413
|
+
}
|
1414
|
+
}
|
1415
|
+
*preasons = crl->idp_reasons;
|
1416
|
+
for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
|
1417
|
+
DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
|
1418
|
+
if (crldp_check_crlissuer(dp, crl, crl_score)) {
|
1419
|
+
if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
|
1420
|
+
*preasons &= dp->dp_reasons;
|
1421
|
+
return 1;
|
1422
|
+
}
|
1423
|
+
}
|
1424
|
+
}
|
1425
|
+
if ((!crl->idp || !crl->idp->distpoint) &&
|
1426
|
+
(crl_score & CRL_SCORE_ISSUER_NAME)) {
|
1427
|
+
return 1;
|
1428
|
+
}
|
1429
|
+
return 0;
|
1503
1430
|
}
|
1504
1431
|
|
1505
|
-
|
1506
|
-
|
1507
|
-
* to find a delta CRL too
|
1508
|
-
*/
|
1432
|
+
// Retrieve CRL corresponding to current certificate. If deltas enabled try
|
1433
|
+
// to find a delta CRL too
|
1509
1434
|
|
1510
|
-
static int get_crl_delta(X509_STORE_CTX *ctx,
|
1511
|
-
|
1512
|
-
|
1513
|
-
|
1514
|
-
|
1515
|
-
|
1516
|
-
|
1517
|
-
|
1518
|
-
|
1519
|
-
|
1520
|
-
|
1521
|
-
ok = get_crl_sk(ctx, &crl, &dcrl,
|
1522
|
-
&issuer, &crl_score, &reasons, ctx->crls);
|
1435
|
+
static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
|
1436
|
+
X509 *x) {
|
1437
|
+
int ok;
|
1438
|
+
X509 *issuer = NULL;
|
1439
|
+
int crl_score = 0;
|
1440
|
+
unsigned int reasons;
|
1441
|
+
X509_CRL *crl = NULL, *dcrl = NULL;
|
1442
|
+
STACK_OF(X509_CRL) *skcrl;
|
1443
|
+
X509_NAME *nm = X509_get_issuer_name(x);
|
1444
|
+
reasons = ctx->current_reasons;
|
1445
|
+
ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, ctx->crls);
|
1523
1446
|
|
1524
|
-
|
1525
|
-
|
1447
|
+
if (ok) {
|
1448
|
+
goto done;
|
1449
|
+
}
|
1526
1450
|
|
1527
|
-
|
1451
|
+
// Lookup CRLs from store
|
1528
1452
|
|
1529
|
-
|
1453
|
+
skcrl = ctx->lookup_crls(ctx, nm);
|
1530
1454
|
|
1531
|
-
|
1532
|
-
|
1533
|
-
|
1455
|
+
// If no CRLs found and a near match from get_crl_sk use that
|
1456
|
+
if (!skcrl && crl) {
|
1457
|
+
goto done;
|
1458
|
+
}
|
1534
1459
|
|
1535
|
-
|
1460
|
+
get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
|
1536
1461
|
|
1537
|
-
|
1462
|
+
sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
|
1538
1463
|
|
1539
|
-
|
1464
|
+
done:
|
1540
1465
|
|
1541
|
-
|
1542
|
-
|
1543
|
-
|
1544
|
-
|
1545
|
-
|
1546
|
-
|
1547
|
-
|
1548
|
-
|
1466
|
+
// If we got any kind of CRL use it and return success
|
1467
|
+
if (crl) {
|
1468
|
+
ctx->current_issuer = issuer;
|
1469
|
+
ctx->current_crl_score = crl_score;
|
1470
|
+
ctx->current_reasons = reasons;
|
1471
|
+
*pcrl = crl;
|
1472
|
+
*pdcrl = dcrl;
|
1473
|
+
return 1;
|
1474
|
+
}
|
1475
|
+
|
1476
|
+
return 0;
|
1477
|
+
}
|
1478
|
+
|
1479
|
+
// Check CRL validity
|
1480
|
+
static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) {
|
1481
|
+
X509 *issuer = NULL;
|
1482
|
+
EVP_PKEY *ikey = NULL;
|
1483
|
+
int ok = 0, chnum, cnum;
|
1484
|
+
cnum = ctx->error_depth;
|
1485
|
+
chnum = sk_X509_num(ctx->chain) - 1;
|
1486
|
+
// if we have an alternative CRL issuer cert use that
|
1487
|
+
if (ctx->current_issuer) {
|
1488
|
+
issuer = ctx->current_issuer;
|
1489
|
+
}
|
1490
|
+
|
1491
|
+
// Else find CRL issuer: if not last certificate then issuer is next
|
1492
|
+
// certificate in chain.
|
1493
|
+
else if (cnum < chnum) {
|
1494
|
+
issuer = sk_X509_value(ctx->chain, cnum + 1);
|
1495
|
+
} else {
|
1496
|
+
issuer = sk_X509_value(ctx->chain, chnum);
|
1497
|
+
// If not self signed, can't check signature
|
1498
|
+
if (!ctx->check_issued(ctx, issuer, issuer)) {
|
1499
|
+
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
|
1500
|
+
ok = ctx->verify_cb(0, ctx);
|
1501
|
+
if (!ok) {
|
1502
|
+
goto err;
|
1503
|
+
}
|
1549
1504
|
}
|
1505
|
+
}
|
1550
1506
|
|
1551
|
-
|
1552
|
-
|
1553
|
-
|
1554
|
-
|
1555
|
-
|
1556
|
-
{
|
1557
|
-
|
1558
|
-
|
1559
|
-
|
1560
|
-
|
1561
|
-
chnum = sk_X509_num(ctx->chain) - 1;
|
1562
|
-
/* if we have an alternative CRL issuer cert use that */
|
1563
|
-
if (ctx->current_issuer)
|
1564
|
-
issuer = ctx->current_issuer;
|
1565
|
-
|
1566
|
-
/*
|
1567
|
-
* Else find CRL issuer: if not last certificate then issuer is next
|
1568
|
-
* certificate in chain.
|
1569
|
-
*/
|
1570
|
-
else if (cnum < chnum)
|
1571
|
-
issuer = sk_X509_value(ctx->chain, cnum + 1);
|
1572
|
-
else {
|
1573
|
-
issuer = sk_X509_value(ctx->chain, chnum);
|
1574
|
-
/* If not self signed, can't check signature */
|
1575
|
-
if (!ctx->check_issued(ctx, issuer, issuer)) {
|
1576
|
-
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
|
1577
|
-
ok = ctx->verify_cb(0, ctx);
|
1578
|
-
if (!ok)
|
1579
|
-
goto err;
|
1507
|
+
if (issuer) {
|
1508
|
+
// Skip most tests for deltas because they have already been done
|
1509
|
+
if (!crl->base_crl_number) {
|
1510
|
+
// Check for cRLSign bit if keyUsage present
|
1511
|
+
if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
|
1512
|
+
!(issuer->ex_kusage & KU_CRL_SIGN)) {
|
1513
|
+
ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
|
1514
|
+
ok = ctx->verify_cb(0, ctx);
|
1515
|
+
if (!ok) {
|
1516
|
+
goto err;
|
1580
1517
|
}
|
1581
|
-
|
1582
|
-
|
1583
|
-
if (issuer) {
|
1584
|
-
/*
|
1585
|
-
* Skip most tests for deltas because they have already been done
|
1586
|
-
*/
|
1587
|
-
if (!crl->base_crl_number) {
|
1588
|
-
/* Check for cRLSign bit if keyUsage present */
|
1589
|
-
if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
|
1590
|
-
!(issuer->ex_kusage & KU_CRL_SIGN)) {
|
1591
|
-
ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
|
1592
|
-
ok = ctx->verify_cb(0, ctx);
|
1593
|
-
if (!ok)
|
1594
|
-
goto err;
|
1595
|
-
}
|
1596
|
-
|
1597
|
-
if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
|
1598
|
-
ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
|
1599
|
-
ok = ctx->verify_cb(0, ctx);
|
1600
|
-
if (!ok)
|
1601
|
-
goto err;
|
1602
|
-
}
|
1603
|
-
|
1604
|
-
if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
|
1605
|
-
if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
|
1606
|
-
ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
|
1607
|
-
ok = ctx->verify_cb(0, ctx);
|
1608
|
-
if (!ok)
|
1609
|
-
goto err;
|
1610
|
-
}
|
1611
|
-
}
|
1612
|
-
|
1613
|
-
if (crl->idp_flags & IDP_INVALID) {
|
1614
|
-
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
1615
|
-
ok = ctx->verify_cb(0, ctx);
|
1616
|
-
if (!ok)
|
1617
|
-
goto err;
|
1618
|
-
}
|
1518
|
+
}
|
1619
1519
|
|
1520
|
+
if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
|
1521
|
+
ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
|
1522
|
+
ok = ctx->verify_cb(0, ctx);
|
1523
|
+
if (!ok) {
|
1524
|
+
goto err;
|
1620
1525
|
}
|
1526
|
+
}
|
1621
1527
|
|
1622
|
-
|
1623
|
-
|
1624
|
-
|
1625
|
-
|
1528
|
+
if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
|
1529
|
+
if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
|
1530
|
+
ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
|
1531
|
+
ok = ctx->verify_cb(0, ctx);
|
1532
|
+
if (!ok) {
|
1533
|
+
goto err;
|
1534
|
+
}
|
1626
1535
|
}
|
1536
|
+
}
|
1627
1537
|
|
1628
|
-
|
1629
|
-
|
1630
|
-
|
1631
|
-
if (!
|
1632
|
-
|
1633
|
-
ok = ctx->verify_cb(0, ctx);
|
1634
|
-
if (!ok)
|
1635
|
-
goto err;
|
1636
|
-
} else {
|
1637
|
-
int rv;
|
1638
|
-
rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
|
1639
|
-
if (rv != X509_V_OK) {
|
1640
|
-
ctx->error = rv;
|
1641
|
-
ok = ctx->verify_cb(0, ctx);
|
1642
|
-
if (!ok)
|
1643
|
-
goto err;
|
1644
|
-
}
|
1645
|
-
/* Verify CRL signature */
|
1646
|
-
if (X509_CRL_verify(crl, ikey) <= 0) {
|
1647
|
-
ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
|
1648
|
-
ok = ctx->verify_cb(0, ctx);
|
1649
|
-
if (!ok)
|
1650
|
-
goto err;
|
1651
|
-
}
|
1538
|
+
if (crl->idp_flags & IDP_INVALID) {
|
1539
|
+
ctx->error = X509_V_ERR_INVALID_EXTENSION;
|
1540
|
+
ok = ctx->verify_cb(0, ctx);
|
1541
|
+
if (!ok) {
|
1542
|
+
goto err;
|
1652
1543
|
}
|
1544
|
+
}
|
1653
1545
|
}
|
1654
1546
|
|
1655
|
-
|
1547
|
+
if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
|
1548
|
+
ok = check_crl_time(ctx, crl, 1);
|
1549
|
+
if (!ok) {
|
1550
|
+
goto err;
|
1551
|
+
}
|
1552
|
+
}
|
1656
1553
|
|
1657
|
-
|
1658
|
-
|
1659
|
-
return ok;
|
1660
|
-
}
|
1554
|
+
// Attempt to get issuer certificate public key
|
1555
|
+
ikey = X509_get_pubkey(issuer);
|
1661
1556
|
|
1662
|
-
|
1663
|
-
|
1664
|
-
|
1665
|
-
|
1666
|
-
|
1667
|
-
|
1668
|
-
|
1669
|
-
|
1670
|
-
|
1671
|
-
|
1672
|
-
*/
|
1673
|
-
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
|
1674
|
-
&& (crl->flags & EXFLAG_CRITICAL)) {
|
1675
|
-
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
|
1676
|
-
ok = ctx->verify_cb(0, ctx);
|
1677
|
-
if (!ok)
|
1678
|
-
return 0;
|
1679
|
-
}
|
1680
|
-
/*
|
1681
|
-
* Look for serial number of certificate in CRL If found make sure reason
|
1682
|
-
* is not removeFromCRL.
|
1683
|
-
*/
|
1684
|
-
if (X509_CRL_get0_by_cert(crl, &rev, x)) {
|
1685
|
-
if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
|
1686
|
-
return 2;
|
1687
|
-
ctx->error = X509_V_ERR_CERT_REVOKED;
|
1557
|
+
if (!ikey) {
|
1558
|
+
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
|
1559
|
+
ok = ctx->verify_cb(0, ctx);
|
1560
|
+
if (!ok) {
|
1561
|
+
goto err;
|
1562
|
+
}
|
1563
|
+
} else {
|
1564
|
+
// Verify CRL signature
|
1565
|
+
if (X509_CRL_verify(crl, ikey) <= 0) {
|
1566
|
+
ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
|
1688
1567
|
ok = ctx->verify_cb(0, ctx);
|
1689
|
-
if (!ok)
|
1690
|
-
|
1568
|
+
if (!ok) {
|
1569
|
+
goto err;
|
1570
|
+
}
|
1571
|
+
}
|
1691
1572
|
}
|
1573
|
+
}
|
1692
1574
|
|
1693
|
-
|
1575
|
+
ok = 1;
|
1576
|
+
|
1577
|
+
err:
|
1578
|
+
EVP_PKEY_free(ikey);
|
1579
|
+
return ok;
|
1694
1580
|
}
|
1695
1581
|
|
1696
|
-
|
1697
|
-
{
|
1698
|
-
|
1699
|
-
|
1700
|
-
|
1701
|
-
|
1702
|
-
|
1703
|
-
|
1704
|
-
|
1705
|
-
|
1706
|
-
|
1582
|
+
// Check certificate against CRL
|
1583
|
+
static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) {
|
1584
|
+
int ok;
|
1585
|
+
X509_REVOKED *rev;
|
1586
|
+
// The rules changed for this... previously if a CRL contained unhandled
|
1587
|
+
// critical extensions it could still be used to indicate a certificate
|
1588
|
+
// was revoked. This has since been changed since critical extension can
|
1589
|
+
// change the meaning of CRL entries.
|
1590
|
+
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
|
1591
|
+
(crl->flags & EXFLAG_CRITICAL)) {
|
1592
|
+
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
|
1593
|
+
ok = ctx->verify_cb(0, ctx);
|
1594
|
+
if (!ok) {
|
1595
|
+
return 0;
|
1707
1596
|
}
|
1708
|
-
|
1709
|
-
|
1710
|
-
|
1711
|
-
|
1712
|
-
|
1713
|
-
|
1714
|
-
size_t i;
|
1715
|
-
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
|
1716
|
-
x = sk_X509_value(ctx->chain, i);
|
1717
|
-
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
|
1718
|
-
continue;
|
1719
|
-
ctx->current_cert = x;
|
1720
|
-
ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
|
1721
|
-
if (!ctx->verify_cb(0, ctx))
|
1722
|
-
return 0;
|
1723
|
-
}
|
1724
|
-
return 1;
|
1597
|
+
}
|
1598
|
+
// Look for serial number of certificate in CRL If found make sure reason
|
1599
|
+
// is not removeFromCRL.
|
1600
|
+
if (X509_CRL_get0_by_cert(crl, &rev, x)) {
|
1601
|
+
if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) {
|
1602
|
+
return 2;
|
1725
1603
|
}
|
1726
|
-
|
1727
|
-
|
1728
|
-
|
1729
|
-
|
1730
|
-
}
|
1731
|
-
|
1732
|
-
if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
|
1733
|
-
ctx->current_cert = NULL;
|
1734
|
-
/*
|
1735
|
-
* Verification errors need to be "sticky", a callback may have allowed
|
1736
|
-
* an SSL handshake to continue despite an error, and we must then
|
1737
|
-
* remain in an error state. Therefore, we MUST NOT clear earlier
|
1738
|
-
* verification errors by setting the error to X509_V_OK.
|
1739
|
-
*/
|
1740
|
-
if (!ctx->verify_cb(2, ctx))
|
1741
|
-
return 0;
|
1604
|
+
ctx->error = X509_V_ERR_CERT_REVOKED;
|
1605
|
+
ok = ctx->verify_cb(0, ctx);
|
1606
|
+
if (!ok) {
|
1607
|
+
return 0;
|
1742
1608
|
}
|
1609
|
+
}
|
1743
1610
|
|
1744
|
-
|
1611
|
+
return 1;
|
1745
1612
|
}
|
1746
1613
|
|
1747
|
-
static int
|
1748
|
-
{
|
1749
|
-
|
1750
|
-
|
1614
|
+
static int check_policy(X509_STORE_CTX *ctx) {
|
1615
|
+
if (ctx->parent) {
|
1616
|
+
return 1;
|
1617
|
+
}
|
1751
1618
|
|
1752
|
-
|
1753
|
-
|
1754
|
-
|
1755
|
-
|
1619
|
+
X509 *current_cert = NULL;
|
1620
|
+
int ret = X509_policy_check(ctx->chain, ctx->param->policies,
|
1621
|
+
ctx->param->flags, ¤t_cert);
|
1622
|
+
if (ret != X509_V_OK) {
|
1623
|
+
ctx->current_cert = current_cert;
|
1624
|
+
ctx->error = ret;
|
1625
|
+
if (ret == X509_V_ERR_OUT_OF_MEM) {
|
1626
|
+
return 0;
|
1627
|
+
}
|
1628
|
+
return ctx->verify_cb(0, ctx);
|
1629
|
+
}
|
1756
1630
|
|
1757
|
-
|
1758
|
-
|
1759
|
-
|
1760
|
-
|
1761
|
-
|
1762
|
-
|
1631
|
+
if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
|
1632
|
+
ctx->current_cert = NULL;
|
1633
|
+
// Verification errors need to be "sticky", a callback may have allowed
|
1634
|
+
// an SSL handshake to continue despite an error, and we must then
|
1635
|
+
// remain in an error state. Therefore, we MUST NOT clear earlier
|
1636
|
+
// verification errors by setting the error to X509_V_OK.
|
1637
|
+
if (!ctx->verify_cb(2, ctx)) {
|
1638
|
+
return 0;
|
1763
1639
|
}
|
1640
|
+
}
|
1764
1641
|
|
1765
|
-
|
1766
|
-
|
1767
|
-
|
1768
|
-
|
1769
|
-
|
1642
|
+
return 1;
|
1643
|
+
}
|
1644
|
+
|
1645
|
+
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) {
|
1646
|
+
if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {
|
1647
|
+
return 1;
|
1648
|
+
}
|
1649
|
+
|
1650
|
+
int64_t ptime;
|
1651
|
+
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
|
1652
|
+
ptime = ctx->param->check_time;
|
1653
|
+
} else {
|
1654
|
+
ptime = time(NULL);
|
1655
|
+
}
|
1656
|
+
|
1657
|
+
int i = X509_cmp_time_posix(X509_get_notBefore(x), ptime);
|
1658
|
+
if (i == 0) {
|
1659
|
+
ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
|
1660
|
+
ctx->current_cert = x;
|
1661
|
+
if (!ctx->verify_cb(0, ctx)) {
|
1662
|
+
return 0;
|
1770
1663
|
}
|
1664
|
+
}
|
1771
1665
|
|
1772
|
-
|
1773
|
-
|
1774
|
-
|
1775
|
-
|
1776
|
-
|
1777
|
-
return 0;
|
1666
|
+
if (i > 0) {
|
1667
|
+
ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
|
1668
|
+
ctx->current_cert = x;
|
1669
|
+
if (!ctx->verify_cb(0, ctx)) {
|
1670
|
+
return 0;
|
1778
1671
|
}
|
1672
|
+
}
|
1779
1673
|
|
1780
|
-
|
1781
|
-
|
1782
|
-
|
1783
|
-
|
1784
|
-
|
1674
|
+
i = X509_cmp_time_posix(X509_get_notAfter(x), ptime);
|
1675
|
+
if (i == 0) {
|
1676
|
+
ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
|
1677
|
+
ctx->current_cert = x;
|
1678
|
+
if (!ctx->verify_cb(0, ctx)) {
|
1679
|
+
return 0;
|
1785
1680
|
}
|
1681
|
+
}
|
1786
1682
|
|
1787
|
-
|
1683
|
+
if (i < 0) {
|
1684
|
+
ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
|
1685
|
+
ctx->current_cert = x;
|
1686
|
+
if (!ctx->verify_cb(0, ctx)) {
|
1687
|
+
return 0;
|
1688
|
+
}
|
1689
|
+
}
|
1690
|
+
|
1691
|
+
return 1;
|
1788
1692
|
}
|
1789
1693
|
|
1790
|
-
static int internal_verify(X509_STORE_CTX *ctx)
|
1791
|
-
|
1792
|
-
|
1793
|
-
|
1794
|
-
EVP_PKEY *pkey = NULL;
|
1795
|
-
int (*cb) (int xok, X509_STORE_CTX *xctx);
|
1694
|
+
static int internal_verify(X509_STORE_CTX *ctx) {
|
1695
|
+
int ok = 0, n;
|
1696
|
+
X509 *xs, *xi;
|
1697
|
+
EVP_PKEY *pkey = NULL;
|
1796
1698
|
|
1797
|
-
|
1699
|
+
n = sk_X509_num(ctx->chain);
|
1700
|
+
ctx->error_depth = n - 1;
|
1701
|
+
n--;
|
1702
|
+
xi = sk_X509_value(ctx->chain, n);
|
1798
1703
|
|
1799
|
-
|
1800
|
-
|
1801
|
-
|
1802
|
-
|
1803
|
-
|
1804
|
-
|
1805
|
-
|
1806
|
-
|
1807
|
-
|
1808
|
-
|
1809
|
-
|
1704
|
+
if (ctx->check_issued(ctx, xi, xi)) {
|
1705
|
+
xs = xi;
|
1706
|
+
} else {
|
1707
|
+
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
|
1708
|
+
xs = xi;
|
1709
|
+
goto check_cert;
|
1710
|
+
}
|
1711
|
+
if (n <= 0) {
|
1712
|
+
ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
|
1713
|
+
ctx->current_cert = xi;
|
1714
|
+
ok = ctx->verify_cb(0, ctx);
|
1715
|
+
goto end;
|
1716
|
+
} else {
|
1717
|
+
n--;
|
1718
|
+
ctx->error_depth = n;
|
1719
|
+
xs = sk_X509_value(ctx->chain, n);
|
1720
|
+
}
|
1721
|
+
}
|
1722
|
+
|
1723
|
+
// ctx->error=0; not needed
|
1724
|
+
while (n >= 0) {
|
1725
|
+
ctx->error_depth = n;
|
1726
|
+
|
1727
|
+
// Skip signature check for self signed certificates unless
|
1728
|
+
// explicitly asked for. It doesn't add any security and just wastes
|
1729
|
+
// time.
|
1730
|
+
if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
|
1731
|
+
if ((pkey = X509_get_pubkey(xi)) == NULL) {
|
1732
|
+
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
|
1733
|
+
ctx->current_cert = xi;
|
1734
|
+
ok = ctx->verify_cb(0, ctx);
|
1735
|
+
if (!ok) {
|
1736
|
+
goto end;
|
1810
1737
|
}
|
1811
|
-
|
1812
|
-
|
1813
|
-
|
1814
|
-
|
1815
|
-
|
1816
|
-
|
1817
|
-
|
1818
|
-
ctx->error_depth = n;
|
1819
|
-
xs = sk_X509_value(ctx->chain, n);
|
1738
|
+
} else if (X509_verify(xs, pkey) <= 0) {
|
1739
|
+
ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
|
1740
|
+
ctx->current_cert = xs;
|
1741
|
+
ok = ctx->verify_cb(0, ctx);
|
1742
|
+
if (!ok) {
|
1743
|
+
EVP_PKEY_free(pkey);
|
1744
|
+
goto end;
|
1820
1745
|
}
|
1746
|
+
}
|
1747
|
+
EVP_PKEY_free(pkey);
|
1748
|
+
pkey = NULL;
|
1821
1749
|
}
|
1822
1750
|
|
1823
|
-
|
1824
|
-
|
1825
|
-
|
1826
|
-
|
1827
|
-
/*
|
1828
|
-
* Skip signature check for self signed certificates unless
|
1829
|
-
* explicitly asked for. It doesn't add any security and just wastes
|
1830
|
-
* time.
|
1831
|
-
*/
|
1832
|
-
if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
|
1833
|
-
if ((pkey = X509_get_pubkey(xi)) == NULL) {
|
1834
|
-
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
|
1835
|
-
ctx->current_cert = xi;
|
1836
|
-
ok = (*cb) (0, ctx);
|
1837
|
-
if (!ok)
|
1838
|
-
goto end;
|
1839
|
-
} else if (X509_verify(xs, pkey) <= 0) {
|
1840
|
-
ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
|
1841
|
-
ctx->current_cert = xs;
|
1842
|
-
ok = (*cb) (0, ctx);
|
1843
|
-
if (!ok) {
|
1844
|
-
EVP_PKEY_free(pkey);
|
1845
|
-
goto end;
|
1846
|
-
}
|
1847
|
-
}
|
1848
|
-
EVP_PKEY_free(pkey);
|
1849
|
-
pkey = NULL;
|
1850
|
-
}
|
1851
|
-
|
1852
|
-
check_cert:
|
1853
|
-
ok = check_cert_time(ctx, xs);
|
1854
|
-
if (!ok)
|
1855
|
-
goto end;
|
1856
|
-
|
1857
|
-
/* The last error (if any) is still in the error value */
|
1858
|
-
ctx->current_issuer = xi;
|
1859
|
-
ctx->current_cert = xs;
|
1860
|
-
ok = (*cb) (1, ctx);
|
1861
|
-
if (!ok)
|
1862
|
-
goto end;
|
1863
|
-
|
1864
|
-
n--;
|
1865
|
-
if (n >= 0) {
|
1866
|
-
xi = xs;
|
1867
|
-
xs = sk_X509_value(ctx->chain, n);
|
1868
|
-
}
|
1751
|
+
check_cert:
|
1752
|
+
ok = check_cert_time(ctx, xs);
|
1753
|
+
if (!ok) {
|
1754
|
+
goto end;
|
1869
1755
|
}
|
1870
|
-
|
1871
|
-
|
1872
|
-
|
1873
|
-
|
1874
|
-
|
1875
|
-
|
1876
|
-
|
1877
|
-
return X509_cmp_time(ctm, NULL);
|
1878
|
-
}
|
1879
|
-
|
1880
|
-
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
|
1881
|
-
{
|
1882
|
-
static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
|
1883
|
-
static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
|
1884
|
-
ASN1_TIME *asn1_cmp_time = NULL;
|
1885
|
-
int i, day, sec, ret = 0;
|
1886
|
-
|
1887
|
-
/*
|
1888
|
-
* Note that ASN.1 allows much more slack in the time format than RFC 5280.
|
1889
|
-
* In RFC 5280, the representation is fixed:
|
1890
|
-
* UTCTime: YYMMDDHHMMSSZ
|
1891
|
-
* GeneralizedTime: YYYYMMDDHHMMSSZ
|
1892
|
-
*
|
1893
|
-
* We do NOT currently enforce the following RFC 5280 requirement:
|
1894
|
-
* "CAs conforming to this profile MUST always encode certificate
|
1895
|
-
* validity dates through the year 2049 as UTCTime; certificate validity
|
1896
|
-
* dates in 2050 or later MUST be encoded as GeneralizedTime."
|
1897
|
-
*/
|
1898
|
-
switch (ctm->type) {
|
1899
|
-
case V_ASN1_UTCTIME:
|
1900
|
-
if (ctm->length != (int)(utctime_length))
|
1901
|
-
return 0;
|
1902
|
-
break;
|
1903
|
-
case V_ASN1_GENERALIZEDTIME:
|
1904
|
-
if (ctm->length != (int)(generalizedtime_length))
|
1905
|
-
return 0;
|
1906
|
-
break;
|
1907
|
-
default:
|
1908
|
-
return 0;
|
1756
|
+
|
1757
|
+
// The last error (if any) is still in the error value
|
1758
|
+
ctx->current_issuer = xi;
|
1759
|
+
ctx->current_cert = xs;
|
1760
|
+
ok = ctx->verify_cb(1, ctx);
|
1761
|
+
if (!ok) {
|
1762
|
+
goto end;
|
1909
1763
|
}
|
1910
1764
|
|
1911
|
-
|
1912
|
-
|
1913
|
-
|
1914
|
-
|
1915
|
-
*/
|
1916
|
-
for (i = 0; i < ctm->length - 1; i++) {
|
1917
|
-
if (!isdigit(ctm->data[i]))
|
1918
|
-
return 0;
|
1765
|
+
n--;
|
1766
|
+
if (n >= 0) {
|
1767
|
+
xi = xs;
|
1768
|
+
xs = sk_X509_value(ctx->chain, n);
|
1919
1769
|
}
|
1920
|
-
|
1921
|
-
|
1770
|
+
}
|
1771
|
+
ok = 1;
|
1772
|
+
end:
|
1773
|
+
return ok;
|
1774
|
+
}
|
1922
1775
|
|
1923
|
-
|
1924
|
-
|
1925
|
-
|
1926
|
-
* so we go through ASN.1
|
1927
|
-
*/
|
1928
|
-
asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time);
|
1929
|
-
if (asn1_cmp_time == NULL)
|
1930
|
-
goto err;
|
1931
|
-
if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time))
|
1932
|
-
goto err;
|
1776
|
+
int X509_cmp_current_time(const ASN1_TIME *ctm) {
|
1777
|
+
return X509_cmp_time_posix(ctm, time(NULL));
|
1778
|
+
}
|
1933
1779
|
|
1934
|
-
|
1935
|
-
|
1936
|
-
|
1937
|
-
|
1938
|
-
ret = (day >= 0 && sec >= 0) ? -1 : 1;
|
1780
|
+
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) {
|
1781
|
+
int64_t compare_time = (cmp_time == NULL) ? time(NULL) : *cmp_time;
|
1782
|
+
return X509_cmp_time_posix(ctm, compare_time);
|
1783
|
+
}
|
1939
1784
|
|
1940
|
-
|
1941
|
-
|
1942
|
-
|
1785
|
+
int X509_cmp_time_posix(const ASN1_TIME *ctm, int64_t cmp_time) {
|
1786
|
+
int64_t ctm_time;
|
1787
|
+
if (!ASN1_TIME_to_posix(ctm, &ctm_time)) {
|
1788
|
+
return 0;
|
1789
|
+
}
|
1790
|
+
// The return value 0 is reserved for errors.
|
1791
|
+
return (ctm_time - cmp_time <= 0) ? -1 : 1;
|
1943
1792
|
}
|
1944
1793
|
|
1945
|
-
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec)
|
1946
|
-
|
1947
|
-
return X509_time_adj(s, offset_sec, NULL);
|
1794
|
+
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec) {
|
1795
|
+
return X509_time_adj(s, offset_sec, NULL);
|
1948
1796
|
}
|
1949
1797
|
|
1950
|
-
ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
|
1951
|
-
|
1952
|
-
return X509_time_adj_ex(s, 0, offset_sec, in_tm);
|
1798
|
+
ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) {
|
1799
|
+
return X509_time_adj_ex(s, 0, offset_sec, in_tm);
|
1953
1800
|
}
|
1954
1801
|
|
1955
|
-
ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
|
1956
|
-
|
1957
|
-
|
1958
|
-
time_t t = 0;
|
1802
|
+
ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec,
|
1803
|
+
time_t *in_tm) {
|
1804
|
+
int64_t t = 0;
|
1959
1805
|
|
1960
|
-
|
1961
|
-
|
1962
|
-
|
1963
|
-
|
1964
|
-
|
1965
|
-
|
1966
|
-
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
|
1967
|
-
}
|
1968
|
-
|
1969
|
-
/* Make a delta CRL as the diff between two full CRLs */
|
1970
|
-
|
1971
|
-
X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
|
1972
|
-
EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
|
1973
|
-
{
|
1974
|
-
X509_CRL *crl = NULL;
|
1975
|
-
int i;
|
1976
|
-
size_t j;
|
1977
|
-
STACK_OF(X509_REVOKED) *revs = NULL;
|
1978
|
-
/* CRLs can't be delta already */
|
1979
|
-
if (base->base_crl_number || newer->base_crl_number) {
|
1980
|
-
OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
|
1981
|
-
return NULL;
|
1982
|
-
}
|
1983
|
-
/* Base and new CRL must have a CRL number */
|
1984
|
-
if (!base->crl_number || !newer->crl_number) {
|
1985
|
-
OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
|
1986
|
-
return NULL;
|
1987
|
-
}
|
1988
|
-
/* Issuer names must match */
|
1989
|
-
if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
|
1990
|
-
OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
|
1991
|
-
return NULL;
|
1992
|
-
}
|
1993
|
-
/* AKID and IDP must match */
|
1994
|
-
if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
|
1995
|
-
OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
|
1996
|
-
return NULL;
|
1997
|
-
}
|
1998
|
-
if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
|
1999
|
-
OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
|
2000
|
-
return NULL;
|
2001
|
-
}
|
2002
|
-
/* Newer CRL number must exceed full CRL number */
|
2003
|
-
if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
|
2004
|
-
OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
|
2005
|
-
return NULL;
|
2006
|
-
}
|
2007
|
-
/* CRLs must verify */
|
2008
|
-
if (skey && (X509_CRL_verify(base, skey) <= 0 ||
|
2009
|
-
X509_CRL_verify(newer, skey) <= 0)) {
|
2010
|
-
OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
|
2011
|
-
return NULL;
|
2012
|
-
}
|
2013
|
-
/* Create new CRL */
|
2014
|
-
crl = X509_CRL_new();
|
2015
|
-
if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2))
|
2016
|
-
goto memerr;
|
2017
|
-
/* Set issuer name */
|
2018
|
-
if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
|
2019
|
-
goto memerr;
|
1806
|
+
if (in_tm) {
|
1807
|
+
t = *in_tm;
|
1808
|
+
} else {
|
1809
|
+
t = time(NULL);
|
1810
|
+
}
|
2020
1811
|
|
2021
|
-
|
2022
|
-
|
2023
|
-
if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))
|
2024
|
-
goto memerr;
|
1812
|
+
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
|
1813
|
+
}
|
2025
1814
|
|
2026
|
-
|
1815
|
+
// Make a delta CRL as the diff between two full CRLs
|
2027
1816
|
|
2028
|
-
|
1817
|
+
X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey,
|
1818
|
+
const EVP_MD *md, unsigned int flags) {
|
1819
|
+
X509_CRL *crl = NULL;
|
1820
|
+
int i;
|
1821
|
+
size_t j;
|
1822
|
+
STACK_OF(X509_REVOKED) *revs = NULL;
|
1823
|
+
// CRLs can't be delta already
|
1824
|
+
if (base->base_crl_number || newer->base_crl_number) {
|
1825
|
+
OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
|
1826
|
+
return NULL;
|
1827
|
+
}
|
1828
|
+
// Base and new CRL must have a CRL number
|
1829
|
+
if (!base->crl_number || !newer->crl_number) {
|
1830
|
+
OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
|
1831
|
+
return NULL;
|
1832
|
+
}
|
1833
|
+
// Issuer names must match
|
1834
|
+
if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
|
1835
|
+
OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
|
1836
|
+
return NULL;
|
1837
|
+
}
|
1838
|
+
// AKID and IDP must match
|
1839
|
+
if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
|
1840
|
+
OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
|
1841
|
+
return NULL;
|
1842
|
+
}
|
1843
|
+
if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
|
1844
|
+
OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
|
1845
|
+
return NULL;
|
1846
|
+
}
|
1847
|
+
// Newer CRL number must exceed full CRL number
|
1848
|
+
if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
|
1849
|
+
OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
|
1850
|
+
return NULL;
|
1851
|
+
}
|
1852
|
+
// CRLs must verify
|
1853
|
+
if (skey &&
|
1854
|
+
(X509_CRL_verify(base, skey) <= 0 || X509_CRL_verify(newer, skey) <= 0)) {
|
1855
|
+
OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
|
1856
|
+
return NULL;
|
1857
|
+
}
|
1858
|
+
// Create new CRL
|
1859
|
+
crl = X509_CRL_new();
|
1860
|
+
if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2)) {
|
1861
|
+
goto memerr;
|
1862
|
+
}
|
1863
|
+
// Set issuer name
|
1864
|
+
if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) {
|
1865
|
+
goto memerr;
|
1866
|
+
}
|
1867
|
+
|
1868
|
+
if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) {
|
1869
|
+
goto memerr;
|
1870
|
+
}
|
1871
|
+
if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer))) {
|
1872
|
+
goto memerr;
|
1873
|
+
}
|
1874
|
+
|
1875
|
+
// Set base CRL number: must be critical
|
1876
|
+
|
1877
|
+
if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0)) {
|
1878
|
+
goto memerr;
|
1879
|
+
}
|
1880
|
+
|
1881
|
+
// Copy extensions across from newest CRL to delta: this will set CRL
|
1882
|
+
// number to correct value too.
|
1883
|
+
|
1884
|
+
for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
|
1885
|
+
const X509_EXTENSION *ext = X509_CRL_get_ext(newer, i);
|
1886
|
+
if (!X509_CRL_add_ext(crl, ext, -1)) {
|
1887
|
+
goto memerr;
|
1888
|
+
}
|
1889
|
+
}
|
1890
|
+
|
1891
|
+
// Go through revoked entries, copying as needed
|
1892
|
+
|
1893
|
+
revs = X509_CRL_get_REVOKED(newer);
|
1894
|
+
|
1895
|
+
for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
|
1896
|
+
X509_REVOKED *rvn, *rvtmp;
|
1897
|
+
rvn = sk_X509_REVOKED_value(revs, j);
|
1898
|
+
// Add only if not also in base. TODO: need something cleverer here
|
1899
|
+
// for some more complex CRLs covering multiple CAs.
|
1900
|
+
if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
|
1901
|
+
rvtmp = X509_REVOKED_dup(rvn);
|
1902
|
+
if (!rvtmp) {
|
2029
1903
|
goto memerr;
|
2030
|
-
|
2031
|
-
|
2032
|
-
|
2033
|
-
|
2034
|
-
|
2035
|
-
|
2036
|
-
for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
|
2037
|
-
X509_EXTENSION *ext;
|
2038
|
-
ext = X509_CRL_get_ext(newer, i);
|
2039
|
-
if (!X509_CRL_add_ext(crl, ext, -1))
|
2040
|
-
goto memerr;
|
2041
|
-
}
|
2042
|
-
|
2043
|
-
/* Go through revoked entries, copying as needed */
|
2044
|
-
|
2045
|
-
revs = X509_CRL_get_REVOKED(newer);
|
2046
|
-
|
2047
|
-
for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
|
2048
|
-
X509_REVOKED *rvn, *rvtmp;
|
2049
|
-
rvn = sk_X509_REVOKED_value(revs, j);
|
2050
|
-
/*
|
2051
|
-
* Add only if not also in base. TODO: need something cleverer here
|
2052
|
-
* for some more complex CRLs covering multiple CAs.
|
2053
|
-
*/
|
2054
|
-
if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
|
2055
|
-
rvtmp = X509_REVOKED_dup(rvn);
|
2056
|
-
if (!rvtmp)
|
2057
|
-
goto memerr;
|
2058
|
-
if (!X509_CRL_add0_revoked(crl, rvtmp)) {
|
2059
|
-
X509_REVOKED_free(rvtmp);
|
2060
|
-
goto memerr;
|
2061
|
-
}
|
2062
|
-
}
|
1904
|
+
}
|
1905
|
+
if (!X509_CRL_add0_revoked(crl, rvtmp)) {
|
1906
|
+
X509_REVOKED_free(rvtmp);
|
1907
|
+
goto memerr;
|
1908
|
+
}
|
2063
1909
|
}
|
2064
|
-
|
1910
|
+
}
|
1911
|
+
// TODO: optionally prune deleted entries
|
2065
1912
|
|
2066
|
-
|
2067
|
-
|
1913
|
+
if (skey && md && !X509_CRL_sign(crl, skey, md)) {
|
1914
|
+
goto memerr;
|
1915
|
+
}
|
2068
1916
|
|
2069
|
-
|
1917
|
+
return crl;
|
2070
1918
|
|
2071
|
-
|
2072
|
-
|
2073
|
-
|
2074
|
-
|
2075
|
-
|
1919
|
+
memerr:
|
1920
|
+
if (crl) {
|
1921
|
+
X509_CRL_free(crl);
|
1922
|
+
}
|
1923
|
+
return NULL;
|
2076
1924
|
}
|
2077
1925
|
|
2078
1926
|
int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
|
2079
|
-
CRYPTO_EX_unused *
|
1927
|
+
CRYPTO_EX_unused *unused,
|
2080
1928
|
CRYPTO_EX_dup *dup_unused,
|
2081
|
-
CRYPTO_EX_free *free_func)
|
2082
|
-
|
2083
|
-
|
2084
|
-
|
2085
|
-
|
2086
|
-
|
2087
|
-
|
2088
|
-
|
2089
|
-
|
2090
|
-
return -1;
|
2091
|
-
}
|
2092
|
-
return index;
|
1929
|
+
CRYPTO_EX_free *free_func) {
|
1930
|
+
// This function is (usually) called only once, by
|
1931
|
+
// SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
|
1932
|
+
int index;
|
1933
|
+
if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
|
1934
|
+
free_func)) {
|
1935
|
+
return -1;
|
1936
|
+
}
|
1937
|
+
return index;
|
2093
1938
|
}
|
2094
1939
|
|
2095
|
-
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
|
2096
|
-
|
2097
|
-
return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
|
1940
|
+
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) {
|
1941
|
+
return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
|
2098
1942
|
}
|
2099
1943
|
|
2100
|
-
void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
|
2101
|
-
|
2102
|
-
return CRYPTO_get_ex_data(&ctx->ex_data, idx);
|
1944
|
+
void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) {
|
1945
|
+
return CRYPTO_get_ex_data(&ctx->ex_data, idx);
|
2103
1946
|
}
|
2104
1947
|
|
2105
|
-
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
|
2106
|
-
{
|
2107
|
-
return ctx->error;
|
2108
|
-
}
|
1948
|
+
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) { return ctx->error; }
|
2109
1949
|
|
2110
|
-
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
|
2111
|
-
|
2112
|
-
ctx->error = err;
|
1950
|
+
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) {
|
1951
|
+
ctx->error = err;
|
2113
1952
|
}
|
2114
1953
|
|
2115
|
-
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
|
2116
|
-
|
2117
|
-
return ctx->error_depth;
|
1954
|
+
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) {
|
1955
|
+
return ctx->error_depth;
|
2118
1956
|
}
|
2119
1957
|
|
2120
|
-
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
|
2121
|
-
|
2122
|
-
return ctx->current_cert;
|
1958
|
+
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) {
|
1959
|
+
return ctx->current_cert;
|
2123
1960
|
}
|
2124
1961
|
|
2125
|
-
STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
|
2126
|
-
|
2127
|
-
return ctx->chain;
|
1962
|
+
STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) {
|
1963
|
+
return ctx->chain;
|
2128
1964
|
}
|
2129
1965
|
|
2130
|
-
STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
|
2131
|
-
|
2132
|
-
return ctx->chain;
|
1966
|
+
STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx) {
|
1967
|
+
return ctx->chain;
|
2133
1968
|
}
|
2134
1969
|
|
2135
|
-
STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
|
2136
|
-
{
|
2137
|
-
|
2138
|
-
|
2139
|
-
|
1970
|
+
STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) {
|
1971
|
+
if (!ctx->chain) {
|
1972
|
+
return NULL;
|
1973
|
+
}
|
1974
|
+
return X509_chain_up_ref(ctx->chain);
|
2140
1975
|
}
|
2141
1976
|
|
2142
|
-
X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
|
2143
|
-
|
2144
|
-
return ctx->current_issuer;
|
1977
|
+
X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) {
|
1978
|
+
return ctx->current_issuer;
|
2145
1979
|
}
|
2146
1980
|
|
2147
|
-
X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
|
2148
|
-
|
2149
|
-
return ctx->current_crl;
|
1981
|
+
X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) {
|
1982
|
+
return ctx->current_crl;
|
2150
1983
|
}
|
2151
1984
|
|
2152
|
-
X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
|
2153
|
-
|
2154
|
-
return ctx->parent;
|
1985
|
+
X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) {
|
1986
|
+
return ctx->parent;
|
2155
1987
|
}
|
2156
1988
|
|
2157
|
-
void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
|
2158
|
-
{
|
2159
|
-
ctx->cert = x;
|
2160
|
-
}
|
1989
|
+
void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) { ctx->cert = x; }
|
2161
1990
|
|
2162
|
-
void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
|
2163
|
-
|
2164
|
-
ctx->untrusted = sk;
|
1991
|
+
void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {
|
1992
|
+
ctx->untrusted = sk;
|
2165
1993
|
}
|
2166
1994
|
|
2167
|
-
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
|
2168
|
-
|
2169
|
-
return ctx->untrusted;
|
1995
|
+
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) {
|
1996
|
+
return ctx->untrusted;
|
2170
1997
|
}
|
2171
1998
|
|
2172
|
-
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
|
2173
|
-
|
2174
|
-
ctx->crls = sk;
|
1999
|
+
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) {
|
2000
|
+
ctx->crls = sk;
|
2175
2001
|
}
|
2176
2002
|
|
2177
|
-
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
|
2178
|
-
|
2179
|
-
return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
|
2003
|
+
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) {
|
2004
|
+
return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
|
2180
2005
|
}
|
2181
2006
|
|
2182
|
-
int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
|
2183
|
-
|
2184
|
-
return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
|
2007
|
+
int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) {
|
2008
|
+
return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
|
2185
2009
|
}
|
2186
2010
|
|
2187
|
-
|
2188
|
-
|
2189
|
-
|
2190
|
-
|
2191
|
-
|
2192
|
-
|
2193
|
-
|
2194
|
-
|
2195
|
-
* client/server.
|
2196
|
-
*/
|
2011
|
+
// This function is used to set the X509_STORE_CTX purpose and trust values.
|
2012
|
+
// This is intended to be used when another structure has its own trust and
|
2013
|
+
// purpose values which (if set) will be inherited by the ctx. If they aren't
|
2014
|
+
// set then we will usually have a default purpose in mind which should then
|
2015
|
+
// be used to set the trust value. An example of this is SSL use: an SSL
|
2016
|
+
// structure will have its own purpose and trust settings which the
|
2017
|
+
// application can set: if they aren't set then we use the default of SSL
|
2018
|
+
// client/server.
|
2197
2019
|
|
2198
2020
|
int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
|
2199
|
-
int purpose, int trust)
|
2200
|
-
|
2201
|
-
|
2202
|
-
|
2203
|
-
|
2204
|
-
|
2205
|
-
|
2206
|
-
|
2207
|
-
|
2208
|
-
|
2209
|
-
|
2210
|
-
|
2211
|
-
|
2212
|
-
|
2213
|
-
|
2214
|
-
|
2215
|
-
|
2216
|
-
|
2217
|
-
|
2218
|
-
|
2219
|
-
|
2220
|
-
|
2221
|
-
|
2222
|
-
|
2223
|
-
|
2224
|
-
|
2225
|
-
}
|
2226
|
-
|
2227
|
-
|
2228
|
-
|
2229
|
-
|
2230
|
-
|
2231
|
-
|
2232
|
-
}
|
2233
|
-
|
2234
|
-
|
2235
|
-
|
2236
|
-
|
2237
|
-
|
2238
|
-
|
2239
|
-
|
2240
|
-
|
2241
|
-
|
2242
|
-
|
2243
|
-
|
2244
|
-
|
2245
|
-
|
2246
|
-
|
2247
|
-
|
2248
|
-
|
2249
|
-
|
2250
|
-
|
2021
|
+
int purpose, int trust) {
|
2022
|
+
int idx;
|
2023
|
+
// If purpose not set use default
|
2024
|
+
if (!purpose) {
|
2025
|
+
purpose = def_purpose;
|
2026
|
+
}
|
2027
|
+
// If we have a purpose then check it is valid
|
2028
|
+
if (purpose) {
|
2029
|
+
X509_PURPOSE *ptmp;
|
2030
|
+
idx = X509_PURPOSE_get_by_id(purpose);
|
2031
|
+
if (idx == -1) {
|
2032
|
+
OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
|
2033
|
+
return 0;
|
2034
|
+
}
|
2035
|
+
ptmp = X509_PURPOSE_get0(idx);
|
2036
|
+
if (ptmp->trust == X509_TRUST_DEFAULT) {
|
2037
|
+
idx = X509_PURPOSE_get_by_id(def_purpose);
|
2038
|
+
if (idx == -1) {
|
2039
|
+
OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
|
2040
|
+
return 0;
|
2041
|
+
}
|
2042
|
+
ptmp = X509_PURPOSE_get0(idx);
|
2043
|
+
}
|
2044
|
+
// If trust not set then get from purpose default
|
2045
|
+
if (!trust) {
|
2046
|
+
trust = ptmp->trust;
|
2047
|
+
}
|
2048
|
+
}
|
2049
|
+
if (trust) {
|
2050
|
+
idx = X509_TRUST_get_by_id(trust);
|
2051
|
+
if (idx == -1) {
|
2052
|
+
OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
|
2053
|
+
return 0;
|
2054
|
+
}
|
2055
|
+
}
|
2056
|
+
|
2057
|
+
if (purpose && !ctx->param->purpose) {
|
2058
|
+
ctx->param->purpose = purpose;
|
2059
|
+
}
|
2060
|
+
if (trust && !ctx->param->trust) {
|
2061
|
+
ctx->param->trust = trust;
|
2062
|
+
}
|
2063
|
+
return 1;
|
2064
|
+
}
|
2065
|
+
|
2066
|
+
X509_STORE_CTX *X509_STORE_CTX_new(void) {
|
2067
|
+
X509_STORE_CTX *ctx;
|
2068
|
+
ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
|
2069
|
+
if (!ctx) {
|
2070
|
+
return NULL;
|
2071
|
+
}
|
2072
|
+
X509_STORE_CTX_zero(ctx);
|
2073
|
+
return ctx;
|
2251
2074
|
}
|
2252
2075
|
|
2253
|
-
void X509_STORE_CTX_zero(X509_STORE_CTX *ctx)
|
2254
|
-
|
2255
|
-
OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
|
2076
|
+
void X509_STORE_CTX_zero(X509_STORE_CTX *ctx) {
|
2077
|
+
OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
|
2256
2078
|
}
|
2257
2079
|
|
2258
|
-
void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
|
2259
|
-
{
|
2260
|
-
|
2261
|
-
|
2262
|
-
|
2263
|
-
|
2264
|
-
OPENSSL_free(ctx);
|
2080
|
+
void X509_STORE_CTX_free(X509_STORE_CTX *ctx) {
|
2081
|
+
if (ctx == NULL) {
|
2082
|
+
return;
|
2083
|
+
}
|
2084
|
+
X509_STORE_CTX_cleanup(ctx);
|
2085
|
+
OPENSSL_free(ctx);
|
2265
2086
|
}
|
2266
2087
|
|
2267
2088
|
int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
|
2268
|
-
STACK_OF(X509) *chain)
|
2269
|
-
|
2270
|
-
|
2271
|
-
|
2272
|
-
|
2273
|
-
|
2274
|
-
|
2275
|
-
|
2276
|
-
|
2277
|
-
|
2278
|
-
|
2279
|
-
|
2280
|
-
|
2281
|
-
|
2282
|
-
|
2283
|
-
|
2284
|
-
|
2285
|
-
|
2286
|
-
|
2287
|
-
|
2288
|
-
|
2289
|
-
|
2089
|
+
STACK_OF(X509) *chain) {
|
2090
|
+
X509_STORE_CTX_zero(ctx);
|
2091
|
+
ctx->ctx = store;
|
2092
|
+
ctx->cert = x509;
|
2093
|
+
ctx->untrusted = chain;
|
2094
|
+
|
2095
|
+
CRYPTO_new_ex_data(&ctx->ex_data);
|
2096
|
+
|
2097
|
+
if (store == NULL) {
|
2098
|
+
OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);
|
2099
|
+
goto err;
|
2100
|
+
}
|
2101
|
+
|
2102
|
+
ctx->param = X509_VERIFY_PARAM_new();
|
2103
|
+
if (!ctx->param) {
|
2104
|
+
goto err;
|
2105
|
+
}
|
2106
|
+
|
2107
|
+
// Inherit callbacks and flags from X509_STORE.
|
2108
|
+
|
2109
|
+
ctx->verify_cb = store->verify_cb;
|
2110
|
+
ctx->cleanup = store->cleanup;
|
2111
|
+
|
2112
|
+
if (!X509_VERIFY_PARAM_inherit(ctx->param, store->param) ||
|
2113
|
+
!X509_VERIFY_PARAM_inherit(ctx->param,
|
2114
|
+
X509_VERIFY_PARAM_lookup("default"))) {
|
2115
|
+
goto err;
|
2116
|
+
}
|
2117
|
+
|
2118
|
+
if (store->check_issued) {
|
2119
|
+
ctx->check_issued = store->check_issued;
|
2120
|
+
} else {
|
2121
|
+
ctx->check_issued = check_issued;
|
2122
|
+
}
|
2123
|
+
|
2124
|
+
if (store->get_issuer) {
|
2125
|
+
ctx->get_issuer = store->get_issuer;
|
2126
|
+
} else {
|
2127
|
+
ctx->get_issuer = X509_STORE_CTX_get1_issuer;
|
2128
|
+
}
|
2129
|
+
|
2130
|
+
if (store->verify_cb) {
|
2290
2131
|
ctx->verify_cb = store->verify_cb;
|
2291
|
-
|
2292
|
-
|
2293
|
-
|
2294
|
-
|
2295
|
-
|
2296
|
-
|
2297
|
-
|
2298
|
-
|
2299
|
-
|
2300
|
-
ctx->check_issued = store->check_issued;
|
2301
|
-
else
|
2302
|
-
ctx->check_issued = check_issued;
|
2303
|
-
|
2304
|
-
if (store->get_issuer)
|
2305
|
-
ctx->get_issuer = store->get_issuer;
|
2306
|
-
else
|
2307
|
-
ctx->get_issuer = X509_STORE_CTX_get1_issuer;
|
2308
|
-
|
2309
|
-
if (store->verify_cb)
|
2310
|
-
ctx->verify_cb = store->verify_cb;
|
2311
|
-
else
|
2312
|
-
ctx->verify_cb = null_callback;
|
2132
|
+
} else {
|
2133
|
+
ctx->verify_cb = null_callback;
|
2134
|
+
}
|
2135
|
+
|
2136
|
+
if (store->verify) {
|
2137
|
+
ctx->verify = store->verify;
|
2138
|
+
} else {
|
2139
|
+
ctx->verify = internal_verify;
|
2140
|
+
}
|
2313
2141
|
|
2314
|
-
|
2315
|
-
|
2316
|
-
|
2317
|
-
|
2142
|
+
if (store->check_revocation) {
|
2143
|
+
ctx->check_revocation = store->check_revocation;
|
2144
|
+
} else {
|
2145
|
+
ctx->check_revocation = check_revocation;
|
2146
|
+
}
|
2318
2147
|
|
2319
|
-
|
2320
|
-
|
2321
|
-
|
2322
|
-
|
2148
|
+
if (store->get_crl) {
|
2149
|
+
ctx->get_crl = store->get_crl;
|
2150
|
+
} else {
|
2151
|
+
ctx->get_crl = NULL;
|
2152
|
+
}
|
2323
2153
|
|
2324
|
-
|
2325
|
-
|
2326
|
-
|
2327
|
-
|
2154
|
+
if (store->check_crl) {
|
2155
|
+
ctx->check_crl = store->check_crl;
|
2156
|
+
} else {
|
2157
|
+
ctx->check_crl = check_crl;
|
2158
|
+
}
|
2328
2159
|
|
2329
|
-
|
2330
|
-
|
2331
|
-
|
2332
|
-
|
2160
|
+
if (store->cert_crl) {
|
2161
|
+
ctx->cert_crl = store->cert_crl;
|
2162
|
+
} else {
|
2163
|
+
ctx->cert_crl = cert_crl;
|
2164
|
+
}
|
2333
2165
|
|
2334
|
-
|
2335
|
-
|
2336
|
-
|
2337
|
-
|
2166
|
+
if (store->lookup_certs) {
|
2167
|
+
ctx->lookup_certs = store->lookup_certs;
|
2168
|
+
} else {
|
2169
|
+
ctx->lookup_certs = X509_STORE_get1_certs;
|
2170
|
+
}
|
2338
2171
|
|
2339
|
-
|
2340
|
-
|
2341
|
-
|
2342
|
-
|
2172
|
+
if (store->lookup_crls) {
|
2173
|
+
ctx->lookup_crls = store->lookup_crls;
|
2174
|
+
} else {
|
2175
|
+
ctx->lookup_crls = X509_STORE_get1_crls;
|
2176
|
+
}
|
2343
2177
|
|
2344
|
-
|
2345
|
-
ctx->lookup_crls = store->lookup_crls;
|
2346
|
-
else
|
2347
|
-
ctx->lookup_crls = X509_STORE_get1_crls;
|
2178
|
+
ctx->check_policy = check_policy;
|
2348
2179
|
|
2349
|
-
|
2180
|
+
return 1;
|
2350
2181
|
|
2351
|
-
|
2352
|
-
|
2353
|
-
|
2354
|
-
|
2355
|
-
|
2356
|
-
X509_VERIFY_PARAM_free(ctx->param);
|
2357
|
-
}
|
2182
|
+
err:
|
2183
|
+
CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
|
2184
|
+
if (ctx->param != NULL) {
|
2185
|
+
X509_VERIFY_PARAM_free(ctx->param);
|
2186
|
+
}
|
2358
2187
|
|
2359
|
-
|
2360
|
-
|
2361
|
-
return 0;
|
2188
|
+
OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
|
2189
|
+
return 0;
|
2362
2190
|
}
|
2363
2191
|
|
2364
|
-
|
2365
|
-
|
2366
|
-
* avoids X509_STORE nastiness where it isn't needed.
|
2367
|
-
*/
|
2192
|
+
// Set alternative lookup method: just a STACK of trusted certificates. This
|
2193
|
+
// avoids X509_STORE nastiness where it isn't needed.
|
2368
2194
|
|
2369
|
-
void
|
2370
|
-
{
|
2371
|
-
|
2372
|
-
|
2195
|
+
void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,
|
2196
|
+
STACK_OF(X509) *sk) {
|
2197
|
+
ctx->other_ctx = sk;
|
2198
|
+
ctx->get_issuer = get_issuer_sk;
|
2373
2199
|
}
|
2374
2200
|
|
2375
|
-
void
|
2376
|
-
|
2377
|
-
/* We need to be idempotent because, unfortunately, |X509_STORE_CTX_free|
|
2378
|
-
* also calls this function. */
|
2379
|
-
if (ctx->cleanup != NULL) {
|
2380
|
-
ctx->cleanup(ctx);
|
2381
|
-
ctx->cleanup = NULL;
|
2382
|
-
}
|
2383
|
-
if (ctx->param != NULL) {
|
2384
|
-
if (ctx->parent == NULL)
|
2385
|
-
X509_VERIFY_PARAM_free(ctx->param);
|
2386
|
-
ctx->param = NULL;
|
2387
|
-
}
|
2388
|
-
if (ctx->tree != NULL) {
|
2389
|
-
X509_policy_tree_free(ctx->tree);
|
2390
|
-
ctx->tree = NULL;
|
2391
|
-
}
|
2392
|
-
if (ctx->chain != NULL) {
|
2393
|
-
sk_X509_pop_free(ctx->chain, X509_free);
|
2394
|
-
ctx->chain = NULL;
|
2395
|
-
}
|
2396
|
-
CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
|
2397
|
-
OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
|
2201
|
+
void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {
|
2202
|
+
X509_STORE_CTX_set0_trusted_stack(ctx, sk);
|
2398
2203
|
}
|
2399
2204
|
|
2400
|
-
void
|
2401
|
-
|
2402
|
-
|
2205
|
+
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) {
|
2206
|
+
// We need to be idempotent because, unfortunately, |X509_STORE_CTX_free|
|
2207
|
+
// also calls this function.
|
2208
|
+
if (ctx->cleanup != NULL) {
|
2209
|
+
ctx->cleanup(ctx);
|
2210
|
+
ctx->cleanup = NULL;
|
2211
|
+
}
|
2212
|
+
if (ctx->param != NULL) {
|
2213
|
+
if (ctx->parent == NULL) {
|
2214
|
+
X509_VERIFY_PARAM_free(ctx->param);
|
2215
|
+
}
|
2216
|
+
ctx->param = NULL;
|
2217
|
+
}
|
2218
|
+
if (ctx->chain != NULL) {
|
2219
|
+
sk_X509_pop_free(ctx->chain, X509_free);
|
2220
|
+
ctx->chain = NULL;
|
2221
|
+
}
|
2222
|
+
CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
|
2223
|
+
OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
|
2403
2224
|
}
|
2404
2225
|
|
2405
|
-
void
|
2406
|
-
|
2407
|
-
X509_VERIFY_PARAM_set_flags(ctx->param, flags);
|
2226
|
+
void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) {
|
2227
|
+
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
|
2408
2228
|
}
|
2409
2229
|
|
2410
|
-
void
|
2411
|
-
|
2412
|
-
{
|
2413
|
-
X509_VERIFY_PARAM_set_time(ctx->param, t);
|
2230
|
+
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) {
|
2231
|
+
X509_VERIFY_PARAM_set_flags(ctx->param, flags);
|
2414
2232
|
}
|
2415
2233
|
|
2416
|
-
|
2417
|
-
{
|
2418
|
-
|
2234
|
+
void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, unsigned long flags,
|
2235
|
+
int64_t t) {
|
2236
|
+
X509_VERIFY_PARAM_set_time_posix(ctx->param, t);
|
2419
2237
|
}
|
2420
2238
|
|
2421
|
-
void
|
2422
|
-
|
2423
|
-
|
2424
|
-
ctx->verify_cb = verify_cb;
|
2239
|
+
void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
|
2240
|
+
time_t t) {
|
2241
|
+
X509_STORE_CTX_set_time_posix(ctx, flags, t);
|
2425
2242
|
}
|
2426
2243
|
|
2427
|
-
|
2428
|
-
|
2429
|
-
return ctx->tree;
|
2244
|
+
X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) {
|
2245
|
+
return ctx->cert;
|
2430
2246
|
}
|
2431
2247
|
|
2432
|
-
|
2433
|
-
{
|
2434
|
-
|
2248
|
+
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
|
2249
|
+
int (*verify_cb)(int, X509_STORE_CTX *)) {
|
2250
|
+
ctx->verify_cb = verify_cb;
|
2435
2251
|
}
|
2436
2252
|
|
2437
|
-
int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
|
2438
|
-
|
2439
|
-
|
2440
|
-
|
2441
|
-
|
2442
|
-
|
2443
|
-
|
2253
|
+
int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) {
|
2254
|
+
const X509_VERIFY_PARAM *param;
|
2255
|
+
param = X509_VERIFY_PARAM_lookup(name);
|
2256
|
+
if (!param) {
|
2257
|
+
return 0;
|
2258
|
+
}
|
2259
|
+
return X509_VERIFY_PARAM_inherit(ctx->param, param);
|
2444
2260
|
}
|
2445
2261
|
|
2446
|
-
X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
|
2447
|
-
|
2448
|
-
return ctx->param;
|
2262
|
+
X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) {
|
2263
|
+
return ctx->param;
|
2449
2264
|
}
|
2450
2265
|
|
2451
|
-
void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
|
2452
|
-
{
|
2453
|
-
|
2454
|
-
|
2455
|
-
|
2266
|
+
void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) {
|
2267
|
+
if (ctx->param) {
|
2268
|
+
X509_VERIFY_PARAM_free(ctx->param);
|
2269
|
+
}
|
2270
|
+
ctx->param = param;
|
2456
2271
|
}
|