[thirdparty/openssl.git] / crypto / x509 / x509_vpm.c

/* x509_vpm.c */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
/* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>

#include "cryptlib.h"
#include <openssl/crypto.h>
#include <openssl/lhash.h>
#include <openssl/buffer.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

#include "x509_lcl.h"

/* X509_VERIFY_PARAM functions */

static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
	{
	X509_VERIFY_PARAM_ID *paramid;
	if (!param)
		return;
	param->name = NULL;
	param->purpose = 0;
	param->trust = 0;
	/*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
	param->inh_flags = 0;
	param->flags = 0;
	param->depth = -1;
	if (param->policies)
		{
		sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
		param->policies = NULL;
		}
	paramid = param->id;
	if (paramid->host)
		{
		OPENSSL_free(paramid->host);
		paramid->host = NULL;
		}
	if (paramid->email)
		{
		OPENSSL_free(paramid->email);
		paramid->email = NULL;
		paramid->emaillen = 0;
		}
	if (paramid->ip)
		{
		OPENSSL_free(paramid->ip);
		paramid->ip = NULL;
		paramid->iplen = 0;
		}

	}

X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
	{
	X509_VERIFY_PARAM *param;
	X509_VERIFY_PARAM_ID *paramid;
	param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
	if (!param)
		return NULL;
	paramid = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
	if (!paramid)
		{
		OPENSSL_free(param);
		return NULL;
		}
	memset(param, 0, sizeof(X509_VERIFY_PARAM));
	memset(paramid, 0, sizeof(X509_VERIFY_PARAM_ID));
	param->id = paramid;
	x509_verify_param_zero(param);
	return param;
	}

void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
	{
	x509_verify_param_zero(param);
	OPENSSL_free(param->id);
	OPENSSL_free(param);
	}

/* This function determines how parameters are "inherited" from one structure
 * to another. There are several different ways this can happen.
 *
 * 1. If a child structure needs to have its values initialized from a parent
 *    they are simply copied across. For example SSL_CTX copied to SSL.
 * 2. If the structure should take on values only if they are currently unset.
 *    For example the values in an SSL structure will take appropriate value
 *    for SSL servers or clients but only if the application has not set new
 *    ones.
 *
 * The "inh_flags" field determines how this function behaves. 
 *
 * Normally any values which are set in the default are not copied from the
 * destination and verify flags are ORed together.
 *
 * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
 * to the destination. Effectively the values in "to" become default values
 * which will be used only if nothing new is set in "from".
 *
 * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
 * they are set or not. Flags is still Ored though.
 *
 * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
 * of ORed.
 *
 * If X509_VP_FLAG_LOCKED is set then no values are copied.
 *
 * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
 * after the next call.
 */

/* Macro to test if a field should be copied from src to dest */

#define test_x509_verify_param_copy(field, def) \
	(to_overwrite || \
		((src->field != def) && (to_default || (dest->field == def))))

/* As above but for ID fields */

#define test_x509_verify_param_copy_id(idf, def) \
	test_x509_verify_param_copy(id->idf, def)

/* Macro to test and copy a field if necessary */

#define x509_verify_param_copy(field, def) \
	if (test_x509_verify_param_copy(field, def)) \
		dest->field = src->field


int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
						const X509_VERIFY_PARAM *src)
	{
	unsigned long inh_flags;
	int to_default, to_overwrite;
	X509_VERIFY_PARAM_ID *id;
	if (!src)
		return 1;
	id = src->id;
	inh_flags = dest->inh_flags | src->inh_flags;

	if (inh_flags & X509_VP_FLAG_ONCE)
		dest->inh_flags = 0;

	if (inh_flags & X509_VP_FLAG_LOCKED)
		return 1;

	if (inh_flags & X509_VP_FLAG_DEFAULT)
		to_default = 1;
	else
		to_default = 0;

	if (inh_flags & X509_VP_FLAG_OVERWRITE)
		to_overwrite = 1;
	else
		to_overwrite = 0;

	x509_verify_param_copy(purpose, 0);
	x509_verify_param_copy(trust, 0);
	x509_verify_param_copy(depth, -1);

	/* If overwrite or check time not set, copy across */

	if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME))
		{
		dest->check_time = src->check_time;
		dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
		/* Don't need to copy flag: that is done below */
		}

	if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
		dest->flags = 0;

	dest->flags |= src->flags;

	if (test_x509_verify_param_copy(policies, NULL))
		{
		if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
			return 0;
		}

	if (test_x509_verify_param_copy_id(host, NULL))
		{
		if (!X509_VERIFY_PARAM_set1_host(dest, id->host, 0))
			return 0;
		dest->id->hostflags = id->hostflags;
		}

	if (test_x509_verify_param_copy_id(email, NULL))
		{
		if (!X509_VERIFY_PARAM_set1_email(dest, id->email, id->emaillen))
			return 0;
		}

	if (test_x509_verify_param_copy_id(ip, NULL))
		{
		if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen))
			return 0;
		}

	return 1;
	}

int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
						const X509_VERIFY_PARAM *from)
	{
	unsigned long save_flags = to->inh_flags;
	int ret;
	to->inh_flags |= X509_VP_FLAG_DEFAULT;
	ret = X509_VERIFY_PARAM_inherit(to, from);
	to->inh_flags = save_flags;
	return ret;
	}

static int int_x509_param_set1(unsigned char **pdest, size_t *pdestlen,
				const unsigned char *src, size_t srclen)
	{
	void *tmp;
	if (src)
		{
		if (srclen == 0)
			{
			tmp = BUF_strdup((char *)src);
			srclen = strlen((char *)src);
			}
		else
			tmp = BUF_memdup(src, srclen);
		if (!tmp)
			return 0;
		}
	else
		{
		tmp = NULL;
		srclen = 0;
		}
	if (*pdest)
		OPENSSL_free(*pdest);
	*pdest = tmp;
	if (pdestlen)
		*pdestlen = srclen;
	return 1;
	}

int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
	{
	if (param->name)
		OPENSSL_free(param->name);
	param->name = BUF_strdup(name);
	if (param->name)
		return 1;
	return 0;
	}

int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
	{
	param->flags |= flags;
	if (flags & X509_V_FLAG_POLICY_MASK)
		param->flags |= X509_V_FLAG_POLICY_CHECK;
	return 1;
	}

int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
	{
	param->flags &= ~flags;
	return 1;
	}

unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
	{
	return param->flags;
	}

int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
	{
	return X509_PURPOSE_set(&param->purpose, purpose);
	}

int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
	{
	return X509_TRUST_set(&param->trust, trust);
	}

void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
	{
	param->depth = depth;
	}

void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
	{
	param->check_time = t;
	param->flags |= X509_V_FLAG_USE_CHECK_TIME;
	}

int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
	{
	if (!param->policies)
		{
		param->policies = sk_ASN1_OBJECT_new_null();
		if (!param->policies)
			return 0;
		}
	if (!sk_ASN1_OBJECT_push(param->policies, policy))
		return 0;
	return 1;
	}

int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 
					STACK_OF(ASN1_OBJECT) *policies)
	{
	int i;
	ASN1_OBJECT *oid, *doid;
	if (!param)
		return 0;
	if (param->policies)
		sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);

	if (!policies)
		{
		param->policies = NULL;
		return 1;
		}

	param->policies = sk_ASN1_OBJECT_new_null();
	if (!param->policies)
		return 0;

	for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++)
		{
		oid = sk_ASN1_OBJECT_value(policies, i);
		doid = OBJ_dup(oid);
		if (!doid)
			return 0;
		if (!sk_ASN1_OBJECT_push(param->policies, doid))
			{
			ASN1_OBJECT_free(doid);
			return 0;
			}
		}
	param->flags |= X509_V_FLAG_POLICY_CHECK;
	return 1;
	}

int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
				const unsigned char *name, size_t namelen)
	{
	return int_x509_param_set1(&param->id->host, NULL, name, namelen);
	}

void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
					unsigned int flags)
	{
	param->id->hostflags = flags;
	}

int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
				const unsigned char *email, size_t emaillen)
	{
	return int_x509_param_set1(&param->id->email, &param->id->emaillen,
					email, emaillen);
	}

int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
					const unsigned char *ip, size_t iplen)
	{
	if (iplen != 0 && iplen != 4 && iplen != 16)
		return 0;
	return int_x509_param_set1(&param->id->ip, &param->id->iplen, ip, iplen);
	}

int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
	{
	unsigned char ipout[16];
	int iplen;
	iplen = a2i_ipadd(ipout, ipasc);
	if (iplen == 0)
		return 0;
	return X509_VERIFY_PARAM_set1_ip(param, ipout, (size_t)iplen);
	}

int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
	{
	return param->depth;
	}

const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
	{
	return param->name;
	}

static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0U, NULL, 0, NULL, 0};

#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id


/* Default verify parameters: these are used for various
 * applications and can be overridden by the user specified table.
 * NB: the 'name' field *must* be in alphabetical order because it
 * will be searched using OBJ_search.
 */

static const X509_VERIFY_PARAM default_table[] = {
	{
	"default",	/* X509 default parameters */
	0,		/* Check time */
	0,		/* internal flags */
	0,		/* flags */
	0,		/* purpose */
	0,		/* trust */
	100,		/* depth */
	NULL,		/* policies */
	vpm_empty_id
	},
	{
	"pkcs7",			/* S/MIME sign parameters */
	0,				/* Check time */
	0,				/* internal flags */
	0,				/* flags */
	X509_PURPOSE_SMIME_SIGN,	/* purpose */
	X509_TRUST_EMAIL,		/* trust */
	-1,				/* depth */
	NULL,				/* policies */
	vpm_empty_id
	},
	{
	"smime_sign",			/* S/MIME sign parameters */
	0,				/* Check time */
	0,				/* internal flags */
	0,				/* flags */
	X509_PURPOSE_SMIME_SIGN,	/* purpose */
	X509_TRUST_EMAIL,		/* trust */
	-1,				/* depth */
	NULL,				/* policies */
	vpm_empty_id
	},
	{
	"ssl_client",			/* SSL/TLS client parameters */
	0,				/* Check time */
	0,				/* internal flags */
	0,				/* flags */
	X509_PURPOSE_SSL_CLIENT,	/* purpose */
	X509_TRUST_SSL_CLIENT,		/* trust */
	-1,				/* depth */
	NULL,				/* policies */
	vpm_empty_id
	},
	{
	"ssl_server",			/* SSL/TLS server parameters */
	0,				/* Check time */
	0,				/* internal flags */
	0,				/* flags */
	X509_PURPOSE_SSL_SERVER,	/* purpose */
	X509_TRUST_SSL_SERVER,		/* trust */
	-1,				/* depth */
	NULL,				/* policies */
	vpm_empty_id
	}};

static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;

static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)

	{
	return strcmp(a->name, b->name);
	}

DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
			   table);
IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
			     table);

static int param_cmp(const X509_VERIFY_PARAM * const *a,
			const X509_VERIFY_PARAM * const *b)
	{
	return strcmp((*a)->name, (*b)->name);
	}

int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
	{
	int idx;
	X509_VERIFY_PARAM *ptmp;
	if (!param_table)
		{
		param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
		if (!param_table)
			return 0;
		}
	else
		{
		idx = sk_X509_VERIFY_PARAM_find(param_table, param);
		if (idx != -1)
			{
			ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
			X509_VERIFY_PARAM_free(ptmp);
			(void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
			}
		}
	if (!sk_X509_VERIFY_PARAM_push(param_table, param))
		return 0;
	return 1;
	}

int X509_VERIFY_PARAM_get_count(void)
	{
	int num = sizeof(default_table)/sizeof(X509_VERIFY_PARAM);
	if (param_table)
		num += sk_X509_VERIFY_PARAM_num(param_table);
	return num;
	}

const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
	{
	int num = sizeof(default_table)/sizeof(X509_VERIFY_PARAM);
	if (id < num)
		return default_table + id;
	return sk_X509_VERIFY_PARAM_value(param_table, id - num);
	}

const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
	{
	int idx;
	X509_VERIFY_PARAM pm;

	pm.name = (char *)name;
	if (param_table)
		{
		idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
		if (idx != -1)
			return sk_X509_VERIFY_PARAM_value(param_table, idx);
		}
	return OBJ_bsearch_table(&pm, default_table,
			   sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
	}

void X509_VERIFY_PARAM_table_cleanup(void)
	{
	if (param_table)
		sk_X509_VERIFY_PARAM_pop_free(param_table,
						X509_VERIFY_PARAM_free);
	param_table = NULL;
	}
Commit	Line	Data
5d7c222d	1	/* x509_vpm.c */
2e597528	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5d7c222d DSH	3	* project 2004.
	4	*/
	5	/* ====================================================================
	6	* Copyright (c) 2004 The OpenSSL Project. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
	58
	59	#include <stdio.h>
	60
	61	#include "cryptlib.h"
	62	#include <openssl/crypto.h>
	63	#include <openssl/lhash.h>
	64	#include <openssl/buffer.h>
	65	#include <openssl/x509.h>
	66	#include <openssl/x509v3.h>
67
6c21b860	68	#include "x509_lcl.h"
4a253652	69
5d7c222d DSH	70	/* X509_VERIFY_PARAM functions */
	71
	72	static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
	73	{
4a253652	74	X509_VERIFY_PARAM_ID *paramid;
5d7c222d DSH	75	if (!param)
	76	return;
	77	param->name = NULL;
	78	param->purpose = 0;
	79	param->trust = 0;
237d7b6c DSH	80	/param->inh_flags = X509_VP_FLAG_DEFAULT;/
237d7b6c DSH	81	param->inh_flags = 0;
5d7c222d DSH	82	param->flags = 0;
	83	param->depth = -1;
	84	if (param->policies)
	85	{
	86	sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
	87	param->policies = NULL;
	88	}
4a253652 DSH	89	paramid = param->id;
4a253652 DSH	90	if (paramid->host)
3bf15e29	91	{
4a253652 DSH	92	OPENSSL_free(paramid->host);
4a253652 DSH	93	paramid->host = NULL;
3bf15e29	94	}
4a253652	95	if (paramid->email)
3bf15e29	96	{
4a253652 DSH	97	OPENSSL_free(paramid->email);
	98	paramid->email = NULL;
	99	paramid->emaillen = 0;
3bf15e29	100	}
4a253652	101	if (paramid->ip)
3bf15e29	102	{
4a253652 DSH	103	OPENSSL_free(paramid->ip);
	104	paramid->ip = NULL;
	105	paramid->iplen = 0;
3bf15e29	106	}
4a253652	107
5d7c222d DSH	108	}
	109
	110	X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
	111	{
	112	X509_VERIFY_PARAM *param;
4a253652	113	X509_VERIFY_PARAM_ID *paramid;
5d7c222d	114	param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
4a253652 DSH	115	if (!param)
	116	return NULL;
	117	paramid = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
	118	if (!paramid)
	119	{
	120	OPENSSL_free(param);
	121	return NULL;
	122	}
5d7c222d	123	memset(param, 0, sizeof(X509_VERIFY_PARAM));
4a253652 DSH	124	memset(paramid, 0, sizeof(X509_VERIFY_PARAM_ID));
4a253652 DSH	125	param->id = paramid;
5d7c222d DSH	126	x509_verify_param_zero(param);
	127	return param;
	128	}
	129
	130	void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
	131	{
	132	x509_verify_param_zero(param);
4a253652	133	OPENSSL_free(param->id);
5d7c222d DSH	134	OPENSSL_free(param);
	135	}
	136
	137	/* This function determines how parameters are "inherited" from one structure
	138	* to another. There are several different ways this can happen.
	139	*
	140	* 1. If a child structure needs to have its values initialized from a parent
	141	* they are simply copied across. For example SSL_CTX copied to SSL.
	142	* 2. If the structure should take on values only if they are currently unset.
	143	* For example the values in an SSL structure will take appropriate value
	144	* for SSL servers or clients but only if the application has not set new
	145	* ones.
	146	*
	147	* The "inh_flags" field determines how this function behaves.
	148	*
	149	* Normally any values which are set in the default are not copied from the
	150	* destination and verify flags are ORed together.
	151	*
	152	* If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
	153	* to the destination. Effectively the values in "to" become default values
	154	* which will be used only if nothing new is set in "from".
	155	*
	156	* If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
	157	* they are set or not. Flags is still Ored though.
	158	*
	159	* If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
	160	* of ORed.
	161	*
	162	* If X509_VP_FLAG_LOCKED is set then no values are copied.
	163	*
	164	* If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
	165	* after the next call.
	166	*/
	167
	168	/* Macro to test if a field should be copied from src to dest */
	169
	170	#define test_x509_verify_param_copy(field, def) \
	171	(to_overwrite \|\| \
	172	((src->field != def) && (to_default \|\| (dest->field == def))))
	173
4a253652 DSH	174	/* As above but for ID fields */
	175
	176	#define test_x509_verify_param_copy_id(idf, def) \
	177	test_x509_verify_param_copy(id->idf, def)
	178
5d7c222d DSH	179	/* Macro to test and copy a field if necessary */
	180
	181	#define x509_verify_param_copy(field, def) \
	182	if (test_x509_verify_param_copy(field, def)) \
	183	dest->field = src->field
4a253652	184
5d7c222d DSH	185
	186	int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
	187	const X509_VERIFY_PARAM *src)
	188	{
	189	unsigned long inh_flags;
	190	int to_default, to_overwrite;
4a253652	191	X509_VERIFY_PARAM_ID *id;
5d7c222d DSH	192	if (!src)
5d7c222d DSH	193	return 1;
4a253652	194	id = src->id;
5d7c222d DSH	195	inh_flags = dest->inh_flags \| src->inh_flags;
	196
	197	if (inh_flags & X509_VP_FLAG_ONCE)
	198	dest->inh_flags = 0;
	199
	200	if (inh_flags & X509_VP_FLAG_LOCKED)
	201	return 1;
	202
	203	if (inh_flags & X509_VP_FLAG_DEFAULT)
	204	to_default = 1;
	205	else
	206	to_default = 0;
	207
	208	if (inh_flags & X509_VP_FLAG_OVERWRITE)
	209	to_overwrite = 1;
	210	else
	211	to_overwrite = 0;
	212
	213	x509_verify_param_copy(purpose, 0);
	214	x509_verify_param_copy(trust, 0);
	215	x509_verify_param_copy(depth, -1);
	216
e881f617 DSH	217	/* If overwrite or check time not set, copy across */
	218
	219	if (to_overwrite \|\| !(dest->flags & X509_V_FLAG_USE_CHECK_TIME))
	220	{
	221	dest->check_time = src->check_time;
	222	dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
	223	/* Don't need to copy flag: that is done below */
	224	}
	225
5d7c222d DSH	226	if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
	227	dest->flags = 0;
	228
	229	dest->flags \|= src->flags;
	230
	231	if (test_x509_verify_param_copy(policies, NULL))
	232	{
	233	if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
	234	return 0;
	235	}
	236
4a253652	237	if (test_x509_verify_param_copy_id(host, NULL))
3bf15e29	238	{
b3012c69	239	if (!X509_VERIFY_PARAM_set1_host(dest, id->host, 0))
3bf15e29	240	return 0;
397a8e74	241	dest->id->hostflags = id->hostflags;
3bf15e29 DSH	242	}
3bf15e29 DSH	243
4a253652	244	if (test_x509_verify_param_copy_id(email, NULL))
3bf15e29	245	{
4a253652	246	if (!X509_VERIFY_PARAM_set1_email(dest, id->email, id->emaillen))
3bf15e29 DSH	247	return 0;
	248	}
	249
4a253652	250	if (test_x509_verify_param_copy_id(ip, NULL))
3bf15e29	251	{
4a253652	252	if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen))
3bf15e29 DSH	253	return 0;
	254	}
	255
5d7c222d DSH	256	return 1;
	257	}
	258
	259	int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
	260	const X509_VERIFY_PARAM *from)
	261	{
508c5352 DSH	262	unsigned long save_flags = to->inh_flags;
508c5352 DSH	263	int ret;
5d7c222d	264	to->inh_flags \|= X509_VP_FLAG_DEFAULT;
508c5352 DSH	265	ret = X509_VERIFY_PARAM_inherit(to, from);
	266	to->inh_flags = save_flags;
	267	return ret;
5d7c222d DSH	268	}
5d7c222d DSH	269
3bf15e29 DSH	270	static int int_x509_param_set1(unsigned char *pdest, size_t pdestlen,
	271	const unsigned char *src, size_t srclen)
	272	{
	273	void *tmp;
	274	if (src)
	275	{
	276	if (srclen == 0)
	277	{
	278	tmp = BUF_strdup((char *)src);
	279	srclen = strlen((char *)src);
	280	}
	281	else
	282	tmp = BUF_memdup(src, srclen);
	283	if (!tmp)
	284	return 0;
	285	}
	286	else
	287	{
	288	tmp = NULL;
	289	srclen = 0;
	290	}
	291	if (*pdest)
	292	OPENSSL_free(*pdest);
	293	*pdest = tmp;
	294	if (pdestlen)
	295	*pdestlen = srclen;
	296	return 1;
	297	}
	298
5d7c222d DSH	299	int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM param, const char name)
	300	{
	301	if (param->name)
	302	OPENSSL_free(param->name);
	303	param->name = BUF_strdup(name);
	304	if (param->name)
	305	return 1;
	306	return 0;
	307	}
	308
	309	int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
	310	{
	311	param->flags \|= flags;
	312	if (flags & X509_V_FLAG_POLICY_MASK)
	313	param->flags \|= X509_V_FLAG_POLICY_CHECK;
	314	return 1;
	315	}
	316
f022c177 DSH	317	int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
	318	{
	319	param->flags &= ~flags;
	320	return 1;
	321	}
	322
	323	unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
	324	{
	325	return param->flags;
	326	}
	327
5d7c222d DSH	328	int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
	329	{
	330	return X509_PURPOSE_set(&param->purpose, purpose);
	331	}
	332
	333	int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
	334	{
	335	return X509_TRUST_set(&param->trust, trust);
	336	}
	337
	338	void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
	339	{
	340	param->depth = depth;
	341	}
	342
	343	void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
	344	{
	345	param->check_time = t;
	346	param->flags \|= X509_V_FLAG_USE_CHECK_TIME;
	347	}
	348
	349	int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM param, ASN1_OBJECT policy)
	350	{
	351	if (!param->policies)
	352	{
	353	param->policies = sk_ASN1_OBJECT_new_null();
	354	if (!param->policies)
	355	return 0;
	356	}
	357	if (!sk_ASN1_OBJECT_push(param->policies, policy))
	358	return 0;
	359	return 1;
	360	}
	361
	362	int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
	363	STACK_OF(ASN1_OBJECT) *policies)
	364	{
	365	int i;
	366	ASN1_OBJECT oid, doid;
	367	if (!param)
	368	return 0;
	369	if (param->policies)
	370	sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
	371
	372	if (!policies)
	373	{
	374	param->policies = NULL;
	375	return 1;
	376	}
	377
	378	param->policies = sk_ASN1_OBJECT_new_null();
	379	if (!param->policies)
	380	return 0;
	381
	382	for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++)
	383	{
	384	oid = sk_ASN1_OBJECT_value(policies, i);
	385	doid = OBJ_dup(oid);
	386	if (!doid)
	387	return 0;
	388	if (!sk_ASN1_OBJECT_push(param->policies, doid))
	389	{
	390	ASN1_OBJECT_free(doid);
	391	return 0;
392	}
393	}
394	param->flags \|= X509_V_FLAG_POLICY_CHECK;
395	return 1;
396	}
397
3bf15e29 DSH	398	int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
	399	const unsigned char *name, size_t namelen)
	400	{
b3012c69	401	return int_x509_param_set1(&param->id->host, NULL, name, namelen);
3bf15e29 DSH	402	}
3bf15e29 DSH	403
397a8e74 VD	404	void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
	405	unsigned int flags)
	406	{
	407	param->id->hostflags = flags;
	408	}
	409
3bf15e29 DSH	410	int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
	411	const unsigned char *email, size_t emaillen)
	412	{
4a253652	413	return int_x509_param_set1(&param->id->email, &param->id->emaillen,
3bf15e29 DSH	414	email, emaillen);
	415	}
	416
	417	int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
	418	const unsigned char *ip, size_t iplen)
	419	{
	420	if (iplen != 0 && iplen != 4 && iplen != 16)
	421	return 0;
4a253652	422	return int_x509_param_set1(&param->id->ip, &param->id->iplen, ip, iplen);
3bf15e29 DSH	423	}
	424
	425	int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM param, const char ipasc)
	426	{
	427	unsigned char ipout[16];
	428	int iplen;
	429	iplen = a2i_ipadd(ipout, ipasc);
	430	if (iplen == 0)
	431	return 0;
	432	return X509_VERIFY_PARAM_set1_ip(param, ipout, (size_t)iplen);
	433	}
	434
5d7c222d DSH	435	int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
	436	{
	437	return param->depth;
	438	}
	439
9b3d7570 DSH	440	const char X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM param)
	441	{
	442	return param->name;
	443	}
	444
b3012c69	445	static X509_VERIFY_PARAM_ID _empty_id = {NULL, 0U, NULL, 0, NULL, 0};
4a253652 DSH	446
	447	#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id
	448
	449
5d7c222d DSH	450	/* Default verify parameters: these are used for various
	451	* applications and can be overridden by the user specified table.
	452	* NB: the 'name' field must be in alphabetical order because it
	453	* will be searched using OBJ_search.
	454	*/
	455
	456	static const X509_VERIFY_PARAM default_table[] = {
	457	{
	458	"default", /* X509 default parameters */
	459	0, /* Check time */
	460	0, /* internal flags */
	461	0, /* flags */
	462	0, /* purpose */
	463	0, /* trust */
30e5e39a	464	100, /* depth */
4a253652 DSH	465	NULL, /* policies */
4a253652 DSH	466	vpm_empty_id
5d7c222d DSH	467	},
5d7c222d DSH	468	{
237d7b6c DSH	469	"pkcs7", /* S/MIME sign parameters */
	470	0, /* Check time */
	471	0, /* internal flags */
	472	0, /* flags */
	473	X509_PURPOSE_SMIME_SIGN, /* purpose */
	474	X509_TRUST_EMAIL, /* trust */
	475	-1, /* depth */
4a253652 DSH	476	NULL, /* policies */
4a253652 DSH	477	vpm_empty_id
237d7b6c DSH	478	},
	479	{
	480	"smime_sign", /* S/MIME sign parameters */
5d7c222d DSH	481	0, /* Check time */
	482	0, /* internal flags */
	483	0, /* flags */
	484	X509_PURPOSE_SMIME_SIGN, /* purpose */
	485	X509_TRUST_EMAIL, /* trust */
	486	-1, /* depth */
4a253652 DSH	487	NULL, /* policies */
4a253652 DSH	488	vpm_empty_id
5d7c222d DSH	489	},
	490	{
	491	"ssl_client", /* SSL/TLS client parameters */
	492	0, /* Check time */
	493	0, /* internal flags */
	494	0, /* flags */
	495	X509_PURPOSE_SSL_CLIENT, /* purpose */
	496	X509_TRUST_SSL_CLIENT, /* trust */
	497	-1, /* depth */
4a253652 DSH	498	NULL, /* policies */
4a253652 DSH	499	vpm_empty_id
5d7c222d DSH	500	},
	501	{
	502	"ssl_server", /* SSL/TLS server parameters */
	503	0, /* Check time */
	504	0, /* internal flags */
	505	0, /* flags */
	506	X509_PURPOSE_SSL_SERVER, /* purpose */
	507	X509_TRUST_SSL_SERVER, /* trust */
	508	-1, /* depth */
4a253652 DSH	509	NULL, /* policies */
4a253652 DSH	510	vpm_empty_id
5d7c222d DSH	511	}};
	512
	513	static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
	514
babb3798 BL	515	static int table_cmp(const X509_VERIFY_PARAM a, const X509_VERIFY_PARAM b)
babb3798 BL	516
5d7c222d	517	{
5d7c222d DSH	518	return strcmp(a->name, b->name);
	519	}
	520
606f6c47	521	DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
e19106f5	522	table);
606f6c47	523	IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
e19106f5	524	table);
babb3798	525
5d7c222d DSH	526	static int param_cmp(const X509_VERIFY_PARAM * const *a,
	527	const X509_VERIFY_PARAM * const *b)
	528	{
	529	return strcmp((a)->name, (b)->name);
	530	}
	531
	532	int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
	533	{
	534	int idx;
	535	X509_VERIFY_PARAM *ptmp;
	536	if (!param_table)
	537	{
	538	param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
	539	if (!param_table)
	540	return 0;
	541	}
	542	else
	543	{
	544	idx = sk_X509_VERIFY_PARAM_find(param_table, param);
	545	if (idx != -1)
	546	{
	547	ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
	548	X509_VERIFY_PARAM_free(ptmp);
a6fbcb42	549	(void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
5d7c222d DSH	550	}
	551	}
	552	if (!sk_X509_VERIFY_PARAM_push(param_table, param))
	553	return 0;
	554	return 1;
	555	}
	556
9b3d7570 DSH	557	int X509_VERIFY_PARAM_get_count(void)
	558	{
	559	int num = sizeof(default_table)/sizeof(X509_VERIFY_PARAM);
	560	if (param_table)
	561	num += sk_X509_VERIFY_PARAM_num(param_table);
	562	return num;
	563	}
	564
	565	const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
	566	{
	567	int num = sizeof(default_table)/sizeof(X509_VERIFY_PARAM);
	568	if (id < num)
	569	return default_table + id;
	570	return sk_X509_VERIFY_PARAM_value(param_table, id - num);
	571	}
	572
5d7c222d DSH	573	const X509_VERIFY_PARAM X509_VERIFY_PARAM_lookup(const char name)
	574	{
	575	int idx;
	576	X509_VERIFY_PARAM pm;
babb3798	577
5d7c222d DSH	578	pm.name = (char *)name;
	579	if (param_table)
	580	{
	581	idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
	582	if (idx != -1)
	583	return sk_X509_VERIFY_PARAM_value(param_table, idx);
	584	}
e19106f5 DSH	585	return OBJ_bsearch_table(&pm, default_table,
e19106f5 DSH	586	sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
5d7c222d DSH	587	}
	588
	589	void X509_VERIFY_PARAM_table_cleanup(void)
	590	{
	591	if (param_table)
	592	sk_X509_VERIFY_PARAM_pop_free(param_table,
	593	X509_VERIFY_PARAM_free);
	594	param_table = NULL;
	595	}