]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/x509/x509_vpm.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Rename some BUF_xxx to OPENSSL_xxx
[thirdparty/openssl.git] / crypto / x509 / x509_vpm.c
1 /* x509_vpm.c */
2 /*
3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
4 * 2004.
5 */
6 /* ====================================================================
7 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59
60 #include <stdio.h>
61
62 #include "internal/cryptlib.h"
63 #include <openssl/crypto.h>
64 #include <openssl/lhash.h>
65 #include <openssl/buffer.h>
66 #include <openssl/x509.h>
67 #include <openssl/x509v3.h>
68
69 #include "x509_lcl.h"
70
71 /* X509_VERIFY_PARAM functions */
72
73 #define SET_HOST 0
74 #define ADD_HOST 1
75
76 static char *str_copy(const char *s)
77 {
78 return OPENSSL_strdup(s);
79 }
80
81 static void str_free(char *s)
82 {
83 OPENSSL_free(s);
84 }
85
86 static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
87 const char *name, size_t namelen)
88 {
89 char *copy;
90
91 /*
92 * Refuse names with embedded NUL bytes, except perhaps as final byte.
93 * XXX: Do we need to push an error onto the error stack?
94 */
95 if (namelen == 0)
96 namelen = name ? strlen(name) : 0;
97 else if (name && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen))
98 return 0;
99 if (name && name[namelen - 1] == '\0')
100 --namelen;
101
102 if (mode == SET_HOST) {
103 sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
104 vpm->hosts = NULL;
105 }
106 if (name == NULL || namelen == 0)
107 return 1;
108
109 copy = OPENSSL_strndup(name, namelen);
110 if (copy == NULL)
111 return 0;
112
113 if (vpm->hosts == NULL &&
114 (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
115 OPENSSL_free(copy);
116 return 0;
117 }
118
119 if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
120 OPENSSL_free(copy);
121 if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
122 sk_OPENSSL_STRING_free(vpm->hosts);
123 vpm->hosts = NULL;
124 }
125 return 0;
126 }
127
128 return 1;
129 }
130
131 static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
132 {
133 if (!param)
134 return;
135 param->name = NULL;
136 param->purpose = 0;
137 param->trust = 0;
138 /*
139 * param->inh_flags = X509_VP_FLAG_DEFAULT;
140 */
141 param->inh_flags = 0;
142 param->flags = 0;
143 param->depth = -1;
144 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
145 param->policies = NULL;
146 sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
147 param->hosts = NULL;
148 OPENSSL_free(param->peername);
149 param->peername = NULL;
150 OPENSSL_free(param->email);
151 param->email = NULL;
152 param->emaillen = 0;
153 OPENSSL_free(param->ip);
154 param->ip = NULL;
155 param->iplen = 0;
156 }
157
158 X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
159 {
160 X509_VERIFY_PARAM *param;
161
162 param = OPENSSL_zalloc(sizeof(*param));
163 if (param == NULL)
164 return NULL;
165 x509_verify_param_zero(param);
166 return param;
167 }
168
169 void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
170 {
171 if (!param)
172 return;
173 x509_verify_param_zero(param);
174 OPENSSL_free(param);
175 }
176
177 /*-
178 * This function determines how parameters are "inherited" from one structure
179 * to another. There are several different ways this can happen.
180 *
181 * 1. If a child structure needs to have its values initialized from a parent
182 * they are simply copied across. For example SSL_CTX copied to SSL.
183 * 2. If the structure should take on values only if they are currently unset.
184 * For example the values in an SSL structure will take appropriate value
185 * for SSL servers or clients but only if the application has not set new
186 * ones.
187 *
188 * The "inh_flags" field determines how this function behaves.
189 *
190 * Normally any values which are set in the default are not copied from the
191 * destination and verify flags are ORed together.
192 *
193 * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
194 * to the destination. Effectively the values in "to" become default values
195 * which will be used only if nothing new is set in "from".
196 *
197 * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
198 * they are set or not. Flags is still Ored though.
199 *
200 * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
201 * of ORed.
202 *
203 * If X509_VP_FLAG_LOCKED is set then no values are copied.
204 *
205 * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
206 * after the next call.
207 */
208
209 /* Macro to test if a field should be copied from src to dest */
210
211 #define test_x509_verify_param_copy(field, def) \
212 (to_overwrite || \
213 ((src->field != def) && (to_default || (dest->field == def))))
214
215 /* Macro to test and copy a field if necessary */
216
217 #define x509_verify_param_copy(field, def) \
218 if (test_x509_verify_param_copy(field, def)) \
219 dest->field = src->field
220
221 int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
222 const X509_VERIFY_PARAM *src)
223 {
224 unsigned long inh_flags;
225 int to_default, to_overwrite;
226 if (!src)
227 return 1;
228 inh_flags = dest->inh_flags | src->inh_flags;
229
230 if (inh_flags & X509_VP_FLAG_ONCE)
231 dest->inh_flags = 0;
232
233 if (inh_flags & X509_VP_FLAG_LOCKED)
234 return 1;
235
236 if (inh_flags & X509_VP_FLAG_DEFAULT)
237 to_default = 1;
238 else
239 to_default = 0;
240
241 if (inh_flags & X509_VP_FLAG_OVERWRITE)
242 to_overwrite = 1;
243 else
244 to_overwrite = 0;
245
246 x509_verify_param_copy(purpose, 0);
247 x509_verify_param_copy(trust, 0);
248 x509_verify_param_copy(depth, -1);
249
250 /* If overwrite or check time not set, copy across */
251
252 if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
253 dest->check_time = src->check_time;
254 dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
255 /* Don't need to copy flag: that is done below */
256 }
257
258 if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
259 dest->flags = 0;
260
261 dest->flags |= src->flags;
262
263 if (test_x509_verify_param_copy(policies, NULL)) {
264 if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
265 return 0;
266 }
267
268 /* Copy the host flags if and only if we're copying the host list */
269 if (test_x509_verify_param_copy(hosts, NULL)) {
270 sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
271 dest->hosts = NULL;
272 if (src->hosts) {
273 dest->hosts =
274 sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
275 if (dest->hosts == NULL)
276 return 0;
277 dest->hostflags = src->hostflags;
278 }
279 }
280
281 if (test_x509_verify_param_copy(email, NULL)) {
282 if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen))
283 return 0;
284 }
285
286 if (test_x509_verify_param_copy(ip, NULL)) {
287 if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
288 return 0;
289 }
290
291 return 1;
292 }
293
294 int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
295 const X509_VERIFY_PARAM *from)
296 {
297 unsigned long save_flags = to->inh_flags;
298 int ret;
299 to->inh_flags |= X509_VP_FLAG_DEFAULT;
300 ret = X509_VERIFY_PARAM_inherit(to, from);
301 to->inh_flags = save_flags;
302 return ret;
303 }
304
305 static int int_x509_param_set1(char **pdest, size_t *pdestlen,
306 const char *src, size_t srclen)
307 {
308 void *tmp;
309 if (src) {
310 if (srclen == 0) {
311 tmp = OPENSSL_strdup(src);
312 srclen = strlen(src);
313 } else
314 tmp = OPENSSL_memdup(src, srclen);
315 if (!tmp)
316 return 0;
317 } else {
318 tmp = NULL;
319 srclen = 0;
320 }
321 OPENSSL_free(*pdest);
322 *pdest = tmp;
323 if (pdestlen)
324 *pdestlen = srclen;
325 return 1;
326 }
327
328 int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
329 {
330 OPENSSL_free(param->name);
331 param->name = OPENSSL_strdup(name);
332 if (param->name)
333 return 1;
334 return 0;
335 }
336
337 int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
338 {
339 param->flags |= flags;
340 if (flags & X509_V_FLAG_POLICY_MASK)
341 param->flags |= X509_V_FLAG_POLICY_CHECK;
342 return 1;
343 }
344
345 int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
346 unsigned long flags)
347 {
348 param->flags &= ~flags;
349 return 1;
350 }
351
352 unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
353 {
354 return param->flags;
355 }
356
357 int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
358 {
359 return X509_PURPOSE_set(&param->purpose, purpose);
360 }
361
362 int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
363 {
364 return X509_TRUST_set(&param->trust, trust);
365 }
366
367 void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
368 {
369 param->depth = depth;
370 }
371
372 void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
373 {
374 param->check_time = t;
375 param->flags |= X509_V_FLAG_USE_CHECK_TIME;
376 }
377
378 int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
379 ASN1_OBJECT *policy)
380 {
381 if (!param->policies) {
382 param->policies = sk_ASN1_OBJECT_new_null();
383 if (!param->policies)
384 return 0;
385 }
386 if (!sk_ASN1_OBJECT_push(param->policies, policy))
387 return 0;
388 return 1;
389 }
390
391 int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
392 STACK_OF(ASN1_OBJECT) *policies)
393 {
394 int i;
395 ASN1_OBJECT *oid, *doid;
396
397 if (!param)
398 return 0;
399 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
400
401 if (!policies) {
402 param->policies = NULL;
403 return 1;
404 }
405
406 param->policies = sk_ASN1_OBJECT_new_null();
407 if (!param->policies)
408 return 0;
409
410 for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
411 oid = sk_ASN1_OBJECT_value(policies, i);
412 doid = OBJ_dup(oid);
413 if (!doid)
414 return 0;
415 if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
416 ASN1_OBJECT_free(doid);
417 return 0;
418 }
419 }
420 param->flags |= X509_V_FLAG_POLICY_CHECK;
421 return 1;
422 }
423
424 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
425 const char *name, size_t namelen)
426 {
427 return int_x509_param_set_hosts(param, SET_HOST, name, namelen);
428 }
429
430 int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
431 const char *name, size_t namelen)
432 {
433 return int_x509_param_set_hosts(param, ADD_HOST, name, namelen);
434 }
435
436 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
437 unsigned int flags)
438 {
439 param->hostflags = flags;
440 }
441
442 char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
443 {
444 return param->peername;
445 }
446
447 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
448 const char *email, size_t emaillen)
449 {
450 return int_x509_param_set1(&param->email, &param->emaillen,
451 email, emaillen);
452 }
453
454 int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
455 const unsigned char *ip, size_t iplen)
456 {
457 if (iplen != 0 && iplen != 4 && iplen != 16)
458 return 0;
459 return int_x509_param_set1((char **)&param->ip, &param->iplen,
460 (char *)ip, iplen);
461 }
462
463 int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
464 {
465 unsigned char ipout[16];
466 size_t iplen;
467
468 iplen = (size_t)a2i_ipadd(ipout, ipasc);
469 if (iplen == 0)
470 return 0;
471 return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
472 }
473
474 int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
475 {
476 return param->depth;
477 }
478
479 const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
480 {
481 return param->name;
482 }
483
484 #define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0
485
486 /*
487 * Default verify parameters: these are used for various applications and can
488 * be overridden by the user specified table. NB: the 'name' field *must* be
489 * in alphabetical order because it will be searched using OBJ_search.
490 */
491
492 static const X509_VERIFY_PARAM default_table[] = {
493 {
494 "default", /* X509 default parameters */
495 0, /* Check time */
496 0, /* internal flags */
497 0, /* flags */
498 0, /* purpose */
499 0, /* trust */
500 100, /* depth */
501 NULL, /* policies */
502 vpm_empty_id},
503 {
504 "pkcs7", /* S/MIME sign parameters */
505 0, /* Check time */
506 0, /* internal flags */
507 0, /* flags */
508 X509_PURPOSE_SMIME_SIGN, /* purpose */
509 X509_TRUST_EMAIL, /* trust */
510 -1, /* depth */
511 NULL, /* policies */
512 vpm_empty_id},
513 {
514 "smime_sign", /* S/MIME sign parameters */
515 0, /* Check time */
516 0, /* internal flags */
517 0, /* flags */
518 X509_PURPOSE_SMIME_SIGN, /* purpose */
519 X509_TRUST_EMAIL, /* trust */
520 -1, /* depth */
521 NULL, /* policies */
522 vpm_empty_id},
523 {
524 "ssl_client", /* SSL/TLS client parameters */
525 0, /* Check time */
526 0, /* internal flags */
527 0, /* flags */
528 X509_PURPOSE_SSL_CLIENT, /* purpose */
529 X509_TRUST_SSL_CLIENT, /* trust */
530 -1, /* depth */
531 NULL, /* policies */
532 vpm_empty_id},
533 {
534 "ssl_server", /* SSL/TLS server parameters */
535 0, /* Check time */
536 0, /* internal flags */
537 0, /* flags */
538 X509_PURPOSE_SSL_SERVER, /* purpose */
539 X509_TRUST_SSL_SERVER, /* trust */
540 -1, /* depth */
541 NULL, /* policies */
542 vpm_empty_id}
543 };
544
545 static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
546
547 static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
548 {
549 return strcmp(a->name, b->name);
550 }
551
552 DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
553 IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
554
555 static int param_cmp(const X509_VERIFY_PARAM *const *a,
556 const X509_VERIFY_PARAM *const *b)
557 {
558 return strcmp((*a)->name, (*b)->name);
559 }
560
561 int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
562 {
563 int idx;
564 X509_VERIFY_PARAM *ptmp;
565 if (param_table == NULL) {
566 param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
567 if (param_table == NULL)
568 return 0;
569 } else {
570 idx = sk_X509_VERIFY_PARAM_find(param_table, param);
571 if (idx != -1) {
572 ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
573 X509_VERIFY_PARAM_free(ptmp);
574 (void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
575 }
576 }
577 if (!sk_X509_VERIFY_PARAM_push(param_table, param))
578 return 0;
579 return 1;
580 }
581
582 int X509_VERIFY_PARAM_get_count(void)
583 {
584 int num = OSSL_NELEM(default_table);
585 if (param_table)
586 num += sk_X509_VERIFY_PARAM_num(param_table);
587 return num;
588 }
589
590 const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
591 {
592 int num = OSSL_NELEM(default_table);
593 if (id < num)
594 return default_table + id;
595 return sk_X509_VERIFY_PARAM_value(param_table, id - num);
596 }
597
598 const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
599 {
600 int idx;
601 X509_VERIFY_PARAM pm;
602
603 pm.name = (char *)name;
604 if (param_table) {
605 idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
606 if (idx != -1)
607 return sk_X509_VERIFY_PARAM_value(param_table, idx);
608 }
609 return OBJ_bsearch_table(&pm, default_table, OSSL_NELEM(default_table));
610 }
611
612 void X509_VERIFY_PARAM_table_cleanup(void)
613 {
614 sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free);
615 param_table = NULL;
616 }
A mirror of the official openssl repository