/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#define CRL_SCORE_AKID 0x004 /* CRL issuer matches CRL AKID */
#define CRL_SCORE_TIME_DELTA 0x002 /* Have a delta CRL with valid times */
+static int x509_verify_x509(X509_STORE_CTX *ctx);
+static int x509_verify_rpk(X509_STORE_CTX *ctx);
static int build_chain(X509_STORE_CTX *ctx);
static int verify_chain(X509_STORE_CTX *ctx);
+static int verify_rpk(X509_STORE_CTX *ctx);
static int dane_verify(X509_STORE_CTX *ctx);
+static int dane_verify_rpk(X509_STORE_CTX *ctx);
static int null_callback(int ok, X509_STORE_CTX *e);
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
static int check_policy(X509_STORE_CTX *ctx);
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);
-static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
+static int check_cert_key_level(X509_STORE_CTX *ctx, X509 *cert);
+static int check_key_level(X509_STORE_CTX *ctx, EVP_PKEY *pkey);
static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert);
static int check_curve(X509 *cert);
ERR_pop_to_mark();
if (certs == NULL)
return -1;
+
/* Look for exact match */
for (i = 0; i < sk_X509_num(certs); i++) {
xtmp = sk_X509_value(certs, i);
else
*result = xtmp;
}
- sk_X509_pop_free(certs, X509_free);
+ OSSL_STACK_OF_X509_free(certs);
return ret;
}
* The error code is set to |err| if |err| is not X509_V_OK, else
* |ctx->error| is left unchanged (under the assumption it is set elsewhere).
* The error depth is |depth| if >= 0, else it defaults to |ctx->error_depth|.
- * The error cert is |x| if not NULL, else defaults to the chain cert at depth.
+ * The error cert is |x| if not NULL, else the cert in |ctx->chain| at |depth|.
*
* Returns 0 to abort verification with an error, non-zero to continue.
*/
depth = ctx->error_depth;
else
ctx->error_depth = depth;
- ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth);
+ ctx->current_cert = x != NULL ? x : sk_X509_value(ctx->chain, depth);
if (err != X509_V_OK)
ctx->error = err;
return ctx->verify_cb(0, ctx);
return ctx->verify_cb(0, ctx);
}
+/* Sadly, returns 0 also on internal error in ctx->verify_cb(). */
static int check_auth_level(X509_STORE_CTX *ctx)
{
int i;
* We've already checked the security of the leaf key, so here we only
* check the security of issuer keys.
*/
- CB_FAIL_IF(i > 0 && !check_key_level(ctx, cert),
+ CB_FAIL_IF(i > 0 && !check_cert_key_level(ctx, cert),
ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL);
/*
* We also check the signature algorithm security of all certificates
return 1;
}
-/* Returns -1 on internal error */
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
+static int verify_rpk(X509_STORE_CTX *ctx)
+{
+ /* Not much to verify on a RPK */
+ if (ctx->verify != NULL)
+ return ctx->verify(ctx);
+
+ return !!ctx->verify_cb(ctx->error == X509_V_OK, ctx);
+}
+
+
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
static int verify_chain(X509_STORE_CTX *ctx)
{
int err;
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return -1;
}
+ if (ctx->rpk != NULL)
+ return x509_verify_rpk(ctx);
if (ctx->cert == NULL && sk_X509_num(ctx->untrusted) >= 1)
ctx->cert = sk_X509_value(ctx->untrusted, 0);
- return X509_verify_cert(ctx);
+ return x509_verify_x509(ctx);
}
int X509_verify_cert(X509_STORE_CTX *ctx)
{
- int ret;
-
if (ctx == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return -1;
}
+ return (ctx->rpk != NULL) ? x509_verify_rpk(ctx) : x509_verify_x509(ctx);
+}
+
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
+static int x509_verify_rpk(X509_STORE_CTX *ctx)
+{
+ int ret;
+
+ /* If the peer's public key is too weak, we can stop early. */
+ if (!check_key_level(ctx, ctx->rpk)
+ && verify_cb_cert(ctx, NULL, 0, X509_V_ERR_EE_KEY_TOO_SMALL) == 0)
+ return 0;
+
+ /* Barring any data to verify the RPK, simply report it as untrusted */
+ ctx->error = X509_V_ERR_RPK_UNTRUSTED;
+
+ ret = DANETLS_ENABLED(ctx->dane) ? dane_verify_rpk(ctx) : verify_rpk(ctx);
+
+ /*
+ * Safety-net. If we are returning an error, we must also set ctx->error,
+ * so that the chain is not considered verified should the error be ignored
+ * (e.g. TLS with SSL_VERIFY_NONE).
+ */
+ if (ret <= 0 && ctx->error == X509_V_OK)
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return ret;
+}
+
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
+static int x509_verify_x509(X509_STORE_CTX *ctx)
+{
+ int ret;
+
if (ctx->cert == NULL) {
ERR_raise(ERR_LIB_X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
ctx->error = X509_V_ERR_INVALID_CALL;
ctx->num_untrusted = 1;
/* If the peer's public key is too weak, we can stop early. */
- CB_FAIL_IF(!check_key_level(ctx, ctx->cert),
+ CB_FAIL_IF(!check_cert_key_level(ctx, ctx->cert),
ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL);
ret = DANETLS_ENABLED(ctx->dane) ? dane_verify(ctx) : verify_chain(ctx);
return rv;
}
-/* Check that the given certificate 'x' is issued by the certificate 'issuer' */
+/* Check that the given certificate |x| is issued by the certificate |issuer| */
static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
int err = ossl_x509_likely_issued(issuer, x);
* SUBJECT_ISSUER_MISMATCH just means 'x' is clearly not issued by 'issuer'.
* Every other error code likely indicates a real error.
*/
- if (err != X509_V_ERR_SUBJECT_ISSUER_MISMATCH)
- ctx->error = err;
return 0;
}
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->other_ctx, x);
- if (*issuer != NULL)
- return X509_up_ref(*issuer) ? 1 : -1;
- return 0;
+ if (*issuer == NULL)
+ return 0;
+ return X509_up_ref(*issuer) ? 1 : -1;
}
/*-
* Alternative lookup method: look from a STACK stored in other_ctx.
- * Returns NULL on internal error (such as out of memory).
+ * Returns NULL on internal/fatal error, empty stack if not found.
*/
-static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx,
- const X509_NAME *nm)
+static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, const X509_NAME *nm)
{
STACK_OF(X509) *sk = sk_X509_new_null();
X509 *x;
x = sk_X509_value(ctx->other_ctx, i);
if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {
if (!X509_add_cert(sk, x, X509_ADD_FLAG_UP_REF)) {
- sk_X509_pop_free(sk, X509_free);
+ OSSL_STACK_OF_X509_free(sk);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return NULL;
}
/*
* Check EE or CA certificate purpose. For trusted certificates explicit local
* auxiliary trust can be used to override EKU-restrictions.
- * Sadly, returns 0 also on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
*/
static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth,
int must_be_ca)
return 1;
case X509_TRUST_REJECTED:
break;
- default:
+ default: /* can only be X509_TRUST_UNTRUSTED */
switch (X509_check_purpose(x, purpose, must_be_ca > 0)) {
case 1:
return 1;
return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE);
}
-/*
+/*-
* Check extensions of a cert chain for consistency with the supplied purpose.
- * Sadly, returns 0 also on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
*/
static int check_extensions(X509_STORE_CTX *ctx)
{
GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
if (gs == NULL)
- return -1;
+ return 0;
for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) {
GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i);
return ret;
}
-/* Returns -1 on internal error */
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
static int check_name_constraints(X509_STORE_CTX *ctx)
{
int i;
*/
tmpsubject = X509_NAME_dup(tmpsubject);
if (tmpsubject == NULL) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_ASN1_LIB);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return -1;
}
res = lookup_cert_match(&mx, ctx, x);
if (res < 0)
return res;
- if (mx == NULL)
+ if (res == 0)
return X509_TRUST_UNTRUSTED;
/*
last = sk_X509_num(ctx->chain) - 1;
} else {
/* If checking CRL paths this isn't the EE certificate */
- if (ctx->parent)
+ if (ctx->parent != NULL)
return 1;
last = 0;
}
time_t *ptime;
int i;
- if (notify)
- ctx->current_crl = crl;
if ((ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) != 0)
ptime = &ctx->param->check_time;
else if ((ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) != 0)
return 1;
else
ptime = NULL;
+ if (notify)
+ ctx->current_crl = crl;
i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
if (i == 0) {
return 1;
}
+/* Sadly, returns 0 also on internal error in ctx->verify_cb(). */
static int check_policy(X509_STORE_CTX *ctx)
{
int ret;
* was verified via a bare public key, and pop it off right after the
* X509_policy_check() call.
*/
- if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL))
+ if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
goto memerr;
+ }
ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
ctx->param->policies, ctx->param->flags);
if (ctx->bare_ta_signed)
(void)sk_X509_pop(ctx->chain);
- if (ret == X509_PCY_TREE_INTERNAL)
+ if (ret == X509_PCY_TREE_INTERNAL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
goto memerr;
+ }
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
- int i;
+ int i, cbcalled = 0;
/* Locate certificates with bad extensions and notify callback. */
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);
+ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
+ cbcalled = 1;
CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
}
+ if (!cbcalled) {
+ /* Should not be able to get here */
+ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ /* The callback ignored the error so we return success */
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {
return 1;
memerr:
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return -1;
}
* the validation status.
*
* Return 1 on success, 0 otherwise.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
*/
int ossl_x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
{
/*
* Verify the issuer signatures and cert times of ctx->chain.
- * Sadly, returns 0 also on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
*/
static int internal_verify(X509_STORE_CTX *ctx)
{
- int n = sk_X509_num(ctx->chain) - 1;
- X509 *xi = sk_X509_value(ctx->chain, n);
- X509 *xs = xi;
+ int n;
+ X509 *xi;
+ X509 *xs;
+
+ /* For RPK: just do the verify callback */
+ if (ctx->rpk != NULL) {
+ if (!ctx->verify_cb(ctx->error == X509_V_OK, ctx))
+ return 0;
+ return 1;
+ }
+ n = sk_X509_num(ctx->chain) - 1;
+ xi = sk_X509_value(ctx->chain, n);
+ xs = xi;
ctx->error_depth = n;
if (ctx->bare_ta_signed) {
return X509_cmp_time(ctm, NULL);
}
+/* returns 0 on error, otherwise 1 if ctm > cmp_time, else -1 */
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
{
static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
{
X509_CRL *crl = NULL;
int i;
-
STACK_OF(X509_REVOKED) *revs = NULL;
+
/* CRLs can't be delta already */
if (base->base_crl_number != NULL || newer->base_crl_number != NULL) {
ERR_raise(ERR_LIB_X509, X509_R_CRL_ALREADY_DELTA);
}
/* Create new CRL */
crl = X509_CRL_new_ex(base->libctx, base->propq);
- if (crl == NULL || !X509_CRL_set_version(crl, X509_CRL_VERSION_2))
- goto memerr;
+ if (crl == NULL || !X509_CRL_set_version(crl, X509_CRL_VERSION_2)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
/* Set issuer name */
- if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
- goto memerr;
+ if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
- if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer)))
- goto memerr;
- if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))
- goto memerr;
+ if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
+ if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer))) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
/* Set base CRL number: must be critical */
- if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))
- goto memerr;
+ if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
/*
* Copy extensions across from newest CRL to delta: this will set CRL
for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
X509_EXTENSION *ext = X509_CRL_get_ext(newer, i);
- if (!X509_CRL_add_ext(crl, ext, -1))
- goto memerr;
+ if (!X509_CRL_add_ext(crl, ext, -1)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
}
/* Go through revoked entries, copying as needed */
*/
if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) {
rvtmp = X509_REVOKED_dup(rvn);
- if (rvtmp == NULL)
- goto memerr;
+ if (rvtmp == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_ASN1_LIB);
+ goto err;
+ }
if (!X509_CRL_add0_revoked(crl, rvtmp)) {
X509_REVOKED_free(rvtmp);
- goto memerr;
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
}
}
}
- if (skey != NULL && md != NULL && !X509_CRL_sign(crl, skey, md))
- goto memerr;
+ if (skey != NULL && md != NULL && !X509_CRL_sign(crl, skey, md)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
return crl;
- memerr:
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ err:
X509_CRL_free(crl);
return NULL;
}
ctx->cert = x;
}
+void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *rpk)
+{
+ ctx->rpk = rpk;
+}
+
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
{
ctx->crls = sk;
/* If purpose not set use default */
if (purpose == 0)
purpose = def_purpose;
+ /*
+ * If purpose is set but we don't have a default then set the default to
+ * the current purpose
+ */
+ else if (def_purpose == 0)
+ def_purpose = purpose;
/* If we have a purpose then check it is valid */
if (purpose != 0) {
X509_PURPOSE *ptmp;
ptmp = X509_PURPOSE_get0(idx);
if (ptmp->trust == X509_TRUST_DEFAULT) {
idx = X509_PURPOSE_get_by_id(def_purpose);
- /*
- * XXX: In the two callers above def_purpose is always 0, which is
- * not a known value, so idx will always be -1. How is the
- * X509_TRUST_DEFAULT case actually supposed to be handled?
- */
if (idx == -1) {
ERR_raise(ERR_LIB_X509, X509_R_UNKNOWN_PURPOSE_ID);
return 0;
{
X509_STORE_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
- if (ctx == NULL) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ if (ctx == NULL)
return NULL;
- }
ctx->libctx = libctx;
if (propq != NULL) {
ctx->propq = OPENSSL_strdup(propq);
if (ctx->propq == NULL) {
OPENSSL_free(ctx);
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
return NULL;
}
}
OPENSSL_free(ctx);
}
+
+int X509_STORE_CTX_init_rpk(X509_STORE_CTX *ctx, X509_STORE *store, EVP_PKEY *rpk)
+{
+ if (!X509_STORE_CTX_init(ctx, store, NULL, NULL))
+ return 0;
+ ctx->rpk = rpk;
+ return 1;
+}
+
int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
STACK_OF(X509) *chain)
{
- int ret = 1;
-
if (ctx == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return 0;
ctx->parent = NULL;
ctx->dane = NULL;
ctx->bare_ta_signed = 0;
+ ctx->rpk = NULL;
/* Zero ex_data to make sure we're cleanup-safe */
memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
ctx->param = X509_VERIFY_PARAM_new();
if (ctx->param == NULL) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_ASN1_LIB);
goto err;
}
/* Inherit callbacks and flags from X509_STORE if not set use defaults. */
- if (store != NULL)
- ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
- else
+ if (store == NULL)
ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE;
+ else if (X509_VERIFY_PARAM_inherit(ctx->param, store->param) == 0)
+ goto err;
- if (ret)
- ret = X509_VERIFY_PARAM_inherit(ctx->param,
- X509_VERIFY_PARAM_lookup("default"));
-
- if (ret == 0) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ if (!X509_STORE_CTX_set_default(ctx, "default"))
goto err;
- }
/*
* XXX: For now, continue to inherit trust from VPM, but infer from the
if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
&ctx->ex_data))
return 1;
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
err:
/*
}
X509_policy_tree_free(ctx->tree);
ctx->tree = NULL;
- sk_X509_pop_free(ctx->chain, X509_free);
+ OSSL_STACK_OF_X509_free(ctx->chain);
ctx->chain = NULL;
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
return ctx->cert;
}
+EVP_PKEY *X509_STORE_CTX_get0_rpk(const X509_STORE_CTX *ctx)
+{
+ return ctx->rpk;
+}
+
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx)
{
return ctx->untrusted;
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
- sk_X509_pop_free(ctx->chain, X509_free);
+ OSSL_STACK_OF_X509_free(ctx->chain);
ctx->chain = sk;
}
const X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_lookup(name);
- if (param == NULL)
+ if (param == NULL) {
+ ERR_raise_data(ERR_LIB_X509, X509_R_UNKNOWN_PURPOSE_ID, "name=%s", name);
return 0;
+ }
return X509_VERIFY_PARAM_inherit(ctx->param, param);
}
}
if (len < 0 || buf == NULL) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_ASN1_LIB);
return NULL;
}
#define DANETLS_NONE 256 /* impossible uint8_t */
/* Returns -1 on internal error */
-static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
+static int dane_match_cert(X509_STORE_CTX *ctx, X509 *cert, int depth)
{
SSL_DANE *dane = ctx->dane;
unsigned usage = DANETLS_NONE;
* for an exact match for the leaf certificate).
*/
cert = sk_X509_value(ctx->chain, depth);
- if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0)
+ if (cert != NULL && (matched = dane_match_cert(ctx, cert, depth)) < 0)
return matched;
if (matched > 0) {
ctx->num_untrusted = depth - 1;
return X509_TRUST_UNTRUSTED;
}
+/*
+ * Only DANE-EE and SPKI are supported
+ * Returns -1 on internal error
+ */
+static int dane_match_rpk(X509_STORE_CTX *ctx, EVP_PKEY *rpk)
+{
+ SSL_DANE *dane = ctx->dane;
+ danetls_record *t = NULL;
+ int mtype = DANETLS_MATCHING_FULL;
+ unsigned char *i2dbuf = NULL;
+ unsigned int i2dlen = 0;
+ unsigned char mdbuf[EVP_MAX_MD_SIZE];
+ unsigned char *cmpbuf;
+ unsigned int cmplen = 0;
+ int len;
+ int recnum = sk_danetls_record_num(dane->trecs);
+ int i;
+ int matched = 0;
+
+ /* Calculate ASN.1 DER of RPK */
+ if ((len = i2d_PUBKEY(rpk, &i2dbuf)) <= 0)
+ return -1;
+ cmplen = i2dlen = (unsigned int)len;
+ cmpbuf = i2dbuf;
+
+ for (i = 0; i < recnum; i++) {
+ t = sk_danetls_record_value(dane->trecs, i);
+ if (t->usage != DANETLS_USAGE_DANE_EE || t->selector != DANETLS_SELECTOR_SPKI)
+ continue;
+
+ /* Calculate hash - keep only one around */
+ if (t->mtype != mtype) {
+ const EVP_MD *md = dane->dctx->mdevp[mtype = t->mtype];
+
+ cmpbuf = i2dbuf;
+ cmplen = i2dlen;
+
+ if (md != NULL) {
+ cmpbuf = mdbuf;
+ if (!EVP_Digest(i2dbuf, i2dlen, cmpbuf, &cmplen, md, 0)) {
+ matched = -1;
+ break;
+ }
+ }
+ }
+ if (cmplen == t->dlen && memcmp(cmpbuf, t->data, cmplen) == 0) {
+ matched = 1;
+ dane->mdpth = 0;
+ dane->mtlsa = t;
+ break;
+ }
+ }
+ OPENSSL_free(i2dbuf);
+ return matched;
+}
+
static void dane_reset(SSL_DANE *dane)
{
/* Reset state to verify another chain, or clear after failure. */
dane->pdpth = -1;
}
+/* Sadly, returns 0 also on internal error in ctx->verify_cb(). */
static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert)
{
int err = X509_chain_check_suiteb(NULL, cert, NULL, ctx->param->flags);
return 1;
}
+/* Returns -1 on internal error */
+static int dane_verify_rpk(X509_STORE_CTX *ctx)
+{
+ SSL_DANE *dane = ctx->dane;
+ int matched;
+
+ dane_reset(dane);
+
+ /*
+ * Look for a DANE record for RPK
+ * If error, return -1
+ * If found, call ctx->verify_cb(1, ctx)
+ * If not found call ctx->verify_cb(0, ctx)
+ */
+ matched = dane_match_rpk(ctx, ctx->rpk);
+ ctx->error_depth = 0;
+
+ if (matched < 0) {
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return -1;
+ }
+
+ if (matched > 0)
+ ctx->error = X509_V_OK;
+ else
+ ctx->error = X509_V_ERR_DANE_NO_MATCH;
+
+ return verify_rpk(ctx);
+}
+
/* Returns -1 on internal error */
static int dane_verify(X509_STORE_CTX *ctx)
{
* + matched == 0, mdepth < 0 (no PKIX-EE match) and there are no
* DANE-TA(2) or PKIX-TA(0) to test.
*/
- matched = dane_match(ctx, ctx->cert, 0);
+ matched = dane_match_cert(ctx, ctx->cert, 0);
done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0);
if (done && !X509_get_pubkey_parameters(NULL, ctx->chain))
return ok;
}
-/* Returns -1 on internal error */
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
static int build_chain(X509_STORE_CTX *ctx)
{
SSL_DANE *dane = ctx->dane;
int alt_untrusted = 0;
int max_depth;
int ok = 0;
- int prev_error = ctx->error;
int i;
/* Our chain starts with a single untrusted element. */
}
/* Initialize empty untrusted stack. */
- if ((sk_untrusted = sk_X509_new_null()) == NULL)
+ if ((sk_untrusted = sk_X509_new_null()) == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
goto memerr;
+ }
/*
* If we got any "Cert(0) Full(0)" trust anchors from DNS, *prepend* them
* to our working copy of the untrusted certificate stack.
*/
if (DANETLS_ENABLED(dane) && dane->certs != NULL
- && !X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT))
+ && !X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
goto memerr;
+ }
/*
* Shallow-copy the stack of untrusted certificates (with TLS, this is
* typically the content of the peer's certificate message) so we can make
* multiple passes over it, while free to remove elements as we go.
*/
- if (!X509_add_certs(sk_untrusted, ctx->untrusted, X509_ADD_FLAG_DEFAULT))
+ if (!X509_add_certs(sk_untrusted, ctx->untrusted, X509_ADD_FLAG_DEFAULT)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
goto memerr;
+ }
/*
* Still absurdly large, but arithmetically safe, a lower hard upper bound
dane->pdpth = -1;
}
- /*
- * Self-signed untrusted certificates get replaced by their
- * trusted matching issuer. Otherwise, grow the chain.
- */
- if (!self_signed) {
+ if (!self_signed) { /* untrusted not self-signed certificate */
+ /* Grow the chain by trusted issuer */
if (!sk_X509_push(ctx->chain, issuer)) {
X509_free(issuer);
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
goto memerr;
}
if ((self_signed = X509_self_signed(issuer, 0)) < 0)
goto int_err;
} else {
/*
- * We have a self-signed certificate that has the same
+ * We have a self-signed untrusted cert that has the same
* subject name (and perhaps keyid and/or serial number) as
* a trust anchor. We must have an exact match to avoid
* possible impersonation via key substitution etc.
X509_free(issuer);
ok = 0;
} else { /* curr "==" issuer */
+ /*
+ * Replace self-signed untrusted certificate
+ * by its trusted matching issuer.
+ */
X509_free(curr);
ctx->num_untrusted = --num;
(void)sk_X509_set(ctx->chain, num, issuer);
}
/*
- * Extend chain with peer-provided untrusted certificates
+ * Try to extend chain with peer-provided untrusted certificate
*/
if ((search & S_DOUNTRUSTED) != 0) {
num = sk_X509_num(ctx->chain);
if (!ossl_assert(num == ctx->num_untrusted))
goto int_err;
curr = sk_X509_value(ctx->chain, num - 1);
- issuer = (X509_self_signed(curr, 0) || num > max_depth) ?
+ issuer = (X509_self_signed(curr, 0) > 0 || num > max_depth) ?
NULL : find_issuer(ctx, sk_untrusted, curr);
if (issuer == NULL) {
/*
/* Drop this issuer from future consideration */
(void)sk_X509_delete_ptr(sk_untrusted, issuer);
+ /* Grow the chain by untrusted issuer */
if (!X509_add_cert(ctx->chain, issuer, X509_ADD_FLAG_UP_REF))
goto int_err;
switch (trust) {
case X509_TRUST_TRUSTED:
- /* Must restore any previous error value for backward compatibility */
- ctx->error = prev_error;
return 1;
case X509_TRUST_REJECTED:
/* Callback already issued */
return 0;
case X509_TRUST_UNTRUSTED:
default:
- switch(ctx->error) {
+ switch (ctx->error) {
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
case X509_V_ERR_CERT_HAS_EXPIRED:
- return 0; /* Callback already issued by ossl_x509_check_cert_time() */
+ return 0; /* Callback already done by ossl_x509_check_cert_time() */
default: /* A preliminary error has become final */
return verify_cb_cert(ctx, NULL, num - 1, ctx->error);
case X509_V_OK:
CB_FAIL_IF(DANETLS_ENABLED(dane)
&& (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0),
ctx, NULL, num - 1, X509_V_ERR_DANE_NO_MATCH);
- if (X509_self_signed(sk_X509_value(ctx->chain, num - 1), 0))
+ if (X509_self_signed(sk_X509_value(ctx->chain, num - 1), 0) > 0)
return verify_cb_cert(ctx, NULL, num - 1,
num == 1
? X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
return -1;
memerr:
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
sk_X509_free(sk_untrusted);
return -1;
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
/*-
- * Check whether the public key of `cert` meets the security level of `ctx`.
+ * Check whether the given public key meets the security level of `ctx`.
* Returns 1 on success, 0 otherwise.
*/
-static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
+static int check_key_level(X509_STORE_CTX *ctx, EVP_PKEY *pkey)
{
- EVP_PKEY *pkey = X509_get0_pubkey(cert);
int level = ctx->param->auth_level;
/*
return EVP_PKEY_get_security_bits(pkey) >= minbits_table[level - 1];
}
+/*-
+ * Check whether the public key of `cert` meets the security level of `ctx`.
+ * Returns 1 on success, 0 otherwise.
+ */
+static int check_cert_key_level(X509_STORE_CTX *ctx, X509 *cert)
+{
+ return check_key_level(ctx, X509_get0_pubkey(cert));
+}
+
/*-
* Check whether the public key of ``cert`` does not use explicit params
* for an elliptic curve.
static int check_curve(X509 *cert)
{
EVP_PKEY *pkey = X509_get0_pubkey(cert);
+ int ret, val;
/* Unsupported or malformed key */
if (pkey == NULL)
return -1;
+ if (EVP_PKEY_get_id(pkey) != EVP_PKEY_EC)
+ return 1;
- if (EVP_PKEY_get_id(pkey) == EVP_PKEY_EC) {
- int ret, val;
-
- ret = EVP_PKEY_get_int_param(pkey,
- OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS,
- &val);
- return ret < 0 ? ret : !val;
- }
-
- return 1;
+ ret =
+ EVP_PKEY_get_int_param(pkey,
+ OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS,
+ &val);
+ return ret < 0 ? ret : !val;
}
/*-