}
/* Return 1 on success, 0 if x is invalid, -1 on (internal) error. */
-static int setup_crldp(X509 *x)
+static int setup_crldp(const X509 *x, STACK_OF(DIST_POINT) **tmp_crldp)
{
int i;
- x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &i, NULL);
- if (x->crldp == NULL && i != -1)
+ *tmp_crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &i, NULL);
+ if (*tmp_crldp == NULL && i != -1)
return 0;
- for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
- int res = setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
+ for (i = 0; i < sk_DIST_POINT_num(*tmp_crldp); i++) {
+ int res = setup_dp(x, sk_DIST_POINT_value(*tmp_crldp, i));
if (res < 1)
return res;
EXTENDED_KEY_USAGE *extusage;
int i;
int res;
- X509 *x;
-
- /*
- * XXX deliberately cast away const - this is so the
- * public API may be made const even though we are lying
- * about it for the moment. This will enable us
- * to move to where we do not have to cast this away
- * in the future
- */
- x = (X509 *)const_x;
+ uint32_t tmp_ex_flags;
+ unsigned char tmp_sha1_hash[SHA_DIGEST_LENGTH];
+ long tmp_ex_pathlen;
+ long tmp_ex_pcpathlen;
+ uint32_t tmp_ex_kusage;
+ uint32_t tmp_ex_xkusage;
+ uint32_t tmp_ex_nscert;
+ ASN1_OCTET_STRING *tmp_skid;
+ AUTHORITY_KEYID *tmp_akid;
+ STACK_OF(GENERAL_NAME) *tmp_altname;
+ NAME_CONSTRAINTS *tmp_nc;
+ STACK_OF(DIST_POINT) *tmp_crldp = NULL;
+ STACK_OF(IPAddressFamily) *tmp_rfc3779_addr;
+ struct ASIdentifiers_st *tmp_rfc3779_asid;
+ X509_SIG_INFO tmp_siginf;
#ifdef tsan_ld_acq
/* Fast lock-free check, see end of the function for details. */
- if (tsan_ld_acq((TSAN_QUALIFIER int *)&x->ex_cached))
- return (x->ex_flags & EXFLAG_INVALID) == 0;
+ if (tsan_ld_acq((TSAN_QUALIFIER int *)&const_x->ex_cached))
+ return (const_x->ex_flags & EXFLAG_INVALID) == 0;
#endif
- if (!CRYPTO_THREAD_write_lock(x->lock))
+ if (!CRYPTO_THREAD_read_lock(const_x->lock))
return 0;
- if ((x->ex_flags & EXFLAG_SET) != 0) { /* Cert has already been processed */
- CRYPTO_THREAD_unlock(x->lock);
- return (x->ex_flags & EXFLAG_INVALID) == 0;
+ tmp_ex_flags = const_x->ex_flags;
+ tmp_ex_pcpathlen = const_x->ex_pcpathlen;
+ tmp_ex_kusage = const_x->ex_kusage;
+ tmp_ex_nscert = const_x->ex_nscert;
+
+ if ((tmp_ex_flags & EXFLAG_SET) != 0) { /* Cert has already been processed */
+ CRYPTO_THREAD_unlock(const_x->lock);
+ return (tmp_ex_flags & EXFLAG_INVALID) == 0;
}
ERR_set_mark();
/* Cache the SHA1 digest of the cert */
- if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL))
- x->ex_flags |= EXFLAG_NO_FINGERPRINT;
+ if (!X509_digest(const_x, EVP_sha1(), tmp_sha1_hash, NULL))
+ tmp_ex_flags |= EXFLAG_NO_FINGERPRINT;
/* V1 should mean no extensions ... */
- if (X509_get_version(x) == X509_VERSION_1)
- x->ex_flags |= EXFLAG_V1;
+ if (X509_get_version(const_x) == X509_VERSION_1)
+ tmp_ex_flags |= EXFLAG_V1;
/* Handle basic constraints */
- x->ex_pathlen = -1;
- if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL)) != NULL) {
+ tmp_ex_pathlen = -1;
+ if ((bs = X509_get_ext_d2i(const_x, NID_basic_constraints, &i, NULL)) != NULL) {
if (bs->ca)
- x->ex_flags |= EXFLAG_CA;
+ tmp_ex_flags |= EXFLAG_CA;
if (bs->pathlen != NULL) {
/*
* The error case !bs->ca is checked by check_chain()
*/
if (bs->pathlen->type == V_ASN1_NEG_INTEGER) {
ERR_raise(ERR_LIB_X509V3, X509V3_R_NEGATIVE_PATHLEN);
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_ex_flags |= EXFLAG_INVALID;
} else {
- x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
+ tmp_ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
}
}
BASIC_CONSTRAINTS_free(bs);
- x->ex_flags |= EXFLAG_BCONS;
+ tmp_ex_flags |= EXFLAG_BCONS;
} else if (i != -1) {
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_ex_flags |= EXFLAG_INVALID;
}
/* Handle proxy certificates */
- if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL)) != NULL) {
- if ((x->ex_flags & EXFLAG_CA) != 0
- || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
- || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
- x->ex_flags |= EXFLAG_INVALID;
+ if ((pci = X509_get_ext_d2i(const_x, NID_proxyCertInfo, &i, NULL)) != NULL) {
+ if ((tmp_ex_flags & EXFLAG_CA) != 0
+ || X509_get_ext_by_NID(const_x, NID_subject_alt_name, -1) >= 0
+ || X509_get_ext_by_NID(const_x, NID_issuer_alt_name, -1) >= 0) {
+ tmp_ex_flags |= EXFLAG_INVALID;
}
if (pci->pcPathLengthConstraint != NULL)
- x->ex_pcpathlen = ASN1_INTEGER_get(pci->pcPathLengthConstraint);
+ tmp_ex_pcpathlen = ASN1_INTEGER_get(pci->pcPathLengthConstraint);
else
- x->ex_pcpathlen = -1;
+ tmp_ex_pcpathlen = -1;
PROXY_CERT_INFO_EXTENSION_free(pci);
- x->ex_flags |= EXFLAG_PROXY;
+ tmp_ex_flags |= EXFLAG_PROXY;
} else if (i != -1) {
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_ex_flags |= EXFLAG_INVALID;
}
/* Handle (basic) key usage */
- if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL)) != NULL) {
- x->ex_kusage = 0;
+ if ((usage = X509_get_ext_d2i(const_x, NID_key_usage, &i, NULL)) != NULL) {
+ tmp_ex_kusage = 0;
if (usage->length > 0) {
- x->ex_kusage = usage->data[0];
+ tmp_ex_kusage = usage->data[0];
if (usage->length > 1)
- x->ex_kusage |= usage->data[1] << 8;
+ tmp_ex_kusage |= usage->data[1] << 8;
}
- x->ex_flags |= EXFLAG_KUSAGE;
+ tmp_ex_flags |= EXFLAG_KUSAGE;
ASN1_BIT_STRING_free(usage);
/* Check for empty key usage according to RFC 5280 section 4.2.1.3 */
- if (x->ex_kusage == 0) {
+ if (tmp_ex_kusage == 0) {
ERR_raise(ERR_LIB_X509V3, X509V3_R_EMPTY_KEY_USAGE);
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_ex_flags |= EXFLAG_INVALID;
}
} else if (i != -1) {
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_ex_flags |= EXFLAG_INVALID;
}
/* Handle extended key usage */
- x->ex_xkusage = 0;
- if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL)) != NULL) {
- x->ex_flags |= EXFLAG_XKUSAGE;
+ tmp_ex_xkusage = 0;
+ if ((extusage = X509_get_ext_d2i(const_x, NID_ext_key_usage, &i, NULL)) != NULL) {
+ tmp_ex_flags |= EXFLAG_XKUSAGE;
for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
case NID_server_auth:
- x->ex_xkusage |= XKU_SSL_SERVER;
+ tmp_ex_xkusage |= XKU_SSL_SERVER;
break;
case NID_client_auth:
- x->ex_xkusage |= XKU_SSL_CLIENT;
+ tmp_ex_xkusage |= XKU_SSL_CLIENT;
break;
case NID_email_protect:
- x->ex_xkusage |= XKU_SMIME;
+ tmp_ex_xkusage |= XKU_SMIME;
break;
case NID_code_sign:
- x->ex_xkusage |= XKU_CODE_SIGN;
+ tmp_ex_xkusage |= XKU_CODE_SIGN;
break;
case NID_ms_sgc:
case NID_ns_sgc:
- x->ex_xkusage |= XKU_SGC;
+ tmp_ex_xkusage |= XKU_SGC;
break;
case NID_OCSP_sign:
- x->ex_xkusage |= XKU_OCSP_SIGN;
+ tmp_ex_xkusage |= XKU_OCSP_SIGN;
break;
case NID_time_stamp:
- x->ex_xkusage |= XKU_TIMESTAMP;
+ tmp_ex_xkusage |= XKU_TIMESTAMP;
break;
case NID_dvcs:
- x->ex_xkusage |= XKU_DVCS;
+ tmp_ex_xkusage |= XKU_DVCS;
break;
case NID_anyExtendedKeyUsage:
- x->ex_xkusage |= XKU_ANYEKU;
+ tmp_ex_xkusage |= XKU_ANYEKU;
break;
default:
/* Ignore unknown extended key usage */
}
sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
} else if (i != -1) {
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_ex_flags |= EXFLAG_INVALID;
}
/* Handle legacy Netscape extension */
- if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &i, NULL)) != NULL) {
+ if ((ns = X509_get_ext_d2i(const_x, NID_netscape_cert_type, &i, NULL)) != NULL) {
if (ns->length > 0)
- x->ex_nscert = ns->data[0];
+ tmp_ex_nscert = ns->data[0];
else
- x->ex_nscert = 0;
- x->ex_flags |= EXFLAG_NSCERT;
+ tmp_ex_nscert = 0;
+ tmp_ex_flags |= EXFLAG_NSCERT;
ASN1_BIT_STRING_free(ns);
} else if (i != -1) {
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_ex_flags |= EXFLAG_INVALID;
}
/* Handle subject key identifier and issuer/authority key identifier */
- x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &i, NULL);
- if (x->skid == NULL && i != -1)
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_skid = X509_get_ext_d2i(const_x, NID_subject_key_identifier, &i, NULL);
+ if (tmp_skid == NULL && i != -1)
+ tmp_ex_flags |= EXFLAG_INVALID;
- x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL);
- if (x->akid == NULL && i != -1)
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_akid = X509_get_ext_d2i(const_x, NID_authority_key_identifier, &i, NULL);
+ if (tmp_akid == NULL && i != -1)
+ tmp_ex_flags |= EXFLAG_INVALID;
/* Check if subject name matches issuer */
- if (X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)) == 0) {
- x->ex_flags |= EXFLAG_SI; /* Cert is self-issued */
- if (X509_check_akid(x, x->akid) == X509_V_OK /* SKID matches AKID */
+ if (X509_NAME_cmp(X509_get_subject_name(const_x), X509_get_issuer_name(const_x)) == 0) {
+ tmp_ex_flags |= EXFLAG_SI; /* Cert is self-issued */
+ if (X509_check_akid(const_x, tmp_akid) == X509_V_OK /* SKID matches AKID */
/* .. and the signature alg matches the PUBKEY alg: */
- && check_sig_alg_match(X509_get0_pubkey(x), x) == X509_V_OK)
- x->ex_flags |= EXFLAG_SS; /* indicate self-signed */
+ && check_sig_alg_match(X509_get0_pubkey(const_x), const_x) == X509_V_OK)
+ tmp_ex_flags |= EXFLAG_SS; /* indicate self-signed */
/* This is very related to ossl_x509_likely_issued(x, x) == X509_V_OK */
}
/* Handle subject alternative names and various other extensions */
- x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL);
- if (x->altname == NULL && i != -1)
- x->ex_flags |= EXFLAG_INVALID;
- x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
- if (x->nc == NULL && i != -1)
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_altname = X509_get_ext_d2i(const_x, NID_subject_alt_name, &i, NULL);
+ if (tmp_altname == NULL && i != -1)
+ tmp_ex_flags |= EXFLAG_INVALID;
+ tmp_nc = X509_get_ext_d2i(const_x, NID_name_constraints, &i, NULL);
+ if (tmp_nc == NULL && i != -1)
+ tmp_ex_flags |= EXFLAG_INVALID;
/* Handle CRL distribution point entries */
- res = setup_crldp(x);
+ res = setup_crldp(const_x, &tmp_crldp);
if (res == 0)
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_ex_flags |= EXFLAG_INVALID;
#ifndef OPENSSL_NO_RFC3779
- x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, &i, NULL);
- if (x->rfc3779_addr == NULL && i != -1)
- x->ex_flags |= EXFLAG_INVALID;
- x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, &i, NULL);
- if (x->rfc3779_asid == NULL && i != -1)
- x->ex_flags |= EXFLAG_INVALID;
+ tmp_rfc3779_addr = X509_get_ext_d2i(const_x, NID_sbgp_ipAddrBlock, &i, NULL);
+ if (tmp_rfc3779_addr == NULL && i != -1)
+ tmp_ex_flags |= EXFLAG_INVALID;
+ tmp_rfc3779_asid = X509_get_ext_d2i(const_x, NID_sbgp_autonomousSysNum, &i, NULL);
+ if (tmp_rfc3779_asid == NULL && i != -1)
+ tmp_ex_flags |= EXFLAG_INVALID;
#endif
- for (i = 0; i < X509_get_ext_count(x); i++) {
- const X509_EXTENSION *ex = X509_get_ext(x, i);
+ for (i = 0; i < X509_get_ext_count(const_x); i++) {
+ const X509_EXTENSION *ex = X509_get_ext(const_x, i);
int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
if (nid == NID_freshest_crl)
- x->ex_flags |= EXFLAG_FRESHEST;
+ tmp_ex_flags |= EXFLAG_FRESHEST;
if (!X509_EXTENSION_get_critical(ex))
continue;
if (!X509_supported_extension(ex)) {
- x->ex_flags |= EXFLAG_CRITICAL;
+ tmp_ex_flags |= EXFLAG_CRITICAL;
break;
}
switch (nid) {
case NID_basic_constraints:
- x->ex_flags |= EXFLAG_BCONS_CRITICAL;
+ tmp_ex_flags |= EXFLAG_BCONS_CRITICAL;
break;
case NID_authority_key_identifier:
- x->ex_flags |= EXFLAG_AKID_CRITICAL;
+ tmp_ex_flags |= EXFLAG_AKID_CRITICAL;
break;
case NID_subject_key_identifier:
- x->ex_flags |= EXFLAG_SKID_CRITICAL;
+ tmp_ex_flags |= EXFLAG_SKID_CRITICAL;
break;
case NID_subject_alt_name:
- x->ex_flags |= EXFLAG_SAN_CRITICAL;
+ tmp_ex_flags |= EXFLAG_SAN_CRITICAL;
break;
default:
break;
}
/* Set x->siginf, ignoring errors due to unsupported algos */
- (void)ossl_x509_init_sig_info(x);
+ (void)ossl_x509_init_sig_info(const_x, &tmp_siginf);
+
+ tmp_ex_flags |= EXFLAG_SET; /* Indicate that cert has been processed */
+ ERR_pop_to_mark();
+
+ CRYPTO_THREAD_unlock(const_x->lock);
+ /*
+ * Now that we've done all the compute intensive work under read lock
+ * do all the updating under a write lock
+ */
+ if (!CRYPTO_THREAD_write_lock(const_x->lock))
+ return 0;
+ ((X509 *)const_x)->ex_flags = tmp_ex_flags;
+ ((X509 *)const_x)->ex_pathlen = tmp_ex_pathlen;
+ ((X509 *)const_x)->ex_pcpathlen = tmp_ex_pcpathlen;
+ if (!(tmp_ex_flags & EXFLAG_NO_FINGERPRINT))
+ memcpy(((X509 *)const_x)->sha1_hash, tmp_sha1_hash, SHA_DIGEST_LENGTH);
+ if (tmp_ex_flags & EXFLAG_KUSAGE)
+ ((X509 *)const_x)->ex_kusage = tmp_ex_kusage;
+ ((X509 *)const_x)->ex_xkusage = tmp_ex_xkusage;
+ if (tmp_ex_flags & EXFLAG_NSCERT)
+ ((X509 *)const_x)->ex_nscert = tmp_ex_nscert;
+ ASN1_OCTET_STRING_free(((X509 *)const_x)->skid);
+ ((X509 *)const_x)->skid = tmp_skid;
+ AUTHORITY_KEYID_free(((X509 *)const_x)->akid);
+ ((X509 *)const_x)->akid = tmp_akid;
+ sk_GENERAL_NAME_pop_free(((X509 *)const_x)->altname, GENERAL_NAME_free);
+ ((X509 *)const_x)->altname = tmp_altname;
+ NAME_CONSTRAINTS_free(((X509 *)const_x)->nc);
+ ((X509 *)const_x)->nc = tmp_nc;
+ sk_DIST_POINT_pop_free(((X509 *)const_x)->crldp, DIST_POINT_free);
+ ((X509 *)const_x)->crldp = tmp_crldp;
+ sk_IPAddressFamily_pop_free(((X509 *)const_x)->rfc3779_addr, IPAddressFamily_free);
+ ((X509 *)const_x)->rfc3779_addr = tmp_rfc3779_addr;
+ ASIdentifiers_free(((X509 *)const_x)->rfc3779_asid);
+ ((X509 *)const_x)->rfc3779_asid = tmp_rfc3779_asid;
+ ((X509 *)const_x)->siginf = tmp_siginf;
- x->ex_flags |= EXFLAG_SET; /* Indicate that cert has been processed */
#ifdef tsan_st_rel
- tsan_st_rel((TSAN_QUALIFIER int *)&x->ex_cached, 1);
+ tsan_st_rel((TSAN_QUALIFIER int *)&const_x->ex_cached, 1);
/*
* Above store triggers fast lock-free check in the beginning of the
* function. But one has to ensure that the structure is "stable", i.e.
* all stores are visible on all processors. Hence the release fence.
*/
#endif
- ERR_pop_to_mark();
-
- if ((x->ex_flags & EXFLAG_INVALID) == 0) {
- CRYPTO_THREAD_unlock(x->lock);
- return 1;
+ CRYPTO_THREAD_unlock(const_x->lock);
+ if (tmp_ex_flags & EXFLAG_INVALID) {
+ ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_CERTIFICATE);
+ return 0;
}
- CRYPTO_THREAD_unlock(x->lock);
- ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_CERTIFICATE);
- return 0;
+ return 1;
}
/*-
* Returns 0 for OK, or positive for reason for mismatch
* where reason codes match those for X509_verify_cert().
*/
-int X509_check_issued(X509 *issuer, X509 *subject)
+int X509_check_issued(const X509 *issuer, const X509 *subject)
{
int ret;
}
/* do the checks 1., 2., and 3. as described above for X509_check_issued() */
-int ossl_x509_likely_issued(X509 *issuer, X509 *subject)
+int ossl_x509_likely_issued(const X509 *issuer, const X509 *subject)
{
int ret;
projects / thirdparty / openssl.git / commitdiff
