SecBSD/src
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sync with OpenBSD -current

Browse source
This commit is contained in:
purplerain 2023-12-23 13:56:21 +00:00
parent 38dbdec412
commit 933c153850
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
49 changed files with 931 additions and 4156 deletions
Download patch file Download diff file Expand all files Collapse all files

18
lib/libcrypto/x509/x509_local.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_local.h,v 1.11 2023/11/01 20:37:42 tb Exp $ */
/* $OpenBSD: x509_local.h,v 1.14 2023/12/22 13:31:35 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2013.
*/
@ -299,15 +299,7 @@ struct x509_store_st {
/* Callbacks for various operations */
int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
int (*cleanup)(X509_STORE_CTX *ctx);
CRYPTO_EX_DATA ex_data;
int references;
@ -344,14 +336,6 @@ struct x509_store_ctx_st {
int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
int (*check_policy)(X509_STORE_CTX *ctx);
STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
int (*cleanup)(X509_STORE_CTX *ctx);
/* The following is built up */
int valid; /* if 0, rebuild chain */

143
lib/libcrypto/x509/x509_vfy.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_vfy.c,v 1.127 2023/11/27 00:51:12 tb Exp $ */
/* $OpenBSD: x509_vfy.c,v 1.135 2023/12/23 00:52:13 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -116,16 +116,15 @@
#define CRL_SCORE_TIME_DELTA 0x002
static int x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl);
static int x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
static int null_callback(int ok, X509_STORE_CTX *e);
static int check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer);
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x,
int allow_expired);
static int check_chain_extensions(X509_STORE_CTX *ctx);
static int check_name_constraints(X509_STORE_CTX *ctx);
static int check_trust(X509_STORE_CTX *ctx);
static int check_revocation(X509_STORE_CTX *ctx);
static int check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth);
static int check_policy(X509_STORE_CTX *ctx);
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
unsigned int *preasons, X509_CRL *crl, X509 *x);
@ -144,7 +143,6 @@ static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time,
int clamp_notafter);
static int internal_verify(X509_STORE_CTX *ctx);
static int get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err);
@ -177,7 +175,7 @@ check_id_error(X509_STORE_CTX *ctx, int errcode)
}
static int
check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
x509_vfy_check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
{
int i, n;
char *name;
@ -195,13 +193,13 @@ check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
return n == 0;
}
static int
check_id(X509_STORE_CTX *ctx)
int
x509_vfy_check_id(X509_STORE_CTX *ctx)
{
X509_VERIFY_PARAM *vpm = ctx->param;
X509 *x = ctx->cert;
if (vpm->hosts && check_hosts(x, vpm) <= 0) {
if (vpm->hosts && x509_vfy_check_hosts(x, vpm) <= 0) {
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
return 0;
}
@ -217,11 +215,6 @@ check_id(X509_STORE_CTX *ctx)
return 1;
}
int
x509_vfy_check_id(X509_STORE_CTX *ctx) {
return check_id(ctx);
}
/*
* This is the effectively broken legacy OpenSSL chain builder. It
* might find an unvalidated chain and leave it sitting in
@ -430,7 +423,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
}
/* we now have our chain, lets check it... */
trust = check_trust(ctx);
trust = x509_vfy_check_trust(ctx);
/* If explicitly rejected error */
if (trust == X509_TRUST_REJECTED) {
@ -532,7 +525,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
goto end;
/* We have the chain complete: now we need to check its purpose */
ok = check_chain_extensions(ctx);
ok = x509_vfy_check_chain_extensions(ctx);
if (!ok)
goto end;
@ -556,7 +549,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
goto end;
#endif
ok = check_id(ctx);
ok = x509_vfy_check_id(ctx);
if (!ok)
goto end;
@ -564,7 +557,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
* Check revocation status: we do this after copying parameters because
* they may be needed for CRL signature verification.
*/
ok = ctx->check_revocation(ctx);
ok = x509_vfy_check_revocation(ctx);
if (!ok)
goto end;
@ -578,7 +571,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
/* If we get this far evaluate policies */
if (!bad_chain)
ok = ctx->check_policy(ctx);
ok = x509_vfy_check_policy(ctx);
end:
/* Safety net, error returns must set ctx->error */
@ -696,7 +689,7 @@ check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer)
/* Alternative lookup method: look from a STACK stored in ctx->trusted */
static int
get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
x509_vfy_get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->trusted, x, 1);
if (*issuer) {
@ -813,11 +806,6 @@ end:
#endif
}
static int
check_chain_extensions(X509_STORE_CTX *ctx) {
return x509_vfy_check_chain_extensions(ctx);
}
static int
check_name_constraints(X509_STORE_CTX *ctx)
{
@ -840,7 +828,7 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
size_t i;
/* Lookup all certs with matching subject name */
certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
certs = X509_STORE_CTX_get1_certs(ctx, X509_get_subject_name(x));
if (certs == NULL)
return NULL;
@ -863,14 +851,13 @@ lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
X509 *
x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
{
if (ctx->lookup_certs == NULL || ctx->store == NULL ||
ctx->store->objs == NULL)
if (ctx->store == NULL || ctx->store->objs == NULL)
return NULL;
return lookup_cert_match(ctx, x);
}
static int
check_trust(X509_STORE_CTX *ctx)
int
x509_vfy_check_trust(X509_STORE_CTX *ctx)
{
size_t i;
int ok;
@ -925,13 +912,7 @@ check_trust(X509_STORE_CTX *ctx)
}
int
x509_vfy_check_trust(X509_STORE_CTX *ctx)
{
return check_trust(ctx);
}
static int
check_revocation(X509_STORE_CTX *ctx)
x509_vfy_check_revocation(X509_STORE_CTX *ctx)
{
int i, last, ok;
@ -953,12 +934,6 @@ check_revocation(X509_STORE_CTX *ctx)
return 1;
}
int
x509_vfy_check_revocation(X509_STORE_CTX *ctx)
{
return check_revocation(ctx);
}
static int
check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
{
@ -976,28 +951,22 @@ check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
while (ctx->current_reasons != CRLDP_ALL_REASONS) {
last_reasons = ctx->current_reasons;
/* Try to retrieve relevant CRL */
if (ctx->get_crl)
ok = ctx->get_crl(ctx, &crl, x);
else
ok = get_crl_delta(ctx, &crl, &dcrl, x);
/* If error looking up CRL, nothing we can do except
* notify callback
*/
ok = get_crl_delta(ctx, &crl, &dcrl, x);
if (!ok) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
ok = ctx->verify_cb(0, ctx);
goto err;
}
ctx->current_crl = crl;
ok = ctx->check_crl(ctx, crl);
ok = x509_vfy_check_crl(ctx, crl);
if (!ok)
goto err;
if (dcrl) {
ok = ctx->check_crl(ctx, dcrl);
ok = x509_vfy_check_crl(ctx, dcrl);
if (!ok)
goto err;
ok = ctx->cert_crl(ctx, dcrl, x);
ok = x509_vfy_cert_crl(ctx, dcrl, x);
if (!ok)
goto err;
} else
@ -1005,7 +974,7 @@ check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth)
/* Don't look in full CRL if delta reason is removefromCRL */
if (ok != 2) {
ok = ctx->cert_crl(ctx, crl, x);
ok = x509_vfy_cert_crl(ctx, crl, x);
if (!ok)
goto err;
}
@ -1559,7 +1528,7 @@ get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
goto done;
/* Lookup CRLs from store */
skcrl = ctx->lookup_crls(ctx, nm);
skcrl = X509_STORE_CTX_get1_crls(ctx, nm);
/* If no CRLs found and a near match from get_crl_sk use that */
if (!skcrl && crl)
@ -1586,7 +1555,7 @@ done:
/* Check CRL validity */
static int
check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
x509_vfy_check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
{
X509 *issuer = NULL;
EVP_PKEY *ikey = NULL;
@ -1689,7 +1658,7 @@ err:
/* Check certificate against CRL */
static int
cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
x509_vfy_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
{
int ok;
X509_REVOKED *rev;
@ -1756,12 +1725,6 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
return 1;
}
static int
check_policy(X509_STORE_CTX *ctx)
{
return x509_vfy_check_policy(ctx);
}
/*
* Inform the verify callback of an error.
*
@ -2338,52 +2301,8 @@ X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *leaf,
else
ctx->verify_cb = null_callback;
if (store && store->get_issuer)
ctx->get_issuer = store->get_issuer;
else
ctx->get_issuer = X509_STORE_CTX_get1_issuer;
if (store && store->check_issued)
ctx->check_issued = store->check_issued;
else
ctx->check_issued = check_issued;
if (store && store->check_revocation)
ctx->check_revocation = store->check_revocation;
else
ctx->check_revocation = check_revocation;
if (store && store->get_crl)
ctx->get_crl = store->get_crl;
else
ctx->get_crl = NULL;
if (store && store->check_crl)
ctx->check_crl = store->check_crl;
else
ctx->check_crl = check_crl;
if (store && store->cert_crl)
ctx->cert_crl = store->cert_crl;
else
ctx->cert_crl = cert_crl;
ctx->check_policy = check_policy;
if (store && store->lookup_certs)
ctx->lookup_certs = store->lookup_certs;
else
ctx->lookup_certs = X509_STORE_CTX_get1_certs;
if (store && store->lookup_crls)
ctx->lookup_crls = store->lookup_crls;
else
ctx->lookup_crls = X509_STORE_CTX_get1_crls;
if (store && store->cleanup)
ctx->cleanup = store->cleanup;
else
ctx->cleanup = NULL;
ctx->get_issuer = X509_STORE_CTX_get1_issuer;
ctx->check_issued = check_issued;
ctx->param = X509_VERIFY_PARAM_new();
if (!ctx->param) {
@ -2432,15 +2351,13 @@ void
X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *trusted)
{
ctx->trusted = trusted;
ctx->get_issuer = get_trusted_issuer;
ctx->get_issuer = x509_vfy_get_trusted_issuer;
}
LCRYPTO_ALIAS(X509_STORE_CTX_set0_trusted_stack);
void
X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
{
if (ctx->cleanup)
ctx->cleanup(ctx);
if (ctx->param != NULL) {
if (ctx->parent == NULL)
X509_VERIFY_PARAM_free(ctx->param);