2
0

x509_vpm.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602
  1. /*
  2. * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/crypto.h>
  12. #include <openssl/buffer.h>
  13. #include <openssl/x509.h>
  14. #include <openssl/x509v3.h>
  15. #include "internal/x509_int.h"
  16. #include "x509_lcl.h"
  17. /* X509_VERIFY_PARAM functions */
  18. #define SET_HOST 0
  19. #define ADD_HOST 1
  20. static char *str_copy(const char *s)
  21. {
  22. return OPENSSL_strdup(s);
  23. }
  24. static void str_free(char *s)
  25. {
  26. OPENSSL_free(s);
  27. }
  28. static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
  29. const char *name, size_t namelen)
  30. {
  31. char *copy;
  32. /*
  33. * Refuse names with embedded NUL bytes, except perhaps as final byte.
  34. * XXX: Do we need to push an error onto the error stack?
  35. */
  36. if (namelen == 0 || name == NULL)
  37. namelen = name ? strlen(name) : 0;
  38. else if (name && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen))
  39. return 0;
  40. if (namelen > 0 && name[namelen - 1] == '\0')
  41. --namelen;
  42. if (mode == SET_HOST) {
  43. sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
  44. vpm->hosts = NULL;
  45. }
  46. if (name == NULL || namelen == 0)
  47. return 1;
  48. copy = OPENSSL_strndup(name, namelen);
  49. if (copy == NULL)
  50. return 0;
  51. if (vpm->hosts == NULL &&
  52. (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
  53. OPENSSL_free(copy);
  54. return 0;
  55. }
  56. if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
  57. OPENSSL_free(copy);
  58. if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
  59. sk_OPENSSL_STRING_free(vpm->hosts);
  60. vpm->hosts = NULL;
  61. }
  62. return 0;
  63. }
  64. return 1;
  65. }
  66. X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
  67. {
  68. X509_VERIFY_PARAM *param;
  69. param = OPENSSL_zalloc(sizeof(*param));
  70. if (param == NULL) {
  71. X509err(X509_F_X509_VERIFY_PARAM_NEW, ERR_R_MALLOC_FAILURE);
  72. return NULL;
  73. }
  74. param->trust = X509_TRUST_DEFAULT;
  75. /* param->inh_flags = X509_VP_FLAG_DEFAULT; */
  76. param->depth = -1;
  77. param->auth_level = -1; /* -1 means unset, 0 is explicit */
  78. return param;
  79. }
  80. void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
  81. {
  82. if (param == NULL)
  83. return;
  84. sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
  85. sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
  86. OPENSSL_free(param->peername);
  87. OPENSSL_free(param->email);
  88. OPENSSL_free(param->ip);
  89. OPENSSL_free(param);
  90. }
  91. /*-
  92. * This function determines how parameters are "inherited" from one structure
  93. * to another. There are several different ways this can happen.
  94. *
  95. * 1. If a child structure needs to have its values initialized from a parent
  96. * they are simply copied across. For example SSL_CTX copied to SSL.
  97. * 2. If the structure should take on values only if they are currently unset.
  98. * For example the values in an SSL structure will take appropriate value
  99. * for SSL servers or clients but only if the application has not set new
  100. * ones.
  101. *
  102. * The "inh_flags" field determines how this function behaves.
  103. *
  104. * Normally any values which are set in the default are not copied from the
  105. * destination and verify flags are ORed together.
  106. *
  107. * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
  108. * to the destination. Effectively the values in "to" become default values
  109. * which will be used only if nothing new is set in "from".
  110. *
  111. * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
  112. * they are set or not. Flags is still Ored though.
  113. *
  114. * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
  115. * of ORed.
  116. *
  117. * If X509_VP_FLAG_LOCKED is set then no values are copied.
  118. *
  119. * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
  120. * after the next call.
  121. */
  122. /* Macro to test if a field should be copied from src to dest */
  123. #define test_x509_verify_param_copy(field, def) \
  124. (to_overwrite || \
  125. ((src->field != def) && (to_default || (dest->field == def))))
  126. /* Macro to test and copy a field if necessary */
  127. #define x509_verify_param_copy(field, def) \
  128. if (test_x509_verify_param_copy(field, def)) \
  129. dest->field = src->field
  130. int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
  131. const X509_VERIFY_PARAM *src)
  132. {
  133. unsigned long inh_flags;
  134. int to_default, to_overwrite;
  135. if (!src)
  136. return 1;
  137. inh_flags = dest->inh_flags | src->inh_flags;
  138. if (inh_flags & X509_VP_FLAG_ONCE)
  139. dest->inh_flags = 0;
  140. if (inh_flags & X509_VP_FLAG_LOCKED)
  141. return 1;
  142. if (inh_flags & X509_VP_FLAG_DEFAULT)
  143. to_default = 1;
  144. else
  145. to_default = 0;
  146. if (inh_flags & X509_VP_FLAG_OVERWRITE)
  147. to_overwrite = 1;
  148. else
  149. to_overwrite = 0;
  150. x509_verify_param_copy(purpose, 0);
  151. x509_verify_param_copy(trust, X509_TRUST_DEFAULT);
  152. x509_verify_param_copy(depth, -1);
  153. x509_verify_param_copy(auth_level, -1);
  154. /* If overwrite or check time not set, copy across */
  155. if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
  156. dest->check_time = src->check_time;
  157. dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
  158. /* Don't need to copy flag: that is done below */
  159. }
  160. if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
  161. dest->flags = 0;
  162. dest->flags |= src->flags;
  163. if (test_x509_verify_param_copy(policies, NULL)) {
  164. if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
  165. return 0;
  166. }
  167. /* Copy the host flags if and only if we're copying the host list */
  168. if (test_x509_verify_param_copy(hosts, NULL)) {
  169. sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
  170. dest->hosts = NULL;
  171. if (src->hosts) {
  172. dest->hosts =
  173. sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
  174. if (dest->hosts == NULL)
  175. return 0;
  176. dest->hostflags = src->hostflags;
  177. }
  178. }
  179. if (test_x509_verify_param_copy(email, NULL)) {
  180. if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen))
  181. return 0;
  182. }
  183. if (test_x509_verify_param_copy(ip, NULL)) {
  184. if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
  185. return 0;
  186. }
  187. return 1;
  188. }
  189. int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
  190. const X509_VERIFY_PARAM *from)
  191. {
  192. unsigned long save_flags = to->inh_flags;
  193. int ret;
  194. to->inh_flags |= X509_VP_FLAG_DEFAULT;
  195. ret = X509_VERIFY_PARAM_inherit(to, from);
  196. to->inh_flags = save_flags;
  197. return ret;
  198. }
  199. static int int_x509_param_set1(char **pdest, size_t *pdestlen,
  200. const char *src, size_t srclen)
  201. {
  202. void *tmp;
  203. if (src) {
  204. if (srclen == 0)
  205. srclen = strlen(src);
  206. tmp = OPENSSL_memdup(src, srclen);
  207. if (tmp == NULL)
  208. return 0;
  209. } else {
  210. tmp = NULL;
  211. srclen = 0;
  212. }
  213. OPENSSL_free(*pdest);
  214. *pdest = tmp;
  215. if (pdestlen != NULL)
  216. *pdestlen = srclen;
  217. return 1;
  218. }
  219. int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
  220. {
  221. OPENSSL_free(param->name);
  222. param->name = OPENSSL_strdup(name);
  223. if (param->name)
  224. return 1;
  225. return 0;
  226. }
  227. int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
  228. {
  229. param->flags |= flags;
  230. if (flags & X509_V_FLAG_POLICY_MASK)
  231. param->flags |= X509_V_FLAG_POLICY_CHECK;
  232. return 1;
  233. }
  234. int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
  235. unsigned long flags)
  236. {
  237. param->flags &= ~flags;
  238. return 1;
  239. }
  240. unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
  241. {
  242. return param->flags;
  243. }
  244. uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param)
  245. {
  246. return param->inh_flags;
  247. }
  248. int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags)
  249. {
  250. param->inh_flags = flags;
  251. return 1;
  252. }
  253. int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
  254. {
  255. return X509_PURPOSE_set(&param->purpose, purpose);
  256. }
  257. int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
  258. {
  259. return X509_TRUST_set(&param->trust, trust);
  260. }
  261. void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
  262. {
  263. param->depth = depth;
  264. }
  265. void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level)
  266. {
  267. param->auth_level = auth_level;
  268. }
  269. time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param)
  270. {
  271. return param->check_time;
  272. }
  273. void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
  274. {
  275. param->check_time = t;
  276. param->flags |= X509_V_FLAG_USE_CHECK_TIME;
  277. }
  278. int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
  279. ASN1_OBJECT *policy)
  280. {
  281. if (!param->policies) {
  282. param->policies = sk_ASN1_OBJECT_new_null();
  283. if (!param->policies)
  284. return 0;
  285. }
  286. if (!sk_ASN1_OBJECT_push(param->policies, policy))
  287. return 0;
  288. return 1;
  289. }
  290. int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
  291. STACK_OF(ASN1_OBJECT) *policies)
  292. {
  293. int i;
  294. ASN1_OBJECT *oid, *doid;
  295. if (!param)
  296. return 0;
  297. sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
  298. if (!policies) {
  299. param->policies = NULL;
  300. return 1;
  301. }
  302. param->policies = sk_ASN1_OBJECT_new_null();
  303. if (!param->policies)
  304. return 0;
  305. for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
  306. oid = sk_ASN1_OBJECT_value(policies, i);
  307. doid = OBJ_dup(oid);
  308. if (!doid)
  309. return 0;
  310. if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
  311. ASN1_OBJECT_free(doid);
  312. return 0;
  313. }
  314. }
  315. param->flags |= X509_V_FLAG_POLICY_CHECK;
  316. return 1;
  317. }
  318. int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
  319. const char *name, size_t namelen)
  320. {
  321. return int_x509_param_set_hosts(param, SET_HOST, name, namelen);
  322. }
  323. int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
  324. const char *name, size_t namelen)
  325. {
  326. return int_x509_param_set_hosts(param, ADD_HOST, name, namelen);
  327. }
  328. void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
  329. unsigned int flags)
  330. {
  331. param->hostflags = flags;
  332. }
  333. unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param)
  334. {
  335. return param->hostflags;
  336. }
  337. char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
  338. {
  339. return param->peername;
  340. }
  341. /*
  342. * Move peername from one param structure to another, freeing any name present
  343. * at the target. If the source is a NULL parameter structure, free and zero
  344. * the target peername.
  345. */
  346. void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *to,
  347. X509_VERIFY_PARAM *from)
  348. {
  349. char *peername = (from != NULL) ? from->peername : NULL;
  350. if (to->peername != peername) {
  351. OPENSSL_free(to->peername);
  352. to->peername = peername;
  353. }
  354. if (from)
  355. from->peername = NULL;
  356. }
  357. int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
  358. const char *email, size_t emaillen)
  359. {
  360. return int_x509_param_set1(&param->email, &param->emaillen,
  361. email, emaillen);
  362. }
  363. int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
  364. const unsigned char *ip, size_t iplen)
  365. {
  366. if (iplen != 0 && iplen != 4 && iplen != 16)
  367. return 0;
  368. return int_x509_param_set1((char **)&param->ip, &param->iplen,
  369. (char *)ip, iplen);
  370. }
  371. int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
  372. {
  373. unsigned char ipout[16];
  374. size_t iplen;
  375. iplen = (size_t)a2i_ipadd(ipout, ipasc);
  376. if (iplen == 0)
  377. return 0;
  378. return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
  379. }
  380. int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
  381. {
  382. return param->depth;
  383. }
  384. int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param)
  385. {
  386. return param->auth_level;
  387. }
  388. const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
  389. {
  390. return param->name;
  391. }
  392. #define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0
  393. /*
  394. * Default verify parameters: these are used for various applications and can
  395. * be overridden by the user specified table. NB: the 'name' field *must* be
  396. * in alphabetical order because it will be searched using OBJ_search.
  397. */
  398. static const X509_VERIFY_PARAM default_table[] = {
  399. {
  400. "default", /* X509 default parameters */
  401. 0, /* Check time */
  402. 0, /* internal flags */
  403. X509_V_FLAG_TRUSTED_FIRST, /* flags */
  404. 0, /* purpose */
  405. 0, /* trust */
  406. 100, /* depth */
  407. -1, /* auth_level */
  408. NULL, /* policies */
  409. vpm_empty_id},
  410. {
  411. "pkcs7", /* S/MIME sign parameters */
  412. 0, /* Check time */
  413. 0, /* internal flags */
  414. 0, /* flags */
  415. X509_PURPOSE_SMIME_SIGN, /* purpose */
  416. X509_TRUST_EMAIL, /* trust */
  417. -1, /* depth */
  418. -1, /* auth_level */
  419. NULL, /* policies */
  420. vpm_empty_id},
  421. {
  422. "smime_sign", /* S/MIME sign parameters */
  423. 0, /* Check time */
  424. 0, /* internal flags */
  425. 0, /* flags */
  426. X509_PURPOSE_SMIME_SIGN, /* purpose */
  427. X509_TRUST_EMAIL, /* trust */
  428. -1, /* depth */
  429. -1, /* auth_level */
  430. NULL, /* policies */
  431. vpm_empty_id},
  432. {
  433. "ssl_client", /* SSL/TLS client parameters */
  434. 0, /* Check time */
  435. 0, /* internal flags */
  436. 0, /* flags */
  437. X509_PURPOSE_SSL_CLIENT, /* purpose */
  438. X509_TRUST_SSL_CLIENT, /* trust */
  439. -1, /* depth */
  440. -1, /* auth_level */
  441. NULL, /* policies */
  442. vpm_empty_id},
  443. {
  444. "ssl_server", /* SSL/TLS server parameters */
  445. 0, /* Check time */
  446. 0, /* internal flags */
  447. 0, /* flags */
  448. X509_PURPOSE_SSL_SERVER, /* purpose */
  449. X509_TRUST_SSL_SERVER, /* trust */
  450. -1, /* depth */
  451. -1, /* auth_level */
  452. NULL, /* policies */
  453. vpm_empty_id}
  454. };
  455. static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
  456. static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
  457. {
  458. return strcmp(a->name, b->name);
  459. }
  460. DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
  461. IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
  462. static int param_cmp(const X509_VERIFY_PARAM *const *a,
  463. const X509_VERIFY_PARAM *const *b)
  464. {
  465. return strcmp((*a)->name, (*b)->name);
  466. }
  467. int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
  468. {
  469. int idx;
  470. X509_VERIFY_PARAM *ptmp;
  471. if (param_table == NULL) {
  472. param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
  473. if (param_table == NULL)
  474. return 0;
  475. } else {
  476. idx = sk_X509_VERIFY_PARAM_find(param_table, param);
  477. if (idx >= 0) {
  478. ptmp = sk_X509_VERIFY_PARAM_delete(param_table, idx);
  479. X509_VERIFY_PARAM_free(ptmp);
  480. }
  481. }
  482. if (!sk_X509_VERIFY_PARAM_push(param_table, param))
  483. return 0;
  484. return 1;
  485. }
  486. int X509_VERIFY_PARAM_get_count(void)
  487. {
  488. int num = OSSL_NELEM(default_table);
  489. if (param_table)
  490. num += sk_X509_VERIFY_PARAM_num(param_table);
  491. return num;
  492. }
  493. const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
  494. {
  495. int num = OSSL_NELEM(default_table);
  496. if (id < num)
  497. return default_table + id;
  498. return sk_X509_VERIFY_PARAM_value(param_table, id - num);
  499. }
  500. const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
  501. {
  502. int idx;
  503. X509_VERIFY_PARAM pm;
  504. pm.name = (char *)name;
  505. if (param_table != NULL) {
  506. idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
  507. if (idx >= 0)
  508. return sk_X509_VERIFY_PARAM_value(param_table, idx);
  509. }
  510. return OBJ_bsearch_table(&pm, default_table, OSSL_NELEM(default_table));
  511. }
  512. void X509_VERIFY_PARAM_table_cleanup(void)
  513. {
  514. sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free);
  515. param_table = NULL;
  516. }