* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
#include <openssl/evp.h>
#include <openssl/x509.h>
-int X509_set_version(X509 *x, long version)
+int
+X509_set_version(X509 *x, long version)
{
- if (x == NULL) return(0);
+ if (x == NULL)
+ return (0);
if (x->cert_info->version == NULL) {
- if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
- return(0);
+ if ((x->cert_info->version = M_ASN1_INTEGER_new()) == NULL)
+ return (0);
}
- return(ASN1_INTEGER_set(x->cert_info->version,version));
+ return (ASN1_INTEGER_set(x->cert_info->version, version));
}
-int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
+int
+X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
{
ASN1_INTEGER *in;
- if (x == NULL) return(0);
- in=x->cert_info->serialNumber;
+ if (x == NULL)
+ return (0);
+ in = x->cert_info->serialNumber;
if (in != serial) {
- in=M_ASN1_INTEGER_dup(serial);
+ in = M_ASN1_INTEGER_dup(serial);
if (in != NULL) {
M_ASN1_INTEGER_free(x->cert_info->serialNumber);
- x->cert_info->serialNumber=in;
+ x->cert_info->serialNumber = in;
}
}
- return(in != NULL);
+ return (in != NULL);
}
-int X509_set_issuer_name(X509 *x, X509_NAME *name)
+int
+X509_set_issuer_name(X509 *x, X509_NAME *name)
{
- if ((x == NULL) || (x->cert_info == NULL)) return(0);
- return(X509_NAME_set(&x->cert_info->issuer,name));
+ if ((x == NULL) || (x->cert_info == NULL))
+ return (0);
+ return (X509_NAME_set(&x->cert_info->issuer, name));
}
-int X509_set_subject_name(X509 *x, X509_NAME *name)
+int
+X509_set_subject_name(X509 *x, X509_NAME *name)
{
- if ((x == NULL) || (x->cert_info == NULL)) return(0);
- return(X509_NAME_set(&x->cert_info->subject,name));
+ if ((x == NULL) || (x->cert_info == NULL))
+ return (0);
+ return (X509_NAME_set(&x->cert_info->subject, name));
}
-int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
+int
+X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
{
ASN1_TIME *in;
- if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
- in=x->cert_info->validity->notBefore;
+ if ((x == NULL) || (x->cert_info->validity == NULL))
+ return (0);
+ in = x->cert_info->validity->notBefore;
if (in != tm) {
- in=M_ASN1_TIME_dup(tm);
+ in = M_ASN1_TIME_dup(tm);
if (in != NULL) {
M_ASN1_TIME_free(x->cert_info->validity->notBefore);
- x->cert_info->validity->notBefore=in;
+ x->cert_info->validity->notBefore = in;
}
}
- return(in != NULL);
+ return (in != NULL);
}
-int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
+int
+X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
{
ASN1_TIME *in;
- if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
- in=x->cert_info->validity->notAfter;
+ if ((x == NULL) || (x->cert_info->validity == NULL))
+ return (0);
+ in = x->cert_info->validity->notAfter;
if (in != tm) {
- in=M_ASN1_TIME_dup(tm);
+ in = M_ASN1_TIME_dup(tm);
if (in != NULL) {
M_ASN1_TIME_free(x->cert_info->validity->notAfter);
- x->cert_info->validity->notAfter=in;
+ x->cert_info->validity->notAfter = in;
}
}
- return(in != NULL);
+ return (in != NULL);
}
-int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
+int
+X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
{
- if ((x == NULL) || (x->cert_info == NULL)) return(0);
- return(X509_PUBKEY_set(&(x->cert_info->key),pkey));
+ if ((x == NULL) || (x->cert_info == NULL))
+ return (0);
+ return (X509_PUBKEY_set(&(x->cert_info->key), pkey));
}
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
#include <openssl/x509v3.h>
-static int tr_cmp(const X509_TRUST * const *a,
- const X509_TRUST * const *b);
+static int tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b);
static void trtable_free(X509_TRUST *p);
static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
*/
static X509_TRUST trstandard[] = {
-{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
-{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
-{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
-{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
-{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
-{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
-{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
-{X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
+ {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
+ {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
+ {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
+ {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
+ {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
+ {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
+ {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
+ {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
};
#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST))
static STACK_OF(X509_TRUST) *trtable = NULL;
-static int tr_cmp(const X509_TRUST * const *a,
- const X509_TRUST * const *b)
+static int
+tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b)
{
return (*a)->trust - (*b)->trust;
}
-int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
+int
+(*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
{
int (*oldtrust)(int , X509 *, int);
+
oldtrust = default_trust;
default_trust = trust;
return oldtrust;
}
-
-int X509_check_trust(X509 *x, int id, int flags)
+int
+X509_check_trust(X509 *x, int id, int flags)
{
X509_TRUST *pt;
int idx;
- if(id == -1) return 1;
+
+ if (id == -1)
+ return 1;
idx = X509_TRUST_get_by_id(id);
- if(idx == -1) return default_trust(id, x, flags);
+ if (idx == -1)
+ return default_trust(id, x, flags);
pt = X509_TRUST_get0(idx);
return pt->check_trust(pt, x, flags);
}
-int X509_TRUST_get_count(void)
+int
+X509_TRUST_get_count(void)
{
- if(!trtable) return X509_TRUST_COUNT;
+ if (!trtable)
+ return X509_TRUST_COUNT;
return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
}
-X509_TRUST * X509_TRUST_get0(int idx)
+X509_TRUST *
+X509_TRUST_get0(int idx)
{
- if(idx < 0) return NULL;
- if(idx < (int)X509_TRUST_COUNT) return trstandard + idx;
+ if (idx < 0)
+ return NULL;
+ if (idx < (int)X509_TRUST_COUNT)
+ return trstandard + idx;
return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
}
-int X509_TRUST_get_by_id(int id)
+int
+X509_TRUST_get_by_id(int id)
{
X509_TRUST tmp;
int idx;
- if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
- return id - X509_TRUST_MIN;
+
+ if ((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
+ return id - X509_TRUST_MIN;
tmp.trust = id;
- if(!trtable) return -1;
+ if (!trtable)
+ return -1;
idx = sk_X509_TRUST_find(trtable, &tmp);
- if(idx == -1) return -1;
+ if (idx == -1)
+ return -1;
return idx + X509_TRUST_COUNT;
}
-int X509_TRUST_set(int *t, int trust)
+int
+X509_TRUST_set(int *t, int trust)
{
- if(X509_TRUST_get_by_id(trust) == -1) {
+ if (X509_TRUST_get_by_id(trust) == -1) {
X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
return 0;
}
return 1;
}
-int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
- char *name, int arg1, void *arg2)
+int
+X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
+ char *name, int arg1, void *arg2)
{
int idx;
X509_TRUST *trtmp;
+
/* This is set according to what we change: application can't set it */
flags &= ~X509_TRUST_DYNAMIC;
/* This will always be set for application modified trust entries */
/* Get existing entry if any */
idx = X509_TRUST_get_by_id(id);
/* Need a new entry */
- if(idx == -1) {
- if(!(trtmp = malloc(sizeof(X509_TRUST)))) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+ if (idx == -1) {
+ if (!(trtmp = malloc(sizeof(X509_TRUST)))) {
+ X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
trtmp->flags = X509_TRUST_DYNAMIC;
trtmp = X509_TRUST_get0(idx);
/* free existing name if dynamic */
- if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name);
+ if (trtmp->flags & X509_TRUST_DYNAMIC_NAME)
+ free(trtmp->name);
/* dup supplied name */
- if(!(trtmp->name = BUF_strdup(name))) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+ if (!(trtmp->name = BUF_strdup(name))) {
+ X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
/* Keep the dynamic flag of existing entry */
trtmp->arg2 = arg2;
/* If its a new entry manage the dynamic table */
- if(idx == -1) {
- if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+ if (idx == -1) {
+ if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
+ X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
if (!sk_X509_TRUST_push(trtable, trtmp)) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
}
return 1;
}
-static void trtable_free(X509_TRUST *p)
+static void
+trtable_free(X509_TRUST *p)
{
- if(!p) return;
+ if (!p)
+ return;
if (p->flags & X509_TRUST_DYNAMIC) {
if (p->flags & X509_TRUST_DYNAMIC_NAME)
free(p->name);
}
}
-void X509_TRUST_cleanup(void)
+void
+X509_TRUST_cleanup(void)
{
unsigned int i;
- for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
+
+ for(i = 0; i < X509_TRUST_COUNT; i++)
+ trtable_free(trstandard + i);
sk_X509_TRUST_pop_free(trtable, trtable_free);
trtable = NULL;
}
-int X509_TRUST_get_flags(X509_TRUST *xp)
+int
+X509_TRUST_get_flags(X509_TRUST *xp)
{
return xp->flags;
}
-char *X509_TRUST_get0_name(X509_TRUST *xp)
+char *
+X509_TRUST_get0_name(X509_TRUST *xp)
{
return xp->name;
}
-int X509_TRUST_get_trust(X509_TRUST *xp)
+int
+X509_TRUST_get_trust(X509_TRUST *xp)
{
return xp->trust;
}
-static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
+static int
+trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
{
- if(x->aux && (x->aux->trust || x->aux->reject))
+ if (x->aux && (x->aux->trust || x->aux->reject))
return obj_trust(trust->arg1, x, flags);
/* we don't have any trust settings: for compatibility
* we return trusted if it is self signed
return trust_compat(trust, x, flags);
}
-static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
+static int
+trust_1oid(X509_TRUST *trust, X509 *x, int flags)
{
- if(x->aux) return obj_trust(trust->arg1, x, flags);
+ if (x->aux)
+ return obj_trust(trust->arg1, x, flags);
return X509_TRUST_UNTRUSTED;
}
-static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
+static int
+trust_compat(X509_TRUST *trust, X509 *x, int flags)
{
X509_check_purpose(x, -1, 0);
- if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED;
- else return X509_TRUST_UNTRUSTED;
+ if (x->ex_flags & EXFLAG_SS)
+ return X509_TRUST_TRUSTED;
+ else
+ return X509_TRUST_UNTRUSTED;
}
-static int obj_trust(int id, X509 *x, int flags)
+static int
+obj_trust(int id, X509 *x, int flags)
{
ASN1_OBJECT *obj;
int i;
X509_CERT_AUX *ax;
+
ax = x->aux;
- if(!ax) return X509_TRUST_UNTRUSTED;
- if(ax->reject) {
- for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
+ if (!ax)
+ return X509_TRUST_UNTRUSTED;
+ if (ax->reject) {
+ for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
obj = sk_ASN1_OBJECT_value(ax->reject, i);
- if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED;
+ if (OBJ_obj2nid(obj) == id)
+ return X509_TRUST_REJECTED;
}
- }
- if(ax->trust) {
- for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
+ }
+ if (ax->trust) {
+ for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
obj = sk_ASN1_OBJECT_value(ax->trust, i);
- if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED;
+ if (OBJ_obj2nid(obj) == id)
+ return X509_TRUST_TRUSTED;
}
}
return X509_TRUST_UNTRUSTED;
}
-
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
#include <openssl/x509.h>
#include <openssl/objects.h>
-const char *X509_verify_cert_error_string(long n)
+const char *
+X509_verify_cert_error_string(long n)
{
static char buf[100];
case X509_V_ERR_NO_EXPLICIT_POLICY:
return("no explicit policy");
case X509_V_ERR_DIFFERENT_CRL_SCOPE:
- return("Different CRL scope");
+ return("Different CRL scope");
case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
- return("Unsupported extension feature");
- case X509_V_ERR_UNNESTED_RESOURCE:
- return("RFC 3779 resource not subset of parent's resources");
-
+ return("Unsupported extension feature");
+ case X509_V_ERR_UNNESTED_RESOURCE:
+ return("RFC 3779 resource not subset of parent's resources");
case X509_V_ERR_PERMITTED_VIOLATION:
return("permitted subtree violation");
case X509_V_ERR_EXCLUDED_VIOLATION:
return("CRL path validation error");
default:
- snprintf(buf,sizeof buf,"error number %ld",n);
- return(buf);
+ snprintf(buf, sizeof buf, "error number %ld", n);
+ return (buf);
}
}
-
-
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
#include <openssl/x509.h>
#include <openssl/x509v3.h>
-int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
+int
+X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
{
- if (x == NULL) return(0);
- return(sk_X509_EXTENSION_num(x));
+ if (x == NULL)
+ return (0);
+ return (sk_X509_EXTENSION_num(x));
}
-int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
- int lastpos)
+int
+X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos)
{
ASN1_OBJECT *obj;
- obj=OBJ_nid2obj(nid);
- if (obj == NULL) return(-2);
- return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
+ obj = OBJ_nid2obj(nid);
+ if (obj == NULL)
+ return (-2);
+ return (X509v3_get_ext_by_OBJ(x, obj, lastpos));
}
-int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
- int lastpos)
+int
+X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
+ int lastpos)
{
int n;
X509_EXTENSION *ex;
- if (sk == NULL) return(-1);
+ if (sk == NULL)
+ return (-1);
lastpos++;
if (lastpos < 0)
- lastpos=0;
- n=sk_X509_EXTENSION_num(sk);
- for ( ; lastpos < n; lastpos++) {
- ex=sk_X509_EXTENSION_value(sk,lastpos);
- if (OBJ_cmp(ex->object,obj) == 0)
- return(lastpos);
+ lastpos = 0;
+ n = sk_X509_EXTENSION_num(sk);
+ for (; lastpos < n; lastpos++) {
+ ex = sk_X509_EXTENSION_value(sk, lastpos);
+ if (OBJ_cmp(ex->object, obj) == 0)
+ return (lastpos);
}
- return(-1);
+ return (-1);
}
-int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
- int lastpos)
+int
+X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
+ int lastpos)
{
int n;
X509_EXTENSION *ex;
- if (sk == NULL) return(-1);
+ if (sk == NULL)
+ return (-1);
lastpos++;
if (lastpos < 0)
- lastpos=0;
- n=sk_X509_EXTENSION_num(sk);
- for ( ; lastpos < n; lastpos++) {
- ex=sk_X509_EXTENSION_value(sk,lastpos);
- if ( ((ex->critical > 0) && crit) ||
- ((ex->critical <= 0) && !crit))
- return(lastpos);
+ lastpos = 0;
+ n = sk_X509_EXTENSION_num(sk);
+ for (; lastpos < n; lastpos++) {
+ ex = sk_X509_EXTENSION_value(sk, lastpos);
+ if (((ex->critical > 0) && crit) ||
+ ((ex->critical <= 0) && !crit))
+ return (lastpos);
}
- return(-1);
+ return (-1);
}
-X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
+X509_EXTENSION *
+X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
{
if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
return NULL;
else
- return sk_X509_EXTENSION_value(x,loc);
+ return sk_X509_EXTENSION_value(x, loc);
}
-X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
+X509_EXTENSION *
+X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
{
X509_EXTENSION *ret;
if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
- return(NULL);
- ret=sk_X509_EXTENSION_delete(x,loc);
- return(ret);
+ return (NULL);
+ ret = sk_X509_EXTENSION_delete(x, loc);
+ return (ret);
}
-STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
- X509_EXTENSION *ex, int loc)
+STACK_OF(X509_EXTENSION) *
+X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc)
{
- X509_EXTENSION *new_ex=NULL;
+ X509_EXTENSION *new_ex = NULL;
int n;
- STACK_OF(X509_EXTENSION) *sk=NULL;
+ STACK_OF(X509_EXTENSION) *sk = NULL;
if (x == NULL) {
- X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
+ X509err(X509_F_X509V3_ADD_EXT, ERR_R_PASSED_NULL_PARAMETER);
goto err2;
}
if (*x == NULL) {
- if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
+ if ((sk = sk_X509_EXTENSION_new_null()) == NULL)
goto err;
} else
sk= *x;
- n=sk_X509_EXTENSION_num(sk);
- if (loc > n) loc=n;
- else if (loc < 0) loc=n;
+ n = sk_X509_EXTENSION_num(sk);
+ if (loc > n)
+ loc = n;
+ else if (loc < 0)
+ loc = n;
- if ((new_ex=X509_EXTENSION_dup(ex)) == NULL)
+ if ((new_ex = X509_EXTENSION_dup(ex)) == NULL)
goto err2;
- if (!sk_X509_EXTENSION_insert(sk,new_ex,loc))
+ if (!sk_X509_EXTENSION_insert(sk, new_ex, loc))
goto err;
if (*x == NULL)
- *x=sk;
- return(sk);
+ *x = sk;
+ return (sk);
+
err:
- X509err(X509_F_X509V3_ADD_EXT,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509V3_ADD_EXT, ERR_R_MALLOC_FAILURE);
err2:
- if (new_ex != NULL) X509_EXTENSION_free(new_ex);
- if (sk != NULL) sk_X509_EXTENSION_free(sk);
- return(NULL);
+ if (new_ex != NULL)
+ X509_EXTENSION_free(new_ex);
+ if (sk != NULL)
+ sk_X509_EXTENSION_free(sk);
+ return (NULL);
}
-X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
- int crit, ASN1_OCTET_STRING *data)
+X509_EXTENSION *
+X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit,
+ ASN1_OCTET_STRING *data)
{
ASN1_OBJECT *obj;
X509_EXTENSION *ret;
- obj=OBJ_nid2obj(nid);
+ obj = OBJ_nid2obj(nid);
if (obj == NULL) {
- X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID);
- return(NULL);
+ X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,
+ X509_R_UNKNOWN_NID);
+ return (NULL);
}
- ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data);
- if (ret == NULL) ASN1_OBJECT_free(obj);
- return(ret);
+ ret = X509_EXTENSION_create_by_OBJ(ex, obj, crit, data);
+ if (ret == NULL)
+ ASN1_OBJECT_free(obj);
+ return (ret);
}
-X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
- ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data)
+X509_EXTENSION *
+X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, ASN1_OBJECT *obj, int crit,
+ ASN1_OCTET_STRING *data)
{
X509_EXTENSION *ret;
if ((ex == NULL) || (*ex == NULL)) {
- if ((ret=X509_EXTENSION_new()) == NULL)
- {
- X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
- return(NULL);
+ if ((ret = X509_EXTENSION_new()) == NULL) {
+ X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,
+ ERR_R_MALLOC_FAILURE);
+ return (NULL);
}
} else
ret= *ex;
- if (!X509_EXTENSION_set_object(ret,obj))
+ if (!X509_EXTENSION_set_object(ret, obj))
goto err;
- if (!X509_EXTENSION_set_critical(ret,crit))
+ if (!X509_EXTENSION_set_critical(ret, crit))
goto err;
- if (!X509_EXTENSION_set_data(ret,data))
+ if (!X509_EXTENSION_set_data(ret, data))
goto err;
-
- if ((ex != NULL) && (*ex == NULL)) *ex=ret;
- return(ret);
+
+ if ((ex != NULL) && (*ex == NULL))
+ *ex = ret;
+ return (ret);
+
err:
if ((ex == NULL) || (ret != *ex))
X509_EXTENSION_free(ret);
- return(NULL);
+ return (NULL);
}
-int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
+int
+X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
{
if ((ex == NULL) || (obj == NULL))
- return(0);
+ return (0);
ASN1_OBJECT_free(ex->object);
- ex->object=OBJ_dup(obj);
- return(1);
+ ex->object = OBJ_dup(obj);
+ return (1);
}
-int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
+int
+X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
{
- if (ex == NULL) return(0);
- ex->critical=(crit)?0xFF:-1;
- return(1);
+ if (ex == NULL)
+ return (0);
+ ex->critical = (crit) ? 0xFF : -1;
+ return (1);
}
-int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
+int
+X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
{
int i;
- if (ex == NULL) return(0);
- i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
- if (!i) return(0);
- return(1);
+ if (ex == NULL)
+ return (0);
+ i = M_ASN1_OCTET_STRING_set(ex->value, data->data, data->length);
+ if (!i)
+ return (0);
+ return (1);
}
-ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
+ASN1_OBJECT *
+X509_EXTENSION_get_object(X509_EXTENSION *ex)
{
- if (ex == NULL) return(NULL);
- return(ex->object);
+ if (ex == NULL)
+ return (NULL);
+ return (ex->object);
}
-ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
+ASN1_OCTET_STRING *
+X509_EXTENSION_get_data(X509_EXTENSION *ex)
{
- if (ex == NULL) return(NULL);
- return(ex->value);
+ if (ex == NULL)
+ return (NULL);
+ return (ex->value);
}
-int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
+int
+X509_EXTENSION_get_critical(X509_EXTENSION *ex)
{
- if (ex == NULL) return(0);
- if(ex->critical > 0) return 1;
+ if (ex == NULL)
+ return (0);
+ if (ex->critical > 0)
+ return 1;
return 0;
}
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
#define CRL_SCORE_TIME_DELTA 0x002
-static int null_callback(int ok,X509_STORE_CTX *e);
+static int null_callback(int ok, X509_STORE_CTX *e);
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
static int check_chain_extensions(X509_STORE_CTX *ctx);
static int check_policy(X509_STORE_CTX *ctx);
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
- unsigned int *preasons,
- X509_CRL *crl, X509 *x);
+ unsigned int *preasons, X509_CRL *crl, X509 *x);
static int get_crl_delta(X509_STORE_CTX *ctx,
- X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
+ X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
- X509_CRL *base, STACK_OF(X509_CRL) *crls);
-static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
- X509 **pissuer, int *pcrl_score);
+ X509_CRL *base, STACK_OF(X509_CRL) *crls);
+static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
+ int *pcrl_score);
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
- unsigned int *preasons);
+ unsigned int *preasons);
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
-static int check_crl_chain(X509_STORE_CTX *ctx,
- STACK_OF(X509) *cert_path,
- STACK_OF(X509) *crl_path);
+static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
+ STACK_OF(X509) *crl_path);
static int internal_verify(X509_STORE_CTX *ctx);
const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
-static int null_callback(int ok, X509_STORE_CTX *e)
+static int
+null_callback(int ok, X509_STORE_CTX *e)
{
return ok;
}
#if 0
-static int x509_subject_cmp(X509 **a, X509 **b)
+static int
+x509_subject_cmp(X509 **a, X509 **b)
{
- return X509_subject_name_cmp(*a,*b);
+ return X509_subject_name_cmp(*a, *b);
}
#endif
-int X509_verify_cert(X509_STORE_CTX *ctx)
+int
+X509_verify_cert(X509_STORE_CTX *ctx)
{
- X509 *x,*xtmp,*chain_ss=NULL;
+ X509 *x, *xtmp, *chain_ss = NULL;
int bad_chain = 0;
X509_VERIFY_PARAM *param = ctx->param;
- int depth,i,ok=0;
+ int depth, i, ok = 0;
int num;
- int (*cb)(int xok,X509_STORE_CTX *xctx);
- STACK_OF(X509) *sktmp=NULL;
+ int (*cb)(int xok, X509_STORE_CTX *xctx);
+ STACK_OF(X509) *sktmp = NULL;
+
if (ctx->cert == NULL) {
- X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
+ X509err(X509_F_X509_VERIFY_CERT,
+ X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
return -1;
}
- cb=ctx->verify_cb;
+ cb = ctx->verify_cb;
/* first we make sure the chain we are going to build is
* present and that the first entry is in place */
if (ctx->chain == NULL) {
- if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
- (!sk_X509_push(ctx->chain,ctx->cert))) {
- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+ if (((ctx->chain = sk_X509_new_null()) == NULL) ||
+ (!sk_X509_push(ctx->chain, ctx->cert))) {
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
goto end;
}
- CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
- ctx->last_untrusted=1;
+ CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
+ ctx->last_untrusted = 1;
}
/* We use a temporary STACK so we can chop and hack at it */
- if (ctx->untrusted != NULL
- && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) {
- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+ if (ctx->untrusted != NULL &&
+ (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
goto end;
}
- num=sk_X509_num(ctx->chain);
- x=sk_X509_value(ctx->chain,num-1);
- depth=param->depth;
-
+ num = sk_X509_num(ctx->chain);
+ x = sk_X509_value(ctx->chain, num - 1);
+ depth = param->depth;
for (;;) {
/* If we have enough, we break */
- if (depth < num) break; /* FIXME: If this happens, we should take
- * note of it and, if appropriate, use the
- * X509_V_ERR_CERT_CHAIN_TOO_LONG error
- * code later.
- */
+ if (depth < num)
+ break; /* FIXME: If this happens, we should take
+ * note of it and, if appropriate, use the
+ * X509_V_ERR_CERT_CHAIN_TOO_LONG error
+ * code later.
+ */
/* If we are self signed, we break */
- if (ctx->check_issued(ctx, x,x)) break;
+ if (ctx->check_issued(ctx, x, x))
+ break;
/* If we were passed a cert chain, use it first */
if (ctx->untrusted != NULL) {
- xtmp=find_issuer(ctx, sktmp,x);
+ xtmp = find_issuer(ctx, sktmp, x);
if (xtmp != NULL) {
- if (!sk_X509_push(ctx->chain,xtmp)) {
- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+ if (!sk_X509_push(ctx->chain, xtmp)) {
+ X509err(X509_F_X509_VERIFY_CERT,
+ ERR_R_MALLOC_FAILURE);
goto end;
}
- CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
- (void)sk_X509_delete_ptr(sktmp,xtmp);
+ CRYPTO_add(&xtmp->references, 1,
+ CRYPTO_LOCK_X509);
+ (void)sk_X509_delete_ptr(sktmp, xtmp);
ctx->last_untrusted++;
- x=xtmp;
+ x = xtmp;
num++;
/* reparse the full chain for
* the next one */
* is self signed.
*/
- i=sk_X509_num(ctx->chain);
- x=sk_X509_value(ctx->chain,i-1);
+ i = sk_X509_num(ctx->chain);
+ x = sk_X509_value(ctx->chain, i - 1);
if (ctx->check_issued(ctx, x, x)) {
/* we have a self signed certificate */
if (sk_X509_num(ctx->chain) == 1) {
*/
ok = ctx->get_issuer(&xtmp, ctx, x);
if ((ok <= 0) || X509_cmp(x, xtmp)) {
- ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
- ctx->current_cert=x;
- ctx->error_depth=i-1;
- if (ok == 1) X509_free(xtmp);
+ ctx->error =
+ X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+ ctx->current_cert = x;
+ ctx->error_depth = i - 1;
+ if (ok == 1)
+ X509_free(xtmp);
bad_chain = 1;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
} else {
/* We have a match: replace certificate with store version
* so we get any trust settings.
X509_free(x);
x = xtmp;
(void)sk_X509_set(ctx->chain, i - 1, x);
- ctx->last_untrusted=0;
+ ctx->last_untrusted = 0;
}
} else {
/* extract and save self signed certificate for later use */
- chain_ss=sk_X509_pop(ctx->chain);
+ chain_ss = sk_X509_pop(ctx->chain);
ctx->last_untrusted--;
num--;
- x=sk_X509_value(ctx->chain,num-1);
+ x = sk_X509_value(ctx->chain, num - 1);
}
}
/* We now lookup certs from the certificate store */
for (;;) {
/* If we have enough, we break */
- if (depth < num) break;
+ if (depth < num)
+ break;
/* If we are self signed, we break */
- if (ctx->check_issued(ctx,x,x)) break;
+ if (ctx->check_issued(ctx, x, x))
+ break;
ok = ctx->get_issuer(&xtmp, ctx, x);
-
- if (ok < 0) return ok;
- if (ok == 0) break;
+ if (ok < 0)
+ return ok;
+ if (ok == 0)
+ break;
x = xtmp;
- if (!sk_X509_push(ctx->chain,x)) {
+ if (!sk_X509_push(ctx->chain, x)) {
X509_free(xtmp);
- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
return 0;
}
num++;
/* we now have our chain, lets check it... */
/* Is last certificate looked up self signed? */
- if (!ctx->check_issued(ctx,x,x)) {
- if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
+ if (!ctx->check_issued(ctx, x, x)) {
+ if ((chain_ss == NULL) ||
+ !ctx->check_issued(ctx, x, chain_ss)) {
if (ctx->last_untrusted >= num)
- ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
else
- ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
- ctx->current_cert=x;
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
+ ctx->current_cert = x;
} else {
- sk_X509_push(ctx->chain,chain_ss);
+ sk_X509_push(ctx->chain, chain_ss);
num++;
- ctx->last_untrusted=num;
- ctx->current_cert=chain_ss;
- ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
- chain_ss=NULL;
+ ctx->last_untrusted = num;
+ ctx->current_cert = chain_ss;
+ ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
+ chain_ss = NULL;
}
- ctx->error_depth=num-1;
+ ctx->error_depth = num - 1;
bad_chain = 1;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
/* We have the chain complete: now we need to check its purpose */
ok = check_chain_extensions(ctx);
- if (!ok) goto end;
+ if (!ok)
+ goto end;
/* Check name constraints */
ok = check_name_constraints(ctx);
-
- if (!ok) goto end;
+
+ if (!ok)
+ goto end;
/* The chain extensions are OK: check trust */
- if (param->trust > 0) ok = check_trust(ctx);
+ if (param->trust > 0)
+ ok = check_trust(ctx);
- if (!ok) goto end;
+ if (!ok)
+ goto end;
/* We may as well copy down any DSA parameters that are required */
- X509_get_pubkey_parameters(NULL,ctx->chain);
+ X509_get_pubkey_parameters(NULL, ctx->chain);
/* Check revocation status: we do this after copying parameters
* because they may be needed for CRL signature verification.
*/
ok = ctx->check_revocation(ctx);
- if(!ok) goto end;
+ if (!ok)
+ goto end;
/* At this point, we have a chain and need to verify it */
if (ctx->verify != NULL)
- ok=ctx->verify(ctx);
+ ok = ctx->verify(ctx);
else
- ok=internal_verify(ctx);
- if(!ok) goto end;
+ ok = internal_verify(ctx);
+ if (!ok)
+ goto end;
#ifndef OPENSSL_NO_RFC3779
/* RFC 3779 path validation, now that CRL check has been done */
ok = v3_asid_validate_path(ctx);
- if (!ok) goto end;
+ if (!ok)
+ goto end;
ok = v3_addr_validate_path(ctx);
- if (!ok) goto end;
+ if (!ok)
+ goto end;
#endif
/* If we get this far evaluate policies */
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
ok = ctx->check_policy(ctx);
- if(!ok) goto end;
+ if (!ok)
+ goto end;
if (0) {
end:
- X509_get_pubkey_parameters(NULL,ctx->chain);
+ X509_get_pubkey_parameters(NULL, ctx->chain);
}
- if (sktmp != NULL) sk_X509_free(sktmp);
- if (chain_ss != NULL) X509_free(chain_ss);
+ if (sktmp != NULL)
+ sk_X509_free(sktmp);
+ if (chain_ss != NULL)
+ X509_free(chain_ss);
return ok;
}
/* Given a STACK_OF(X509) find the issuer of cert (if any)
*/
-static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
+static X509 *
+find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
int i;
X509 *issuer;
+
for (i = 0; i < sk_X509_num(sk); i++) {
issuer = sk_X509_value(sk, i);
if (ctx->check_issued(ctx, x, issuer))
/* Given a possible certificate and issuer check them */
-static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
+static int
+check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
int ret;
+
ret = X509_check_issued(issuer, x);
if (ret == X509_V_OK)
return 1;
/* Alternative lookup method: look from a STACK stored in other_ctx */
-static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+static int
+get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->other_ctx, x);
if (*issuer) {
- CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
+ CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
return 1;
} else
return 0;
}
-
/* Check a certificate chains extensions for consistency
* with the supplied purpose
*/
-static int check_chain_extensions(X509_STORE_CTX *ctx)
+static int
+check_chain_extensions(X509_STORE_CTX *ctx)
{
#ifdef OPENSSL_NO_CHAIN_VERIFY
return 1;
#else
- int i, ok=0, must_be_ca, plen = 0;
+ int i, ok = 0, must_be_ca, plen = 0;
X509 *x;
- int (*cb)(int xok,X509_STORE_CTX *xctx);
+ int (*cb)(int xok, X509_STORE_CTX *xctx);
int proxy_path_length = 0;
int purpose;
int allow_proxy_certs;
- cb=ctx->verify_cb;
+
+ cb = ctx->verify_cb;
/* must_be_ca can have 1 of 3 values:
-1: we accept both CA and non-CA certificates, to allow direct
purpose = X509_PURPOSE_CRL_SIGN;
} else {
allow_proxy_certs =
- !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+ !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
/* A hack to keep people who don't want to modify their
software happy */
if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
for (i = 0; i < ctx->last_untrusted; i++) {
int ret;
x = sk_X509_value(ctx->chain, i);
- if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
- && (x->ex_flags & EXFLAG_CRITICAL)) {
+ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
+ (x->ex_flags & EXFLAG_CRITICAL)) {
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
ret = X509_check_ca(x);
- switch(must_be_ca) {
+ switch (must_be_ca) {
case -1:
- if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1) && (ret != 0)) {
+ if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
+ (ret != 1) && (ret != 0)) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
} else
ret = 1;
break;
default:
- if ((ret == 0)
- || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1))) {
+ if ((ret == 0) ||
+ ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
+ (ret != 1))) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
} else
if (ret == 0) {
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
if (ctx->param->purpose > 0) {
ret = X509_check_purpose(x, purpose, must_be_ca > 0);
- if ((ret == 0)
- || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1))) {
+ if ((ret == 0) ||
+ ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
+ (ret != 1))) {
ctx->error = X509_V_ERR_INVALID_PURPOSE;
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
}
/* Check pathlen if not self issued */
- if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
- && (x->ex_pathlen != -1)
- && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
+ if ((i > 1) && !(x->ex_flags & EXFLAG_SI) &&
+ (x->ex_pathlen != -1) &&
+ (plen > (x->ex_pathlen + proxy_path_length + 1))) {
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
/* Increment path length if not self issued */
if (!(x->ex_flags & EXFLAG_SI))
if (x->ex_flags & EXFLAG_PROXY) {
if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
ctx->error =
- X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+ X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
proxy_path_length++;
must_be_ca = 0;
must_be_ca = 1;
}
ok = 1;
- end:
+
+end:
return ok;
#endif
}
-static int check_name_constraints(X509_STORE_CTX *ctx)
+static int
+check_name_constraints(X509_STORE_CTX *ctx)
{
X509 *x;
int i, j, rv;
+
/* Check name constraints for all certificates */
for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
x = sk_X509_value(ctx->chain, i);
ctx->error = rv;
ctx->error_depth = i;
ctx->current_cert = x;
- if (!ctx->verify_cb(0,ctx))
+ if (!ctx->verify_cb(0, ctx))
return 0;
}
}
return 1;
}
-static int check_trust(X509_STORE_CTX *ctx)
+static int
+check_trust(X509_STORE_CTX *ctx)
{
#ifdef OPENSSL_NO_CHAIN_VERIFY
return 1;
#else
int i, ok;
X509 *x;
- int (*cb)(int xok,X509_STORE_CTX *xctx);
- cb=ctx->verify_cb;
-/* For now just check the last certificate in the chain */
+ int (*cb)(int xok, X509_STORE_CTX *xctx);
+
+ cb = ctx->verify_cb;
+ /* For now just check the last certificate in the chain */
i = sk_X509_num(ctx->chain) - 1;
x = sk_X509_value(ctx->chain, i);
ok = X509_check_trust(x, ctx->param->trust, 0);
#endif
}
-static int check_revocation(X509_STORE_CTX *ctx)
+static int
+check_revocation(X509_STORE_CTX *ctx)
{
int i, last, ok;
+
if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
return 1;
if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
return 1;
last = 0;
}
- for(i = 0; i <= last; i++) {
+ for (i = 0; i <= last; i++) {
ctx->error_depth = i;
ok = check_cert(ctx);
- if (!ok) return ok;
+ if (!ok)
+ return ok;
}
return 1;
}
-static int check_cert(X509_STORE_CTX *ctx) {
+static int
+check_cert(X509_STORE_CTX *ctx)
+{
X509_CRL *crl = NULL, *dcrl = NULL;
X509 *x;
int ok, cnum;
unsigned int last_reasons;
+
cnum = ctx->error_depth;
x = sk_X509_value(ctx->chain, cnum);
ctx->current_cert = x;
/* If error looking up CRL, nothing we can do except
* notify callback
*/
- if(!ok) {
+ if (!ok) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
ok = ctx->verify_cb(0, ctx);
goto err;
goto err;
}
}
+
err:
X509_CRL_free(crl);
X509_CRL_free(dcrl);
ctx->current_crl = NULL;
return ok;
-
}
/* Check CRL times against values in X509_STORE_CTX */
-static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
+static int
+check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
{
time_t *ptime;
int i;
+
if (notify)
ctx->current_crl = crl;
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
else
ptime = NULL;
- i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
+ i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
if (i == 0) {
if (!notify)
return 0;
- ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
+ ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
if (!ctx->verify_cb(0, ctx))
return 0;
}
if (i > 0) {
if (!notify)
return 0;
- ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
+ ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
if (!ctx->verify_cb(0, ctx))
return 0;
}
- if(X509_CRL_get_nextUpdate(crl)) {
- i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
+ if (X509_CRL_get_nextUpdate(crl)) {
+ i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
if (i == 0) {
if (!notify)
return 0;
- ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
+ ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
if (!ctx->verify_cb(0, ctx))
return 0;
}
/* Ignore expiry of base CRL is delta is valid */
- if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
+ if ((i < 0) &&
+ !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
if (!notify)
return 0;
- ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
+ ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
if (!ctx->verify_cb(0, ctx))
return 0;
}
return 1;
}
-static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
- X509 **pissuer, int *pscore, unsigned int *preasons,
- STACK_OF(X509_CRL) *crls)
+static int
+get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
+ X509 **pissuer, int *pscore, unsigned int *preasons,
+ STACK_OF(X509_CRL) *crls)
{
int i, crl_score, best_score = *pscore;
unsigned int reasons, best_reasons = 0;
* both present or both absent. If both present all fields must be identical.
*/
-static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
+static int
+crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
{
ASN1_OCTET_STRING *exta, *extb;
int i;
+
i = X509_CRL_get_ext_by_NID(a, nid, -1);
if (i >= 0) {
/* Can't have multiple occurrences */
i = X509_CRL_get_ext_by_NID(b, nid, -1);
if (i >= 0) {
-
if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
return 0;
extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
if (!exta || !extb)
return 0;
-
if (ASN1_OCTET_STRING_cmp(exta, extb))
return 0;
/* See if a base and delta are compatible */
-static int check_delta_base(X509_CRL *delta, X509_CRL *base)
+static int
+check_delta_base(X509_CRL *delta, X509_CRL *base)
{
/* Delta CRL must be a delta */
if (!delta->base_crl_number)
- return 0;
+ return 0;
/* Base must have a CRL number */
if (!base->crl_number)
- return 0;
+ return 0;
/* Issuer names must match */
if (X509_NAME_cmp(X509_CRL_get_issuer(base),
- X509_CRL_get_issuer(delta)))
+ X509_CRL_get_issuer(delta)))
return 0;
/* AKID and IDP must match */
if (!crl_extension_match(delta, base, NID_authority_key_identifier))
- return 0;
+ return 0;
if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
- return 0;
+ return 0;
/* Delta CRL base number must not exceed Full CRL number. */
if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
- return 0;
+ return 0;
/* Delta CRL number must exceed full CRL number */
if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
- return 1;
+ return 1;
return 0;
}
* or retrieve a chain of deltas...
*/
-static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
- X509_CRL *base, STACK_OF(X509_CRL) *crls)
+static void
+get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base,
+ STACK_OF(X509_CRL) *crls)
{
X509_CRL *delta;
int i;
+
if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
return;
if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
* no new reasons the CRL is rejected, otherwise reasons is updated.
*/
-static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
- unsigned int *preasons,
- X509_CRL *crl, X509 *x)
+static int
+get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons,
+ X509_CRL *crl, X509 *x)
{
-
int crl_score = 0;
unsigned int tmp_reasons = *preasons, crl_reasons;
*preasons = tmp_reasons;
return crl_score;
-
}
-static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
- X509 **pissuer, int *pcrl_score)
+static void
+crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
+ int *pcrl_score)
{
X509 *crl_issuer = NULL;
X509_NAME *cnm = X509_CRL_get_issuer(crl);
/* Check the path of a CRL issuer certificate. This creates a new
* X509_STORE_CTX and populates it with most of the parameters from the
* parent. This could be optimised somewhat since a lot of path checking
- * will be duplicated by the parent, but this will rarely be used in
+ * will be duplicated by the parent, but this will rarely be used in
* practice.
*/
-static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
+static int
+check_crl_path(X509_STORE_CTX *ctx, X509 *x)
{
X509_STORE_CTX crl_ctx;
int ret;
+
/* Don't allow recursive CRL path validation */
if (ctx->parent)
return 0;
goto err;
/* Check chain is acceptable */
-
ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
- err:
+
+err:
X509_STORE_CTX_cleanup(&crl_ctx);
return ret;
}
* until this is resolved we use the RFC5280 version
*/
-static int check_crl_chain(X509_STORE_CTX *ctx,
- STACK_OF(X509) *cert_path,
- STACK_OF(X509) *crl_path)
+static int
+check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
+ STACK_OF(X509) *crl_path)
{
X509 *cert_ta, *crl_ta;
+
cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
if (!X509_cmp(cert_ta, crl_ta))
* 4. One is NULL: automatic match.
*/
-
-static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
+static int
+idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
{
X509_NAME *nm = NULL;
GENERAL_NAMES *gens = NULL;
GENERAL_NAME *gena, *genb;
int i, j;
+
if (!a || !b)
return 1;
if (a->type == 1) {
/* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
if (nm) {
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
- gena = sk_GENERAL_NAME_value(gens, i);
+ gena = sk_GENERAL_NAME_value(gens, i);
if (gena->type != GEN_DIRNAME)
continue;
if (!X509_NAME_cmp(nm, gena->d.directoryName))
}
return 0;
-
}
-static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
+static int
+crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
{
int i;
X509_NAME *nm = X509_CRL_get_issuer(crl);
+
/* If no CRLissuer return is successful iff don't need a match */
if (!dp->CRLissuer)
return !!(crl_score & CRL_SCORE_ISSUER_NAME);
/* Check CRLDP and IDP */
-static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
- unsigned int *preasons)
+static int
+crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons)
{
int i;
+
if (crl->idp_flags & IDP_ONLYATTR)
return 0;
if (x->ex_flags & EXFLAG_CA) {
DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
if (crldp_check_crlissuer(dp, crl, crl_score)) {
if (!crl->idp ||
- idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
+ idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
*preasons &= dp->dp_reasons;
return 1;
}
}
}
- if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
+ if ((!crl->idp || !crl->idp->distpoint) &&
+ (crl_score & CRL_SCORE_ISSUER_NAME))
return 1;
return 0;
}
/* Retrieve CRL corresponding to current certificate.
* If deltas enabled try to find a delta CRL too
*/
-
-static int get_crl_delta(X509_STORE_CTX *ctx,
- X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
+
+static int
+get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
{
int ok;
X509 *issuer = NULL;
X509_CRL *crl = NULL, *dcrl = NULL;
STACK_OF(X509_CRL) *skcrl;
X509_NAME *nm = X509_get_issuer_name(x);
- reasons = ctx->current_reasons;
- ok = get_crl_sk(ctx, &crl, &dcrl,
- &issuer, &crl_score, &reasons, ctx->crls);
+ reasons = ctx->current_reasons;
+ ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons,
+ ctx->crls);
if (ok)
goto done;
/* Lookup CRLs from store */
-
skcrl = ctx->lookup_crls(ctx, nm);
/* If no CRLs found and a near match from get_crl_sk use that */
sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
- done:
+done:
/* If we got any kind of CRL use it and return success */
if (crl) {
}
/* Check CRL validity */
-static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
+static int
+check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
{
X509 *issuer = NULL;
EVP_PKEY *ikey = NULL;
int ok = 0, chnum, cnum;
+
cnum = ctx->error_depth;
chnum = sk_X509_num(ctx->chain) - 1;
/* if we have an alternative CRL issuer cert use that */
} else {
issuer = sk_X509_value(ctx->chain, chnum);
/* If not self signed, can't check signature */
- if(!ctx->check_issued(ctx, issuer, issuer)) {
+ if (!ctx->check_issued(ctx, issuer, issuer)) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
ok = ctx->verify_cb(0, ctx);
- if(!ok) goto err;
+ if (!ok)
+ goto err;
}
}
- if(issuer) {
+ if (issuer) {
/* Skip most tests for deltas because they have already
* been done
*/
if (!crl->base_crl_number) {
/* Check for cRLSign bit if keyUsage present */
if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
- !(issuer->ex_kusage & KU_CRL_SIGN)) {
+ !(issuer->ex_kusage & KU_CRL_SIGN)) {
ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
ok = ctx->verify_cb(0, ctx);
- if(!ok) goto err;
+ if (!ok)
+ goto err;
}
if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
ok = ctx->verify_cb(0, ctx);
- if(!ok) goto err;
+ if (!ok)
+ goto err;
}
if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
- if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
+ if (check_crl_path(ctx,
+ ctx->current_issuer) <= 0) {
ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
ok = ctx->verify_cb(0, ctx);
- if(!ok) goto err;
+ if (!ok)
+ goto err;
}
}
if (crl->idp_flags & IDP_INVALID) {
ctx->error = X509_V_ERR_INVALID_EXTENSION;
ok = ctx->verify_cb(0, ctx);
- if(!ok) goto err;
+ if (!ok)
+ goto err;
}
/* Attempt to get issuer certificate public key */
ikey = X509_get_pubkey(issuer);
- if(!ikey) {
- ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+ if (!ikey) {
+ ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
ok = ctx->verify_cb(0, ctx);
- if (!ok) goto err;
+ if (!ok)
+ goto err;
} else {
/* Verify CRL signature */
- if(X509_CRL_verify(crl, ikey) <= 0) {
- ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
+ if (X509_CRL_verify(crl, ikey) <= 0) {
+ ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
ok = ctx->verify_cb(0, ctx);
- if (!ok) goto err;
+ if (!ok)
+ goto err;
}
}
}
}
/* Check certificate against CRL */
-static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
+static int
+cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
{
int ok;
X509_REVOKED *rev;
+
/* The rules changed for this... previously if a CRL contained
* unhandled critical extensions it could still be used to indicate
- * a certificate was revoked. This has since been changed since
+ * a certificate was revoked. This has since been changed since
* critical extension can change the meaning of CRL entries.
*/
- if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
- && (crl->flags & EXFLAG_CRITICAL)) {
+ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
+ (crl->flags & EXFLAG_CRITICAL)) {
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
ok = ctx->verify_cb(0, ctx);
- if(!ok)
+ if (!ok)
return 0;
}
/* Look for serial number of certificate in CRL
return 1;
}
-static int check_policy(X509_STORE_CTX *ctx)
+static int
+check_policy(X509_STORE_CTX *ctx)
{
int ret;
+
if (ctx->parent)
return 1;
ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
- ctx->param->policies, ctx->param->flags);
+ ctx->param->policies, ctx->param->flags);
if (ret == 0) {
- X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
return 0;
}
/* Invalid or inconsistent extensions */
continue;
ctx->current_cert = x;
ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
- if(!ctx->verify_cb(0, ctx))
+ if (!ctx->verify_cb(0, ctx))
return 0;
}
return 1;
return 1;
}
-static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+static int
+check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
time_t *ptime;
int i;
else
ptime = NULL;
- i=X509_cmp_time(X509_get_notBefore(x), ptime);
+ i = X509_cmp_time(X509_get_notBefore(x), ptime);
if (i == 0) {
- ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
- ctx->current_cert=x;
+ ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
+ ctx->current_cert = x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
if (i > 0) {
- ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
- ctx->current_cert=x;
+ ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
+ ctx->current_cert = x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
- i=X509_cmp_time(X509_get_notAfter(x), ptime);
+ i = X509_cmp_time(X509_get_notAfter(x), ptime);
if (i == 0) {
- ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
- ctx->current_cert=x;
+ ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
+ ctx->current_cert = x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
if (i < 0) {
- ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
- ctx->current_cert=x;
+ ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
+ ctx->current_cert = x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
return 1;
}
-static int internal_verify(X509_STORE_CTX *ctx)
+static int
+internal_verify(X509_STORE_CTX *ctx)
{
- int ok=0,n;
- X509 *xs,*xi;
- EVP_PKEY *pkey=NULL;
- int (*cb)(int xok,X509_STORE_CTX *xctx);
+ int ok = 0, n;
+ X509 *xs, *xi;
+ EVP_PKEY *pkey = NULL;
+ int (*cb)(int xok, X509_STORE_CTX *xctx);
- cb=ctx->verify_cb;
+ cb = ctx->verify_cb;
- n=sk_X509_num(ctx->chain);
- ctx->error_depth=n-1;
+ n = sk_X509_num(ctx->chain);
+ ctx->error_depth = n - 1;
n--;
- xi=sk_X509_value(ctx->chain,n);
+ xi = sk_X509_value(ctx->chain, n);
if (ctx->check_issued(ctx, xi, xi))
- xs=xi;
+ xs = xi;
else {
if (n <= 0) {
- ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
- ctx->current_cert=xi;
- ok=cb(0,ctx);
+ ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
+ ctx->current_cert = xi;
+ ok = cb(0, ctx);
goto end;
} else {
n--;
- ctx->error_depth=n;
- xs=sk_X509_value(ctx->chain,n);
+ ctx->error_depth = n;
+ xs = sk_X509_value(ctx->chain, n);
}
}
/* ctx->error=0; not needed */
while (n >= 0) {
- ctx->error_depth=n;
+ ctx->error_depth = n;
/* Skip signature check for self signed certificates unless
* explicitly asked for. It doesn't add any security and
* just wastes time.
*/
- if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
- if ((pkey=X509_get_pubkey(xi)) == NULL) {
- ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
- ctx->current_cert=xi;
- ok=(*cb)(0,ctx);
- if (!ok) goto end;
- } else if (X509_verify(xs,pkey) <= 0) {
- ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
- ctx->current_cert=xs;
- ok=(*cb)(0,ctx);
+ if (!xs->valid && (xs != xi ||
+ (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
+ if ((pkey = X509_get_pubkey(xi)) == NULL) {
+ ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+ ctx->current_cert = xi;
+ ok = (*cb)(0, ctx);
+ if (!ok)
+ goto end;
+ } else if (X509_verify(xs, pkey) <= 0) {
+ ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
+ ctx->current_cert = xs;
+ ok = (*cb)(0, ctx);
if (!ok) {
EVP_PKEY_free(pkey);
goto end;
}
}
EVP_PKEY_free(pkey);
- pkey=NULL;
+ pkey = NULL;
}
xs->valid = 1;
goto end;
/* The last error (if any) is still in the error value */
- ctx->current_issuer=xi;
- ctx->current_cert=xs;
- ok=(*cb)(1,ctx);
- if (!ok) goto end;
+ ctx->current_issuer = xi;
+ ctx->current_cert = xs;
+ ok = (*cb)(1, ctx);
+ if (!ok)
+ goto end;
n--;
if (n >= 0) {
- xi=xs;
- xs=sk_X509_value(ctx->chain,n);
+ xi = xs;
+ xs = sk_X509_value(ctx->chain, n);
}
}
- ok=1;
+ ok = 1;
+
end:
return ok;
}
-int X509_cmp_current_time(const ASN1_TIME *ctm)
+int
+X509_cmp_current_time(const ASN1_TIME *ctm)
{
return X509_cmp_time(ctm, NULL);
}
-int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
+int
+X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
{
char *str;
ASN1_TIME atm;
long offset;
- char buff1[24],buff2[24],*p;
- int i,j;
+ char buff1[24], buff2[24], *p;
+ int i, j;
- p=buff1;
- i=ctm->length;
- str=(char *)ctm->data;
+ p = buff1;
+ i = ctm->length;
+ str = (char *)ctm->data;
if (ctm->type == V_ASN1_UTCTIME) {
- if ((i < 11) || (i > 17)) return 0;
- memcpy(p,str,10);
- p+=10;
- str+=10;
+ if ((i < 11) || (i > 17))
+ return 0;
+ memcpy(p, str, 10);
+ p += 10;
+ str += 10;
} else {
- if (i < 13) return 0;
- memcpy(p,str,12);
- p+=12;
- str+=12;
+ if (i < 13)
+ return 0;
+ memcpy(p, str, 12);
+ p += 12;
+ str += 12;
}
if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
- *(p++)='0';
- *(p++)='0';
- } else {
- *(p++)= *(str++);
- *(p++)= *(str++);
+ *(p++) = '0';
+ *(p++) = '0';
+ } else {
+ *(p++) = *(str++);
+ *(p++) = *(str++);
/* Skip any fractional seconds... */
if (*str == '.') {
str++;
- while ((*str >= '0') && (*str <= '9')) str++;
+ while ((*str >= '0') && (*str <= '9'))
+ str++;
}
-
}
- *(p++)='Z';
- *(p++)='\0';
+ *(p++) = 'Z';
+ *(p++) = '\0';
if (*str == 'Z')
- offset=0;
+ offset = 0;
else {
if ((*str != '+') && (*str != '-'))
return 0;
- offset=((str[1]-'0')*10+(str[2]-'0'))*60;
- offset+=(str[3]-'0')*10+(str[4]-'0');
+ offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
+ offset += (str[3] - '0') * 10 + (str[4] - '0');
if (*str == '-')
- offset= -offset;
+ offset = -offset;
}
- atm.type=ctm->type;
+ atm.type = ctm->type;
atm.flags = 0;
- atm.length=sizeof(buff2);
- atm.data=(unsigned char *)buff2;
+ atm.length = sizeof(buff2);
+ atm.data = (unsigned char *)buff2;
- if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
+ if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL)
return 0;
if (ctm->type == V_ASN1_UTCTIME) {
- i=(buff1[0]-'0')*10+(buff1[1]-'0');
- if (i < 50) i+=100; /* cf. RFC 2459 */
- j=(buff2[0]-'0')*10+(buff2[1]-'0');
- if (j < 50) j+=100;
-
- if (i < j) return -1;
- if (i > j) return 1;
+ i = (buff1[0] - '0') * 10 + (buff1[1] - '0');
+ if (i < 50)
+ i += 100; /* cf. RFC 2459 */
+ j = (buff2[0] - '0') * 10 + (buff2[1] - '0');
+ if (j < 50)
+ j += 100;
+ if (i < j)
+ return -1;
+ if (i > j)
+ return 1;
}
- i=strcmp(buff1,buff2);
+ i = strcmp(buff1, buff2);
if (i == 0) /* wait a second then return younger :-) */
return -1;
else
return i;
}
-ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
+ASN1_TIME *
+X509_gmtime_adj(ASN1_TIME *s, long adj)
{
return X509_time_adj(s, adj, NULL);
}
-ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
+ASN1_TIME *
+X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
{
return X509_time_adj_ex(s, 0, offset_sec, in_tm);
}
-ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
- int offset_day, long offset_sec, time_t *in_tm)
+ASN1_TIME *
+X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm)
{
time_t t;
- if (in_tm) t = *in_tm;
- else time(&t);
+ if (in_tm)
+ t = *in_tm;
+ else
+ time(&t);
if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
if (s->type == V_ASN1_UTCTIME)
- return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
+ return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);
if (s->type == V_ASN1_GENERALIZEDTIME)
return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
- offset_sec);
+ offset_sec);
}
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
-int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
+int
+X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
{
- EVP_PKEY *ktmp=NULL,*ktmp2;
- int i,j;
+ EVP_PKEY *ktmp = NULL, *ktmp2;
+ int i, j;
- if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
+ if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))
+ return 1;
- for (i=0; i<sk_X509_num(chain); i++) {
- ktmp=X509_get_pubkey(sk_X509_value(chain,i));
+ for (i = 0; i < sk_X509_num(chain); i++) {
+ ktmp = X509_get_pubkey(sk_X509_value(chain, i));
if (ktmp == NULL) {
- X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
+ X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
+ X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
return 0;
}
if (!EVP_PKEY_missing_parameters(ktmp))
break;
else {
EVP_PKEY_free(ktmp);
- ktmp=NULL;
+ ktmp = NULL;
}
}
if (ktmp == NULL) {
- X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
+ X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
+ X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
return 0;
}
/* first, populate the other certs */
- for (j=i-1; j >= 0; j--) {
- ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
- EVP_PKEY_copy_parameters(ktmp2,ktmp);
+ for (j = i - 1; j >= 0; j--) {
+ ktmp2 = X509_get_pubkey(sk_X509_value(chain, j));
+ EVP_PKEY_copy_parameters(ktmp2, ktmp);
EVP_PKEY_free(ktmp2);
}
-
- if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
+
+ if (pkey != NULL)
+ EVP_PKEY_copy_parameters(pkey, ktmp);
EVP_PKEY_free(ktmp);
return 1;
}
-int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+int
+X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
{
/* This function is (usually) called only once, by
* SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
- new_func, dup_func, free_func);
+ return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX,
+ argl, argp, new_func, dup_func, free_func);
}
-int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
+int
+X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
{
- return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
+ return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
}
-void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
+void *
+X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
{
- return CRYPTO_get_ex_data(&ctx->ex_data,idx);
+ return CRYPTO_get_ex_data(&ctx->ex_data, idx);
}
-int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
+int
+X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
{
return ctx->error;
}
-void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
+void
+X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
{
- ctx->error=err;
+ ctx->error = err;
}
-int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
+int
+X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
{
return ctx->error_depth;
}
-X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
+X509 *
+X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
{
return ctx->current_cert;
}
int i;
X509 *x;
STACK_OF(X509) *chain;
- if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
+
+ if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain)))
+ return NULL;
for (i = 0; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
return chain;
}
-X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
+X509 *
+X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
{
return ctx->current_issuer;
}
-X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
+X509_CRL *
+X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
{
return ctx->current_crl;
}
-X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
+X509_STORE_CTX *
+X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
{
return ctx->parent;
}
-void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
+void
+X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
{
- ctx->cert=x;
+ ctx->cert = x;
}
-void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+void
+X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
- ctx->untrusted=sk;
+ ctx->untrusted = sk;
}
-void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
+void
+X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
{
- ctx->crls=sk;
+ ctx->crls = sk;
}
-int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
+int
+X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
{
return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
}
-int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
+int
+X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
{
return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
}
* aren't set then we use the default of SSL client/server.
*/
-int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
- int purpose, int trust)
+int
+X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
+ int purpose, int trust)
{
int idx;
+
/* If purpose not set use default */
- if (!purpose) purpose = def_purpose;
+ if (!purpose)
+ purpose = def_purpose;
/* If we have a purpose then check it is valid */
if (purpose) {
X509_PURPOSE *ptmp;
idx = X509_PURPOSE_get_by_id(purpose);
if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
- X509_R_UNKNOWN_PURPOSE_ID);
+ X509_R_UNKNOWN_PURPOSE_ID);
return 0;
}
ptmp = X509_PURPOSE_get0(idx);
idx = X509_PURPOSE_get_by_id(def_purpose);
if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
- X509_R_UNKNOWN_PURPOSE_ID);
+ X509_R_UNKNOWN_PURPOSE_ID);
return 0;
}
ptmp = X509_PURPOSE_get0(idx);
}
/* If trust not set then get from purpose default */
- if (!trust) trust = ptmp->trust;
+ if (!trust)
+ trust = ptmp->trust;
}
if (trust) {
idx = X509_TRUST_get_by_id(trust);
if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
- X509_R_UNKNOWN_TRUST_ID);
+ X509_R_UNKNOWN_TRUST_ID);
return 0;
}
}
- if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
- if (trust && !ctx->param->trust) ctx->param->trust = trust;
+ if (purpose && !ctx->param->purpose)
+ ctx->param->purpose = purpose;
+ if (trust && !ctx->param->trust)
+ ctx->param->trust = trust;
return 1;
}
-X509_STORE_CTX *X509_STORE_CTX_new(void)
+X509_STORE_CTX *
+X509_STORE_CTX_new(void)
{
X509_STORE_CTX *ctx;
+
ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX));
if (!ctx) {
- X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
memset(ctx, 0, sizeof(X509_STORE_CTX));
return ctx;
}
-void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
+void
+X509_STORE_CTX_free(X509_STORE_CTX *ctx)
{
X509_STORE_CTX_cleanup(ctx);
free(ctx);
}
-int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
- STACK_OF(X509) *chain)
+int
+X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
+ STACK_OF(X509) *chain)
{
int ret = 1;
- ctx->ctx=store;
- ctx->current_method=0;
- ctx->cert=x509;
- ctx->untrusted=chain;
+
+ ctx->ctx = store;
+ ctx->current_method = 0;
+ ctx->cert = x509;
+ ctx->untrusted = chain;
ctx->crls = NULL;
- ctx->last_untrusted=0;
- ctx->other_ctx=NULL;
- ctx->valid=0;
- ctx->chain=NULL;
- ctx->error=0;
- ctx->explicit_policy=0;
- ctx->error_depth=0;
- ctx->current_cert=NULL;
- ctx->current_issuer=NULL;
- ctx->current_crl=NULL;
- ctx->current_crl_score=0;
- ctx->current_reasons=0;
+ ctx->last_untrusted = 0;
+ ctx->other_ctx = NULL;
+ ctx->valid = 0;
+ ctx->chain = NULL;
+ ctx->error = 0;
+ ctx->explicit_policy = 0;
+ ctx->error_depth = 0;
+ ctx->current_cert = NULL;
+ ctx->current_issuer = NULL;
+ ctx->current_crl = NULL;
+ ctx->current_crl_score = 0;
+ ctx->current_reasons = 0;
ctx->tree = NULL;
ctx->parent = NULL;
ctx->param = X509_VERIFY_PARAM_new();
if (!ctx->param) {
- X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
return 0;
}
* use defaults.
*/
-
if (store)
ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
else
if (ret)
ret = X509_VERIFY_PARAM_inherit(ctx->param,
- X509_VERIFY_PARAM_lookup("default"));
+ X509_VERIFY_PARAM_lookup("default"));
if (ret == 0) {
- X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
return 0;
}
* X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
* corresponding "new" here and remove this bogus initialisation. */
/* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
- if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
- &(ctx->ex_data))) {
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
+ &(ctx->ex_data))) {
free(ctx);
- X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
return 0;
}
return 1;
* This avoids X509_STORE nastiness where it isn't needed.
*/
-void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+void
+X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
ctx->other_ctx = sk;
ctx->get_issuer = get_issuer_sk;
}
-void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
+void
+X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
{
- if (ctx->cleanup) ctx->cleanup(ctx);
+ if (ctx->cleanup)
+ ctx->cleanup(ctx);
if (ctx->param != NULL) {
if (ctx->parent == NULL)
X509_VERIFY_PARAM_free(ctx->param);
- ctx->param=NULL;
+ ctx->param = NULL;
}
if (ctx->tree != NULL) {
X509_policy_tree_free(ctx->tree);
- ctx->tree=NULL;
+ ctx->tree = NULL;
}
if (ctx->chain != NULL) {
- sk_X509_pop_free(ctx->chain,X509_free);
- ctx->chain=NULL;
+ sk_X509_pop_free(ctx->chain, X509_free);
+ ctx->chain = NULL;
}
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
- memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX,
+ ctx, &(ctx->ex_data));
+ memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
}
-void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
+void
+X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
{
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
}
-void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
+void
+X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
{
X509_VERIFY_PARAM_set_flags(ctx->param, flags);
}
-void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
+void
+X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
{
X509_VERIFY_PARAM_set_time(ctx->param, t);
}
-void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
- int (*verify_cb)(int, X509_STORE_CTX *))
+void
+X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
+ int (*verify_cb)(int, X509_STORE_CTX *))
{
- ctx->verify_cb=verify_cb;
+ ctx->verify_cb = verify_cb;
}
-X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
+X509_POLICY_TREE *
+X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
{
return ctx->tree;
}
-int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
+int
+X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
{
return ctx->explicit_policy;
}
-int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
+int
+X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
{
const X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_lookup(name);
return X509_VERIFY_PARAM_inherit(ctx->param, param);
}
-X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
+X509_VERIFY_PARAM *
+X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
{
return ctx->param;
}
-void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
+void
+X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
{
if (ctx->param)
X509_VERIFY_PARAM_free(ctx->param);
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
/* X509_VERIFY_PARAM functions */
-static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
+static void
+x509_verify_param_zero(X509_VERIFY_PARAM *param)
{
if (!param)
return;
}
}
-X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
+X509_VERIFY_PARAM *
+X509_VERIFY_PARAM_new(void)
{
X509_VERIFY_PARAM *param;
+
param = malloc(sizeof(X509_VERIFY_PARAM));
memset(param, 0, sizeof(X509_VERIFY_PARAM));
x509_verify_param_zero(param);
return param;
}
-void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
+void
+X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
{
x509_verify_param_zero(param);
free(param);
* for SSL servers or clients but only if the application has not set new
* ones.
*
- * The "inh_flags" field determines how this function behaves.
+ * The "inh_flags" field determines how this function behaves.
*
* Normally any values which are set in the default are not copied from the
* destination and verify flags are ORed together.
#define x509_verify_param_copy(field, def) \
if (test_x509_verify_param_copy(field, def)) \
dest->field = src->field
-
-int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
- const X509_VERIFY_PARAM *src)
+
+int
+X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src)
{
unsigned long inh_flags;
int to_default, to_overwrite;
+
if (!src)
return 1;
inh_flags = dest->inh_flags | src->inh_flags;
return 1;
}
-int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
- const X509_VERIFY_PARAM *from)
+int
+X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from)
{
unsigned long save_flags = to->inh_flags;
int ret;
+
to->inh_flags |= X509_VP_FLAG_DEFAULT;
ret = X509_VERIFY_PARAM_inherit(to, from);
to->inh_flags = save_flags;
return ret;
}
-int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
+int
+X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
{
if (param->name)
free(param->name);
return 0;
}
-int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
+int
+X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
{
param->flags |= flags;
if (flags & X509_V_FLAG_POLICY_MASK)
return 1;
}
-int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
+int
+X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
{
param->flags &= ~flags;
return 1;
}
-unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
+unsigned long
+X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
{
return param->flags;
}
-int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
+int
+X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
{
return X509_PURPOSE_set(¶m->purpose, purpose);
}
-int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
+int
+X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
{
return X509_TRUST_set(¶m->trust, trust);
}
-void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
+void
+X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
{
param->depth = depth;
}
-void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
+void
+X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
{
param->check_time = t;
param->flags |= X509_V_FLAG_USE_CHECK_TIME;
}
-int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
+int
+X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
{
if (!param->policies) {
param->policies = sk_ASN1_OBJECT_new_null();
return 1;
}
-int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
- STACK_OF(ASN1_OBJECT) *policies)
+int
+X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
+ STACK_OF(ASN1_OBJECT) *policies)
{
int i;
ASN1_OBJECT *oid, *doid;
+
if (!param)
return 0;
if (param->policies)
return 1;
}
-int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
+int
+X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
{
return param->depth;
}
static const X509_VERIFY_PARAM default_table[] = {
{
- "default", /* X509 default parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- 0, /* purpose */
- 0, /* trust */
- 100, /* depth */
- NULL /* policies */
+ "default", /* X509 default parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ 0, /* purpose */
+ 0, /* trust */
+ 100, /* depth */
+ NULL /* policies */
},
{
- "pkcs7", /* S/MIME sign parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SMIME_SIGN, /* purpose */
- X509_TRUST_EMAIL, /* trust */
- -1, /* depth */
- NULL /* policies */
+ "pkcs7", /* S/MIME sign parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ X509_PURPOSE_SMIME_SIGN, /* purpose */
+ X509_TRUST_EMAIL, /* trust */
+ -1, /* depth */
+ NULL /* policies */
},
{
- "smime_sign", /* S/MIME sign parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SMIME_SIGN, /* purpose */
- X509_TRUST_EMAIL, /* trust */
- -1, /* depth */
- NULL /* policies */
+ "smime_sign", /* S/MIME sign parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ X509_PURPOSE_SMIME_SIGN, /* purpose */
+ X509_TRUST_EMAIL, /* trust */
+ -1, /* depth */
+ NULL /* policies */
},
{
- "ssl_client", /* SSL/TLS client parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SSL_CLIENT, /* purpose */
- X509_TRUST_SSL_CLIENT, /* trust */
- -1, /* depth */
- NULL /* policies */
+ "ssl_client", /* SSL/TLS client parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ X509_PURPOSE_SSL_CLIENT, /* purpose */
+ X509_TRUST_SSL_CLIENT, /* trust */
+ -1, /* depth */
+ NULL /* policies */
},
{
- "ssl_server", /* SSL/TLS server parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SSL_SERVER, /* purpose */
- X509_TRUST_SSL_SERVER, /* trust */
- -1, /* depth */
- NULL /* policies */
+ "ssl_server", /* SSL/TLS server parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ X509_PURPOSE_SSL_SERVER, /* purpose */
+ X509_TRUST_SSL_SERVER, /* trust */
+ -1, /* depth */
+ NULL /* policies */
}
};
static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
-static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
-
+static int
+table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
{
return strcmp(a->name, b->name);
}
-DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
- table);
-IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
- table);
+DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
-static int param_cmp(const X509_VERIFY_PARAM * const *a,
- const X509_VERIFY_PARAM * const *b)
+static int
+param_cmp(const X509_VERIFY_PARAM * const *a,
+ const X509_VERIFY_PARAM * const *b)
{
return strcmp((*a)->name, (*b)->name);
}
-int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
+int
+X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
{
int idx;
X509_VERIFY_PARAM *ptmp;
+
if (!param_table) {
param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
if (!param_table)
return 1;
}
-const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
+const X509_VERIFY_PARAM *
+X509_VERIFY_PARAM_lookup(const char *name)
{
int idx;
X509_VERIFY_PARAM pm;
return sk_X509_VERIFY_PARAM_value(param_table, idx);
}
return OBJ_bsearch_table(&pm, default_table,
- sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
+ sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
}
-void X509_VERIFY_PARAM_table_cleanup(void)
+void
+X509_VERIFY_PARAM_table_cleanup(void)
{
if (param_table)
sk_X509_VERIFY_PARAM_pop_free(param_table,
- X509_VERIFY_PARAM_free);
+ X509_VERIFY_PARAM_free);
param_table = NULL;
}
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
#include <openssl/evp.h>
#include <openssl/x509.h>
-int X509_set_version(X509 *x, long version)
+int
+X509_set_version(X509 *x, long version)
{
- if (x == NULL) return(0);
+ if (x == NULL)
+ return (0);
if (x->cert_info->version == NULL) {
- if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL)
- return(0);
+ if ((x->cert_info->version = M_ASN1_INTEGER_new()) == NULL)
+ return (0);
}
- return(ASN1_INTEGER_set(x->cert_info->version,version));
+ return (ASN1_INTEGER_set(x->cert_info->version, version));
}
-int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
+int
+X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
{
ASN1_INTEGER *in;
- if (x == NULL) return(0);
- in=x->cert_info->serialNumber;
+ if (x == NULL)
+ return (0);
+ in = x->cert_info->serialNumber;
if (in != serial) {
- in=M_ASN1_INTEGER_dup(serial);
+ in = M_ASN1_INTEGER_dup(serial);
if (in != NULL) {
M_ASN1_INTEGER_free(x->cert_info->serialNumber);
- x->cert_info->serialNumber=in;
+ x->cert_info->serialNumber = in;
}
}
- return(in != NULL);
+ return (in != NULL);
}
-int X509_set_issuer_name(X509 *x, X509_NAME *name)
+int
+X509_set_issuer_name(X509 *x, X509_NAME *name)
{
- if ((x == NULL) || (x->cert_info == NULL)) return(0);
- return(X509_NAME_set(&x->cert_info->issuer,name));
+ if ((x == NULL) || (x->cert_info == NULL))
+ return (0);
+ return (X509_NAME_set(&x->cert_info->issuer, name));
}
-int X509_set_subject_name(X509 *x, X509_NAME *name)
+int
+X509_set_subject_name(X509 *x, X509_NAME *name)
{
- if ((x == NULL) || (x->cert_info == NULL)) return(0);
- return(X509_NAME_set(&x->cert_info->subject,name));
+ if ((x == NULL) || (x->cert_info == NULL))
+ return (0);
+ return (X509_NAME_set(&x->cert_info->subject, name));
}
-int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
+int
+X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
{
ASN1_TIME *in;
- if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
- in=x->cert_info->validity->notBefore;
+ if ((x == NULL) || (x->cert_info->validity == NULL))
+ return (0);
+ in = x->cert_info->validity->notBefore;
if (in != tm) {
- in=M_ASN1_TIME_dup(tm);
+ in = M_ASN1_TIME_dup(tm);
if (in != NULL) {
M_ASN1_TIME_free(x->cert_info->validity->notBefore);
- x->cert_info->validity->notBefore=in;
+ x->cert_info->validity->notBefore = in;
}
}
- return(in != NULL);
+ return (in != NULL);
}
-int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
+int
+X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
{
ASN1_TIME *in;
- if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
- in=x->cert_info->validity->notAfter;
+ if ((x == NULL) || (x->cert_info->validity == NULL))
+ return (0);
+ in = x->cert_info->validity->notAfter;
if (in != tm) {
- in=M_ASN1_TIME_dup(tm);
+ in = M_ASN1_TIME_dup(tm);
if (in != NULL) {
M_ASN1_TIME_free(x->cert_info->validity->notAfter);
- x->cert_info->validity->notAfter=in;
+ x->cert_info->validity->notAfter = in;
}
}
- return(in != NULL);
+ return (in != NULL);
}
-int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
+int
+X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
{
- if ((x == NULL) || (x->cert_info == NULL)) return(0);
- return(X509_PUBKEY_set(&(x->cert_info->key),pkey));
+ if ((x == NULL) || (x->cert_info == NULL))
+ return (0);
+ return (X509_PUBKEY_set(&(x->cert_info->key), pkey));
}
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
#include <openssl/x509v3.h>
-static int tr_cmp(const X509_TRUST * const *a,
- const X509_TRUST * const *b);
+static int tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b);
static void trtable_free(X509_TRUST *p);
static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
*/
static X509_TRUST trstandard[] = {
-{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
-{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
-{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
-{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
-{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
-{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
-{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
-{X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
+ {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
+ {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
+ {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
+ {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
+ {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
+ {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
+ {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
+ {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
};
#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST))
static STACK_OF(X509_TRUST) *trtable = NULL;
-static int tr_cmp(const X509_TRUST * const *a,
- const X509_TRUST * const *b)
+static int
+tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b)
{
return (*a)->trust - (*b)->trust;
}
-int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
+int
+(*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
{
int (*oldtrust)(int , X509 *, int);
+
oldtrust = default_trust;
default_trust = trust;
return oldtrust;
}
-
-int X509_check_trust(X509 *x, int id, int flags)
+int
+X509_check_trust(X509 *x, int id, int flags)
{
X509_TRUST *pt;
int idx;
- if(id == -1) return 1;
+
+ if (id == -1)
+ return 1;
idx = X509_TRUST_get_by_id(id);
- if(idx == -1) return default_trust(id, x, flags);
+ if (idx == -1)
+ return default_trust(id, x, flags);
pt = X509_TRUST_get0(idx);
return pt->check_trust(pt, x, flags);
}
-int X509_TRUST_get_count(void)
+int
+X509_TRUST_get_count(void)
{
- if(!trtable) return X509_TRUST_COUNT;
+ if (!trtable)
+ return X509_TRUST_COUNT;
return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
}
-X509_TRUST * X509_TRUST_get0(int idx)
+X509_TRUST *
+X509_TRUST_get0(int idx)
{
- if(idx < 0) return NULL;
- if(idx < (int)X509_TRUST_COUNT) return trstandard + idx;
+ if (idx < 0)
+ return NULL;
+ if (idx < (int)X509_TRUST_COUNT)
+ return trstandard + idx;
return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
}
-int X509_TRUST_get_by_id(int id)
+int
+X509_TRUST_get_by_id(int id)
{
X509_TRUST tmp;
int idx;
- if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
- return id - X509_TRUST_MIN;
+
+ if ((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
+ return id - X509_TRUST_MIN;
tmp.trust = id;
- if(!trtable) return -1;
+ if (!trtable)
+ return -1;
idx = sk_X509_TRUST_find(trtable, &tmp);
- if(idx == -1) return -1;
+ if (idx == -1)
+ return -1;
return idx + X509_TRUST_COUNT;
}
-int X509_TRUST_set(int *t, int trust)
+int
+X509_TRUST_set(int *t, int trust)
{
- if(X509_TRUST_get_by_id(trust) == -1) {
+ if (X509_TRUST_get_by_id(trust) == -1) {
X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
return 0;
}
return 1;
}
-int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
- char *name, int arg1, void *arg2)
+int
+X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
+ char *name, int arg1, void *arg2)
{
int idx;
X509_TRUST *trtmp;
+
/* This is set according to what we change: application can't set it */
flags &= ~X509_TRUST_DYNAMIC;
/* This will always be set for application modified trust entries */
/* Get existing entry if any */
idx = X509_TRUST_get_by_id(id);
/* Need a new entry */
- if(idx == -1) {
- if(!(trtmp = malloc(sizeof(X509_TRUST)))) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+ if (idx == -1) {
+ if (!(trtmp = malloc(sizeof(X509_TRUST)))) {
+ X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
trtmp->flags = X509_TRUST_DYNAMIC;
trtmp = X509_TRUST_get0(idx);
/* free existing name if dynamic */
- if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name);
+ if (trtmp->flags & X509_TRUST_DYNAMIC_NAME)
+ free(trtmp->name);
/* dup supplied name */
- if(!(trtmp->name = BUF_strdup(name))) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+ if (!(trtmp->name = BUF_strdup(name))) {
+ X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
/* Keep the dynamic flag of existing entry */
trtmp->arg2 = arg2;
/* If its a new entry manage the dynamic table */
- if(idx == -1) {
- if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+ if (idx == -1) {
+ if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
+ X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
if (!sk_X509_TRUST_push(trtable, trtmp)) {
- X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
return 0;
}
}
return 1;
}
-static void trtable_free(X509_TRUST *p)
+static void
+trtable_free(X509_TRUST *p)
{
- if(!p) return;
+ if (!p)
+ return;
if (p->flags & X509_TRUST_DYNAMIC) {
if (p->flags & X509_TRUST_DYNAMIC_NAME)
free(p->name);
}
}
-void X509_TRUST_cleanup(void)
+void
+X509_TRUST_cleanup(void)
{
unsigned int i;
- for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
+
+ for(i = 0; i < X509_TRUST_COUNT; i++)
+ trtable_free(trstandard + i);
sk_X509_TRUST_pop_free(trtable, trtable_free);
trtable = NULL;
}
-int X509_TRUST_get_flags(X509_TRUST *xp)
+int
+X509_TRUST_get_flags(X509_TRUST *xp)
{
return xp->flags;
}
-char *X509_TRUST_get0_name(X509_TRUST *xp)
+char *
+X509_TRUST_get0_name(X509_TRUST *xp)
{
return xp->name;
}
-int X509_TRUST_get_trust(X509_TRUST *xp)
+int
+X509_TRUST_get_trust(X509_TRUST *xp)
{
return xp->trust;
}
-static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
+static int
+trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
{
- if(x->aux && (x->aux->trust || x->aux->reject))
+ if (x->aux && (x->aux->trust || x->aux->reject))
return obj_trust(trust->arg1, x, flags);
/* we don't have any trust settings: for compatibility
* we return trusted if it is self signed
return trust_compat(trust, x, flags);
}
-static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
+static int
+trust_1oid(X509_TRUST *trust, X509 *x, int flags)
{
- if(x->aux) return obj_trust(trust->arg1, x, flags);
+ if (x->aux)
+ return obj_trust(trust->arg1, x, flags);
return X509_TRUST_UNTRUSTED;
}
-static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
+static int
+trust_compat(X509_TRUST *trust, X509 *x, int flags)
{
X509_check_purpose(x, -1, 0);
- if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED;
- else return X509_TRUST_UNTRUSTED;
+ if (x->ex_flags & EXFLAG_SS)
+ return X509_TRUST_TRUSTED;
+ else
+ return X509_TRUST_UNTRUSTED;
}
-static int obj_trust(int id, X509 *x, int flags)
+static int
+obj_trust(int id, X509 *x, int flags)
{
ASN1_OBJECT *obj;
int i;
X509_CERT_AUX *ax;
+
ax = x->aux;
- if(!ax) return X509_TRUST_UNTRUSTED;
- if(ax->reject) {
- for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
+ if (!ax)
+ return X509_TRUST_UNTRUSTED;
+ if (ax->reject) {
+ for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
obj = sk_ASN1_OBJECT_value(ax->reject, i);
- if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED;
+ if (OBJ_obj2nid(obj) == id)
+ return X509_TRUST_REJECTED;
}
- }
- if(ax->trust) {
- for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
+ }
+ if (ax->trust) {
+ for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
obj = sk_ASN1_OBJECT_value(ax->trust, i);
- if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED;
+ if (OBJ_obj2nid(obj) == id)
+ return X509_TRUST_TRUSTED;
}
}
return X509_TRUST_UNTRUSTED;
}
-
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
#include <openssl/x509.h>
#include <openssl/objects.h>
-const char *X509_verify_cert_error_string(long n)
+const char *
+X509_verify_cert_error_string(long n)
{
static char buf[100];
case X509_V_ERR_NO_EXPLICIT_POLICY:
return("no explicit policy");
case X509_V_ERR_DIFFERENT_CRL_SCOPE:
- return("Different CRL scope");
+ return("Different CRL scope");
case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
- return("Unsupported extension feature");
- case X509_V_ERR_UNNESTED_RESOURCE:
- return("RFC 3779 resource not subset of parent's resources");
-
+ return("Unsupported extension feature");
+ case X509_V_ERR_UNNESTED_RESOURCE:
+ return("RFC 3779 resource not subset of parent's resources");
case X509_V_ERR_PERMITTED_VIOLATION:
return("permitted subtree violation");
case X509_V_ERR_EXCLUDED_VIOLATION:
return("CRL path validation error");
default:
- snprintf(buf,sizeof buf,"error number %ld",n);
- return(buf);
+ snprintf(buf, sizeof buf, "error number %ld", n);
+ return (buf);
}
}
-
-
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
#include <openssl/x509.h>
#include <openssl/x509v3.h>
-int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
+int
+X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
{
- if (x == NULL) return(0);
- return(sk_X509_EXTENSION_num(x));
+ if (x == NULL)
+ return (0);
+ return (sk_X509_EXTENSION_num(x));
}
-int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
- int lastpos)
+int
+X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos)
{
ASN1_OBJECT *obj;
- obj=OBJ_nid2obj(nid);
- if (obj == NULL) return(-2);
- return(X509v3_get_ext_by_OBJ(x,obj,lastpos));
+ obj = OBJ_nid2obj(nid);
+ if (obj == NULL)
+ return (-2);
+ return (X509v3_get_ext_by_OBJ(x, obj, lastpos));
}
-int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
- int lastpos)
+int
+X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj,
+ int lastpos)
{
int n;
X509_EXTENSION *ex;
- if (sk == NULL) return(-1);
+ if (sk == NULL)
+ return (-1);
lastpos++;
if (lastpos < 0)
- lastpos=0;
- n=sk_X509_EXTENSION_num(sk);
- for ( ; lastpos < n; lastpos++) {
- ex=sk_X509_EXTENSION_value(sk,lastpos);
- if (OBJ_cmp(ex->object,obj) == 0)
- return(lastpos);
+ lastpos = 0;
+ n = sk_X509_EXTENSION_num(sk);
+ for (; lastpos < n; lastpos++) {
+ ex = sk_X509_EXTENSION_value(sk, lastpos);
+ if (OBJ_cmp(ex->object, obj) == 0)
+ return (lastpos);
}
- return(-1);
+ return (-1);
}
-int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
- int lastpos)
+int
+X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
+ int lastpos)
{
int n;
X509_EXTENSION *ex;
- if (sk == NULL) return(-1);
+ if (sk == NULL)
+ return (-1);
lastpos++;
if (lastpos < 0)
- lastpos=0;
- n=sk_X509_EXTENSION_num(sk);
- for ( ; lastpos < n; lastpos++) {
- ex=sk_X509_EXTENSION_value(sk,lastpos);
- if ( ((ex->critical > 0) && crit) ||
- ((ex->critical <= 0) && !crit))
- return(lastpos);
+ lastpos = 0;
+ n = sk_X509_EXTENSION_num(sk);
+ for (; lastpos < n; lastpos++) {
+ ex = sk_X509_EXTENSION_value(sk, lastpos);
+ if (((ex->critical > 0) && crit) ||
+ ((ex->critical <= 0) && !crit))
+ return (lastpos);
}
- return(-1);
+ return (-1);
}
-X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
+X509_EXTENSION *
+X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
{
if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
return NULL;
else
- return sk_X509_EXTENSION_value(x,loc);
+ return sk_X509_EXTENSION_value(x, loc);
}
-X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
+X509_EXTENSION *
+X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
{
X509_EXTENSION *ret;
if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
- return(NULL);
- ret=sk_X509_EXTENSION_delete(x,loc);
- return(ret);
+ return (NULL);
+ ret = sk_X509_EXTENSION_delete(x, loc);
+ return (ret);
}
-STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
- X509_EXTENSION *ex, int loc)
+STACK_OF(X509_EXTENSION) *
+X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc)
{
- X509_EXTENSION *new_ex=NULL;
+ X509_EXTENSION *new_ex = NULL;
int n;
- STACK_OF(X509_EXTENSION) *sk=NULL;
+ STACK_OF(X509_EXTENSION) *sk = NULL;
if (x == NULL) {
- X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER);
+ X509err(X509_F_X509V3_ADD_EXT, ERR_R_PASSED_NULL_PARAMETER);
goto err2;
}
if (*x == NULL) {
- if ((sk=sk_X509_EXTENSION_new_null()) == NULL)
+ if ((sk = sk_X509_EXTENSION_new_null()) == NULL)
goto err;
} else
sk= *x;
- n=sk_X509_EXTENSION_num(sk);
- if (loc > n) loc=n;
- else if (loc < 0) loc=n;
+ n = sk_X509_EXTENSION_num(sk);
+ if (loc > n)
+ loc = n;
+ else if (loc < 0)
+ loc = n;
- if ((new_ex=X509_EXTENSION_dup(ex)) == NULL)
+ if ((new_ex = X509_EXTENSION_dup(ex)) == NULL)
goto err2;
- if (!sk_X509_EXTENSION_insert(sk,new_ex,loc))
+ if (!sk_X509_EXTENSION_insert(sk, new_ex, loc))
goto err;
if (*x == NULL)
- *x=sk;
- return(sk);
+ *x = sk;
+ return (sk);
+
err:
- X509err(X509_F_X509V3_ADD_EXT,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509V3_ADD_EXT, ERR_R_MALLOC_FAILURE);
err2:
- if (new_ex != NULL) X509_EXTENSION_free(new_ex);
- if (sk != NULL) sk_X509_EXTENSION_free(sk);
- return(NULL);
+ if (new_ex != NULL)
+ X509_EXTENSION_free(new_ex);
+ if (sk != NULL)
+ sk_X509_EXTENSION_free(sk);
+ return (NULL);
}
-X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
- int crit, ASN1_OCTET_STRING *data)
+X509_EXTENSION *
+X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit,
+ ASN1_OCTET_STRING *data)
{
ASN1_OBJECT *obj;
X509_EXTENSION *ret;
- obj=OBJ_nid2obj(nid);
+ obj = OBJ_nid2obj(nid);
if (obj == NULL) {
- X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID);
- return(NULL);
+ X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,
+ X509_R_UNKNOWN_NID);
+ return (NULL);
}
- ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data);
- if (ret == NULL) ASN1_OBJECT_free(obj);
- return(ret);
+ ret = X509_EXTENSION_create_by_OBJ(ex, obj, crit, data);
+ if (ret == NULL)
+ ASN1_OBJECT_free(obj);
+ return (ret);
}
-X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
- ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data)
+X509_EXTENSION *
+X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, ASN1_OBJECT *obj, int crit,
+ ASN1_OCTET_STRING *data)
{
X509_EXTENSION *ret;
if ((ex == NULL) || (*ex == NULL)) {
- if ((ret=X509_EXTENSION_new()) == NULL)
- {
- X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
- return(NULL);
+ if ((ret = X509_EXTENSION_new()) == NULL) {
+ X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,
+ ERR_R_MALLOC_FAILURE);
+ return (NULL);
}
} else
ret= *ex;
- if (!X509_EXTENSION_set_object(ret,obj))
+ if (!X509_EXTENSION_set_object(ret, obj))
goto err;
- if (!X509_EXTENSION_set_critical(ret,crit))
+ if (!X509_EXTENSION_set_critical(ret, crit))
goto err;
- if (!X509_EXTENSION_set_data(ret,data))
+ if (!X509_EXTENSION_set_data(ret, data))
goto err;
-
- if ((ex != NULL) && (*ex == NULL)) *ex=ret;
- return(ret);
+
+ if ((ex != NULL) && (*ex == NULL))
+ *ex = ret;
+ return (ret);
+
err:
if ((ex == NULL) || (ret != *ex))
X509_EXTENSION_free(ret);
- return(NULL);
+ return (NULL);
}
-int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
+int
+X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
{
if ((ex == NULL) || (obj == NULL))
- return(0);
+ return (0);
ASN1_OBJECT_free(ex->object);
- ex->object=OBJ_dup(obj);
- return(1);
+ ex->object = OBJ_dup(obj);
+ return (1);
}
-int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
+int
+X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
{
- if (ex == NULL) return(0);
- ex->critical=(crit)?0xFF:-1;
- return(1);
+ if (ex == NULL)
+ return (0);
+ ex->critical = (crit) ? 0xFF : -1;
+ return (1);
}
-int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
+int
+X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
{
int i;
- if (ex == NULL) return(0);
- i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length);
- if (!i) return(0);
- return(1);
+ if (ex == NULL)
+ return (0);
+ i = M_ASN1_OCTET_STRING_set(ex->value, data->data, data->length);
+ if (!i)
+ return (0);
+ return (1);
}
-ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
+ASN1_OBJECT *
+X509_EXTENSION_get_object(X509_EXTENSION *ex)
{
- if (ex == NULL) return(NULL);
- return(ex->object);
+ if (ex == NULL)
+ return (NULL);
+ return (ex->object);
}
-ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
+ASN1_OCTET_STRING *
+X509_EXTENSION_get_data(X509_EXTENSION *ex)
{
- if (ex == NULL) return(NULL);
- return(ex->value);
+ if (ex == NULL)
+ return (NULL);
+ return (ex->value);
}
-int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
+int
+X509_EXTENSION_get_critical(X509_EXTENSION *ex)
{
- if (ex == NULL) return(0);
- if(ex->critical > 0) return 1;
+ if (ex == NULL)
+ return (0);
+ if (ex->critical > 0)
+ return 1;
return 0;
}
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
#define CRL_SCORE_TIME_DELTA 0x002
-static int null_callback(int ok,X509_STORE_CTX *e);
+static int null_callback(int ok, X509_STORE_CTX *e);
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
static int check_chain_extensions(X509_STORE_CTX *ctx);
static int check_policy(X509_STORE_CTX *ctx);
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
- unsigned int *preasons,
- X509_CRL *crl, X509 *x);
+ unsigned int *preasons, X509_CRL *crl, X509 *x);
static int get_crl_delta(X509_STORE_CTX *ctx,
- X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
+ X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
- X509_CRL *base, STACK_OF(X509_CRL) *crls);
-static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
- X509 **pissuer, int *pcrl_score);
+ X509_CRL *base, STACK_OF(X509_CRL) *crls);
+static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
+ int *pcrl_score);
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
- unsigned int *preasons);
+ unsigned int *preasons);
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
-static int check_crl_chain(X509_STORE_CTX *ctx,
- STACK_OF(X509) *cert_path,
- STACK_OF(X509) *crl_path);
+static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
+ STACK_OF(X509) *crl_path);
static int internal_verify(X509_STORE_CTX *ctx);
const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
-static int null_callback(int ok, X509_STORE_CTX *e)
+static int
+null_callback(int ok, X509_STORE_CTX *e)
{
return ok;
}
#if 0
-static int x509_subject_cmp(X509 **a, X509 **b)
+static int
+x509_subject_cmp(X509 **a, X509 **b)
{
- return X509_subject_name_cmp(*a,*b);
+ return X509_subject_name_cmp(*a, *b);
}
#endif
-int X509_verify_cert(X509_STORE_CTX *ctx)
+int
+X509_verify_cert(X509_STORE_CTX *ctx)
{
- X509 *x,*xtmp,*chain_ss=NULL;
+ X509 *x, *xtmp, *chain_ss = NULL;
int bad_chain = 0;
X509_VERIFY_PARAM *param = ctx->param;
- int depth,i,ok=0;
+ int depth, i, ok = 0;
int num;
- int (*cb)(int xok,X509_STORE_CTX *xctx);
- STACK_OF(X509) *sktmp=NULL;
+ int (*cb)(int xok, X509_STORE_CTX *xctx);
+ STACK_OF(X509) *sktmp = NULL;
+
if (ctx->cert == NULL) {
- X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
+ X509err(X509_F_X509_VERIFY_CERT,
+ X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
return -1;
}
- cb=ctx->verify_cb;
+ cb = ctx->verify_cb;
/* first we make sure the chain we are going to build is
* present and that the first entry is in place */
if (ctx->chain == NULL) {
- if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
- (!sk_X509_push(ctx->chain,ctx->cert))) {
- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+ if (((ctx->chain = sk_X509_new_null()) == NULL) ||
+ (!sk_X509_push(ctx->chain, ctx->cert))) {
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
goto end;
}
- CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
- ctx->last_untrusted=1;
+ CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
+ ctx->last_untrusted = 1;
}
/* We use a temporary STACK so we can chop and hack at it */
- if (ctx->untrusted != NULL
- && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) {
- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+ if (ctx->untrusted != NULL &&
+ (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
goto end;
}
- num=sk_X509_num(ctx->chain);
- x=sk_X509_value(ctx->chain,num-1);
- depth=param->depth;
-
+ num = sk_X509_num(ctx->chain);
+ x = sk_X509_value(ctx->chain, num - 1);
+ depth = param->depth;
for (;;) {
/* If we have enough, we break */
- if (depth < num) break; /* FIXME: If this happens, we should take
- * note of it and, if appropriate, use the
- * X509_V_ERR_CERT_CHAIN_TOO_LONG error
- * code later.
- */
+ if (depth < num)
+ break; /* FIXME: If this happens, we should take
+ * note of it and, if appropriate, use the
+ * X509_V_ERR_CERT_CHAIN_TOO_LONG error
+ * code later.
+ */
/* If we are self signed, we break */
- if (ctx->check_issued(ctx, x,x)) break;
+ if (ctx->check_issued(ctx, x, x))
+ break;
/* If we were passed a cert chain, use it first */
if (ctx->untrusted != NULL) {
- xtmp=find_issuer(ctx, sktmp,x);
+ xtmp = find_issuer(ctx, sktmp, x);
if (xtmp != NULL) {
- if (!sk_X509_push(ctx->chain,xtmp)) {
- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+ if (!sk_X509_push(ctx->chain, xtmp)) {
+ X509err(X509_F_X509_VERIFY_CERT,
+ ERR_R_MALLOC_FAILURE);
goto end;
}
- CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
- (void)sk_X509_delete_ptr(sktmp,xtmp);
+ CRYPTO_add(&xtmp->references, 1,
+ CRYPTO_LOCK_X509);
+ (void)sk_X509_delete_ptr(sktmp, xtmp);
ctx->last_untrusted++;
- x=xtmp;
+ x = xtmp;
num++;
/* reparse the full chain for
* the next one */
* is self signed.
*/
- i=sk_X509_num(ctx->chain);
- x=sk_X509_value(ctx->chain,i-1);
+ i = sk_X509_num(ctx->chain);
+ x = sk_X509_value(ctx->chain, i - 1);
if (ctx->check_issued(ctx, x, x)) {
/* we have a self signed certificate */
if (sk_X509_num(ctx->chain) == 1) {
*/
ok = ctx->get_issuer(&xtmp, ctx, x);
if ((ok <= 0) || X509_cmp(x, xtmp)) {
- ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
- ctx->current_cert=x;
- ctx->error_depth=i-1;
- if (ok == 1) X509_free(xtmp);
+ ctx->error =
+ X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+ ctx->current_cert = x;
+ ctx->error_depth = i - 1;
+ if (ok == 1)
+ X509_free(xtmp);
bad_chain = 1;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
} else {
/* We have a match: replace certificate with store version
* so we get any trust settings.
X509_free(x);
x = xtmp;
(void)sk_X509_set(ctx->chain, i - 1, x);
- ctx->last_untrusted=0;
+ ctx->last_untrusted = 0;
}
} else {
/* extract and save self signed certificate for later use */
- chain_ss=sk_X509_pop(ctx->chain);
+ chain_ss = sk_X509_pop(ctx->chain);
ctx->last_untrusted--;
num--;
- x=sk_X509_value(ctx->chain,num-1);
+ x = sk_X509_value(ctx->chain, num - 1);
}
}
/* We now lookup certs from the certificate store */
for (;;) {
/* If we have enough, we break */
- if (depth < num) break;
+ if (depth < num)
+ break;
/* If we are self signed, we break */
- if (ctx->check_issued(ctx,x,x)) break;
+ if (ctx->check_issued(ctx, x, x))
+ break;
ok = ctx->get_issuer(&xtmp, ctx, x);
-
- if (ok < 0) return ok;
- if (ok == 0) break;
+ if (ok < 0)
+ return ok;
+ if (ok == 0)
+ break;
x = xtmp;
- if (!sk_X509_push(ctx->chain,x)) {
+ if (!sk_X509_push(ctx->chain, x)) {
X509_free(xtmp);
- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
return 0;
}
num++;
/* we now have our chain, lets check it... */
/* Is last certificate looked up self signed? */
- if (!ctx->check_issued(ctx,x,x)) {
- if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
+ if (!ctx->check_issued(ctx, x, x)) {
+ if ((chain_ss == NULL) ||
+ !ctx->check_issued(ctx, x, chain_ss)) {
if (ctx->last_untrusted >= num)
- ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
else
- ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
- ctx->current_cert=x;
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
+ ctx->current_cert = x;
} else {
- sk_X509_push(ctx->chain,chain_ss);
+ sk_X509_push(ctx->chain, chain_ss);
num++;
- ctx->last_untrusted=num;
- ctx->current_cert=chain_ss;
- ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
- chain_ss=NULL;
+ ctx->last_untrusted = num;
+ ctx->current_cert = chain_ss;
+ ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
+ chain_ss = NULL;
}
- ctx->error_depth=num-1;
+ ctx->error_depth = num - 1;
bad_chain = 1;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
/* We have the chain complete: now we need to check its purpose */
ok = check_chain_extensions(ctx);
- if (!ok) goto end;
+ if (!ok)
+ goto end;
/* Check name constraints */
ok = check_name_constraints(ctx);
-
- if (!ok) goto end;
+
+ if (!ok)
+ goto end;
/* The chain extensions are OK: check trust */
- if (param->trust > 0) ok = check_trust(ctx);
+ if (param->trust > 0)
+ ok = check_trust(ctx);
- if (!ok) goto end;
+ if (!ok)
+ goto end;
/* We may as well copy down any DSA parameters that are required */
- X509_get_pubkey_parameters(NULL,ctx->chain);
+ X509_get_pubkey_parameters(NULL, ctx->chain);
/* Check revocation status: we do this after copying parameters
* because they may be needed for CRL signature verification.
*/
ok = ctx->check_revocation(ctx);
- if(!ok) goto end;
+ if (!ok)
+ goto end;
/* At this point, we have a chain and need to verify it */
if (ctx->verify != NULL)
- ok=ctx->verify(ctx);
+ ok = ctx->verify(ctx);
else
- ok=internal_verify(ctx);
- if(!ok) goto end;
+ ok = internal_verify(ctx);
+ if (!ok)
+ goto end;
#ifndef OPENSSL_NO_RFC3779
/* RFC 3779 path validation, now that CRL check has been done */
ok = v3_asid_validate_path(ctx);
- if (!ok) goto end;
+ if (!ok)
+ goto end;
ok = v3_addr_validate_path(ctx);
- if (!ok) goto end;
+ if (!ok)
+ goto end;
#endif
/* If we get this far evaluate policies */
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
ok = ctx->check_policy(ctx);
- if(!ok) goto end;
+ if (!ok)
+ goto end;
if (0) {
end:
- X509_get_pubkey_parameters(NULL,ctx->chain);
+ X509_get_pubkey_parameters(NULL, ctx->chain);
}
- if (sktmp != NULL) sk_X509_free(sktmp);
- if (chain_ss != NULL) X509_free(chain_ss);
+ if (sktmp != NULL)
+ sk_X509_free(sktmp);
+ if (chain_ss != NULL)
+ X509_free(chain_ss);
return ok;
}
/* Given a STACK_OF(X509) find the issuer of cert (if any)
*/
-static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
+static X509 *
+find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
int i;
X509 *issuer;
+
for (i = 0; i < sk_X509_num(sk); i++) {
issuer = sk_X509_value(sk, i);
if (ctx->check_issued(ctx, x, issuer))
/* Given a possible certificate and issuer check them */
-static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
+static int
+check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
int ret;
+
ret = X509_check_issued(issuer, x);
if (ret == X509_V_OK)
return 1;
/* Alternative lookup method: look from a STACK stored in other_ctx */
-static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+static int
+get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->other_ctx, x);
if (*issuer) {
- CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
+ CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
return 1;
} else
return 0;
}
-
/* Check a certificate chains extensions for consistency
* with the supplied purpose
*/
-static int check_chain_extensions(X509_STORE_CTX *ctx)
+static int
+check_chain_extensions(X509_STORE_CTX *ctx)
{
#ifdef OPENSSL_NO_CHAIN_VERIFY
return 1;
#else
- int i, ok=0, must_be_ca, plen = 0;
+ int i, ok = 0, must_be_ca, plen = 0;
X509 *x;
- int (*cb)(int xok,X509_STORE_CTX *xctx);
+ int (*cb)(int xok, X509_STORE_CTX *xctx);
int proxy_path_length = 0;
int purpose;
int allow_proxy_certs;
- cb=ctx->verify_cb;
+
+ cb = ctx->verify_cb;
/* must_be_ca can have 1 of 3 values:
-1: we accept both CA and non-CA certificates, to allow direct
purpose = X509_PURPOSE_CRL_SIGN;
} else {
allow_proxy_certs =
- !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+ !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
/* A hack to keep people who don't want to modify their
software happy */
if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
for (i = 0; i < ctx->last_untrusted; i++) {
int ret;
x = sk_X509_value(ctx->chain, i);
- if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
- && (x->ex_flags & EXFLAG_CRITICAL)) {
+ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
+ (x->ex_flags & EXFLAG_CRITICAL)) {
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
ret = X509_check_ca(x);
- switch(must_be_ca) {
+ switch (must_be_ca) {
case -1:
- if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1) && (ret != 0)) {
+ if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
+ (ret != 1) && (ret != 0)) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
} else
ret = 1;
break;
default:
- if ((ret == 0)
- || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1))) {
+ if ((ret == 0) ||
+ ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
+ (ret != 1))) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
} else
if (ret == 0) {
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
if (ctx->param->purpose > 0) {
ret = X509_check_purpose(x, purpose, must_be_ca > 0);
- if ((ret == 0)
- || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1))) {
+ if ((ret == 0) ||
+ ((ctx->param->flags & X509_V_FLAG_X509_STRICT) &&
+ (ret != 1))) {
ctx->error = X509_V_ERR_INVALID_PURPOSE;
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
}
/* Check pathlen if not self issued */
- if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
- && (x->ex_pathlen != -1)
- && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
+ if ((i > 1) && !(x->ex_flags & EXFLAG_SI) &&
+ (x->ex_pathlen != -1) &&
+ (plen > (x->ex_pathlen + proxy_path_length + 1))) {
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
/* Increment path length if not self issued */
if (!(x->ex_flags & EXFLAG_SI))
if (x->ex_flags & EXFLAG_PROXY) {
if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
ctx->error =
- X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+ X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ctx->current_cert = x;
- ok=cb(0,ctx);
- if (!ok) goto end;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
}
proxy_path_length++;
must_be_ca = 0;
must_be_ca = 1;
}
ok = 1;
- end:
+
+end:
return ok;
#endif
}
-static int check_name_constraints(X509_STORE_CTX *ctx)
+static int
+check_name_constraints(X509_STORE_CTX *ctx)
{
X509 *x;
int i, j, rv;
+
/* Check name constraints for all certificates */
for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
x = sk_X509_value(ctx->chain, i);
ctx->error = rv;
ctx->error_depth = i;
ctx->current_cert = x;
- if (!ctx->verify_cb(0,ctx))
+ if (!ctx->verify_cb(0, ctx))
return 0;
}
}
return 1;
}
-static int check_trust(X509_STORE_CTX *ctx)
+static int
+check_trust(X509_STORE_CTX *ctx)
{
#ifdef OPENSSL_NO_CHAIN_VERIFY
return 1;
#else
int i, ok;
X509 *x;
- int (*cb)(int xok,X509_STORE_CTX *xctx);
- cb=ctx->verify_cb;
-/* For now just check the last certificate in the chain */
+ int (*cb)(int xok, X509_STORE_CTX *xctx);
+
+ cb = ctx->verify_cb;
+ /* For now just check the last certificate in the chain */
i = sk_X509_num(ctx->chain) - 1;
x = sk_X509_value(ctx->chain, i);
ok = X509_check_trust(x, ctx->param->trust, 0);
#endif
}
-static int check_revocation(X509_STORE_CTX *ctx)
+static int
+check_revocation(X509_STORE_CTX *ctx)
{
int i, last, ok;
+
if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
return 1;
if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
return 1;
last = 0;
}
- for(i = 0; i <= last; i++) {
+ for (i = 0; i <= last; i++) {
ctx->error_depth = i;
ok = check_cert(ctx);
- if (!ok) return ok;
+ if (!ok)
+ return ok;
}
return 1;
}
-static int check_cert(X509_STORE_CTX *ctx) {
+static int
+check_cert(X509_STORE_CTX *ctx)
+{
X509_CRL *crl = NULL, *dcrl = NULL;
X509 *x;
int ok, cnum;
unsigned int last_reasons;
+
cnum = ctx->error_depth;
x = sk_X509_value(ctx->chain, cnum);
ctx->current_cert = x;
/* If error looking up CRL, nothing we can do except
* notify callback
*/
- if(!ok) {
+ if (!ok) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
ok = ctx->verify_cb(0, ctx);
goto err;
goto err;
}
}
+
err:
X509_CRL_free(crl);
X509_CRL_free(dcrl);
ctx->current_crl = NULL;
return ok;
-
}
/* Check CRL times against values in X509_STORE_CTX */
-static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
+static int
+check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
{
time_t *ptime;
int i;
+
if (notify)
ctx->current_crl = crl;
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
else
ptime = NULL;
- i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
+ i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
if (i == 0) {
if (!notify)
return 0;
- ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
+ ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
if (!ctx->verify_cb(0, ctx))
return 0;
}
if (i > 0) {
if (!notify)
return 0;
- ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
+ ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
if (!ctx->verify_cb(0, ctx))
return 0;
}
- if(X509_CRL_get_nextUpdate(crl)) {
- i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
+ if (X509_CRL_get_nextUpdate(crl)) {
+ i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
if (i == 0) {
if (!notify)
return 0;
- ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
+ ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
if (!ctx->verify_cb(0, ctx))
return 0;
}
/* Ignore expiry of base CRL is delta is valid */
- if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
+ if ((i < 0) &&
+ !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
if (!notify)
return 0;
- ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
+ ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
if (!ctx->verify_cb(0, ctx))
return 0;
}
return 1;
}
-static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
- X509 **pissuer, int *pscore, unsigned int *preasons,
- STACK_OF(X509_CRL) *crls)
+static int
+get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
+ X509 **pissuer, int *pscore, unsigned int *preasons,
+ STACK_OF(X509_CRL) *crls)
{
int i, crl_score, best_score = *pscore;
unsigned int reasons, best_reasons = 0;
* both present or both absent. If both present all fields must be identical.
*/
-static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
+static int
+crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
{
ASN1_OCTET_STRING *exta, *extb;
int i;
+
i = X509_CRL_get_ext_by_NID(a, nid, -1);
if (i >= 0) {
/* Can't have multiple occurrences */
i = X509_CRL_get_ext_by_NID(b, nid, -1);
if (i >= 0) {
-
if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
return 0;
extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
if (!exta || !extb)
return 0;
-
if (ASN1_OCTET_STRING_cmp(exta, extb))
return 0;
/* See if a base and delta are compatible */
-static int check_delta_base(X509_CRL *delta, X509_CRL *base)
+static int
+check_delta_base(X509_CRL *delta, X509_CRL *base)
{
/* Delta CRL must be a delta */
if (!delta->base_crl_number)
- return 0;
+ return 0;
/* Base must have a CRL number */
if (!base->crl_number)
- return 0;
+ return 0;
/* Issuer names must match */
if (X509_NAME_cmp(X509_CRL_get_issuer(base),
- X509_CRL_get_issuer(delta)))
+ X509_CRL_get_issuer(delta)))
return 0;
/* AKID and IDP must match */
if (!crl_extension_match(delta, base, NID_authority_key_identifier))
- return 0;
+ return 0;
if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
- return 0;
+ return 0;
/* Delta CRL base number must not exceed Full CRL number. */
if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
- return 0;
+ return 0;
/* Delta CRL number must exceed full CRL number */
if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
- return 1;
+ return 1;
return 0;
}
* or retrieve a chain of deltas...
*/
-static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
- X509_CRL *base, STACK_OF(X509_CRL) *crls)
+static void
+get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base,
+ STACK_OF(X509_CRL) *crls)
{
X509_CRL *delta;
int i;
+
if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
return;
if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
* no new reasons the CRL is rejected, otherwise reasons is updated.
*/
-static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
- unsigned int *preasons,
- X509_CRL *crl, X509 *x)
+static int
+get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons,
+ X509_CRL *crl, X509 *x)
{
-
int crl_score = 0;
unsigned int tmp_reasons = *preasons, crl_reasons;
*preasons = tmp_reasons;
return crl_score;
-
}
-static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
- X509 **pissuer, int *pcrl_score)
+static void
+crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
+ int *pcrl_score)
{
X509 *crl_issuer = NULL;
X509_NAME *cnm = X509_CRL_get_issuer(crl);
/* Check the path of a CRL issuer certificate. This creates a new
* X509_STORE_CTX and populates it with most of the parameters from the
* parent. This could be optimised somewhat since a lot of path checking
- * will be duplicated by the parent, but this will rarely be used in
+ * will be duplicated by the parent, but this will rarely be used in
* practice.
*/
-static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
+static int
+check_crl_path(X509_STORE_CTX *ctx, X509 *x)
{
X509_STORE_CTX crl_ctx;
int ret;
+
/* Don't allow recursive CRL path validation */
if (ctx->parent)
return 0;
goto err;
/* Check chain is acceptable */
-
ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
- err:
+
+err:
X509_STORE_CTX_cleanup(&crl_ctx);
return ret;
}
* until this is resolved we use the RFC5280 version
*/
-static int check_crl_chain(X509_STORE_CTX *ctx,
- STACK_OF(X509) *cert_path,
- STACK_OF(X509) *crl_path)
+static int
+check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
+ STACK_OF(X509) *crl_path)
{
X509 *cert_ta, *crl_ta;
+
cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
if (!X509_cmp(cert_ta, crl_ta))
* 4. One is NULL: automatic match.
*/
-
-static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
+static int
+idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
{
X509_NAME *nm = NULL;
GENERAL_NAMES *gens = NULL;
GENERAL_NAME *gena, *genb;
int i, j;
+
if (!a || !b)
return 1;
if (a->type == 1) {
/* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
if (nm) {
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
- gena = sk_GENERAL_NAME_value(gens, i);
+ gena = sk_GENERAL_NAME_value(gens, i);
if (gena->type != GEN_DIRNAME)
continue;
if (!X509_NAME_cmp(nm, gena->d.directoryName))
}
return 0;
-
}
-static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
+static int
+crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
{
int i;
X509_NAME *nm = X509_CRL_get_issuer(crl);
+
/* If no CRLissuer return is successful iff don't need a match */
if (!dp->CRLissuer)
return !!(crl_score & CRL_SCORE_ISSUER_NAME);
/* Check CRLDP and IDP */
-static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
- unsigned int *preasons)
+static int
+crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons)
{
int i;
+
if (crl->idp_flags & IDP_ONLYATTR)
return 0;
if (x->ex_flags & EXFLAG_CA) {
DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
if (crldp_check_crlissuer(dp, crl, crl_score)) {
if (!crl->idp ||
- idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
+ idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
*preasons &= dp->dp_reasons;
return 1;
}
}
}
- if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
+ if ((!crl->idp || !crl->idp->distpoint) &&
+ (crl_score & CRL_SCORE_ISSUER_NAME))
return 1;
return 0;
}
/* Retrieve CRL corresponding to current certificate.
* If deltas enabled try to find a delta CRL too
*/
-
-static int get_crl_delta(X509_STORE_CTX *ctx,
- X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
+
+static int
+get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
{
int ok;
X509 *issuer = NULL;
X509_CRL *crl = NULL, *dcrl = NULL;
STACK_OF(X509_CRL) *skcrl;
X509_NAME *nm = X509_get_issuer_name(x);
- reasons = ctx->current_reasons;
- ok = get_crl_sk(ctx, &crl, &dcrl,
- &issuer, &crl_score, &reasons, ctx->crls);
+ reasons = ctx->current_reasons;
+ ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons,
+ ctx->crls);
if (ok)
goto done;
/* Lookup CRLs from store */
-
skcrl = ctx->lookup_crls(ctx, nm);
/* If no CRLs found and a near match from get_crl_sk use that */
sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
- done:
+done:
/* If we got any kind of CRL use it and return success */
if (crl) {
}
/* Check CRL validity */
-static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
+static int
+check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
{
X509 *issuer = NULL;
EVP_PKEY *ikey = NULL;
int ok = 0, chnum, cnum;
+
cnum = ctx->error_depth;
chnum = sk_X509_num(ctx->chain) - 1;
/* if we have an alternative CRL issuer cert use that */
} else {
issuer = sk_X509_value(ctx->chain, chnum);
/* If not self signed, can't check signature */
- if(!ctx->check_issued(ctx, issuer, issuer)) {
+ if (!ctx->check_issued(ctx, issuer, issuer)) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
ok = ctx->verify_cb(0, ctx);
- if(!ok) goto err;
+ if (!ok)
+ goto err;
}
}
- if(issuer) {
+ if (issuer) {
/* Skip most tests for deltas because they have already
* been done
*/
if (!crl->base_crl_number) {
/* Check for cRLSign bit if keyUsage present */
if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
- !(issuer->ex_kusage & KU_CRL_SIGN)) {
+ !(issuer->ex_kusage & KU_CRL_SIGN)) {
ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
ok = ctx->verify_cb(0, ctx);
- if(!ok) goto err;
+ if (!ok)
+ goto err;
}
if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
ok = ctx->verify_cb(0, ctx);
- if(!ok) goto err;
+ if (!ok)
+ goto err;
}
if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
- if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
+ if (check_crl_path(ctx,
+ ctx->current_issuer) <= 0) {
ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
ok = ctx->verify_cb(0, ctx);
- if(!ok) goto err;
+ if (!ok)
+ goto err;
}
}
if (crl->idp_flags & IDP_INVALID) {
ctx->error = X509_V_ERR_INVALID_EXTENSION;
ok = ctx->verify_cb(0, ctx);
- if(!ok) goto err;
+ if (!ok)
+ goto err;
}
/* Attempt to get issuer certificate public key */
ikey = X509_get_pubkey(issuer);
- if(!ikey) {
- ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+ if (!ikey) {
+ ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
ok = ctx->verify_cb(0, ctx);
- if (!ok) goto err;
+ if (!ok)
+ goto err;
} else {
/* Verify CRL signature */
- if(X509_CRL_verify(crl, ikey) <= 0) {
- ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
+ if (X509_CRL_verify(crl, ikey) <= 0) {
+ ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
ok = ctx->verify_cb(0, ctx);
- if (!ok) goto err;
+ if (!ok)
+ goto err;
}
}
}
}
/* Check certificate against CRL */
-static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
+static int
+cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
{
int ok;
X509_REVOKED *rev;
+
/* The rules changed for this... previously if a CRL contained
* unhandled critical extensions it could still be used to indicate
- * a certificate was revoked. This has since been changed since
+ * a certificate was revoked. This has since been changed since
* critical extension can change the meaning of CRL entries.
*/
- if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
- && (crl->flags & EXFLAG_CRITICAL)) {
+ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
+ (crl->flags & EXFLAG_CRITICAL)) {
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
ok = ctx->verify_cb(0, ctx);
- if(!ok)
+ if (!ok)
return 0;
}
/* Look for serial number of certificate in CRL
return 1;
}
-static int check_policy(X509_STORE_CTX *ctx)
+static int
+check_policy(X509_STORE_CTX *ctx)
{
int ret;
+
if (ctx->parent)
return 1;
ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
- ctx->param->policies, ctx->param->flags);
+ ctx->param->policies, ctx->param->flags);
if (ret == 0) {
- X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
return 0;
}
/* Invalid or inconsistent extensions */
continue;
ctx->current_cert = x;
ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
- if(!ctx->verify_cb(0, ctx))
+ if (!ctx->verify_cb(0, ctx))
return 0;
}
return 1;
return 1;
}
-static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+static int
+check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
time_t *ptime;
int i;
else
ptime = NULL;
- i=X509_cmp_time(X509_get_notBefore(x), ptime);
+ i = X509_cmp_time(X509_get_notBefore(x), ptime);
if (i == 0) {
- ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
- ctx->current_cert=x;
+ ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
+ ctx->current_cert = x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
if (i > 0) {
- ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
- ctx->current_cert=x;
+ ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
+ ctx->current_cert = x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
- i=X509_cmp_time(X509_get_notAfter(x), ptime);
+ i = X509_cmp_time(X509_get_notAfter(x), ptime);
if (i == 0) {
- ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
- ctx->current_cert=x;
+ ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
+ ctx->current_cert = x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
if (i < 0) {
- ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
- ctx->current_cert=x;
+ ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
+ ctx->current_cert = x;
if (!ctx->verify_cb(0, ctx))
return 0;
}
return 1;
}
-static int internal_verify(X509_STORE_CTX *ctx)
+static int
+internal_verify(X509_STORE_CTX *ctx)
{
- int ok=0,n;
- X509 *xs,*xi;
- EVP_PKEY *pkey=NULL;
- int (*cb)(int xok,X509_STORE_CTX *xctx);
+ int ok = 0, n;
+ X509 *xs, *xi;
+ EVP_PKEY *pkey = NULL;
+ int (*cb)(int xok, X509_STORE_CTX *xctx);
- cb=ctx->verify_cb;
+ cb = ctx->verify_cb;
- n=sk_X509_num(ctx->chain);
- ctx->error_depth=n-1;
+ n = sk_X509_num(ctx->chain);
+ ctx->error_depth = n - 1;
n--;
- xi=sk_X509_value(ctx->chain,n);
+ xi = sk_X509_value(ctx->chain, n);
if (ctx->check_issued(ctx, xi, xi))
- xs=xi;
+ xs = xi;
else {
if (n <= 0) {
- ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
- ctx->current_cert=xi;
- ok=cb(0,ctx);
+ ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
+ ctx->current_cert = xi;
+ ok = cb(0, ctx);
goto end;
} else {
n--;
- ctx->error_depth=n;
- xs=sk_X509_value(ctx->chain,n);
+ ctx->error_depth = n;
+ xs = sk_X509_value(ctx->chain, n);
}
}
/* ctx->error=0; not needed */
while (n >= 0) {
- ctx->error_depth=n;
+ ctx->error_depth = n;
/* Skip signature check for self signed certificates unless
* explicitly asked for. It doesn't add any security and
* just wastes time.
*/
- if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
- if ((pkey=X509_get_pubkey(xi)) == NULL) {
- ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
- ctx->current_cert=xi;
- ok=(*cb)(0,ctx);
- if (!ok) goto end;
- } else if (X509_verify(xs,pkey) <= 0) {
- ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
- ctx->current_cert=xs;
- ok=(*cb)(0,ctx);
+ if (!xs->valid && (xs != xi ||
+ (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
+ if ((pkey = X509_get_pubkey(xi)) == NULL) {
+ ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+ ctx->current_cert = xi;
+ ok = (*cb)(0, ctx);
+ if (!ok)
+ goto end;
+ } else if (X509_verify(xs, pkey) <= 0) {
+ ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
+ ctx->current_cert = xs;
+ ok = (*cb)(0, ctx);
if (!ok) {
EVP_PKEY_free(pkey);
goto end;
}
}
EVP_PKEY_free(pkey);
- pkey=NULL;
+ pkey = NULL;
}
xs->valid = 1;
goto end;
/* The last error (if any) is still in the error value */
- ctx->current_issuer=xi;
- ctx->current_cert=xs;
- ok=(*cb)(1,ctx);
- if (!ok) goto end;
+ ctx->current_issuer = xi;
+ ctx->current_cert = xs;
+ ok = (*cb)(1, ctx);
+ if (!ok)
+ goto end;
n--;
if (n >= 0) {
- xi=xs;
- xs=sk_X509_value(ctx->chain,n);
+ xi = xs;
+ xs = sk_X509_value(ctx->chain, n);
}
}
- ok=1;
+ ok = 1;
+
end:
return ok;
}
-int X509_cmp_current_time(const ASN1_TIME *ctm)
+int
+X509_cmp_current_time(const ASN1_TIME *ctm)
{
return X509_cmp_time(ctm, NULL);
}
-int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
+int
+X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
{
char *str;
ASN1_TIME atm;
long offset;
- char buff1[24],buff2[24],*p;
- int i,j;
+ char buff1[24], buff2[24], *p;
+ int i, j;
- p=buff1;
- i=ctm->length;
- str=(char *)ctm->data;
+ p = buff1;
+ i = ctm->length;
+ str = (char *)ctm->data;
if (ctm->type == V_ASN1_UTCTIME) {
- if ((i < 11) || (i > 17)) return 0;
- memcpy(p,str,10);
- p+=10;
- str+=10;
+ if ((i < 11) || (i > 17))
+ return 0;
+ memcpy(p, str, 10);
+ p += 10;
+ str += 10;
} else {
- if (i < 13) return 0;
- memcpy(p,str,12);
- p+=12;
- str+=12;
+ if (i < 13)
+ return 0;
+ memcpy(p, str, 12);
+ p += 12;
+ str += 12;
}
if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
- *(p++)='0';
- *(p++)='0';
- } else {
- *(p++)= *(str++);
- *(p++)= *(str++);
+ *(p++) = '0';
+ *(p++) = '0';
+ } else {
+ *(p++) = *(str++);
+ *(p++) = *(str++);
/* Skip any fractional seconds... */
if (*str == '.') {
str++;
- while ((*str >= '0') && (*str <= '9')) str++;
+ while ((*str >= '0') && (*str <= '9'))
+ str++;
}
-
}
- *(p++)='Z';
- *(p++)='\0';
+ *(p++) = 'Z';
+ *(p++) = '\0';
if (*str == 'Z')
- offset=0;
+ offset = 0;
else {
if ((*str != '+') && (*str != '-'))
return 0;
- offset=((str[1]-'0')*10+(str[2]-'0'))*60;
- offset+=(str[3]-'0')*10+(str[4]-'0');
+ offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
+ offset += (str[3] - '0') * 10 + (str[4] - '0');
if (*str == '-')
- offset= -offset;
+ offset = -offset;
}
- atm.type=ctm->type;
+ atm.type = ctm->type;
atm.flags = 0;
- atm.length=sizeof(buff2);
- atm.data=(unsigned char *)buff2;
+ atm.length = sizeof(buff2);
+ atm.data = (unsigned char *)buff2;
- if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
+ if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL)
return 0;
if (ctm->type == V_ASN1_UTCTIME) {
- i=(buff1[0]-'0')*10+(buff1[1]-'0');
- if (i < 50) i+=100; /* cf. RFC 2459 */
- j=(buff2[0]-'0')*10+(buff2[1]-'0');
- if (j < 50) j+=100;
-
- if (i < j) return -1;
- if (i > j) return 1;
+ i = (buff1[0] - '0') * 10 + (buff1[1] - '0');
+ if (i < 50)
+ i += 100; /* cf. RFC 2459 */
+ j = (buff2[0] - '0') * 10 + (buff2[1] - '0');
+ if (j < 50)
+ j += 100;
+ if (i < j)
+ return -1;
+ if (i > j)
+ return 1;
}
- i=strcmp(buff1,buff2);
+ i = strcmp(buff1, buff2);
if (i == 0) /* wait a second then return younger :-) */
return -1;
else
return i;
}
-ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
+ASN1_TIME *
+X509_gmtime_adj(ASN1_TIME *s, long adj)
{
return X509_time_adj(s, adj, NULL);
}
-ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
+ASN1_TIME *
+X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
{
return X509_time_adj_ex(s, 0, offset_sec, in_tm);
}
-ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
- int offset_day, long offset_sec, time_t *in_tm)
+ASN1_TIME *
+X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm)
{
time_t t;
- if (in_tm) t = *in_tm;
- else time(&t);
+ if (in_tm)
+ t = *in_tm;
+ else
+ time(&t);
if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
if (s->type == V_ASN1_UTCTIME)
- return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
+ return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);
if (s->type == V_ASN1_GENERALIZEDTIME)
return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
- offset_sec);
+ offset_sec);
}
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
-int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
+int
+X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
{
- EVP_PKEY *ktmp=NULL,*ktmp2;
- int i,j;
+ EVP_PKEY *ktmp = NULL, *ktmp2;
+ int i, j;
- if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
+ if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))
+ return 1;
- for (i=0; i<sk_X509_num(chain); i++) {
- ktmp=X509_get_pubkey(sk_X509_value(chain,i));
+ for (i = 0; i < sk_X509_num(chain); i++) {
+ ktmp = X509_get_pubkey(sk_X509_value(chain, i));
if (ktmp == NULL) {
- X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
+ X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
+ X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
return 0;
}
if (!EVP_PKEY_missing_parameters(ktmp))
break;
else {
EVP_PKEY_free(ktmp);
- ktmp=NULL;
+ ktmp = NULL;
}
}
if (ktmp == NULL) {
- X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
+ X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
+ X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
return 0;
}
/* first, populate the other certs */
- for (j=i-1; j >= 0; j--) {
- ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
- EVP_PKEY_copy_parameters(ktmp2,ktmp);
+ for (j = i - 1; j >= 0; j--) {
+ ktmp2 = X509_get_pubkey(sk_X509_value(chain, j));
+ EVP_PKEY_copy_parameters(ktmp2, ktmp);
EVP_PKEY_free(ktmp2);
}
-
- if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
+
+ if (pkey != NULL)
+ EVP_PKEY_copy_parameters(pkey, ktmp);
EVP_PKEY_free(ktmp);
return 1;
}
-int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+int
+X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
{
/* This function is (usually) called only once, by
* SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
- new_func, dup_func, free_func);
+ return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX,
+ argl, argp, new_func, dup_func, free_func);
}
-int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
+int
+X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
{
- return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
+ return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
}
-void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
+void *
+X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
{
- return CRYPTO_get_ex_data(&ctx->ex_data,idx);
+ return CRYPTO_get_ex_data(&ctx->ex_data, idx);
}
-int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
+int
+X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
{
return ctx->error;
}
-void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
+void
+X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
{
- ctx->error=err;
+ ctx->error = err;
}
-int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
+int
+X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
{
return ctx->error_depth;
}
-X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
+X509 *
+X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
{
return ctx->current_cert;
}
int i;
X509 *x;
STACK_OF(X509) *chain;
- if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
+
+ if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain)))
+ return NULL;
for (i = 0; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
return chain;
}
-X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
+X509 *
+X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
{
return ctx->current_issuer;
}
-X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
+X509_CRL *
+X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
{
return ctx->current_crl;
}
-X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
+X509_STORE_CTX *
+X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
{
return ctx->parent;
}
-void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
+void
+X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
{
- ctx->cert=x;
+ ctx->cert = x;
}
-void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+void
+X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
- ctx->untrusted=sk;
+ ctx->untrusted = sk;
}
-void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
+void
+X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
{
- ctx->crls=sk;
+ ctx->crls = sk;
}
-int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
+int
+X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
{
return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
}
-int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
+int
+X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
{
return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
}
* aren't set then we use the default of SSL client/server.
*/
-int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
- int purpose, int trust)
+int
+X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
+ int purpose, int trust)
{
int idx;
+
/* If purpose not set use default */
- if (!purpose) purpose = def_purpose;
+ if (!purpose)
+ purpose = def_purpose;
/* If we have a purpose then check it is valid */
if (purpose) {
X509_PURPOSE *ptmp;
idx = X509_PURPOSE_get_by_id(purpose);
if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
- X509_R_UNKNOWN_PURPOSE_ID);
+ X509_R_UNKNOWN_PURPOSE_ID);
return 0;
}
ptmp = X509_PURPOSE_get0(idx);
idx = X509_PURPOSE_get_by_id(def_purpose);
if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
- X509_R_UNKNOWN_PURPOSE_ID);
+ X509_R_UNKNOWN_PURPOSE_ID);
return 0;
}
ptmp = X509_PURPOSE_get0(idx);
}
/* If trust not set then get from purpose default */
- if (!trust) trust = ptmp->trust;
+ if (!trust)
+ trust = ptmp->trust;
}
if (trust) {
idx = X509_TRUST_get_by_id(trust);
if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
- X509_R_UNKNOWN_TRUST_ID);
+ X509_R_UNKNOWN_TRUST_ID);
return 0;
}
}
- if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
- if (trust && !ctx->param->trust) ctx->param->trust = trust;
+ if (purpose && !ctx->param->purpose)
+ ctx->param->purpose = purpose;
+ if (trust && !ctx->param->trust)
+ ctx->param->trust = trust;
return 1;
}
-X509_STORE_CTX *X509_STORE_CTX_new(void)
+X509_STORE_CTX *
+X509_STORE_CTX_new(void)
{
X509_STORE_CTX *ctx;
+
ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX));
if (!ctx) {
- X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
memset(ctx, 0, sizeof(X509_STORE_CTX));
return ctx;
}
-void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
+void
+X509_STORE_CTX_free(X509_STORE_CTX *ctx)
{
X509_STORE_CTX_cleanup(ctx);
free(ctx);
}
-int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
- STACK_OF(X509) *chain)
+int
+X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
+ STACK_OF(X509) *chain)
{
int ret = 1;
- ctx->ctx=store;
- ctx->current_method=0;
- ctx->cert=x509;
- ctx->untrusted=chain;
+
+ ctx->ctx = store;
+ ctx->current_method = 0;
+ ctx->cert = x509;
+ ctx->untrusted = chain;
ctx->crls = NULL;
- ctx->last_untrusted=0;
- ctx->other_ctx=NULL;
- ctx->valid=0;
- ctx->chain=NULL;
- ctx->error=0;
- ctx->explicit_policy=0;
- ctx->error_depth=0;
- ctx->current_cert=NULL;
- ctx->current_issuer=NULL;
- ctx->current_crl=NULL;
- ctx->current_crl_score=0;
- ctx->current_reasons=0;
+ ctx->last_untrusted = 0;
+ ctx->other_ctx = NULL;
+ ctx->valid = 0;
+ ctx->chain = NULL;
+ ctx->error = 0;
+ ctx->explicit_policy = 0;
+ ctx->error_depth = 0;
+ ctx->current_cert = NULL;
+ ctx->current_issuer = NULL;
+ ctx->current_crl = NULL;
+ ctx->current_crl_score = 0;
+ ctx->current_reasons = 0;
ctx->tree = NULL;
ctx->parent = NULL;
ctx->param = X509_VERIFY_PARAM_new();
if (!ctx->param) {
- X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
return 0;
}
* use defaults.
*/
-
if (store)
ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
else
if (ret)
ret = X509_VERIFY_PARAM_inherit(ctx->param,
- X509_VERIFY_PARAM_lookup("default"));
+ X509_VERIFY_PARAM_lookup("default"));
if (ret == 0) {
- X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
return 0;
}
* X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
* corresponding "new" here and remove this bogus initialisation. */
/* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
- if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
- &(ctx->ex_data))) {
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
+ &(ctx->ex_data))) {
free(ctx);
- X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
+ X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
return 0;
}
return 1;
* This avoids X509_STORE nastiness where it isn't needed.
*/
-void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+void
+X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
ctx->other_ctx = sk;
ctx->get_issuer = get_issuer_sk;
}
-void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
+void
+X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
{
- if (ctx->cleanup) ctx->cleanup(ctx);
+ if (ctx->cleanup)
+ ctx->cleanup(ctx);
if (ctx->param != NULL) {
if (ctx->parent == NULL)
X509_VERIFY_PARAM_free(ctx->param);
- ctx->param=NULL;
+ ctx->param = NULL;
}
if (ctx->tree != NULL) {
X509_policy_tree_free(ctx->tree);
- ctx->tree=NULL;
+ ctx->tree = NULL;
}
if (ctx->chain != NULL) {
- sk_X509_pop_free(ctx->chain,X509_free);
- ctx->chain=NULL;
+ sk_X509_pop_free(ctx->chain, X509_free);
+ ctx->chain = NULL;
}
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
- memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX,
+ ctx, &(ctx->ex_data));
+ memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
}
-void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
+void
+X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
{
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
}
-void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
+void
+X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
{
X509_VERIFY_PARAM_set_flags(ctx->param, flags);
}
-void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
+void
+X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
{
X509_VERIFY_PARAM_set_time(ctx->param, t);
}
-void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
- int (*verify_cb)(int, X509_STORE_CTX *))
+void
+X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
+ int (*verify_cb)(int, X509_STORE_CTX *))
{
- ctx->verify_cb=verify_cb;
+ ctx->verify_cb = verify_cb;
}
-X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
+X509_POLICY_TREE *
+X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
{
return ctx->tree;
}
-int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
+int
+X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
{
return ctx->explicit_policy;
}
-int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
+int
+X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
{
const X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_lookup(name);
return X509_VERIFY_PARAM_inherit(ctx->param, param);
}
-X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
+X509_VERIFY_PARAM *
+X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
{
return ctx->param;
}
-void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
+void
+X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
{
if (ctx->param)
X509_VERIFY_PARAM_free(ctx->param);
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
/* X509_VERIFY_PARAM functions */
-static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
+static void
+x509_verify_param_zero(X509_VERIFY_PARAM *param)
{
if (!param)
return;
}
}
-X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
+X509_VERIFY_PARAM *
+X509_VERIFY_PARAM_new(void)
{
X509_VERIFY_PARAM *param;
+
param = malloc(sizeof(X509_VERIFY_PARAM));
memset(param, 0, sizeof(X509_VERIFY_PARAM));
x509_verify_param_zero(param);
return param;
}
-void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
+void
+X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
{
x509_verify_param_zero(param);
free(param);
* for SSL servers or clients but only if the application has not set new
* ones.
*
- * The "inh_flags" field determines how this function behaves.
+ * The "inh_flags" field determines how this function behaves.
*
* Normally any values which are set in the default are not copied from the
* destination and verify flags are ORed together.
#define x509_verify_param_copy(field, def) \
if (test_x509_verify_param_copy(field, def)) \
dest->field = src->field
-
-int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
- const X509_VERIFY_PARAM *src)
+
+int
+X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src)
{
unsigned long inh_flags;
int to_default, to_overwrite;
+
if (!src)
return 1;
inh_flags = dest->inh_flags | src->inh_flags;
return 1;
}
-int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
- const X509_VERIFY_PARAM *from)
+int
+X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from)
{
unsigned long save_flags = to->inh_flags;
int ret;
+
to->inh_flags |= X509_VP_FLAG_DEFAULT;
ret = X509_VERIFY_PARAM_inherit(to, from);
to->inh_flags = save_flags;
return ret;
}
-int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
+int
+X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
{
if (param->name)
free(param->name);
return 0;
}
-int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
+int
+X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
{
param->flags |= flags;
if (flags & X509_V_FLAG_POLICY_MASK)
return 1;
}
-int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
+int
+X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
{
param->flags &= ~flags;
return 1;
}
-unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
+unsigned long
+X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
{
return param->flags;
}
-int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
+int
+X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
{
return X509_PURPOSE_set(¶m->purpose, purpose);
}
-int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
+int
+X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
{
return X509_TRUST_set(¶m->trust, trust);
}
-void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
+void
+X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
{
param->depth = depth;
}
-void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
+void
+X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
{
param->check_time = t;
param->flags |= X509_V_FLAG_USE_CHECK_TIME;
}
-int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
+int
+X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
{
if (!param->policies) {
param->policies = sk_ASN1_OBJECT_new_null();
return 1;
}
-int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
- STACK_OF(ASN1_OBJECT) *policies)
+int
+X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
+ STACK_OF(ASN1_OBJECT) *policies)
{
int i;
ASN1_OBJECT *oid, *doid;
+
if (!param)
return 0;
if (param->policies)
return 1;
}
-int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
+int
+X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
{
return param->depth;
}
static const X509_VERIFY_PARAM default_table[] = {
{
- "default", /* X509 default parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- 0, /* purpose */
- 0, /* trust */
- 100, /* depth */
- NULL /* policies */
+ "default", /* X509 default parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ 0, /* purpose */
+ 0, /* trust */
+ 100, /* depth */
+ NULL /* policies */
},
{
- "pkcs7", /* S/MIME sign parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SMIME_SIGN, /* purpose */
- X509_TRUST_EMAIL, /* trust */
- -1, /* depth */
- NULL /* policies */
+ "pkcs7", /* S/MIME sign parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ X509_PURPOSE_SMIME_SIGN, /* purpose */
+ X509_TRUST_EMAIL, /* trust */
+ -1, /* depth */
+ NULL /* policies */
},
{
- "smime_sign", /* S/MIME sign parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SMIME_SIGN, /* purpose */
- X509_TRUST_EMAIL, /* trust */
- -1, /* depth */
- NULL /* policies */
+ "smime_sign", /* S/MIME sign parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ X509_PURPOSE_SMIME_SIGN, /* purpose */
+ X509_TRUST_EMAIL, /* trust */
+ -1, /* depth */
+ NULL /* policies */
},
{
- "ssl_client", /* SSL/TLS client parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SSL_CLIENT, /* purpose */
- X509_TRUST_SSL_CLIENT, /* trust */
- -1, /* depth */
- NULL /* policies */
+ "ssl_client", /* SSL/TLS client parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ X509_PURPOSE_SSL_CLIENT, /* purpose */
+ X509_TRUST_SSL_CLIENT, /* trust */
+ -1, /* depth */
+ NULL /* policies */
},
{
- "ssl_server", /* SSL/TLS server parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SSL_SERVER, /* purpose */
- X509_TRUST_SSL_SERVER, /* trust */
- -1, /* depth */
- NULL /* policies */
+ "ssl_server", /* SSL/TLS server parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+ 0, /* flags */
+ X509_PURPOSE_SSL_SERVER, /* purpose */
+ X509_TRUST_SSL_SERVER, /* trust */
+ -1, /* depth */
+ NULL /* policies */
}
};
static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
-static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
-
+static int
+table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
{
return strcmp(a->name, b->name);
}
-DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
- table);
-IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM,
- table);
+DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
-static int param_cmp(const X509_VERIFY_PARAM * const *a,
- const X509_VERIFY_PARAM * const *b)
+static int
+param_cmp(const X509_VERIFY_PARAM * const *a,
+ const X509_VERIFY_PARAM * const *b)
{
return strcmp((*a)->name, (*b)->name);
}
-int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
+int
+X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
{
int idx;
X509_VERIFY_PARAM *ptmp;
+
if (!param_table) {
param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
if (!param_table)
return 1;
}
-const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
+const X509_VERIFY_PARAM *
+X509_VERIFY_PARAM_lookup(const char *name)
{
int idx;
X509_VERIFY_PARAM pm;
return sk_X509_VERIFY_PARAM_value(param_table, idx);
}
return OBJ_bsearch_table(&pm, default_table,
- sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
+ sizeof(default_table)/sizeof(X509_VERIFY_PARAM));
}
-void X509_VERIFY_PARAM_table_cleanup(void)
+void
+X509_VERIFY_PARAM_table_cleanup(void)
{
if (param_table)
sk_X509_VERIFY_PARAM_pop_free(param_table,
- X509_VERIFY_PARAM_free);
+ X509_VERIFY_PARAM_free);
param_table = NULL;
}
projects / openbsd / commitdiff