From 15238b0871f66fc4a858b425dfc5973c29cc6e1f Mon Sep 17 00:00:00 2001 From: jsing Date: Sun, 20 Apr 2014 16:10:10 +0000 Subject: [PATCH] KNF. --- lib/libcrypto/x509/x509_set.c | 90 ++- lib/libcrypto/x509/x509_trs.c | 167 +++-- lib/libcrypto/x509/x509_txt.c | 30 +- lib/libcrypto/x509/x509_v3.c | 235 ++++--- lib/libcrypto/x509/x509_vfy.c | 972 +++++++++++++++----------- lib/libcrypto/x509/x509_vpm.c | 171 +++-- lib/libssl/src/crypto/x509/x509_set.c | 90 ++- lib/libssl/src/crypto/x509/x509_trs.c | 167 +++-- lib/libssl/src/crypto/x509/x509_txt.c | 30 +- lib/libssl/src/crypto/x509/x509_v3.c | 235 ++++--- lib/libssl/src/crypto/x509/x509_vfy.c | 972 +++++++++++++++----------- lib/libssl/src/crypto/x509/x509_vpm.c | 171 +++-- 12 files changed, 1902 insertions(+), 1428 deletions(-) diff --git a/lib/libcrypto/x509/x509_set.c b/lib/libcrypto/x509/x509_set.c index dfe9eb68fff..6fd2f857619 100644 --- a/lib/libcrypto/x509/x509_set.c +++ b/lib/libcrypto/x509/x509_set.c @@ -5,21 +5,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -63,78 +63,92 @@ #include #include -int X509_set_version(X509 *x, long version) +int +X509_set_version(X509 *x, long version) { - if (x == NULL) return(0); + if (x == NULL) + return (0); if (x->cert_info->version == NULL) { - if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL) - return(0); + if ((x->cert_info->version = M_ASN1_INTEGER_new()) == NULL) + return (0); } - return(ASN1_INTEGER_set(x->cert_info->version,version)); + return (ASN1_INTEGER_set(x->cert_info->version, version)); } -int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) +int +X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) { ASN1_INTEGER *in; - if (x == NULL) return(0); - in=x->cert_info->serialNumber; + if (x == NULL) + return (0); + in = x->cert_info->serialNumber; if (in != serial) { - in=M_ASN1_INTEGER_dup(serial); + in = M_ASN1_INTEGER_dup(serial); if (in != NULL) { M_ASN1_INTEGER_free(x->cert_info->serialNumber); - x->cert_info->serialNumber=in; + x->cert_info->serialNumber = in; } } - return(in != NULL); + return (in != NULL); } -int X509_set_issuer_name(X509 *x, X509_NAME *name) +int +X509_set_issuer_name(X509 *x, X509_NAME *name) { - if ((x == NULL) || (x->cert_info == NULL)) return(0); - return(X509_NAME_set(&x->cert_info->issuer,name)); + if ((x == NULL) || (x->cert_info == NULL)) + return (0); + return (X509_NAME_set(&x->cert_info->issuer, name)); } -int X509_set_subject_name(X509 *x, X509_NAME *name) +int +X509_set_subject_name(X509 *x, X509_NAME *name) { - if ((x == NULL) || (x->cert_info == NULL)) return(0); - return(X509_NAME_set(&x->cert_info->subject,name)); + if ((x == NULL) || (x->cert_info == NULL)) + return (0); + return (X509_NAME_set(&x->cert_info->subject, name)); } -int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) +int +X509_set_notBefore(X509 *x, const ASN1_TIME *tm) { ASN1_TIME *in; - if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); - in=x->cert_info->validity->notBefore; + if ((x == NULL) || (x->cert_info->validity == NULL)) + return (0); + in = x->cert_info->validity->notBefore; if (in != tm) { - in=M_ASN1_TIME_dup(tm); + in = M_ASN1_TIME_dup(tm); if (in != NULL) { M_ASN1_TIME_free(x->cert_info->validity->notBefore); - x->cert_info->validity->notBefore=in; + x->cert_info->validity->notBefore = in; } } - return(in != NULL); + return (in != NULL); } -int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) +int +X509_set_notAfter(X509 *x, const ASN1_TIME *tm) { ASN1_TIME *in; - if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); - in=x->cert_info->validity->notAfter; + if ((x == NULL) || (x->cert_info->validity == NULL)) + return (0); + in = x->cert_info->validity->notAfter; if (in != tm) { - in=M_ASN1_TIME_dup(tm); + in = M_ASN1_TIME_dup(tm); if (in != NULL) { M_ASN1_TIME_free(x->cert_info->validity->notAfter); - x->cert_info->validity->notAfter=in; + x->cert_info->validity->notAfter = in; } } - return(in != NULL); + return (in != NULL); } -int X509_set_pubkey(X509 *x, EVP_PKEY *pkey) +int +X509_set_pubkey(X509 *x, EVP_PKEY *pkey) { - if ((x == NULL) || (x->cert_info == NULL)) return(0); - return(X509_PUBKEY_set(&(x->cert_info->key),pkey)); + if ((x == NULL) || (x->cert_info == NULL)) + return (0); + return (X509_PUBKEY_set(&(x->cert_info->key), pkey)); } diff --git a/lib/libcrypto/x509/x509_trs.c b/lib/libcrypto/x509/x509_trs.c index bdda53ec6bb..90fd1285913 100644 --- a/lib/libcrypto/x509/x509_trs.c +++ b/lib/libcrypto/x509/x509_trs.c @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -61,8 +61,7 @@ #include -static int tr_cmp(const X509_TRUST * const *a, - const X509_TRUST * const *b); +static int tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b); static void trtable_free(X509_TRUST *p); static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags); @@ -78,14 +77,14 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust; */ static X509_TRUST trstandard[] = { -{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL}, -{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, -{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL}, -{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, -{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL}, -{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL}, -{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}, -{X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL} + {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL}, + {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, + {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL}, + {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, + {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL}, + {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL}, + {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}, + {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL} }; #define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST)) @@ -94,61 +93,76 @@ IMPLEMENT_STACK_OF(X509_TRUST) static STACK_OF(X509_TRUST) *trtable = NULL; -static int tr_cmp(const X509_TRUST * const *a, - const X509_TRUST * const *b) +static int +tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b) { return (*a)->trust - (*b)->trust; } -int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int) +int +(*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int) { int (*oldtrust)(int , X509 *, int); + oldtrust = default_trust; default_trust = trust; return oldtrust; } - -int X509_check_trust(X509 *x, int id, int flags) +int +X509_check_trust(X509 *x, int id, int flags) { X509_TRUST *pt; int idx; - if(id == -1) return 1; + + if (id == -1) + return 1; idx = X509_TRUST_get_by_id(id); - if(idx == -1) return default_trust(id, x, flags); + if (idx == -1) + return default_trust(id, x, flags); pt = X509_TRUST_get0(idx); return pt->check_trust(pt, x, flags); } -int X509_TRUST_get_count(void) +int +X509_TRUST_get_count(void) { - if(!trtable) return X509_TRUST_COUNT; + if (!trtable) + return X509_TRUST_COUNT; return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT; } -X509_TRUST * X509_TRUST_get0(int idx) +X509_TRUST * +X509_TRUST_get0(int idx) { - if(idx < 0) return NULL; - if(idx < (int)X509_TRUST_COUNT) return trstandard + idx; + if (idx < 0) + return NULL; + if (idx < (int)X509_TRUST_COUNT) + return trstandard + idx; return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT); } -int X509_TRUST_get_by_id(int id) +int +X509_TRUST_get_by_id(int id) { X509_TRUST tmp; int idx; - if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX)) - return id - X509_TRUST_MIN; + + if ((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX)) + return id - X509_TRUST_MIN; tmp.trust = id; - if(!trtable) return -1; + if (!trtable) + return -1; idx = sk_X509_TRUST_find(trtable, &tmp); - if(idx == -1) return -1; + if (idx == -1) + return -1; return idx + X509_TRUST_COUNT; } -int X509_TRUST_set(int *t, int trust) +int +X509_TRUST_set(int *t, int trust) { - if(X509_TRUST_get_by_id(trust) == -1) { + if (X509_TRUST_get_by_id(trust) == -1) { X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST); return 0; } @@ -156,11 +170,13 @@ int X509_TRUST_set(int *t, int trust) return 1; } -int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), - char *name, int arg1, void *arg2) +int +X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), + char *name, int arg1, void *arg2) { int idx; X509_TRUST *trtmp; + /* This is set according to what we change: application can't set it */ flags &= ~X509_TRUST_DYNAMIC; /* This will always be set for application modified trust entries */ @@ -168,9 +184,9 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), /* Get existing entry if any */ idx = X509_TRUST_get_by_id(id); /* Need a new entry */ - if(idx == -1) { - if(!(trtmp = malloc(sizeof(X509_TRUST)))) { - X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + if (idx == -1) { + if (!(trtmp = malloc(sizeof(X509_TRUST)))) { + X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); return 0; } trtmp->flags = X509_TRUST_DYNAMIC; @@ -178,10 +194,11 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), trtmp = X509_TRUST_get0(idx); /* free existing name if dynamic */ - if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name); + if (trtmp->flags & X509_TRUST_DYNAMIC_NAME) + free(trtmp->name); /* dup supplied name */ - if(!(trtmp->name = BUF_strdup(name))) { - X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + if (!(trtmp->name = BUF_strdup(name))) { + X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); return 0; } /* Keep the dynamic flag of existing entry */ @@ -195,22 +212,24 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), trtmp->arg2 = arg2; /* If its a new entry manage the dynamic table */ - if(idx == -1) { - if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { - X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + if (idx == -1) { + if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { + X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); return 0; } if (!sk_X509_TRUST_push(trtable, trtmp)) { - X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); return 0; } } return 1; } -static void trtable_free(X509_TRUST *p) +static void +trtable_free(X509_TRUST *p) { - if(!p) return; + if (!p) + return; if (p->flags & X509_TRUST_DYNAMIC) { if (p->flags & X509_TRUST_DYNAMIC_NAME) free(p->name); @@ -218,32 +237,39 @@ static void trtable_free(X509_TRUST *p) } } -void X509_TRUST_cleanup(void) +void +X509_TRUST_cleanup(void) { unsigned int i; - for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i); + + for(i = 0; i < X509_TRUST_COUNT; i++) + trtable_free(trstandard + i); sk_X509_TRUST_pop_free(trtable, trtable_free); trtable = NULL; } -int X509_TRUST_get_flags(X509_TRUST *xp) +int +X509_TRUST_get_flags(X509_TRUST *xp) { return xp->flags; } -char *X509_TRUST_get0_name(X509_TRUST *xp) +char * +X509_TRUST_get0_name(X509_TRUST *xp) { return xp->name; } -int X509_TRUST_get_trust(X509_TRUST *xp) +int +X509_TRUST_get_trust(X509_TRUST *xp) { return xp->trust; } -static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) +static int +trust_1oidany(X509_TRUST *trust, X509 *x, int flags) { - if(x->aux && (x->aux->trust || x->aux->reject)) + if (x->aux && (x->aux->trust || x->aux->reject)) return obj_trust(trust->arg1, x, flags); /* we don't have any trust settings: for compatibility * we return trusted if it is self signed @@ -251,38 +277,47 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) return trust_compat(trust, x, flags); } -static int trust_1oid(X509_TRUST *trust, X509 *x, int flags) +static int +trust_1oid(X509_TRUST *trust, X509 *x, int flags) { - if(x->aux) return obj_trust(trust->arg1, x, flags); + if (x->aux) + return obj_trust(trust->arg1, x, flags); return X509_TRUST_UNTRUSTED; } -static int trust_compat(X509_TRUST *trust, X509 *x, int flags) +static int +trust_compat(X509_TRUST *trust, X509 *x, int flags) { X509_check_purpose(x, -1, 0); - if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED; - else return X509_TRUST_UNTRUSTED; + if (x->ex_flags & EXFLAG_SS) + return X509_TRUST_TRUSTED; + else + return X509_TRUST_UNTRUSTED; } -static int obj_trust(int id, X509 *x, int flags) +static int +obj_trust(int id, X509 *x, int flags) { ASN1_OBJECT *obj; int i; X509_CERT_AUX *ax; + ax = x->aux; - if(!ax) return X509_TRUST_UNTRUSTED; - if(ax->reject) { - for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { + if (!ax) + return X509_TRUST_UNTRUSTED; + if (ax->reject) { + for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { obj = sk_ASN1_OBJECT_value(ax->reject, i); - if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED; + if (OBJ_obj2nid(obj) == id) + return X509_TRUST_REJECTED; } - } - if(ax->trust) { - for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { + } + if (ax->trust) { + for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { obj = sk_ASN1_OBJECT_value(ax->trust, i); - if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED; + if (OBJ_obj2nid(obj) == id) + return X509_TRUST_TRUSTED; } } return X509_TRUST_UNTRUSTED; } - diff --git a/lib/libcrypto/x509/x509_txt.c b/lib/libcrypto/x509/x509_txt.c index 8caf18a9553..31a909a12ca 100644 --- a/lib/libcrypto/x509/x509_txt.c +++ b/lib/libcrypto/x509/x509_txt.c @@ -5,21 +5,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -68,7 +68,8 @@ #include #include -const char *X509_verify_cert_error_string(long n) +const char * +X509_verify_cert_error_string(long n) { static char buf[100]; @@ -162,12 +163,11 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_NO_EXPLICIT_POLICY: return("no explicit policy"); case X509_V_ERR_DIFFERENT_CRL_SCOPE: - return("Different CRL scope"); + return("Different CRL scope"); case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: - return("Unsupported extension feature"); - case X509_V_ERR_UNNESTED_RESOURCE: - return("RFC 3779 resource not subset of parent's resources"); - + return("Unsupported extension feature"); + case X509_V_ERR_UNNESTED_RESOURCE: + return("RFC 3779 resource not subset of parent's resources"); case X509_V_ERR_PERMITTED_VIOLATION: return("permitted subtree violation"); case X509_V_ERR_EXCLUDED_VIOLATION: @@ -184,9 +184,7 @@ const char *X509_verify_cert_error_string(long n) return("CRL path validation error"); default: - snprintf(buf,sizeof buf,"error number %ld",n); - return(buf); + snprintf(buf, sizeof buf, "error number %ld", n); + return (buf); } } - - diff --git a/lib/libcrypto/x509/x509_v3.c b/lib/libcrypto/x509/x509_v3.c index f41fab3367b..cabace584b0 100644 --- a/lib/libcrypto/x509/x509_v3.c +++ b/lib/libcrypto/x509/x509_v3.c @@ -5,21 +5,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -65,202 +65,235 @@ #include #include -int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) +int +X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) { - if (x == NULL) return(0); - return(sk_X509_EXTENSION_num(x)); + if (x == NULL) + return (0); + return (sk_X509_EXTENSION_num(x)); } -int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, - int lastpos) +int +X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos) { ASN1_OBJECT *obj; - obj=OBJ_nid2obj(nid); - if (obj == NULL) return(-2); - return(X509v3_get_ext_by_OBJ(x,obj,lastpos)); + obj = OBJ_nid2obj(nid); + if (obj == NULL) + return (-2); + return (X509v3_get_ext_by_OBJ(x, obj, lastpos)); } -int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, - int lastpos) +int +X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, + int lastpos) { int n; X509_EXTENSION *ex; - if (sk == NULL) return(-1); + if (sk == NULL) + return (-1); lastpos++; if (lastpos < 0) - lastpos=0; - n=sk_X509_EXTENSION_num(sk); - for ( ; lastpos < n; lastpos++) { - ex=sk_X509_EXTENSION_value(sk,lastpos); - if (OBJ_cmp(ex->object,obj) == 0) - return(lastpos); + lastpos = 0; + n = sk_X509_EXTENSION_num(sk); + for (; lastpos < n; lastpos++) { + ex = sk_X509_EXTENSION_value(sk, lastpos); + if (OBJ_cmp(ex->object, obj) == 0) + return (lastpos); } - return(-1); + return (-1); } -int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, - int lastpos) +int +X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, + int lastpos) { int n; X509_EXTENSION *ex; - if (sk == NULL) return(-1); + if (sk == NULL) + return (-1); lastpos++; if (lastpos < 0) - lastpos=0; - n=sk_X509_EXTENSION_num(sk); - for ( ; lastpos < n; lastpos++) { - ex=sk_X509_EXTENSION_value(sk,lastpos); - if ( ((ex->critical > 0) && crit) || - ((ex->critical <= 0) && !crit)) - return(lastpos); + lastpos = 0; + n = sk_X509_EXTENSION_num(sk); + for (; lastpos < n; lastpos++) { + ex = sk_X509_EXTENSION_value(sk, lastpos); + if (((ex->critical > 0) && crit) || + ((ex->critical <= 0) && !crit)) + return (lastpos); } - return(-1); + return (-1); } -X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) +X509_EXTENSION * +X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) { if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) return NULL; else - return sk_X509_EXTENSION_value(x,loc); + return sk_X509_EXTENSION_value(x, loc); } -X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) +X509_EXTENSION * +X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) { X509_EXTENSION *ret; if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) - return(NULL); - ret=sk_X509_EXTENSION_delete(x,loc); - return(ret); + return (NULL); + ret = sk_X509_EXTENSION_delete(x, loc); + return (ret); } -STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, - X509_EXTENSION *ex, int loc) +STACK_OF(X509_EXTENSION) * +X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc) { - X509_EXTENSION *new_ex=NULL; + X509_EXTENSION *new_ex = NULL; int n; - STACK_OF(X509_EXTENSION) *sk=NULL; + STACK_OF(X509_EXTENSION) *sk = NULL; if (x == NULL) { - X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER); + X509err(X509_F_X509V3_ADD_EXT, ERR_R_PASSED_NULL_PARAMETER); goto err2; } if (*x == NULL) { - if ((sk=sk_X509_EXTENSION_new_null()) == NULL) + if ((sk = sk_X509_EXTENSION_new_null()) == NULL) goto err; } else sk= *x; - n=sk_X509_EXTENSION_num(sk); - if (loc > n) loc=n; - else if (loc < 0) loc=n; + n = sk_X509_EXTENSION_num(sk); + if (loc > n) + loc = n; + else if (loc < 0) + loc = n; - if ((new_ex=X509_EXTENSION_dup(ex)) == NULL) + if ((new_ex = X509_EXTENSION_dup(ex)) == NULL) goto err2; - if (!sk_X509_EXTENSION_insert(sk,new_ex,loc)) + if (!sk_X509_EXTENSION_insert(sk, new_ex, loc)) goto err; if (*x == NULL) - *x=sk; - return(sk); + *x = sk; + return (sk); + err: - X509err(X509_F_X509V3_ADD_EXT,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509V3_ADD_EXT, ERR_R_MALLOC_FAILURE); err2: - if (new_ex != NULL) X509_EXTENSION_free(new_ex); - if (sk != NULL) sk_X509_EXTENSION_free(sk); - return(NULL); + if (new_ex != NULL) + X509_EXTENSION_free(new_ex); + if (sk != NULL) + sk_X509_EXTENSION_free(sk); + return (NULL); } -X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, - int crit, ASN1_OCTET_STRING *data) +X509_EXTENSION * +X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit, + ASN1_OCTET_STRING *data) { ASN1_OBJECT *obj; X509_EXTENSION *ret; - obj=OBJ_nid2obj(nid); + obj = OBJ_nid2obj(nid); if (obj == NULL) { - X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID); - return(NULL); + X509err(X509_F_X509_EXTENSION_CREATE_BY_NID, + X509_R_UNKNOWN_NID); + return (NULL); } - ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data); - if (ret == NULL) ASN1_OBJECT_free(obj); - return(ret); + ret = X509_EXTENSION_create_by_OBJ(ex, obj, crit, data); + if (ret == NULL) + ASN1_OBJECT_free(obj); + return (ret); } -X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, - ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data) +X509_EXTENSION * +X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, ASN1_OBJECT *obj, int crit, + ASN1_OCTET_STRING *data) { X509_EXTENSION *ret; if ((ex == NULL) || (*ex == NULL)) { - if ((ret=X509_EXTENSION_new()) == NULL) - { - X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); - return(NULL); + if ((ret = X509_EXTENSION_new()) == NULL) { + X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ, + ERR_R_MALLOC_FAILURE); + return (NULL); } } else ret= *ex; - if (!X509_EXTENSION_set_object(ret,obj)) + if (!X509_EXTENSION_set_object(ret, obj)) goto err; - if (!X509_EXTENSION_set_critical(ret,crit)) + if (!X509_EXTENSION_set_critical(ret, crit)) goto err; - if (!X509_EXTENSION_set_data(ret,data)) + if (!X509_EXTENSION_set_data(ret, data)) goto err; - - if ((ex != NULL) && (*ex == NULL)) *ex=ret; - return(ret); + + if ((ex != NULL) && (*ex == NULL)) + *ex = ret; + return (ret); + err: if ((ex == NULL) || (ret != *ex)) X509_EXTENSION_free(ret); - return(NULL); + return (NULL); } -int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) +int +X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) { if ((ex == NULL) || (obj == NULL)) - return(0); + return (0); ASN1_OBJECT_free(ex->object); - ex->object=OBJ_dup(obj); - return(1); + ex->object = OBJ_dup(obj); + return (1); } -int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) +int +X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) { - if (ex == NULL) return(0); - ex->critical=(crit)?0xFF:-1; - return(1); + if (ex == NULL) + return (0); + ex->critical = (crit) ? 0xFF : -1; + return (1); } -int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) +int +X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) { int i; - if (ex == NULL) return(0); - i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length); - if (!i) return(0); - return(1); + if (ex == NULL) + return (0); + i = M_ASN1_OCTET_STRING_set(ex->value, data->data, data->length); + if (!i) + return (0); + return (1); } -ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex) +ASN1_OBJECT * +X509_EXTENSION_get_object(X509_EXTENSION *ex) { - if (ex == NULL) return(NULL); - return(ex->object); + if (ex == NULL) + return (NULL); + return (ex->object); } -ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex) +ASN1_OCTET_STRING * +X509_EXTENSION_get_data(X509_EXTENSION *ex) { - if (ex == NULL) return(NULL); - return(ex->value); + if (ex == NULL) + return (NULL); + return (ex->value); } -int X509_EXTENSION_get_critical(X509_EXTENSION *ex) +int +X509_EXTENSION_get_critical(X509_EXTENSION *ex) { - if (ex == NULL) return(0); - if(ex->critical > 0) return 1; + if (ex == NULL) + return (0); + if (ex->critical > 0) + return 1; return 0; } diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 6e9dd7cc6a5..0024904c20b 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -5,21 +5,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -108,7 +108,7 @@ #define CRL_SCORE_TIME_DELTA 0x002 -static int null_callback(int ok,X509_STORE_CTX *e); +static int null_callback(int ok, X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); static int check_chain_extensions(X509_STORE_CTX *ctx); @@ -119,100 +119,106 @@ static int check_cert(X509_STORE_CTX *ctx); static int check_policy(X509_STORE_CTX *ctx); static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, - unsigned int *preasons, - X509_CRL *crl, X509 *x); + unsigned int *preasons, X509_CRL *crl, X509 *x); static int get_crl_delta(X509_STORE_CTX *ctx, - X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); + X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, - X509_CRL *base, STACK_OF(X509_CRL) *crls); -static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, - X509 **pissuer, int *pcrl_score); + X509_CRL *base, STACK_OF(X509_CRL) *crls); +static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, + int *pcrl_score); static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, - unsigned int *preasons); + unsigned int *preasons); static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); -static int check_crl_chain(X509_STORE_CTX *ctx, - STACK_OF(X509) *cert_path, - STACK_OF(X509) *crl_path); +static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, + STACK_OF(X509) *crl_path); static int internal_verify(X509_STORE_CTX *ctx); const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; -static int null_callback(int ok, X509_STORE_CTX *e) +static int +null_callback(int ok, X509_STORE_CTX *e) { return ok; } #if 0 -static int x509_subject_cmp(X509 **a, X509 **b) +static int +x509_subject_cmp(X509 **a, X509 **b) { - return X509_subject_name_cmp(*a,*b); + return X509_subject_name_cmp(*a, *b); } #endif -int X509_verify_cert(X509_STORE_CTX *ctx) +int +X509_verify_cert(X509_STORE_CTX *ctx) { - X509 *x,*xtmp,*chain_ss=NULL; + X509 *x, *xtmp, *chain_ss = NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; - int depth,i,ok=0; + int depth, i, ok = 0; int num; - int (*cb)(int xok,X509_STORE_CTX *xctx); - STACK_OF(X509) *sktmp=NULL; + int (*cb)(int xok, X509_STORE_CTX *xctx); + STACK_OF(X509) *sktmp = NULL; + if (ctx->cert == NULL) { - X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); + X509err(X509_F_X509_VERIFY_CERT, + X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; } - cb=ctx->verify_cb; + cb = ctx->verify_cb; /* first we make sure the chain we are going to build is * present and that the first entry is in place */ if (ctx->chain == NULL) { - if ( ((ctx->chain=sk_X509_new_null()) == NULL) || - (!sk_X509_push(ctx->chain,ctx->cert))) { - X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); + if (((ctx->chain = sk_X509_new_null()) == NULL) || + (!sk_X509_push(ctx->chain, ctx->cert))) { + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); goto end; } - CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); - ctx->last_untrusted=1; + CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509); + ctx->last_untrusted = 1; } /* We use a temporary STACK so we can chop and hack at it */ - if (ctx->untrusted != NULL - && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) { - X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); + if (ctx->untrusted != NULL && + (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); goto end; } - num=sk_X509_num(ctx->chain); - x=sk_X509_value(ctx->chain,num-1); - depth=param->depth; - + num = sk_X509_num(ctx->chain); + x = sk_X509_value(ctx->chain, num - 1); + depth = param->depth; for (;;) { /* If we have enough, we break */ - if (depth < num) break; /* FIXME: If this happens, we should take - * note of it and, if appropriate, use the - * X509_V_ERR_CERT_CHAIN_TOO_LONG error - * code later. - */ + if (depth < num) + break; /* FIXME: If this happens, we should take + * note of it and, if appropriate, use the + * X509_V_ERR_CERT_CHAIN_TOO_LONG error + * code later. + */ /* If we are self signed, we break */ - if (ctx->check_issued(ctx, x,x)) break; + if (ctx->check_issued(ctx, x, x)) + break; /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) { - xtmp=find_issuer(ctx, sktmp,x); + xtmp = find_issuer(ctx, sktmp, x); if (xtmp != NULL) { - if (!sk_X509_push(ctx->chain,xtmp)) { - X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); + if (!sk_X509_push(ctx->chain, xtmp)) { + X509err(X509_F_X509_VERIFY_CERT, + ERR_R_MALLOC_FAILURE); goto end; } - CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); - (void)sk_X509_delete_ptr(sktmp,xtmp); + CRYPTO_add(&xtmp->references, 1, + CRYPTO_LOCK_X509); + (void)sk_X509_delete_ptr(sktmp, xtmp); ctx->last_untrusted++; - x=xtmp; + x = xtmp; num++; /* reparse the full chain for * the next one */ @@ -230,8 +236,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) * is self signed. */ - i=sk_X509_num(ctx->chain); - x=sk_X509_value(ctx->chain,i-1); + i = sk_X509_num(ctx->chain); + x = sk_X509_value(ctx->chain, i - 1); if (ctx->check_issued(ctx, x, x)) { /* we have a self signed certificate */ if (sk_X509_num(ctx->chain) == 1) { @@ -241,13 +247,16 @@ int X509_verify_cert(X509_STORE_CTX *ctx) */ ok = ctx->get_issuer(&xtmp, ctx, x); if ((ok <= 0) || X509_cmp(x, xtmp)) { - ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; - ctx->current_cert=x; - ctx->error_depth=i-1; - if (ok == 1) X509_free(xtmp); + ctx->error = + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; + ctx->current_cert = x; + ctx->error_depth = i - 1; + if (ok == 1) + X509_free(xtmp); bad_chain = 1; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } else { /* We have a match: replace certificate with store version * so we get any trust settings. @@ -255,34 +264,37 @@ int X509_verify_cert(X509_STORE_CTX *ctx) X509_free(x); x = xtmp; (void)sk_X509_set(ctx->chain, i - 1, x); - ctx->last_untrusted=0; + ctx->last_untrusted = 0; } } else { /* extract and save self signed certificate for later use */ - chain_ss=sk_X509_pop(ctx->chain); + chain_ss = sk_X509_pop(ctx->chain); ctx->last_untrusted--; num--; - x=sk_X509_value(ctx->chain,num-1); + x = sk_X509_value(ctx->chain, num - 1); } } /* We now lookup certs from the certificate store */ for (;;) { /* If we have enough, we break */ - if (depth < num) break; + if (depth < num) + break; /* If we are self signed, we break */ - if (ctx->check_issued(ctx,x,x)) break; + if (ctx->check_issued(ctx, x, x)) + break; ok = ctx->get_issuer(&xtmp, ctx, x); - - if (ok < 0) return ok; - if (ok == 0) break; + if (ok < 0) + return ok; + if (ok == 0) + break; x = xtmp; - if (!sk_X509_push(ctx->chain,x)) { + if (!sk_X509_push(ctx->chain, x)) { X509_free(xtmp); - X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); return 0; } num++; @@ -291,81 +303,94 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* we now have our chain, lets check it... */ /* Is last certificate looked up self signed? */ - if (!ctx->check_issued(ctx,x,x)) { - if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { + if (!ctx->check_issued(ctx, x, x)) { + if ((chain_ss == NULL) || + !ctx->check_issued(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num) - ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; + ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; else - ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; - ctx->current_cert=x; + ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; + ctx->current_cert = x; } else { - sk_X509_push(ctx->chain,chain_ss); + sk_X509_push(ctx->chain, chain_ss); num++; - ctx->last_untrusted=num; - ctx->current_cert=chain_ss; - ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; - chain_ss=NULL; + ctx->last_untrusted = num; + ctx->current_cert = chain_ss; + ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; + chain_ss = NULL; } - ctx->error_depth=num-1; + ctx->error_depth = num - 1; bad_chain = 1; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } /* We have the chain complete: now we need to check its purpose */ ok = check_chain_extensions(ctx); - if (!ok) goto end; + if (!ok) + goto end; /* Check name constraints */ ok = check_name_constraints(ctx); - - if (!ok) goto end; + + if (!ok) + goto end; /* The chain extensions are OK: check trust */ - if (param->trust > 0) ok = check_trust(ctx); + if (param->trust > 0) + ok = check_trust(ctx); - if (!ok) goto end; + if (!ok) + goto end; /* We may as well copy down any DSA parameters that are required */ - X509_get_pubkey_parameters(NULL,ctx->chain); + X509_get_pubkey_parameters(NULL, ctx->chain); /* Check revocation status: we do this after copying parameters * because they may be needed for CRL signature verification. */ ok = ctx->check_revocation(ctx); - if(!ok) goto end; + if (!ok) + goto end; /* At this point, we have a chain and need to verify it */ if (ctx->verify != NULL) - ok=ctx->verify(ctx); + ok = ctx->verify(ctx); else - ok=internal_verify(ctx); - if(!ok) goto end; + ok = internal_verify(ctx); + if (!ok) + goto end; #ifndef OPENSSL_NO_RFC3779 /* RFC 3779 path validation, now that CRL check has been done */ ok = v3_asid_validate_path(ctx); - if (!ok) goto end; + if (!ok) + goto end; ok = v3_addr_validate_path(ctx); - if (!ok) goto end; + if (!ok) + goto end; #endif /* If we get this far evaluate policies */ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) ok = ctx->check_policy(ctx); - if(!ok) goto end; + if (!ok) + goto end; if (0) { end: - X509_get_pubkey_parameters(NULL,ctx->chain); + X509_get_pubkey_parameters(NULL, ctx->chain); } - if (sktmp != NULL) sk_X509_free(sktmp); - if (chain_ss != NULL) X509_free(chain_ss); + if (sktmp != NULL) + sk_X509_free(sktmp); + if (chain_ss != NULL) + X509_free(chain_ss); return ok; } @@ -373,10 +398,12 @@ end: /* Given a STACK_OF(X509) find the issuer of cert (if any) */ -static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) +static X509 * +find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { int i; X509 *issuer; + for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); if (ctx->check_issued(ctx, x, issuer)) @@ -387,9 +414,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) /* Given a possible certificate and issuer check them */ -static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) +static int +check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { int ret; + ret = X509_check_issued(issuer, x); if (ret == X509_V_OK) return 1; @@ -405,33 +434,35 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) /* Alternative lookup method: look from a STACK stored in other_ctx */ -static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) +static int +get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { *issuer = find_issuer(ctx, ctx->other_ctx, x); if (*issuer) { - CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); + CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); return 1; } else return 0; } - /* Check a certificate chains extensions for consistency * with the supplied purpose */ -static int check_chain_extensions(X509_STORE_CTX *ctx) +static int +check_chain_extensions(X509_STORE_CTX *ctx) { #ifdef OPENSSL_NO_CHAIN_VERIFY return 1; #else - int i, ok=0, must_be_ca, plen = 0; + int i, ok = 0, must_be_ca, plen = 0; X509 *x; - int (*cb)(int xok,X509_STORE_CTX *xctx); + int (*cb)(int xok, X509_STORE_CTX *xctx); int proxy_path_length = 0; int purpose; int allow_proxy_certs; - cb=ctx->verify_cb; + + cb = ctx->verify_cb; /* must_be_ca can have 1 of 3 values: -1: we accept both CA and non-CA certificates, to allow direct @@ -449,7 +480,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) purpose = X509_PURPOSE_CRL_SIGN; } else { allow_proxy_certs = - !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); + !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); /* A hack to keep people who don't want to modify their software happy */ if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) @@ -461,26 +492,28 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) for (i = 0; i < ctx->last_untrusted; i++) { int ret; x = sk_X509_value(ctx->chain, i); - if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (x->ex_flags & EXFLAG_CRITICAL)) { + if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && + (x->ex_flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } ret = X509_check_ca(x); - switch(must_be_ca) { + switch (must_be_ca) { case -1: - if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1) && (ret != 0)) { + if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && + (ret != 1) && (ret != 0)) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; } else @@ -494,9 +527,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ret = 1; break; default: - if ((ret == 0) - || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) { + if ((ret == 0) || + ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && + (ret != 1))) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; } else @@ -506,30 +539,33 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (ret == 0) { ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } if (ctx->param->purpose > 0) { ret = X509_check_purpose(x, purpose, must_be_ca > 0); - if ((ret == 0) - || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) { + if ((ret == 0) || + ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && + (ret != 1))) { ctx->error = X509_V_ERR_INVALID_PURPOSE; ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } } /* Check pathlen if not self issued */ - if ((i > 1) && !(x->ex_flags & EXFLAG_SI) - && (x->ex_pathlen != -1) - && (plen > (x->ex_pathlen + proxy_path_length + 1))) { + if ((i > 1) && !(x->ex_flags & EXFLAG_SI) && + (x->ex_pathlen != -1) && + (plen > (x->ex_pathlen + proxy_path_length + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } /* Increment path length if not self issued */ if (!(x->ex_flags & EXFLAG_SI)) @@ -541,11 +577,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (x->ex_flags & EXFLAG_PROXY) { if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { ctx->error = - X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; + X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } proxy_path_length++; must_be_ca = 0; @@ -553,15 +590,18 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) must_be_ca = 1; } ok = 1; - end: + +end: return ok; #endif } -static int check_name_constraints(X509_STORE_CTX *ctx) +static int +check_name_constraints(X509_STORE_CTX *ctx) { X509 *x; int i, j, rv; + /* Check name constraints for all certificates */ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { x = sk_X509_value(ctx->chain, i); @@ -581,7 +621,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) ctx->error = rv; ctx->error_depth = i; ctx->current_cert = x; - if (!ctx->verify_cb(0,ctx)) + if (!ctx->verify_cb(0, ctx)) return 0; } } @@ -590,16 +630,18 @@ static int check_name_constraints(X509_STORE_CTX *ctx) return 1; } -static int check_trust(X509_STORE_CTX *ctx) +static int +check_trust(X509_STORE_CTX *ctx) { #ifdef OPENSSL_NO_CHAIN_VERIFY return 1; #else int i, ok; X509 *x; - int (*cb)(int xok,X509_STORE_CTX *xctx); - cb=ctx->verify_cb; -/* For now just check the last certificate in the chain */ + int (*cb)(int xok, X509_STORE_CTX *xctx); + + cb = ctx->verify_cb; + /* For now just check the last certificate in the chain */ i = sk_X509_num(ctx->chain) - 1; x = sk_X509_value(ctx->chain, i); ok = X509_check_trust(x, ctx->param->trust, 0); @@ -616,9 +658,11 @@ static int check_trust(X509_STORE_CTX *ctx) #endif } -static int check_revocation(X509_STORE_CTX *ctx) +static int +check_revocation(X509_STORE_CTX *ctx) { int i, last, ok; + if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) return 1; if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) @@ -629,19 +673,23 @@ static int check_revocation(X509_STORE_CTX *ctx) return 1; last = 0; } - for(i = 0; i <= last; i++) { + for (i = 0; i <= last; i++) { ctx->error_depth = i; ok = check_cert(ctx); - if (!ok) return ok; + if (!ok) + return ok; } return 1; } -static int check_cert(X509_STORE_CTX *ctx) { +static int +check_cert(X509_STORE_CTX *ctx) +{ X509_CRL *crl = NULL, *dcrl = NULL; X509 *x; int ok, cnum; unsigned int last_reasons; + cnum = ctx->error_depth; x = sk_X509_value(ctx->chain, cnum); ctx->current_cert = x; @@ -658,7 +706,7 @@ static int check_cert(X509_STORE_CTX *ctx) { /* If error looking up CRL, nothing we can do except * notify callback */ - if(!ok) { + if (!ok) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; ok = ctx->verify_cb(0, ctx); goto err; @@ -698,21 +746,23 @@ static int check_cert(X509_STORE_CTX *ctx) { goto err; } } + err: X509_CRL_free(crl); X509_CRL_free(dcrl); ctx->current_crl = NULL; return ok; - } /* Check CRL times against values in X509_STORE_CTX */ -static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) +static int +check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { time_t *ptime; int i; + if (notify) ctx->current_crl = crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) @@ -720,11 +770,11 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) else ptime = NULL; - i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); + i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); if (i == 0) { if (!notify) return 0; - ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; + ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; if (!ctx->verify_cb(0, ctx)) return 0; } @@ -732,26 +782,27 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) if (i > 0) { if (!notify) return 0; - ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; + ctx->error = X509_V_ERR_CRL_NOT_YET_VALID; if (!ctx->verify_cb(0, ctx)) return 0; } - if(X509_CRL_get_nextUpdate(crl)) { - i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); + if (X509_CRL_get_nextUpdate(crl)) { + i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); if (i == 0) { if (!notify) return 0; - ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; + ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; if (!ctx->verify_cb(0, ctx)) return 0; } /* Ignore expiry of base CRL is delta is valid */ - if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { + if ((i < 0) && + !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { if (!notify) return 0; - ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; + ctx->error = X509_V_ERR_CRL_HAS_EXPIRED; if (!ctx->verify_cb(0, ctx)) return 0; } @@ -763,9 +814,10 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) return 1; } -static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, - X509 **pissuer, int *pscore, unsigned int *preasons, - STACK_OF(X509_CRL) *crls) +static int +get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, + X509 **pissuer, int *pscore, unsigned int *preasons, + STACK_OF(X509_CRL) *crls) { int i, crl_score, best_score = *pscore; unsigned int reasons, best_reasons = 0; @@ -811,10 +863,12 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, * both present or both absent. If both present all fields must be identical. */ -static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) +static int +crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) { ASN1_OCTET_STRING *exta, *extb; int i; + i = X509_CRL_get_ext_by_NID(a, nid, -1); if (i >= 0) { /* Can't have multiple occurrences */ @@ -827,7 +881,6 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) i = X509_CRL_get_ext_by_NID(b, nid, -1); if (i >= 0) { - if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) return 0; extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); @@ -840,7 +893,6 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) if (!exta || !extb) return 0; - if (ASN1_OCTET_STRING_cmp(exta, extb)) return 0; @@ -849,29 +901,30 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) /* See if a base and delta are compatible */ -static int check_delta_base(X509_CRL *delta, X509_CRL *base) +static int +check_delta_base(X509_CRL *delta, X509_CRL *base) { /* Delta CRL must be a delta */ if (!delta->base_crl_number) - return 0; + return 0; /* Base must have a CRL number */ if (!base->crl_number) - return 0; + return 0; /* Issuer names must match */ if (X509_NAME_cmp(X509_CRL_get_issuer(base), - X509_CRL_get_issuer(delta))) + X509_CRL_get_issuer(delta))) return 0; /* AKID and IDP must match */ if (!crl_extension_match(delta, base, NID_authority_key_identifier)) - return 0; + return 0; if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) - return 0; + return 0; /* Delta CRL base number must not exceed Full CRL number. */ if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) - return 0; + return 0; /* Delta CRL number must exceed full CRL number */ if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) - return 1; + return 1; return 0; } @@ -879,11 +932,13 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base) * or retrieve a chain of deltas... */ -static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, - X509_CRL *base, STACK_OF(X509_CRL) *crls) +static void +get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base, + STACK_OF(X509_CRL) *crls) { X509_CRL *delta; int i; + if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) return; if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) @@ -908,11 +963,10 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, * no new reasons the CRL is rejected, otherwise reasons is updated. */ -static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, - unsigned int *preasons, - X509_CRL *crl, X509 *x) +static int +get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, + X509_CRL *crl, X509 *x) { - int crl_score = 0; unsigned int tmp_reasons = *preasons, crl_reasons; @@ -968,11 +1022,11 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, *preasons = tmp_reasons; return crl_score; - } -static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, - X509 **pissuer, int *pcrl_score) +static void +crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, + int *pcrl_score) { X509 *crl_issuer = NULL; X509_NAME *cnm = X509_CRL_get_issuer(crl); @@ -1026,14 +1080,16 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, /* Check the path of a CRL issuer certificate. This creates a new * X509_STORE_CTX and populates it with most of the parameters from the * parent. This could be optimised somewhat since a lot of path checking - * will be duplicated by the parent, but this will rarely be used in + * will be duplicated by the parent, but this will rarely be used in * practice. */ -static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) +static int +check_crl_path(X509_STORE_CTX *ctx, X509 *x) { X509_STORE_CTX crl_ctx; int ret; + /* Don't allow recursive CRL path validation */ if (ctx->parent) return 0; @@ -1054,9 +1110,9 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) goto err; /* Check chain is acceptable */ - ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); - err: + +err: X509_STORE_CTX_cleanup(&crl_ctx); return ret; } @@ -1069,11 +1125,12 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) * until this is resolved we use the RFC5280 version */ -static int check_crl_chain(X509_STORE_CTX *ctx, - STACK_OF(X509) *cert_path, - STACK_OF(X509) *crl_path) +static int +check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, + STACK_OF(X509) *crl_path) { X509 *cert_ta, *crl_ta; + cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); if (!X509_cmp(cert_ta, crl_ta)) @@ -1088,13 +1145,14 @@ static int check_crl_chain(X509_STORE_CTX *ctx, * 4. One is NULL: automatic match. */ - -static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) +static int +idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) { X509_NAME *nm = NULL; GENERAL_NAMES *gens = NULL; GENERAL_NAME *gena, *genb; int i, j; + if (!a || !b) return 1; if (a->type == 1) { @@ -1123,7 +1181,7 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ if (nm) { for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { - gena = sk_GENERAL_NAME_value(gens, i); + gena = sk_GENERAL_NAME_value(gens, i); if (gena->type != GEN_DIRNAME) continue; if (!X509_NAME_cmp(nm, gena->d.directoryName)) @@ -1144,13 +1202,14 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) } return 0; - } -static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) +static int +crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) { int i; X509_NAME *nm = X509_CRL_get_issuer(crl); + /* If no CRLissuer return is successful iff don't need a match */ if (!dp->CRLissuer) return !!(crl_score & CRL_SCORE_ISSUER_NAME); @@ -1166,10 +1225,11 @@ static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) /* Check CRLDP and IDP */ -static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, - unsigned int *preasons) +static int +crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons) { int i; + if (crl->idp_flags & IDP_ONLYATTR) return 0; if (x->ex_flags & EXFLAG_CA) { @@ -1184,13 +1244,14 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); if (crldp_check_crlissuer(dp, crl, crl_score)) { if (!crl->idp || - idp_check_dp(dp->distpoint, crl->idp->distpoint)) { + idp_check_dp(dp->distpoint, crl->idp->distpoint)) { *preasons &= dp->dp_reasons; return 1; } } } - if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) + if ((!crl->idp || !crl->idp->distpoint) && + (crl_score & CRL_SCORE_ISSUER_NAME)) return 1; return 0; } @@ -1198,9 +1259,9 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, /* Retrieve CRL corresponding to current certificate. * If deltas enabled try to find a delta CRL too */ - -static int get_crl_delta(X509_STORE_CTX *ctx, - X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) + +static int +get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) { int ok; X509 *issuer = NULL; @@ -1209,15 +1270,14 @@ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL *crl = NULL, *dcrl = NULL; STACK_OF(X509_CRL) *skcrl; X509_NAME *nm = X509_get_issuer_name(x); - reasons = ctx->current_reasons; - ok = get_crl_sk(ctx, &crl, &dcrl, - &issuer, &crl_score, &reasons, ctx->crls); + reasons = ctx->current_reasons; + ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, + ctx->crls); if (ok) goto done; /* Lookup CRLs from store */ - skcrl = ctx->lookup_crls(ctx, nm); /* If no CRLs found and a near match from get_crl_sk use that */ @@ -1228,7 +1288,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx, sk_X509_CRL_pop_free(skcrl, X509_CRL_free); - done: +done: /* If we got any kind of CRL use it and return success */ if (crl) { @@ -1244,11 +1304,13 @@ static int get_crl_delta(X509_STORE_CTX *ctx, } /* Check CRL validity */ -static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) +static int +check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) { X509 *issuer = NULL; EVP_PKEY *ikey = NULL; int ok = 0, chnum, cnum; + cnum = ctx->error_depth; chnum = sk_X509_num(ctx->chain) - 1; /* if we have an alternative CRL issuer cert use that */ @@ -1262,44 +1324,50 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) } else { issuer = sk_X509_value(ctx->chain, chnum); /* If not self signed, can't check signature */ - if(!ctx->check_issued(ctx, issuer, issuer)) { + if (!ctx->check_issued(ctx, issuer, issuer)) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + if (!ok) + goto err; } } - if(issuer) { + if (issuer) { /* Skip most tests for deltas because they have already * been done */ if (!crl->base_crl_number) { /* Check for cRLSign bit if keyUsage present */ if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN)) { + !(issuer->ex_kusage & KU_CRL_SIGN)) { ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + if (!ok) + goto err; } if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + if (!ok) + goto err; } if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { - if (check_crl_path(ctx, ctx->current_issuer) <= 0) { + if (check_crl_path(ctx, + ctx->current_issuer) <= 0) { ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + if (!ok) + goto err; } } if (crl->idp_flags & IDP_INVALID) { ctx->error = X509_V_ERR_INVALID_EXTENSION; ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + if (!ok) + goto err; } @@ -1314,16 +1382,18 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) /* Attempt to get issuer certificate public key */ ikey = X509_get_pubkey(issuer); - if(!ikey) { - ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; + if (!ikey) { + ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; + if (!ok) + goto err; } else { /* Verify CRL signature */ - if(X509_CRL_verify(crl, ikey) <= 0) { - ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; + if (X509_CRL_verify(crl, ikey) <= 0) { + ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE; ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; + if (!ok) + goto err; } } } @@ -1336,20 +1406,22 @@ err: } /* Check certificate against CRL */ -static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) +static int +cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { int ok; X509_REVOKED *rev; + /* The rules changed for this... previously if a CRL contained * unhandled critical extensions it could still be used to indicate - * a certificate was revoked. This has since been changed since + * a certificate was revoked. This has since been changed since * critical extension can change the meaning of CRL entries. */ - if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (crl->flags & EXFLAG_CRITICAL)) { + if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && + (crl->flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; ok = ctx->verify_cb(0, ctx); - if(!ok) + if (!ok) return 0; } /* Look for serial number of certificate in CRL @@ -1367,15 +1439,17 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) return 1; } -static int check_policy(X509_STORE_CTX *ctx) +static int +check_policy(X509_STORE_CTX *ctx) { int ret; + if (ctx->parent) return 1; ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, - ctx->param->policies, ctx->param->flags); + ctx->param->policies, ctx->param->flags); if (ret == 0) { - X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); + X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE); return 0; } /* Invalid or inconsistent extensions */ @@ -1391,7 +1465,7 @@ static int check_policy(X509_STORE_CTX *ctx) continue; ctx->current_cert = x; ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; - if(!ctx->verify_cb(0, ctx)) + if (!ctx->verify_cb(0, ctx)) return 0; } return 1; @@ -1412,7 +1486,8 @@ static int check_policy(X509_STORE_CTX *ctx) return 1; } -static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) +static int +check_cert_time(X509_STORE_CTX *ctx, X509 *x) { time_t *ptime; int i; @@ -1422,32 +1497,32 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) else ptime = NULL; - i=X509_cmp_time(X509_get_notBefore(x), ptime); + i = X509_cmp_time(X509_get_notBefore(x), ptime); if (i == 0) { - ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; - ctx->current_cert=x; + ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; + ctx->current_cert = x; if (!ctx->verify_cb(0, ctx)) return 0; } if (i > 0) { - ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; - ctx->current_cert=x; + ctx->error = X509_V_ERR_CERT_NOT_YET_VALID; + ctx->current_cert = x; if (!ctx->verify_cb(0, ctx)) return 0; } - i=X509_cmp_time(X509_get_notAfter(x), ptime); + i = X509_cmp_time(X509_get_notAfter(x), ptime); if (i == 0) { - ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; - ctx->current_cert=x; + ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; + ctx->current_cert = x; if (!ctx->verify_cb(0, ctx)) return 0; } if (i < 0) { - ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; - ctx->current_cert=x; + ctx->error = X509_V_ERR_CERT_HAS_EXPIRED; + ctx->current_cert = x; if (!ctx->verify_cb(0, ctx)) return 0; } @@ -1455,60 +1530,63 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) return 1; } -static int internal_verify(X509_STORE_CTX *ctx) +static int +internal_verify(X509_STORE_CTX *ctx) { - int ok=0,n; - X509 *xs,*xi; - EVP_PKEY *pkey=NULL; - int (*cb)(int xok,X509_STORE_CTX *xctx); + int ok = 0, n; + X509 *xs, *xi; + EVP_PKEY *pkey = NULL; + int (*cb)(int xok, X509_STORE_CTX *xctx); - cb=ctx->verify_cb; + cb = ctx->verify_cb; - n=sk_X509_num(ctx->chain); - ctx->error_depth=n-1; + n = sk_X509_num(ctx->chain); + ctx->error_depth = n - 1; n--; - xi=sk_X509_value(ctx->chain,n); + xi = sk_X509_value(ctx->chain, n); if (ctx->check_issued(ctx, xi, xi)) - xs=xi; + xs = xi; else { if (n <= 0) { - ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; - ctx->current_cert=xi; - ok=cb(0,ctx); + ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; + ctx->current_cert = xi; + ok = cb(0, ctx); goto end; } else { n--; - ctx->error_depth=n; - xs=sk_X509_value(ctx->chain,n); + ctx->error_depth = n; + xs = sk_X509_value(ctx->chain, n); } } /* ctx->error=0; not needed */ while (n >= 0) { - ctx->error_depth=n; + ctx->error_depth = n; /* Skip signature check for self signed certificates unless * explicitly asked for. It doesn't add any security and * just wastes time. */ - if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { - if ((pkey=X509_get_pubkey(xi)) == NULL) { - ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; - ctx->current_cert=xi; - ok=(*cb)(0,ctx); - if (!ok) goto end; - } else if (X509_verify(xs,pkey) <= 0) { - ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; - ctx->current_cert=xs; - ok=(*cb)(0,ctx); + if (!xs->valid && (xs != xi || + (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { + if ((pkey = X509_get_pubkey(xi)) == NULL) { + ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; + ctx->current_cert = xi; + ok = (*cb)(0, ctx); + if (!ok) + goto end; + } else if (X509_verify(xs, pkey) <= 0) { + ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; + ctx->current_cert = xs; + ok = (*cb)(0, ctx); if (!ok) { EVP_PKEY_free(pkey); goto end; } } EVP_PKEY_free(pkey); - pkey=NULL; + pkey = NULL; } xs->valid = 1; @@ -1518,200 +1596,225 @@ static int internal_verify(X509_STORE_CTX *ctx) goto end; /* The last error (if any) is still in the error value */ - ctx->current_issuer=xi; - ctx->current_cert=xs; - ok=(*cb)(1,ctx); - if (!ok) goto end; + ctx->current_issuer = xi; + ctx->current_cert = xs; + ok = (*cb)(1, ctx); + if (!ok) + goto end; n--; if (n >= 0) { - xi=xs; - xs=sk_X509_value(ctx->chain,n); + xi = xs; + xs = sk_X509_value(ctx->chain, n); } } - ok=1; + ok = 1; + end: return ok; } -int X509_cmp_current_time(const ASN1_TIME *ctm) +int +X509_cmp_current_time(const ASN1_TIME *ctm) { return X509_cmp_time(ctm, NULL); } -int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) +int +X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) { char *str; ASN1_TIME atm; long offset; - char buff1[24],buff2[24],*p; - int i,j; + char buff1[24], buff2[24], *p; + int i, j; - p=buff1; - i=ctm->length; - str=(char *)ctm->data; + p = buff1; + i = ctm->length; + str = (char *)ctm->data; if (ctm->type == V_ASN1_UTCTIME) { - if ((i < 11) || (i > 17)) return 0; - memcpy(p,str,10); - p+=10; - str+=10; + if ((i < 11) || (i > 17)) + return 0; + memcpy(p, str, 10); + p += 10; + str += 10; } else { - if (i < 13) return 0; - memcpy(p,str,12); - p+=12; - str+=12; + if (i < 13) + return 0; + memcpy(p, str, 12); + p += 12; + str += 12; } if ((*str == 'Z') || (*str == '-') || (*str == '+')) { - *(p++)='0'; - *(p++)='0'; - } else { - *(p++)= *(str++); - *(p++)= *(str++); + *(p++) = '0'; + *(p++) = '0'; + } else { + *(p++) = *(str++); + *(p++) = *(str++); /* Skip any fractional seconds... */ if (*str == '.') { str++; - while ((*str >= '0') && (*str <= '9')) str++; + while ((*str >= '0') && (*str <= '9')) + str++; } - } - *(p++)='Z'; - *(p++)='\0'; + *(p++) = 'Z'; + *(p++) = '\0'; if (*str == 'Z') - offset=0; + offset = 0; else { if ((*str != '+') && (*str != '-')) return 0; - offset=((str[1]-'0')*10+(str[2]-'0'))*60; - offset+=(str[3]-'0')*10+(str[4]-'0'); + offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60; + offset += (str[3] - '0') * 10 + (str[4] - '0'); if (*str == '-') - offset= -offset; + offset = -offset; } - atm.type=ctm->type; + atm.type = ctm->type; atm.flags = 0; - atm.length=sizeof(buff2); - atm.data=(unsigned char *)buff2; + atm.length = sizeof(buff2); + atm.data = (unsigned char *)buff2; - if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) + if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL) return 0; if (ctm->type == V_ASN1_UTCTIME) { - i=(buff1[0]-'0')*10+(buff1[1]-'0'); - if (i < 50) i+=100; /* cf. RFC 2459 */ - j=(buff2[0]-'0')*10+(buff2[1]-'0'); - if (j < 50) j+=100; - - if (i < j) return -1; - if (i > j) return 1; + i = (buff1[0] - '0') * 10 + (buff1[1] - '0'); + if (i < 50) + i += 100; /* cf. RFC 2459 */ + j = (buff2[0] - '0') * 10 + (buff2[1] - '0'); + if (j < 50) + j += 100; + if (i < j) + return -1; + if (i > j) + return 1; } - i=strcmp(buff1,buff2); + i = strcmp(buff1, buff2); if (i == 0) /* wait a second then return younger :-) */ return -1; else return i; } -ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) +ASN1_TIME * +X509_gmtime_adj(ASN1_TIME *s, long adj) { return X509_time_adj(s, adj, NULL); } -ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) +ASN1_TIME * +X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) { return X509_time_adj_ex(s, 0, offset_sec, in_tm); } -ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, - int offset_day, long offset_sec, time_t *in_tm) +ASN1_TIME * +X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm) { time_t t; - if (in_tm) t = *in_tm; - else time(&t); + if (in_tm) + t = *in_tm; + else + time(&t); if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) { if (s->type == V_ASN1_UTCTIME) - return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); + return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec); if (s->type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, - offset_sec); + offset_sec); } return ASN1_TIME_adj(s, t, offset_day, offset_sec); } -int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) +int +X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) { - EVP_PKEY *ktmp=NULL,*ktmp2; - int i,j; + EVP_PKEY *ktmp = NULL, *ktmp2; + int i, j; - if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; + if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) + return 1; - for (i=0; i= 0; j--) { - ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); - EVP_PKEY_copy_parameters(ktmp2,ktmp); + for (j = i - 1; j >= 0; j--) { + ktmp2 = X509_get_pubkey(sk_X509_value(chain, j)); + EVP_PKEY_copy_parameters(ktmp2, ktmp); EVP_PKEY_free(ktmp2); } - - if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); + + if (pkey != NULL) + EVP_PKEY_copy_parameters(pkey, ktmp); EVP_PKEY_free(ktmp); return 1; } -int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, - CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) +int +X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) { /* This function is (usually) called only once, by * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ - return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, - new_func, dup_func, free_func); + return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, + argl, argp, new_func, dup_func, free_func); } -int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) +int +X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) { - return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); + return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); } -void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) +void * +X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) { - return CRYPTO_get_ex_data(&ctx->ex_data,idx); + return CRYPTO_get_ex_data(&ctx->ex_data, idx); } -int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) +int +X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) { return ctx->error; } -void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) +void +X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) { - ctx->error=err; + ctx->error = err; } -int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) +int +X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) { return ctx->error_depth; } -X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) +X509 * +X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) { return ctx->current_cert; } @@ -1726,7 +1829,9 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) int i; X509 *x; STACK_OF(X509) *chain; - if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; + + if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) + return NULL; for (i = 0; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); @@ -1734,42 +1839,50 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) return chain; } -X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) +X509 * +X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) { return ctx->current_issuer; } -X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) +X509_CRL * +X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) { return ctx->current_crl; } -X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) +X509_STORE_CTX * +X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) { return ctx->parent; } -void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) +void +X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) { - ctx->cert=x; + ctx->cert = x; } -void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) +void +X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { - ctx->untrusted=sk; + ctx->untrusted = sk; } -void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) +void +X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) { - ctx->crls=sk; + ctx->crls = sk; } -int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) +int +X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); } -int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) +int +X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) { return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); } @@ -1784,19 +1897,22 @@ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) * aren't set then we use the default of SSL client/server. */ -int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, - int purpose, int trust) +int +X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, + int purpose, int trust) { int idx; + /* If purpose not set use default */ - if (!purpose) purpose = def_purpose; + if (!purpose) + purpose = def_purpose; /* If we have a purpose then check it is valid */ if (purpose) { X509_PURPOSE *ptmp; idx = X509_PURPOSE_get_by_id(purpose); if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, - X509_R_UNKNOWN_PURPOSE_ID); + X509_R_UNKNOWN_PURPOSE_ID); return 0; } ptmp = X509_PURPOSE_get0(idx); @@ -1804,74 +1920,82 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, idx = X509_PURPOSE_get_by_id(def_purpose); if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, - X509_R_UNKNOWN_PURPOSE_ID); + X509_R_UNKNOWN_PURPOSE_ID); return 0; } ptmp = X509_PURPOSE_get0(idx); } /* If trust not set then get from purpose default */ - if (!trust) trust = ptmp->trust; + if (!trust) + trust = ptmp->trust; } if (trust) { idx = X509_TRUST_get_by_id(trust); if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, - X509_R_UNKNOWN_TRUST_ID); + X509_R_UNKNOWN_TRUST_ID); return 0; } } - if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; - if (trust && !ctx->param->trust) ctx->param->trust = trust; + if (purpose && !ctx->param->purpose) + ctx->param->purpose = purpose; + if (trust && !ctx->param->trust) + ctx->param->trust = trust; return 1; } -X509_STORE_CTX *X509_STORE_CTX_new(void) +X509_STORE_CTX * +X509_STORE_CTX_new(void) { X509_STORE_CTX *ctx; + ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX)); if (!ctx) { - X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; } memset(ctx, 0, sizeof(X509_STORE_CTX)); return ctx; } -void X509_STORE_CTX_free(X509_STORE_CTX *ctx) +void +X509_STORE_CTX_free(X509_STORE_CTX *ctx) { X509_STORE_CTX_cleanup(ctx); free(ctx); } -int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, - STACK_OF(X509) *chain) +int +X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, + STACK_OF(X509) *chain) { int ret = 1; - ctx->ctx=store; - ctx->current_method=0; - ctx->cert=x509; - ctx->untrusted=chain; + + ctx->ctx = store; + ctx->current_method = 0; + ctx->cert = x509; + ctx->untrusted = chain; ctx->crls = NULL; - ctx->last_untrusted=0; - ctx->other_ctx=NULL; - ctx->valid=0; - ctx->chain=NULL; - ctx->error=0; - ctx->explicit_policy=0; - ctx->error_depth=0; - ctx->current_cert=NULL; - ctx->current_issuer=NULL; - ctx->current_crl=NULL; - ctx->current_crl_score=0; - ctx->current_reasons=0; + ctx->last_untrusted = 0; + ctx->other_ctx = NULL; + ctx->valid = 0; + ctx->chain = NULL; + ctx->error = 0; + ctx->explicit_policy = 0; + ctx->error_depth = 0; + ctx->current_cert = NULL; + ctx->current_issuer = NULL; + ctx->current_crl = NULL; + ctx->current_crl_score = 0; + ctx->current_reasons = 0; ctx->tree = NULL; ctx->parent = NULL; ctx->param = X509_VERIFY_PARAM_new(); if (!ctx->param) { - X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); return 0; } @@ -1879,7 +2003,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, * use defaults. */ - if (store) ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); else @@ -1893,10 +2016,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, if (ret) ret = X509_VERIFY_PARAM_inherit(ctx->param, - X509_VERIFY_PARAM_lookup("default")); + X509_VERIFY_PARAM_lookup("default")); if (ret == 0) { - X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); return 0; } @@ -1957,10 +2080,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a * corresponding "new" here and remove this bogus initialisation. */ /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ - if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, - &(ctx->ex_data))) { + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, + &(ctx->ex_data))) { free(ctx); - X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); return 0; } return 1; @@ -1970,64 +2093,75 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, * This avoids X509_STORE nastiness where it isn't needed. */ -void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) +void +X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { ctx->other_ctx = sk; ctx->get_issuer = get_issuer_sk; } -void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) +void +X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) { - if (ctx->cleanup) ctx->cleanup(ctx); + if (ctx->cleanup) + ctx->cleanup(ctx); if (ctx->param != NULL) { if (ctx->parent == NULL) X509_VERIFY_PARAM_free(ctx->param); - ctx->param=NULL; + ctx->param = NULL; } if (ctx->tree != NULL) { X509_policy_tree_free(ctx->tree); - ctx->tree=NULL; + ctx->tree = NULL; } if (ctx->chain != NULL) { - sk_X509_pop_free(ctx->chain,X509_free); - ctx->chain=NULL; + sk_X509_pop_free(ctx->chain, X509_free); + ctx->chain = NULL; } - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); - memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, + ctx, &(ctx->ex_data)); + memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA)); } -void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) +void +X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) { X509_VERIFY_PARAM_set_depth(ctx->param, depth); } -void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) +void +X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) { X509_VERIFY_PARAM_set_flags(ctx->param, flags); } -void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) +void +X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) { X509_VERIFY_PARAM_set_time(ctx->param, t); } -void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, - int (*verify_cb)(int, X509_STORE_CTX *)) +void +X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, + int (*verify_cb)(int, X509_STORE_CTX *)) { - ctx->verify_cb=verify_cb; + ctx->verify_cb = verify_cb; } -X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) +X509_POLICY_TREE * +X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) { return ctx->tree; } -int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) +int +X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) { return ctx->explicit_policy; } -int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) +int +X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) { const X509_VERIFY_PARAM *param; param = X509_VERIFY_PARAM_lookup(name); @@ -2036,12 +2170,14 @@ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) return X509_VERIFY_PARAM_inherit(ctx->param, param); } -X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) +X509_VERIFY_PARAM * +X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) { return ctx->param; } -void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) +void +X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) { if (ctx->param) X509_VERIFY_PARAM_free(ctx->param); diff --git a/lib/libcrypto/x509/x509_vpm.c b/lib/libcrypto/x509/x509_vpm.c index 7f0824f75ee..f0d2a0902ef 100644 --- a/lib/libcrypto/x509/x509_vpm.c +++ b/lib/libcrypto/x509/x509_vpm.c @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -67,7 +67,8 @@ /* X509_VERIFY_PARAM functions */ -static void x509_verify_param_zero(X509_VERIFY_PARAM *param) +static void +x509_verify_param_zero(X509_VERIFY_PARAM *param) { if (!param) return; @@ -84,16 +85,19 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) } } -X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) +X509_VERIFY_PARAM * +X509_VERIFY_PARAM_new(void) { X509_VERIFY_PARAM *param; + param = malloc(sizeof(X509_VERIFY_PARAM)); memset(param, 0, sizeof(X509_VERIFY_PARAM)); x509_verify_param_zero(param); return param; } -void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) +void +X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { x509_verify_param_zero(param); free(param); @@ -109,7 +113,7 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) * for SSL servers or clients but only if the application has not set new * ones. * - * The "inh_flags" field determines how this function behaves. + * The "inh_flags" field determines how this function behaves. * * Normally any values which are set in the default are not copied from the * destination and verify flags are ORed together. @@ -141,13 +145,14 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) #define x509_verify_param_copy(field, def) \ if (test_x509_verify_param_copy(field, def)) \ dest->field = src->field - -int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, - const X509_VERIFY_PARAM *src) + +int +X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) { unsigned long inh_flags; int to_default, to_overwrite; + if (!src) return 1; inh_flags = dest->inh_flags | src->inh_flags; @@ -193,18 +198,20 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, return 1; } -int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, - const X509_VERIFY_PARAM *from) +int +X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from) { unsigned long save_flags = to->inh_flags; int ret; + to->inh_flags |= X509_VP_FLAG_DEFAULT; ret = X509_VERIFY_PARAM_inherit(to, from); to->inh_flags = save_flags; return ret; } -int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) +int +X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) { if (param->name) free(param->name); @@ -214,7 +221,8 @@ int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) return 0; } -int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) +int +X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) { param->flags |= flags; if (flags & X509_V_FLAG_POLICY_MASK) @@ -222,39 +230,46 @@ int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) return 1; } -int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) +int +X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) { param->flags &= ~flags; return 1; } -unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) +unsigned long +X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) { return param->flags; } -int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) +int +X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) { return X509_PURPOSE_set(¶m->purpose, purpose); } -int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) +int +X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) { return X509_TRUST_set(¶m->trust, trust); } -void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) +void +X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) { param->depth = depth; } -void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) +void +X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) { param->check_time = t; param->flags |= X509_V_FLAG_USE_CHECK_TIME; } -int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) +int +X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) { if (!param->policies) { param->policies = sk_ASN1_OBJECT_new_null(); @@ -266,11 +281,13 @@ int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) return 1; } -int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, - STACK_OF(ASN1_OBJECT) *policies) +int +X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, + STACK_OF(ASN1_OBJECT) *policies) { int i; ASN1_OBJECT *oid, *doid; + if (!param) return 0; if (param->policies) @@ -299,7 +316,8 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, return 1; } -int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) +int +X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) { return param->depth; } @@ -312,80 +330,81 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) static const X509_VERIFY_PARAM default_table[] = { { - "default", /* X509 default parameters */ - 0, /* Check time */ - 0, /* internal flags */ - 0, /* flags */ - 0, /* purpose */ - 0, /* trust */ - 100, /* depth */ - NULL /* policies */ + "default", /* X509 default parameters */ + 0, /* Check time */ + 0, /* internal flags */ + 0, /* flags */ + 0, /* purpose */ + 0, /* trust */ + 100, /* depth */ + NULL /* policies */ }, { - "pkcs7", /* S/MIME sign parameters */ - 0, /* Check time */ - 0, /* internal flags */ - 0, /* flags */ - X509_PURPOSE_SMIME_SIGN, /* purpose */ - X509_TRUST_EMAIL, /* trust */ - -1, /* depth */ - NULL /* policies */ + "pkcs7", /* S/MIME sign parameters */ + 0, /* Check time */ + 0, /* internal flags */ + 0, /* flags */ + X509_PURPOSE_SMIME_SIGN, /* purpose */ + X509_TRUST_EMAIL, /* trust */ + -1, /* depth */ + NULL /* policies */ }, { - "smime_sign", /* S/MIME sign parameters */ - 0, /* Check time */ - 0, /* internal flags */ - 0, /* flags */ - X509_PURPOSE_SMIME_SIGN, /* purpose */ - X509_TRUST_EMAIL, /* trust */ - -1, /* depth */ - NULL /* policies */ + "smime_sign", /* S/MIME sign parameters */ + 0, /* Check time */ + 0, /* internal flags */ + 0, /* flags */ + X509_PURPOSE_SMIME_SIGN, /* purpose */ + X509_TRUST_EMAIL, /* trust */ + -1, /* depth */ + NULL /* policies */ }, { - "ssl_client", /* SSL/TLS client parameters */ - 0, /* Check time */ - 0, /* internal flags */ - 0, /* flags */ - X509_PURPOSE_SSL_CLIENT, /* purpose */ - X509_TRUST_SSL_CLIENT, /* trust */ - -1, /* depth */ - NULL /* policies */ + "ssl_client", /* SSL/TLS client parameters */ + 0, /* Check time */ + 0, /* internal flags */ + 0, /* flags */ + X509_PURPOSE_SSL_CLIENT, /* purpose */ + X509_TRUST_SSL_CLIENT, /* trust */ + -1, /* depth */ + NULL /* policies */ }, { - "ssl_server", /* SSL/TLS server parameters */ - 0, /* Check time */ - 0, /* internal flags */ - 0, /* flags */ - X509_PURPOSE_SSL_SERVER, /* purpose */ - X509_TRUST_SSL_SERVER, /* trust */ - -1, /* depth */ - NULL /* policies */ + "ssl_server", /* SSL/TLS server parameters */ + 0, /* Check time */ + 0, /* internal flags */ + 0, /* flags */ + X509_PURPOSE_SSL_SERVER, /* purpose */ + X509_TRUST_SSL_SERVER, /* trust */ + -1, /* depth */ + NULL /* policies */ } }; static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL; -static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) - +static int +table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) { return strcmp(a->name, b->name); } -DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, - table); -IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, - table); +DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table); +IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table); -static int param_cmp(const X509_VERIFY_PARAM * const *a, - const X509_VERIFY_PARAM * const *b) +static int +param_cmp(const X509_VERIFY_PARAM * const *a, + const X509_VERIFY_PARAM * const *b) { return strcmp((*a)->name, (*b)->name); } -int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) +int +X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) { int idx; X509_VERIFY_PARAM *ptmp; + if (!param_table) { param_table = sk_X509_VERIFY_PARAM_new(param_cmp); if (!param_table) @@ -403,7 +422,8 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) return 1; } -const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) +const X509_VERIFY_PARAM * +X509_VERIFY_PARAM_lookup(const char *name) { int idx; X509_VERIFY_PARAM pm; @@ -415,13 +435,14 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) return sk_X509_VERIFY_PARAM_value(param_table, idx); } return OBJ_bsearch_table(&pm, default_table, - sizeof(default_table)/sizeof(X509_VERIFY_PARAM)); + sizeof(default_table)/sizeof(X509_VERIFY_PARAM)); } -void X509_VERIFY_PARAM_table_cleanup(void) +void +X509_VERIFY_PARAM_table_cleanup(void) { if (param_table) sk_X509_VERIFY_PARAM_pop_free(param_table, - X509_VERIFY_PARAM_free); + X509_VERIFY_PARAM_free); param_table = NULL; } diff --git a/lib/libssl/src/crypto/x509/x509_set.c b/lib/libssl/src/crypto/x509/x509_set.c index dfe9eb68fff..6fd2f857619 100644 --- a/lib/libssl/src/crypto/x509/x509_set.c +++ b/lib/libssl/src/crypto/x509/x509_set.c @@ -5,21 +5,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -63,78 +63,92 @@ #include #include -int X509_set_version(X509 *x, long version) +int +X509_set_version(X509 *x, long version) { - if (x == NULL) return(0); + if (x == NULL) + return (0); if (x->cert_info->version == NULL) { - if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL) - return(0); + if ((x->cert_info->version = M_ASN1_INTEGER_new()) == NULL) + return (0); } - return(ASN1_INTEGER_set(x->cert_info->version,version)); + return (ASN1_INTEGER_set(x->cert_info->version, version)); } -int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) +int +X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) { ASN1_INTEGER *in; - if (x == NULL) return(0); - in=x->cert_info->serialNumber; + if (x == NULL) + return (0); + in = x->cert_info->serialNumber; if (in != serial) { - in=M_ASN1_INTEGER_dup(serial); + in = M_ASN1_INTEGER_dup(serial); if (in != NULL) { M_ASN1_INTEGER_free(x->cert_info->serialNumber); - x->cert_info->serialNumber=in; + x->cert_info->serialNumber = in; } } - return(in != NULL); + return (in != NULL); } -int X509_set_issuer_name(X509 *x, X509_NAME *name) +int +X509_set_issuer_name(X509 *x, X509_NAME *name) { - if ((x == NULL) || (x->cert_info == NULL)) return(0); - return(X509_NAME_set(&x->cert_info->issuer,name)); + if ((x == NULL) || (x->cert_info == NULL)) + return (0); + return (X509_NAME_set(&x->cert_info->issuer, name)); } -int X509_set_subject_name(X509 *x, X509_NAME *name) +int +X509_set_subject_name(X509 *x, X509_NAME *name) { - if ((x == NULL) || (x->cert_info == NULL)) return(0); - return(X509_NAME_set(&x->cert_info->subject,name)); + if ((x == NULL) || (x->cert_info == NULL)) + return (0); + return (X509_NAME_set(&x->cert_info->subject, name)); } -int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) +int +X509_set_notBefore(X509 *x, const ASN1_TIME *tm) { ASN1_TIME *in; - if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); - in=x->cert_info->validity->notBefore; + if ((x == NULL) || (x->cert_info->validity == NULL)) + return (0); + in = x->cert_info->validity->notBefore; if (in != tm) { - in=M_ASN1_TIME_dup(tm); + in = M_ASN1_TIME_dup(tm); if (in != NULL) { M_ASN1_TIME_free(x->cert_info->validity->notBefore); - x->cert_info->validity->notBefore=in; + x->cert_info->validity->notBefore = in; } } - return(in != NULL); + return (in != NULL); } -int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) +int +X509_set_notAfter(X509 *x, const ASN1_TIME *tm) { ASN1_TIME *in; - if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); - in=x->cert_info->validity->notAfter; + if ((x == NULL) || (x->cert_info->validity == NULL)) + return (0); + in = x->cert_info->validity->notAfter; if (in != tm) { - in=M_ASN1_TIME_dup(tm); + in = M_ASN1_TIME_dup(tm); if (in != NULL) { M_ASN1_TIME_free(x->cert_info->validity->notAfter); - x->cert_info->validity->notAfter=in; + x->cert_info->validity->notAfter = in; } } - return(in != NULL); + return (in != NULL); } -int X509_set_pubkey(X509 *x, EVP_PKEY *pkey) +int +X509_set_pubkey(X509 *x, EVP_PKEY *pkey) { - if ((x == NULL) || (x->cert_info == NULL)) return(0); - return(X509_PUBKEY_set(&(x->cert_info->key),pkey)); + if ((x == NULL) || (x->cert_info == NULL)) + return (0); + return (X509_PUBKEY_set(&(x->cert_info->key), pkey)); } diff --git a/lib/libssl/src/crypto/x509/x509_trs.c b/lib/libssl/src/crypto/x509/x509_trs.c index bdda53ec6bb..90fd1285913 100644 --- a/lib/libssl/src/crypto/x509/x509_trs.c +++ b/lib/libssl/src/crypto/x509/x509_trs.c @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -61,8 +61,7 @@ #include -static int tr_cmp(const X509_TRUST * const *a, - const X509_TRUST * const *b); +static int tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b); static void trtable_free(X509_TRUST *p); static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags); @@ -78,14 +77,14 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust; */ static X509_TRUST trstandard[] = { -{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL}, -{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, -{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL}, -{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, -{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL}, -{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL}, -{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}, -{X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL} + {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL}, + {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, + {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL}, + {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, + {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL}, + {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL}, + {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}, + {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL} }; #define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST)) @@ -94,61 +93,76 @@ IMPLEMENT_STACK_OF(X509_TRUST) static STACK_OF(X509_TRUST) *trtable = NULL; -static int tr_cmp(const X509_TRUST * const *a, - const X509_TRUST * const *b) +static int +tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b) { return (*a)->trust - (*b)->trust; } -int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int) +int +(*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int) { int (*oldtrust)(int , X509 *, int); + oldtrust = default_trust; default_trust = trust; return oldtrust; } - -int X509_check_trust(X509 *x, int id, int flags) +int +X509_check_trust(X509 *x, int id, int flags) { X509_TRUST *pt; int idx; - if(id == -1) return 1; + + if (id == -1) + return 1; idx = X509_TRUST_get_by_id(id); - if(idx == -1) return default_trust(id, x, flags); + if (idx == -1) + return default_trust(id, x, flags); pt = X509_TRUST_get0(idx); return pt->check_trust(pt, x, flags); } -int X509_TRUST_get_count(void) +int +X509_TRUST_get_count(void) { - if(!trtable) return X509_TRUST_COUNT; + if (!trtable) + return X509_TRUST_COUNT; return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT; } -X509_TRUST * X509_TRUST_get0(int idx) +X509_TRUST * +X509_TRUST_get0(int idx) { - if(idx < 0) return NULL; - if(idx < (int)X509_TRUST_COUNT) return trstandard + idx; + if (idx < 0) + return NULL; + if (idx < (int)X509_TRUST_COUNT) + return trstandard + idx; return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT); } -int X509_TRUST_get_by_id(int id) +int +X509_TRUST_get_by_id(int id) { X509_TRUST tmp; int idx; - if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX)) - return id - X509_TRUST_MIN; + + if ((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX)) + return id - X509_TRUST_MIN; tmp.trust = id; - if(!trtable) return -1; + if (!trtable) + return -1; idx = sk_X509_TRUST_find(trtable, &tmp); - if(idx == -1) return -1; + if (idx == -1) + return -1; return idx + X509_TRUST_COUNT; } -int X509_TRUST_set(int *t, int trust) +int +X509_TRUST_set(int *t, int trust) { - if(X509_TRUST_get_by_id(trust) == -1) { + if (X509_TRUST_get_by_id(trust) == -1) { X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST); return 0; } @@ -156,11 +170,13 @@ int X509_TRUST_set(int *t, int trust) return 1; } -int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), - char *name, int arg1, void *arg2) +int +X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), + char *name, int arg1, void *arg2) { int idx; X509_TRUST *trtmp; + /* This is set according to what we change: application can't set it */ flags &= ~X509_TRUST_DYNAMIC; /* This will always be set for application modified trust entries */ @@ -168,9 +184,9 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), /* Get existing entry if any */ idx = X509_TRUST_get_by_id(id); /* Need a new entry */ - if(idx == -1) { - if(!(trtmp = malloc(sizeof(X509_TRUST)))) { - X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + if (idx == -1) { + if (!(trtmp = malloc(sizeof(X509_TRUST)))) { + X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); return 0; } trtmp->flags = X509_TRUST_DYNAMIC; @@ -178,10 +194,11 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), trtmp = X509_TRUST_get0(idx); /* free existing name if dynamic */ - if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name); + if (trtmp->flags & X509_TRUST_DYNAMIC_NAME) + free(trtmp->name); /* dup supplied name */ - if(!(trtmp->name = BUF_strdup(name))) { - X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + if (!(trtmp->name = BUF_strdup(name))) { + X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); return 0; } /* Keep the dynamic flag of existing entry */ @@ -195,22 +212,24 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), trtmp->arg2 = arg2; /* If its a new entry manage the dynamic table */ - if(idx == -1) { - if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { - X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + if (idx == -1) { + if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { + X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); return 0; } if (!sk_X509_TRUST_push(trtable, trtmp)) { - X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE); return 0; } } return 1; } -static void trtable_free(X509_TRUST *p) +static void +trtable_free(X509_TRUST *p) { - if(!p) return; + if (!p) + return; if (p->flags & X509_TRUST_DYNAMIC) { if (p->flags & X509_TRUST_DYNAMIC_NAME) free(p->name); @@ -218,32 +237,39 @@ static void trtable_free(X509_TRUST *p) } } -void X509_TRUST_cleanup(void) +void +X509_TRUST_cleanup(void) { unsigned int i; - for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i); + + for(i = 0; i < X509_TRUST_COUNT; i++) + trtable_free(trstandard + i); sk_X509_TRUST_pop_free(trtable, trtable_free); trtable = NULL; } -int X509_TRUST_get_flags(X509_TRUST *xp) +int +X509_TRUST_get_flags(X509_TRUST *xp) { return xp->flags; } -char *X509_TRUST_get0_name(X509_TRUST *xp) +char * +X509_TRUST_get0_name(X509_TRUST *xp) { return xp->name; } -int X509_TRUST_get_trust(X509_TRUST *xp) +int +X509_TRUST_get_trust(X509_TRUST *xp) { return xp->trust; } -static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) +static int +trust_1oidany(X509_TRUST *trust, X509 *x, int flags) { - if(x->aux && (x->aux->trust || x->aux->reject)) + if (x->aux && (x->aux->trust || x->aux->reject)) return obj_trust(trust->arg1, x, flags); /* we don't have any trust settings: for compatibility * we return trusted if it is self signed @@ -251,38 +277,47 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) return trust_compat(trust, x, flags); } -static int trust_1oid(X509_TRUST *trust, X509 *x, int flags) +static int +trust_1oid(X509_TRUST *trust, X509 *x, int flags) { - if(x->aux) return obj_trust(trust->arg1, x, flags); + if (x->aux) + return obj_trust(trust->arg1, x, flags); return X509_TRUST_UNTRUSTED; } -static int trust_compat(X509_TRUST *trust, X509 *x, int flags) +static int +trust_compat(X509_TRUST *trust, X509 *x, int flags) { X509_check_purpose(x, -1, 0); - if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED; - else return X509_TRUST_UNTRUSTED; + if (x->ex_flags & EXFLAG_SS) + return X509_TRUST_TRUSTED; + else + return X509_TRUST_UNTRUSTED; } -static int obj_trust(int id, X509 *x, int flags) +static int +obj_trust(int id, X509 *x, int flags) { ASN1_OBJECT *obj; int i; X509_CERT_AUX *ax; + ax = x->aux; - if(!ax) return X509_TRUST_UNTRUSTED; - if(ax->reject) { - for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { + if (!ax) + return X509_TRUST_UNTRUSTED; + if (ax->reject) { + for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { obj = sk_ASN1_OBJECT_value(ax->reject, i); - if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED; + if (OBJ_obj2nid(obj) == id) + return X509_TRUST_REJECTED; } - } - if(ax->trust) { - for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { + } + if (ax->trust) { + for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { obj = sk_ASN1_OBJECT_value(ax->trust, i); - if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED; + if (OBJ_obj2nid(obj) == id) + return X509_TRUST_TRUSTED; } } return X509_TRUST_UNTRUSTED; } - diff --git a/lib/libssl/src/crypto/x509/x509_txt.c b/lib/libssl/src/crypto/x509/x509_txt.c index 8caf18a9553..31a909a12ca 100644 --- a/lib/libssl/src/crypto/x509/x509_txt.c +++ b/lib/libssl/src/crypto/x509/x509_txt.c @@ -5,21 +5,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -68,7 +68,8 @@ #include #include -const char *X509_verify_cert_error_string(long n) +const char * +X509_verify_cert_error_string(long n) { static char buf[100]; @@ -162,12 +163,11 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_NO_EXPLICIT_POLICY: return("no explicit policy"); case X509_V_ERR_DIFFERENT_CRL_SCOPE: - return("Different CRL scope"); + return("Different CRL scope"); case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: - return("Unsupported extension feature"); - case X509_V_ERR_UNNESTED_RESOURCE: - return("RFC 3779 resource not subset of parent's resources"); - + return("Unsupported extension feature"); + case X509_V_ERR_UNNESTED_RESOURCE: + return("RFC 3779 resource not subset of parent's resources"); case X509_V_ERR_PERMITTED_VIOLATION: return("permitted subtree violation"); case X509_V_ERR_EXCLUDED_VIOLATION: @@ -184,9 +184,7 @@ const char *X509_verify_cert_error_string(long n) return("CRL path validation error"); default: - snprintf(buf,sizeof buf,"error number %ld",n); - return(buf); + snprintf(buf, sizeof buf, "error number %ld", n); + return (buf); } } - - diff --git a/lib/libssl/src/crypto/x509/x509_v3.c b/lib/libssl/src/crypto/x509/x509_v3.c index f41fab3367b..cabace584b0 100644 --- a/lib/libssl/src/crypto/x509/x509_v3.c +++ b/lib/libssl/src/crypto/x509/x509_v3.c @@ -5,21 +5,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -65,202 +65,235 @@ #include #include -int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) +int +X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) { - if (x == NULL) return(0); - return(sk_X509_EXTENSION_num(x)); + if (x == NULL) + return (0); + return (sk_X509_EXTENSION_num(x)); } -int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, - int lastpos) +int +X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos) { ASN1_OBJECT *obj; - obj=OBJ_nid2obj(nid); - if (obj == NULL) return(-2); - return(X509v3_get_ext_by_OBJ(x,obj,lastpos)); + obj = OBJ_nid2obj(nid); + if (obj == NULL) + return (-2); + return (X509v3_get_ext_by_OBJ(x, obj, lastpos)); } -int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, - int lastpos) +int +X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, + int lastpos) { int n; X509_EXTENSION *ex; - if (sk == NULL) return(-1); + if (sk == NULL) + return (-1); lastpos++; if (lastpos < 0) - lastpos=0; - n=sk_X509_EXTENSION_num(sk); - for ( ; lastpos < n; lastpos++) { - ex=sk_X509_EXTENSION_value(sk,lastpos); - if (OBJ_cmp(ex->object,obj) == 0) - return(lastpos); + lastpos = 0; + n = sk_X509_EXTENSION_num(sk); + for (; lastpos < n; lastpos++) { + ex = sk_X509_EXTENSION_value(sk, lastpos); + if (OBJ_cmp(ex->object, obj) == 0) + return (lastpos); } - return(-1); + return (-1); } -int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, - int lastpos) +int +X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, + int lastpos) { int n; X509_EXTENSION *ex; - if (sk == NULL) return(-1); + if (sk == NULL) + return (-1); lastpos++; if (lastpos < 0) - lastpos=0; - n=sk_X509_EXTENSION_num(sk); - for ( ; lastpos < n; lastpos++) { - ex=sk_X509_EXTENSION_value(sk,lastpos); - if ( ((ex->critical > 0) && crit) || - ((ex->critical <= 0) && !crit)) - return(lastpos); + lastpos = 0; + n = sk_X509_EXTENSION_num(sk); + for (; lastpos < n; lastpos++) { + ex = sk_X509_EXTENSION_value(sk, lastpos); + if (((ex->critical > 0) && crit) || + ((ex->critical <= 0) && !crit)) + return (lastpos); } - return(-1); + return (-1); } -X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) +X509_EXTENSION * +X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) { if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) return NULL; else - return sk_X509_EXTENSION_value(x,loc); + return sk_X509_EXTENSION_value(x, loc); } -X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) +X509_EXTENSION * +X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) { X509_EXTENSION *ret; if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) - return(NULL); - ret=sk_X509_EXTENSION_delete(x,loc); - return(ret); + return (NULL); + ret = sk_X509_EXTENSION_delete(x, loc); + return (ret); } -STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, - X509_EXTENSION *ex, int loc) +STACK_OF(X509_EXTENSION) * +X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc) { - X509_EXTENSION *new_ex=NULL; + X509_EXTENSION *new_ex = NULL; int n; - STACK_OF(X509_EXTENSION) *sk=NULL; + STACK_OF(X509_EXTENSION) *sk = NULL; if (x == NULL) { - X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER); + X509err(X509_F_X509V3_ADD_EXT, ERR_R_PASSED_NULL_PARAMETER); goto err2; } if (*x == NULL) { - if ((sk=sk_X509_EXTENSION_new_null()) == NULL) + if ((sk = sk_X509_EXTENSION_new_null()) == NULL) goto err; } else sk= *x; - n=sk_X509_EXTENSION_num(sk); - if (loc > n) loc=n; - else if (loc < 0) loc=n; + n = sk_X509_EXTENSION_num(sk); + if (loc > n) + loc = n; + else if (loc < 0) + loc = n; - if ((new_ex=X509_EXTENSION_dup(ex)) == NULL) + if ((new_ex = X509_EXTENSION_dup(ex)) == NULL) goto err2; - if (!sk_X509_EXTENSION_insert(sk,new_ex,loc)) + if (!sk_X509_EXTENSION_insert(sk, new_ex, loc)) goto err; if (*x == NULL) - *x=sk; - return(sk); + *x = sk; + return (sk); + err: - X509err(X509_F_X509V3_ADD_EXT,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509V3_ADD_EXT, ERR_R_MALLOC_FAILURE); err2: - if (new_ex != NULL) X509_EXTENSION_free(new_ex); - if (sk != NULL) sk_X509_EXTENSION_free(sk); - return(NULL); + if (new_ex != NULL) + X509_EXTENSION_free(new_ex); + if (sk != NULL) + sk_X509_EXTENSION_free(sk); + return (NULL); } -X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, - int crit, ASN1_OCTET_STRING *data) +X509_EXTENSION * +X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit, + ASN1_OCTET_STRING *data) { ASN1_OBJECT *obj; X509_EXTENSION *ret; - obj=OBJ_nid2obj(nid); + obj = OBJ_nid2obj(nid); if (obj == NULL) { - X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID); - return(NULL); + X509err(X509_F_X509_EXTENSION_CREATE_BY_NID, + X509_R_UNKNOWN_NID); + return (NULL); } - ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data); - if (ret == NULL) ASN1_OBJECT_free(obj); - return(ret); + ret = X509_EXTENSION_create_by_OBJ(ex, obj, crit, data); + if (ret == NULL) + ASN1_OBJECT_free(obj); + return (ret); } -X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, - ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data) +X509_EXTENSION * +X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, ASN1_OBJECT *obj, int crit, + ASN1_OCTET_STRING *data) { X509_EXTENSION *ret; if ((ex == NULL) || (*ex == NULL)) { - if ((ret=X509_EXTENSION_new()) == NULL) - { - X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); - return(NULL); + if ((ret = X509_EXTENSION_new()) == NULL) { + X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ, + ERR_R_MALLOC_FAILURE); + return (NULL); } } else ret= *ex; - if (!X509_EXTENSION_set_object(ret,obj)) + if (!X509_EXTENSION_set_object(ret, obj)) goto err; - if (!X509_EXTENSION_set_critical(ret,crit)) + if (!X509_EXTENSION_set_critical(ret, crit)) goto err; - if (!X509_EXTENSION_set_data(ret,data)) + if (!X509_EXTENSION_set_data(ret, data)) goto err; - - if ((ex != NULL) && (*ex == NULL)) *ex=ret; - return(ret); + + if ((ex != NULL) && (*ex == NULL)) + *ex = ret; + return (ret); + err: if ((ex == NULL) || (ret != *ex)) X509_EXTENSION_free(ret); - return(NULL); + return (NULL); } -int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) +int +X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) { if ((ex == NULL) || (obj == NULL)) - return(0); + return (0); ASN1_OBJECT_free(ex->object); - ex->object=OBJ_dup(obj); - return(1); + ex->object = OBJ_dup(obj); + return (1); } -int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) +int +X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) { - if (ex == NULL) return(0); - ex->critical=(crit)?0xFF:-1; - return(1); + if (ex == NULL) + return (0); + ex->critical = (crit) ? 0xFF : -1; + return (1); } -int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) +int +X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) { int i; - if (ex == NULL) return(0); - i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length); - if (!i) return(0); - return(1); + if (ex == NULL) + return (0); + i = M_ASN1_OCTET_STRING_set(ex->value, data->data, data->length); + if (!i) + return (0); + return (1); } -ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex) +ASN1_OBJECT * +X509_EXTENSION_get_object(X509_EXTENSION *ex) { - if (ex == NULL) return(NULL); - return(ex->object); + if (ex == NULL) + return (NULL); + return (ex->object); } -ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex) +ASN1_OCTET_STRING * +X509_EXTENSION_get_data(X509_EXTENSION *ex) { - if (ex == NULL) return(NULL); - return(ex->value); + if (ex == NULL) + return (NULL); + return (ex->value); } -int X509_EXTENSION_get_critical(X509_EXTENSION *ex) +int +X509_EXTENSION_get_critical(X509_EXTENSION *ex) { - if (ex == NULL) return(0); - if(ex->critical > 0) return 1; + if (ex == NULL) + return (0); + if (ex->critical > 0) + return 1; return 0; } diff --git a/lib/libssl/src/crypto/x509/x509_vfy.c b/lib/libssl/src/crypto/x509/x509_vfy.c index 6e9dd7cc6a5..0024904c20b 100644 --- a/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/lib/libssl/src/crypto/x509/x509_vfy.c @@ -5,21 +5,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -108,7 +108,7 @@ #define CRL_SCORE_TIME_DELTA 0x002 -static int null_callback(int ok,X509_STORE_CTX *e); +static int null_callback(int ok, X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); static int check_chain_extensions(X509_STORE_CTX *ctx); @@ -119,100 +119,106 @@ static int check_cert(X509_STORE_CTX *ctx); static int check_policy(X509_STORE_CTX *ctx); static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, - unsigned int *preasons, - X509_CRL *crl, X509 *x); + unsigned int *preasons, X509_CRL *crl, X509 *x); static int get_crl_delta(X509_STORE_CTX *ctx, - X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); + X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, - X509_CRL *base, STACK_OF(X509_CRL) *crls); -static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, - X509 **pissuer, int *pcrl_score); + X509_CRL *base, STACK_OF(X509_CRL) *crls); +static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, + int *pcrl_score); static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, - unsigned int *preasons); + unsigned int *preasons); static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); -static int check_crl_chain(X509_STORE_CTX *ctx, - STACK_OF(X509) *cert_path, - STACK_OF(X509) *crl_path); +static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, + STACK_OF(X509) *crl_path); static int internal_verify(X509_STORE_CTX *ctx); const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; -static int null_callback(int ok, X509_STORE_CTX *e) +static int +null_callback(int ok, X509_STORE_CTX *e) { return ok; } #if 0 -static int x509_subject_cmp(X509 **a, X509 **b) +static int +x509_subject_cmp(X509 **a, X509 **b) { - return X509_subject_name_cmp(*a,*b); + return X509_subject_name_cmp(*a, *b); } #endif -int X509_verify_cert(X509_STORE_CTX *ctx) +int +X509_verify_cert(X509_STORE_CTX *ctx) { - X509 *x,*xtmp,*chain_ss=NULL; + X509 *x, *xtmp, *chain_ss = NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; - int depth,i,ok=0; + int depth, i, ok = 0; int num; - int (*cb)(int xok,X509_STORE_CTX *xctx); - STACK_OF(X509) *sktmp=NULL; + int (*cb)(int xok, X509_STORE_CTX *xctx); + STACK_OF(X509) *sktmp = NULL; + if (ctx->cert == NULL) { - X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); + X509err(X509_F_X509_VERIFY_CERT, + X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; } - cb=ctx->verify_cb; + cb = ctx->verify_cb; /* first we make sure the chain we are going to build is * present and that the first entry is in place */ if (ctx->chain == NULL) { - if ( ((ctx->chain=sk_X509_new_null()) == NULL) || - (!sk_X509_push(ctx->chain,ctx->cert))) { - X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); + if (((ctx->chain = sk_X509_new_null()) == NULL) || + (!sk_X509_push(ctx->chain, ctx->cert))) { + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); goto end; } - CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); - ctx->last_untrusted=1; + CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509); + ctx->last_untrusted = 1; } /* We use a temporary STACK so we can chop and hack at it */ - if (ctx->untrusted != NULL - && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) { - X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); + if (ctx->untrusted != NULL && + (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); goto end; } - num=sk_X509_num(ctx->chain); - x=sk_X509_value(ctx->chain,num-1); - depth=param->depth; - + num = sk_X509_num(ctx->chain); + x = sk_X509_value(ctx->chain, num - 1); + depth = param->depth; for (;;) { /* If we have enough, we break */ - if (depth < num) break; /* FIXME: If this happens, we should take - * note of it and, if appropriate, use the - * X509_V_ERR_CERT_CHAIN_TOO_LONG error - * code later. - */ + if (depth < num) + break; /* FIXME: If this happens, we should take + * note of it and, if appropriate, use the + * X509_V_ERR_CERT_CHAIN_TOO_LONG error + * code later. + */ /* If we are self signed, we break */ - if (ctx->check_issued(ctx, x,x)) break; + if (ctx->check_issued(ctx, x, x)) + break; /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) { - xtmp=find_issuer(ctx, sktmp,x); + xtmp = find_issuer(ctx, sktmp, x); if (xtmp != NULL) { - if (!sk_X509_push(ctx->chain,xtmp)) { - X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); + if (!sk_X509_push(ctx->chain, xtmp)) { + X509err(X509_F_X509_VERIFY_CERT, + ERR_R_MALLOC_FAILURE); goto end; } - CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); - (void)sk_X509_delete_ptr(sktmp,xtmp); + CRYPTO_add(&xtmp->references, 1, + CRYPTO_LOCK_X509); + (void)sk_X509_delete_ptr(sktmp, xtmp); ctx->last_untrusted++; - x=xtmp; + x = xtmp; num++; /* reparse the full chain for * the next one */ @@ -230,8 +236,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) * is self signed. */ - i=sk_X509_num(ctx->chain); - x=sk_X509_value(ctx->chain,i-1); + i = sk_X509_num(ctx->chain); + x = sk_X509_value(ctx->chain, i - 1); if (ctx->check_issued(ctx, x, x)) { /* we have a self signed certificate */ if (sk_X509_num(ctx->chain) == 1) { @@ -241,13 +247,16 @@ int X509_verify_cert(X509_STORE_CTX *ctx) */ ok = ctx->get_issuer(&xtmp, ctx, x); if ((ok <= 0) || X509_cmp(x, xtmp)) { - ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; - ctx->current_cert=x; - ctx->error_depth=i-1; - if (ok == 1) X509_free(xtmp); + ctx->error = + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; + ctx->current_cert = x; + ctx->error_depth = i - 1; + if (ok == 1) + X509_free(xtmp); bad_chain = 1; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } else { /* We have a match: replace certificate with store version * so we get any trust settings. @@ -255,34 +264,37 @@ int X509_verify_cert(X509_STORE_CTX *ctx) X509_free(x); x = xtmp; (void)sk_X509_set(ctx->chain, i - 1, x); - ctx->last_untrusted=0; + ctx->last_untrusted = 0; } } else { /* extract and save self signed certificate for later use */ - chain_ss=sk_X509_pop(ctx->chain); + chain_ss = sk_X509_pop(ctx->chain); ctx->last_untrusted--; num--; - x=sk_X509_value(ctx->chain,num-1); + x = sk_X509_value(ctx->chain, num - 1); } } /* We now lookup certs from the certificate store */ for (;;) { /* If we have enough, we break */ - if (depth < num) break; + if (depth < num) + break; /* If we are self signed, we break */ - if (ctx->check_issued(ctx,x,x)) break; + if (ctx->check_issued(ctx, x, x)) + break; ok = ctx->get_issuer(&xtmp, ctx, x); - - if (ok < 0) return ok; - if (ok == 0) break; + if (ok < 0) + return ok; + if (ok == 0) + break; x = xtmp; - if (!sk_X509_push(ctx->chain,x)) { + if (!sk_X509_push(ctx->chain, x)) { X509_free(xtmp); - X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); return 0; } num++; @@ -291,81 +303,94 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* we now have our chain, lets check it... */ /* Is last certificate looked up self signed? */ - if (!ctx->check_issued(ctx,x,x)) { - if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { + if (!ctx->check_issued(ctx, x, x)) { + if ((chain_ss == NULL) || + !ctx->check_issued(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num) - ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; + ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; else - ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; - ctx->current_cert=x; + ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; + ctx->current_cert = x; } else { - sk_X509_push(ctx->chain,chain_ss); + sk_X509_push(ctx->chain, chain_ss); num++; - ctx->last_untrusted=num; - ctx->current_cert=chain_ss; - ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; - chain_ss=NULL; + ctx->last_untrusted = num; + ctx->current_cert = chain_ss; + ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; + chain_ss = NULL; } - ctx->error_depth=num-1; + ctx->error_depth = num - 1; bad_chain = 1; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } /* We have the chain complete: now we need to check its purpose */ ok = check_chain_extensions(ctx); - if (!ok) goto end; + if (!ok) + goto end; /* Check name constraints */ ok = check_name_constraints(ctx); - - if (!ok) goto end; + + if (!ok) + goto end; /* The chain extensions are OK: check trust */ - if (param->trust > 0) ok = check_trust(ctx); + if (param->trust > 0) + ok = check_trust(ctx); - if (!ok) goto end; + if (!ok) + goto end; /* We may as well copy down any DSA parameters that are required */ - X509_get_pubkey_parameters(NULL,ctx->chain); + X509_get_pubkey_parameters(NULL, ctx->chain); /* Check revocation status: we do this after copying parameters * because they may be needed for CRL signature verification. */ ok = ctx->check_revocation(ctx); - if(!ok) goto end; + if (!ok) + goto end; /* At this point, we have a chain and need to verify it */ if (ctx->verify != NULL) - ok=ctx->verify(ctx); + ok = ctx->verify(ctx); else - ok=internal_verify(ctx); - if(!ok) goto end; + ok = internal_verify(ctx); + if (!ok) + goto end; #ifndef OPENSSL_NO_RFC3779 /* RFC 3779 path validation, now that CRL check has been done */ ok = v3_asid_validate_path(ctx); - if (!ok) goto end; + if (!ok) + goto end; ok = v3_addr_validate_path(ctx); - if (!ok) goto end; + if (!ok) + goto end; #endif /* If we get this far evaluate policies */ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) ok = ctx->check_policy(ctx); - if(!ok) goto end; + if (!ok) + goto end; if (0) { end: - X509_get_pubkey_parameters(NULL,ctx->chain); + X509_get_pubkey_parameters(NULL, ctx->chain); } - if (sktmp != NULL) sk_X509_free(sktmp); - if (chain_ss != NULL) X509_free(chain_ss); + if (sktmp != NULL) + sk_X509_free(sktmp); + if (chain_ss != NULL) + X509_free(chain_ss); return ok; } @@ -373,10 +398,12 @@ end: /* Given a STACK_OF(X509) find the issuer of cert (if any) */ -static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) +static X509 * +find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { int i; X509 *issuer; + for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); if (ctx->check_issued(ctx, x, issuer)) @@ -387,9 +414,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) /* Given a possible certificate and issuer check them */ -static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) +static int +check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { int ret; + ret = X509_check_issued(issuer, x); if (ret == X509_V_OK) return 1; @@ -405,33 +434,35 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) /* Alternative lookup method: look from a STACK stored in other_ctx */ -static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) +static int +get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { *issuer = find_issuer(ctx, ctx->other_ctx, x); if (*issuer) { - CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); + CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); return 1; } else return 0; } - /* Check a certificate chains extensions for consistency * with the supplied purpose */ -static int check_chain_extensions(X509_STORE_CTX *ctx) +static int +check_chain_extensions(X509_STORE_CTX *ctx) { #ifdef OPENSSL_NO_CHAIN_VERIFY return 1; #else - int i, ok=0, must_be_ca, plen = 0; + int i, ok = 0, must_be_ca, plen = 0; X509 *x; - int (*cb)(int xok,X509_STORE_CTX *xctx); + int (*cb)(int xok, X509_STORE_CTX *xctx); int proxy_path_length = 0; int purpose; int allow_proxy_certs; - cb=ctx->verify_cb; + + cb = ctx->verify_cb; /* must_be_ca can have 1 of 3 values: -1: we accept both CA and non-CA certificates, to allow direct @@ -449,7 +480,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) purpose = X509_PURPOSE_CRL_SIGN; } else { allow_proxy_certs = - !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); + !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); /* A hack to keep people who don't want to modify their software happy */ if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) @@ -461,26 +492,28 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) for (i = 0; i < ctx->last_untrusted; i++) { int ret; x = sk_X509_value(ctx->chain, i); - if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (x->ex_flags & EXFLAG_CRITICAL)) { + if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && + (x->ex_flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } ret = X509_check_ca(x); - switch(must_be_ca) { + switch (must_be_ca) { case -1: - if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1) && (ret != 0)) { + if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && + (ret != 1) && (ret != 0)) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; } else @@ -494,9 +527,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ret = 1; break; default: - if ((ret == 0) - || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) { + if ((ret == 0) || + ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && + (ret != 1))) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; } else @@ -506,30 +539,33 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (ret == 0) { ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } if (ctx->param->purpose > 0) { ret = X509_check_purpose(x, purpose, must_be_ca > 0); - if ((ret == 0) - || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) { + if ((ret == 0) || + ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && + (ret != 1))) { ctx->error = X509_V_ERR_INVALID_PURPOSE; ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } } /* Check pathlen if not self issued */ - if ((i > 1) && !(x->ex_flags & EXFLAG_SI) - && (x->ex_pathlen != -1) - && (plen > (x->ex_pathlen + proxy_path_length + 1))) { + if ((i > 1) && !(x->ex_flags & EXFLAG_SI) && + (x->ex_pathlen != -1) && + (plen > (x->ex_pathlen + proxy_path_length + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } /* Increment path length if not self issued */ if (!(x->ex_flags & EXFLAG_SI)) @@ -541,11 +577,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (x->ex_flags & EXFLAG_PROXY) { if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { ctx->error = - X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; + X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; - ok=cb(0,ctx); - if (!ok) goto end; + ok = cb(0, ctx); + if (!ok) + goto end; } proxy_path_length++; must_be_ca = 0; @@ -553,15 +590,18 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) must_be_ca = 1; } ok = 1; - end: + +end: return ok; #endif } -static int check_name_constraints(X509_STORE_CTX *ctx) +static int +check_name_constraints(X509_STORE_CTX *ctx) { X509 *x; int i, j, rv; + /* Check name constraints for all certificates */ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { x = sk_X509_value(ctx->chain, i); @@ -581,7 +621,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) ctx->error = rv; ctx->error_depth = i; ctx->current_cert = x; - if (!ctx->verify_cb(0,ctx)) + if (!ctx->verify_cb(0, ctx)) return 0; } } @@ -590,16 +630,18 @@ static int check_name_constraints(X509_STORE_CTX *ctx) return 1; } -static int check_trust(X509_STORE_CTX *ctx) +static int +check_trust(X509_STORE_CTX *ctx) { #ifdef OPENSSL_NO_CHAIN_VERIFY return 1; #else int i, ok; X509 *x; - int (*cb)(int xok,X509_STORE_CTX *xctx); - cb=ctx->verify_cb; -/* For now just check the last certificate in the chain */ + int (*cb)(int xok, X509_STORE_CTX *xctx); + + cb = ctx->verify_cb; + /* For now just check the last certificate in the chain */ i = sk_X509_num(ctx->chain) - 1; x = sk_X509_value(ctx->chain, i); ok = X509_check_trust(x, ctx->param->trust, 0); @@ -616,9 +658,11 @@ static int check_trust(X509_STORE_CTX *ctx) #endif } -static int check_revocation(X509_STORE_CTX *ctx) +static int +check_revocation(X509_STORE_CTX *ctx) { int i, last, ok; + if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) return 1; if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) @@ -629,19 +673,23 @@ static int check_revocation(X509_STORE_CTX *ctx) return 1; last = 0; } - for(i = 0; i <= last; i++) { + for (i = 0; i <= last; i++) { ctx->error_depth = i; ok = check_cert(ctx); - if (!ok) return ok; + if (!ok) + return ok; } return 1; } -static int check_cert(X509_STORE_CTX *ctx) { +static int +check_cert(X509_STORE_CTX *ctx) +{ X509_CRL *crl = NULL, *dcrl = NULL; X509 *x; int ok, cnum; unsigned int last_reasons; + cnum = ctx->error_depth; x = sk_X509_value(ctx->chain, cnum); ctx->current_cert = x; @@ -658,7 +706,7 @@ static int check_cert(X509_STORE_CTX *ctx) { /* If error looking up CRL, nothing we can do except * notify callback */ - if(!ok) { + if (!ok) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; ok = ctx->verify_cb(0, ctx); goto err; @@ -698,21 +746,23 @@ static int check_cert(X509_STORE_CTX *ctx) { goto err; } } + err: X509_CRL_free(crl); X509_CRL_free(dcrl); ctx->current_crl = NULL; return ok; - } /* Check CRL times against values in X509_STORE_CTX */ -static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) +static int +check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { time_t *ptime; int i; + if (notify) ctx->current_crl = crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) @@ -720,11 +770,11 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) else ptime = NULL; - i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); + i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); if (i == 0) { if (!notify) return 0; - ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; + ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; if (!ctx->verify_cb(0, ctx)) return 0; } @@ -732,26 +782,27 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) if (i > 0) { if (!notify) return 0; - ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; + ctx->error = X509_V_ERR_CRL_NOT_YET_VALID; if (!ctx->verify_cb(0, ctx)) return 0; } - if(X509_CRL_get_nextUpdate(crl)) { - i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); + if (X509_CRL_get_nextUpdate(crl)) { + i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); if (i == 0) { if (!notify) return 0; - ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; + ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; if (!ctx->verify_cb(0, ctx)) return 0; } /* Ignore expiry of base CRL is delta is valid */ - if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { + if ((i < 0) && + !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { if (!notify) return 0; - ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; + ctx->error = X509_V_ERR_CRL_HAS_EXPIRED; if (!ctx->verify_cb(0, ctx)) return 0; } @@ -763,9 +814,10 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) return 1; } -static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, - X509 **pissuer, int *pscore, unsigned int *preasons, - STACK_OF(X509_CRL) *crls) +static int +get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, + X509 **pissuer, int *pscore, unsigned int *preasons, + STACK_OF(X509_CRL) *crls) { int i, crl_score, best_score = *pscore; unsigned int reasons, best_reasons = 0; @@ -811,10 +863,12 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, * both present or both absent. If both present all fields must be identical. */ -static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) +static int +crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) { ASN1_OCTET_STRING *exta, *extb; int i; + i = X509_CRL_get_ext_by_NID(a, nid, -1); if (i >= 0) { /* Can't have multiple occurrences */ @@ -827,7 +881,6 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) i = X509_CRL_get_ext_by_NID(b, nid, -1); if (i >= 0) { - if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) return 0; extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); @@ -840,7 +893,6 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) if (!exta || !extb) return 0; - if (ASN1_OCTET_STRING_cmp(exta, extb)) return 0; @@ -849,29 +901,30 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) /* See if a base and delta are compatible */ -static int check_delta_base(X509_CRL *delta, X509_CRL *base) +static int +check_delta_base(X509_CRL *delta, X509_CRL *base) { /* Delta CRL must be a delta */ if (!delta->base_crl_number) - return 0; + return 0; /* Base must have a CRL number */ if (!base->crl_number) - return 0; + return 0; /* Issuer names must match */ if (X509_NAME_cmp(X509_CRL_get_issuer(base), - X509_CRL_get_issuer(delta))) + X509_CRL_get_issuer(delta))) return 0; /* AKID and IDP must match */ if (!crl_extension_match(delta, base, NID_authority_key_identifier)) - return 0; + return 0; if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) - return 0; + return 0; /* Delta CRL base number must not exceed Full CRL number. */ if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) - return 0; + return 0; /* Delta CRL number must exceed full CRL number */ if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) - return 1; + return 1; return 0; } @@ -879,11 +932,13 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base) * or retrieve a chain of deltas... */ -static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, - X509_CRL *base, STACK_OF(X509_CRL) *crls) +static void +get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base, + STACK_OF(X509_CRL) *crls) { X509_CRL *delta; int i; + if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) return; if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) @@ -908,11 +963,10 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, * no new reasons the CRL is rejected, otherwise reasons is updated. */ -static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, - unsigned int *preasons, - X509_CRL *crl, X509 *x) +static int +get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, + X509_CRL *crl, X509 *x) { - int crl_score = 0; unsigned int tmp_reasons = *preasons, crl_reasons; @@ -968,11 +1022,11 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, *preasons = tmp_reasons; return crl_score; - } -static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, - X509 **pissuer, int *pcrl_score) +static void +crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, + int *pcrl_score) { X509 *crl_issuer = NULL; X509_NAME *cnm = X509_CRL_get_issuer(crl); @@ -1026,14 +1080,16 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, /* Check the path of a CRL issuer certificate. This creates a new * X509_STORE_CTX and populates it with most of the parameters from the * parent. This could be optimised somewhat since a lot of path checking - * will be duplicated by the parent, but this will rarely be used in + * will be duplicated by the parent, but this will rarely be used in * practice. */ -static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) +static int +check_crl_path(X509_STORE_CTX *ctx, X509 *x) { X509_STORE_CTX crl_ctx; int ret; + /* Don't allow recursive CRL path validation */ if (ctx->parent) return 0; @@ -1054,9 +1110,9 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) goto err; /* Check chain is acceptable */ - ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); - err: + +err: X509_STORE_CTX_cleanup(&crl_ctx); return ret; } @@ -1069,11 +1125,12 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) * until this is resolved we use the RFC5280 version */ -static int check_crl_chain(X509_STORE_CTX *ctx, - STACK_OF(X509) *cert_path, - STACK_OF(X509) *crl_path) +static int +check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, + STACK_OF(X509) *crl_path) { X509 *cert_ta, *crl_ta; + cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); if (!X509_cmp(cert_ta, crl_ta)) @@ -1088,13 +1145,14 @@ static int check_crl_chain(X509_STORE_CTX *ctx, * 4. One is NULL: automatic match. */ - -static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) +static int +idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) { X509_NAME *nm = NULL; GENERAL_NAMES *gens = NULL; GENERAL_NAME *gena, *genb; int i, j; + if (!a || !b) return 1; if (a->type == 1) { @@ -1123,7 +1181,7 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ if (nm) { for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { - gena = sk_GENERAL_NAME_value(gens, i); + gena = sk_GENERAL_NAME_value(gens, i); if (gena->type != GEN_DIRNAME) continue; if (!X509_NAME_cmp(nm, gena->d.directoryName)) @@ -1144,13 +1202,14 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) } return 0; - } -static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) +static int +crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) { int i; X509_NAME *nm = X509_CRL_get_issuer(crl); + /* If no CRLissuer return is successful iff don't need a match */ if (!dp->CRLissuer) return !!(crl_score & CRL_SCORE_ISSUER_NAME); @@ -1166,10 +1225,11 @@ static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) /* Check CRLDP and IDP */ -static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, - unsigned int *preasons) +static int +crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons) { int i; + if (crl->idp_flags & IDP_ONLYATTR) return 0; if (x->ex_flags & EXFLAG_CA) { @@ -1184,13 +1244,14 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); if (crldp_check_crlissuer(dp, crl, crl_score)) { if (!crl->idp || - idp_check_dp(dp->distpoint, crl->idp->distpoint)) { + idp_check_dp(dp->distpoint, crl->idp->distpoint)) { *preasons &= dp->dp_reasons; return 1; } } } - if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) + if ((!crl->idp || !crl->idp->distpoint) && + (crl_score & CRL_SCORE_ISSUER_NAME)) return 1; return 0; } @@ -1198,9 +1259,9 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, /* Retrieve CRL corresponding to current certificate. * If deltas enabled try to find a delta CRL too */ - -static int get_crl_delta(X509_STORE_CTX *ctx, - X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) + +static int +get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) { int ok; X509 *issuer = NULL; @@ -1209,15 +1270,14 @@ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL *crl = NULL, *dcrl = NULL; STACK_OF(X509_CRL) *skcrl; X509_NAME *nm = X509_get_issuer_name(x); - reasons = ctx->current_reasons; - ok = get_crl_sk(ctx, &crl, &dcrl, - &issuer, &crl_score, &reasons, ctx->crls); + reasons = ctx->current_reasons; + ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, + ctx->crls); if (ok) goto done; /* Lookup CRLs from store */ - skcrl = ctx->lookup_crls(ctx, nm); /* If no CRLs found and a near match from get_crl_sk use that */ @@ -1228,7 +1288,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx, sk_X509_CRL_pop_free(skcrl, X509_CRL_free); - done: +done: /* If we got any kind of CRL use it and return success */ if (crl) { @@ -1244,11 +1304,13 @@ static int get_crl_delta(X509_STORE_CTX *ctx, } /* Check CRL validity */ -static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) +static int +check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) { X509 *issuer = NULL; EVP_PKEY *ikey = NULL; int ok = 0, chnum, cnum; + cnum = ctx->error_depth; chnum = sk_X509_num(ctx->chain) - 1; /* if we have an alternative CRL issuer cert use that */ @@ -1262,44 +1324,50 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) } else { issuer = sk_X509_value(ctx->chain, chnum); /* If not self signed, can't check signature */ - if(!ctx->check_issued(ctx, issuer, issuer)) { + if (!ctx->check_issued(ctx, issuer, issuer)) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + if (!ok) + goto err; } } - if(issuer) { + if (issuer) { /* Skip most tests for deltas because they have already * been done */ if (!crl->base_crl_number) { /* Check for cRLSign bit if keyUsage present */ if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN)) { + !(issuer->ex_kusage & KU_CRL_SIGN)) { ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + if (!ok) + goto err; } if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + if (!ok) + goto err; } if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { - if (check_crl_path(ctx, ctx->current_issuer) <= 0) { + if (check_crl_path(ctx, + ctx->current_issuer) <= 0) { ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + if (!ok) + goto err; } } if (crl->idp_flags & IDP_INVALID) { ctx->error = X509_V_ERR_INVALID_EXTENSION; ok = ctx->verify_cb(0, ctx); - if(!ok) goto err; + if (!ok) + goto err; } @@ -1314,16 +1382,18 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) /* Attempt to get issuer certificate public key */ ikey = X509_get_pubkey(issuer); - if(!ikey) { - ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; + if (!ikey) { + ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; + if (!ok) + goto err; } else { /* Verify CRL signature */ - if(X509_CRL_verify(crl, ikey) <= 0) { - ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; + if (X509_CRL_verify(crl, ikey) <= 0) { + ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE; ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; + if (!ok) + goto err; } } } @@ -1336,20 +1406,22 @@ err: } /* Check certificate against CRL */ -static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) +static int +cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { int ok; X509_REVOKED *rev; + /* The rules changed for this... previously if a CRL contained * unhandled critical extensions it could still be used to indicate - * a certificate was revoked. This has since been changed since + * a certificate was revoked. This has since been changed since * critical extension can change the meaning of CRL entries. */ - if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (crl->flags & EXFLAG_CRITICAL)) { + if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && + (crl->flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; ok = ctx->verify_cb(0, ctx); - if(!ok) + if (!ok) return 0; } /* Look for serial number of certificate in CRL @@ -1367,15 +1439,17 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) return 1; } -static int check_policy(X509_STORE_CTX *ctx) +static int +check_policy(X509_STORE_CTX *ctx) { int ret; + if (ctx->parent) return 1; ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, - ctx->param->policies, ctx->param->flags); + ctx->param->policies, ctx->param->flags); if (ret == 0) { - X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); + X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE); return 0; } /* Invalid or inconsistent extensions */ @@ -1391,7 +1465,7 @@ static int check_policy(X509_STORE_CTX *ctx) continue; ctx->current_cert = x; ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; - if(!ctx->verify_cb(0, ctx)) + if (!ctx->verify_cb(0, ctx)) return 0; } return 1; @@ -1412,7 +1486,8 @@ static int check_policy(X509_STORE_CTX *ctx) return 1; } -static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) +static int +check_cert_time(X509_STORE_CTX *ctx, X509 *x) { time_t *ptime; int i; @@ -1422,32 +1497,32 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) else ptime = NULL; - i=X509_cmp_time(X509_get_notBefore(x), ptime); + i = X509_cmp_time(X509_get_notBefore(x), ptime); if (i == 0) { - ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; - ctx->current_cert=x; + ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; + ctx->current_cert = x; if (!ctx->verify_cb(0, ctx)) return 0; } if (i > 0) { - ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; - ctx->current_cert=x; + ctx->error = X509_V_ERR_CERT_NOT_YET_VALID; + ctx->current_cert = x; if (!ctx->verify_cb(0, ctx)) return 0; } - i=X509_cmp_time(X509_get_notAfter(x), ptime); + i = X509_cmp_time(X509_get_notAfter(x), ptime); if (i == 0) { - ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; - ctx->current_cert=x; + ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; + ctx->current_cert = x; if (!ctx->verify_cb(0, ctx)) return 0; } if (i < 0) { - ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; - ctx->current_cert=x; + ctx->error = X509_V_ERR_CERT_HAS_EXPIRED; + ctx->current_cert = x; if (!ctx->verify_cb(0, ctx)) return 0; } @@ -1455,60 +1530,63 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) return 1; } -static int internal_verify(X509_STORE_CTX *ctx) +static int +internal_verify(X509_STORE_CTX *ctx) { - int ok=0,n; - X509 *xs,*xi; - EVP_PKEY *pkey=NULL; - int (*cb)(int xok,X509_STORE_CTX *xctx); + int ok = 0, n; + X509 *xs, *xi; + EVP_PKEY *pkey = NULL; + int (*cb)(int xok, X509_STORE_CTX *xctx); - cb=ctx->verify_cb; + cb = ctx->verify_cb; - n=sk_X509_num(ctx->chain); - ctx->error_depth=n-1; + n = sk_X509_num(ctx->chain); + ctx->error_depth = n - 1; n--; - xi=sk_X509_value(ctx->chain,n); + xi = sk_X509_value(ctx->chain, n); if (ctx->check_issued(ctx, xi, xi)) - xs=xi; + xs = xi; else { if (n <= 0) { - ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; - ctx->current_cert=xi; - ok=cb(0,ctx); + ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; + ctx->current_cert = xi; + ok = cb(0, ctx); goto end; } else { n--; - ctx->error_depth=n; - xs=sk_X509_value(ctx->chain,n); + ctx->error_depth = n; + xs = sk_X509_value(ctx->chain, n); } } /* ctx->error=0; not needed */ while (n >= 0) { - ctx->error_depth=n; + ctx->error_depth = n; /* Skip signature check for self signed certificates unless * explicitly asked for. It doesn't add any security and * just wastes time. */ - if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { - if ((pkey=X509_get_pubkey(xi)) == NULL) { - ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; - ctx->current_cert=xi; - ok=(*cb)(0,ctx); - if (!ok) goto end; - } else if (X509_verify(xs,pkey) <= 0) { - ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; - ctx->current_cert=xs; - ok=(*cb)(0,ctx); + if (!xs->valid && (xs != xi || + (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { + if ((pkey = X509_get_pubkey(xi)) == NULL) { + ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; + ctx->current_cert = xi; + ok = (*cb)(0, ctx); + if (!ok) + goto end; + } else if (X509_verify(xs, pkey) <= 0) { + ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; + ctx->current_cert = xs; + ok = (*cb)(0, ctx); if (!ok) { EVP_PKEY_free(pkey); goto end; } } EVP_PKEY_free(pkey); - pkey=NULL; + pkey = NULL; } xs->valid = 1; @@ -1518,200 +1596,225 @@ static int internal_verify(X509_STORE_CTX *ctx) goto end; /* The last error (if any) is still in the error value */ - ctx->current_issuer=xi; - ctx->current_cert=xs; - ok=(*cb)(1,ctx); - if (!ok) goto end; + ctx->current_issuer = xi; + ctx->current_cert = xs; + ok = (*cb)(1, ctx); + if (!ok) + goto end; n--; if (n >= 0) { - xi=xs; - xs=sk_X509_value(ctx->chain,n); + xi = xs; + xs = sk_X509_value(ctx->chain, n); } } - ok=1; + ok = 1; + end: return ok; } -int X509_cmp_current_time(const ASN1_TIME *ctm) +int +X509_cmp_current_time(const ASN1_TIME *ctm) { return X509_cmp_time(ctm, NULL); } -int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) +int +X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) { char *str; ASN1_TIME atm; long offset; - char buff1[24],buff2[24],*p; - int i,j; + char buff1[24], buff2[24], *p; + int i, j; - p=buff1; - i=ctm->length; - str=(char *)ctm->data; + p = buff1; + i = ctm->length; + str = (char *)ctm->data; if (ctm->type == V_ASN1_UTCTIME) { - if ((i < 11) || (i > 17)) return 0; - memcpy(p,str,10); - p+=10; - str+=10; + if ((i < 11) || (i > 17)) + return 0; + memcpy(p, str, 10); + p += 10; + str += 10; } else { - if (i < 13) return 0; - memcpy(p,str,12); - p+=12; - str+=12; + if (i < 13) + return 0; + memcpy(p, str, 12); + p += 12; + str += 12; } if ((*str == 'Z') || (*str == '-') || (*str == '+')) { - *(p++)='0'; - *(p++)='0'; - } else { - *(p++)= *(str++); - *(p++)= *(str++); + *(p++) = '0'; + *(p++) = '0'; + } else { + *(p++) = *(str++); + *(p++) = *(str++); /* Skip any fractional seconds... */ if (*str == '.') { str++; - while ((*str >= '0') && (*str <= '9')) str++; + while ((*str >= '0') && (*str <= '9')) + str++; } - } - *(p++)='Z'; - *(p++)='\0'; + *(p++) = 'Z'; + *(p++) = '\0'; if (*str == 'Z') - offset=0; + offset = 0; else { if ((*str != '+') && (*str != '-')) return 0; - offset=((str[1]-'0')*10+(str[2]-'0'))*60; - offset+=(str[3]-'0')*10+(str[4]-'0'); + offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60; + offset += (str[3] - '0') * 10 + (str[4] - '0'); if (*str == '-') - offset= -offset; + offset = -offset; } - atm.type=ctm->type; + atm.type = ctm->type; atm.flags = 0; - atm.length=sizeof(buff2); - atm.data=(unsigned char *)buff2; + atm.length = sizeof(buff2); + atm.data = (unsigned char *)buff2; - if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) + if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL) return 0; if (ctm->type == V_ASN1_UTCTIME) { - i=(buff1[0]-'0')*10+(buff1[1]-'0'); - if (i < 50) i+=100; /* cf. RFC 2459 */ - j=(buff2[0]-'0')*10+(buff2[1]-'0'); - if (j < 50) j+=100; - - if (i < j) return -1; - if (i > j) return 1; + i = (buff1[0] - '0') * 10 + (buff1[1] - '0'); + if (i < 50) + i += 100; /* cf. RFC 2459 */ + j = (buff2[0] - '0') * 10 + (buff2[1] - '0'); + if (j < 50) + j += 100; + if (i < j) + return -1; + if (i > j) + return 1; } - i=strcmp(buff1,buff2); + i = strcmp(buff1, buff2); if (i == 0) /* wait a second then return younger :-) */ return -1; else return i; } -ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) +ASN1_TIME * +X509_gmtime_adj(ASN1_TIME *s, long adj) { return X509_time_adj(s, adj, NULL); } -ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) +ASN1_TIME * +X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) { return X509_time_adj_ex(s, 0, offset_sec, in_tm); } -ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, - int offset_day, long offset_sec, time_t *in_tm) +ASN1_TIME * +X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm) { time_t t; - if (in_tm) t = *in_tm; - else time(&t); + if (in_tm) + t = *in_tm; + else + time(&t); if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) { if (s->type == V_ASN1_UTCTIME) - return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); + return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec); if (s->type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, - offset_sec); + offset_sec); } return ASN1_TIME_adj(s, t, offset_day, offset_sec); } -int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) +int +X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) { - EVP_PKEY *ktmp=NULL,*ktmp2; - int i,j; + EVP_PKEY *ktmp = NULL, *ktmp2; + int i, j; - if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; + if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) + return 1; - for (i=0; i= 0; j--) { - ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); - EVP_PKEY_copy_parameters(ktmp2,ktmp); + for (j = i - 1; j >= 0; j--) { + ktmp2 = X509_get_pubkey(sk_X509_value(chain, j)); + EVP_PKEY_copy_parameters(ktmp2, ktmp); EVP_PKEY_free(ktmp2); } - - if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); + + if (pkey != NULL) + EVP_PKEY_copy_parameters(pkey, ktmp); EVP_PKEY_free(ktmp); return 1; } -int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, - CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) +int +X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) { /* This function is (usually) called only once, by * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ - return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, - new_func, dup_func, free_func); + return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, + argl, argp, new_func, dup_func, free_func); } -int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) +int +X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) { - return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); + return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); } -void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) +void * +X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) { - return CRYPTO_get_ex_data(&ctx->ex_data,idx); + return CRYPTO_get_ex_data(&ctx->ex_data, idx); } -int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) +int +X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) { return ctx->error; } -void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) +void +X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) { - ctx->error=err; + ctx->error = err; } -int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) +int +X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) { return ctx->error_depth; } -X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) +X509 * +X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) { return ctx->current_cert; } @@ -1726,7 +1829,9 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) int i; X509 *x; STACK_OF(X509) *chain; - if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; + + if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) + return NULL; for (i = 0; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); @@ -1734,42 +1839,50 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) return chain; } -X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) +X509 * +X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) { return ctx->current_issuer; } -X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) +X509_CRL * +X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) { return ctx->current_crl; } -X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) +X509_STORE_CTX * +X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) { return ctx->parent; } -void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) +void +X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) { - ctx->cert=x; + ctx->cert = x; } -void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) +void +X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { - ctx->untrusted=sk; + ctx->untrusted = sk; } -void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) +void +X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) { - ctx->crls=sk; + ctx->crls = sk; } -int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) +int +X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); } -int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) +int +X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) { return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); } @@ -1784,19 +1897,22 @@ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) * aren't set then we use the default of SSL client/server. */ -int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, - int purpose, int trust) +int +X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, + int purpose, int trust) { int idx; + /* If purpose not set use default */ - if (!purpose) purpose = def_purpose; + if (!purpose) + purpose = def_purpose; /* If we have a purpose then check it is valid */ if (purpose) { X509_PURPOSE *ptmp; idx = X509_PURPOSE_get_by_id(purpose); if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, - X509_R_UNKNOWN_PURPOSE_ID); + X509_R_UNKNOWN_PURPOSE_ID); return 0; } ptmp = X509_PURPOSE_get0(idx); @@ -1804,74 +1920,82 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, idx = X509_PURPOSE_get_by_id(def_purpose); if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, - X509_R_UNKNOWN_PURPOSE_ID); + X509_R_UNKNOWN_PURPOSE_ID); return 0; } ptmp = X509_PURPOSE_get0(idx); } /* If trust not set then get from purpose default */ - if (!trust) trust = ptmp->trust; + if (!trust) + trust = ptmp->trust; } if (trust) { idx = X509_TRUST_get_by_id(trust); if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, - X509_R_UNKNOWN_TRUST_ID); + X509_R_UNKNOWN_TRUST_ID); return 0; } } - if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; - if (trust && !ctx->param->trust) ctx->param->trust = trust; + if (purpose && !ctx->param->purpose) + ctx->param->purpose = purpose; + if (trust && !ctx->param->trust) + ctx->param->trust = trust; return 1; } -X509_STORE_CTX *X509_STORE_CTX_new(void) +X509_STORE_CTX * +X509_STORE_CTX_new(void) { X509_STORE_CTX *ctx; + ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX)); if (!ctx) { - X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; } memset(ctx, 0, sizeof(X509_STORE_CTX)); return ctx; } -void X509_STORE_CTX_free(X509_STORE_CTX *ctx) +void +X509_STORE_CTX_free(X509_STORE_CTX *ctx) { X509_STORE_CTX_cleanup(ctx); free(ctx); } -int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, - STACK_OF(X509) *chain) +int +X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, + STACK_OF(X509) *chain) { int ret = 1; - ctx->ctx=store; - ctx->current_method=0; - ctx->cert=x509; - ctx->untrusted=chain; + + ctx->ctx = store; + ctx->current_method = 0; + ctx->cert = x509; + ctx->untrusted = chain; ctx->crls = NULL; - ctx->last_untrusted=0; - ctx->other_ctx=NULL; - ctx->valid=0; - ctx->chain=NULL; - ctx->error=0; - ctx->explicit_policy=0; - ctx->error_depth=0; - ctx->current_cert=NULL; - ctx->current_issuer=NULL; - ctx->current_crl=NULL; - ctx->current_crl_score=0; - ctx->current_reasons=0; + ctx->last_untrusted = 0; + ctx->other_ctx = NULL; + ctx->valid = 0; + ctx->chain = NULL; + ctx->error = 0; + ctx->explicit_policy = 0; + ctx->error_depth = 0; + ctx->current_cert = NULL; + ctx->current_issuer = NULL; + ctx->current_crl = NULL; + ctx->current_crl_score = 0; + ctx->current_reasons = 0; ctx->tree = NULL; ctx->parent = NULL; ctx->param = X509_VERIFY_PARAM_new(); if (!ctx->param) { - X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); return 0; } @@ -1879,7 +2003,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, * use defaults. */ - if (store) ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); else @@ -1893,10 +2016,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, if (ret) ret = X509_VERIFY_PARAM_inherit(ctx->param, - X509_VERIFY_PARAM_lookup("default")); + X509_VERIFY_PARAM_lookup("default")); if (ret == 0) { - X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); return 0; } @@ -1957,10 +2080,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a * corresponding "new" here and remove this bogus initialisation. */ /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ - if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, - &(ctx->ex_data))) { + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, + &(ctx->ex_data))) { free(ctx); - X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); return 0; } return 1; @@ -1970,64 +2093,75 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, * This avoids X509_STORE nastiness where it isn't needed. */ -void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) +void +X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { ctx->other_ctx = sk; ctx->get_issuer = get_issuer_sk; } -void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) +void +X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) { - if (ctx->cleanup) ctx->cleanup(ctx); + if (ctx->cleanup) + ctx->cleanup(ctx); if (ctx->param != NULL) { if (ctx->parent == NULL) X509_VERIFY_PARAM_free(ctx->param); - ctx->param=NULL; + ctx->param = NULL; } if (ctx->tree != NULL) { X509_policy_tree_free(ctx->tree); - ctx->tree=NULL; + ctx->tree = NULL; } if (ctx->chain != NULL) { - sk_X509_pop_free(ctx->chain,X509_free); - ctx->chain=NULL; + sk_X509_pop_free(ctx->chain, X509_free); + ctx->chain = NULL; } - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); - memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, + ctx, &(ctx->ex_data)); + memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA)); } -void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) +void +X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) { X509_VERIFY_PARAM_set_depth(ctx->param, depth); } -void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) +void +X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) { X509_VERIFY_PARAM_set_flags(ctx->param, flags); } -void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) +void +X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) { X509_VERIFY_PARAM_set_time(ctx->param, t); } -void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, - int (*verify_cb)(int, X509_STORE_CTX *)) +void +X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, + int (*verify_cb)(int, X509_STORE_CTX *)) { - ctx->verify_cb=verify_cb; + ctx->verify_cb = verify_cb; } -X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) +X509_POLICY_TREE * +X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) { return ctx->tree; } -int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) +int +X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) { return ctx->explicit_policy; } -int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) +int +X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) { const X509_VERIFY_PARAM *param; param = X509_VERIFY_PARAM_lookup(name); @@ -2036,12 +2170,14 @@ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) return X509_VERIFY_PARAM_inherit(ctx->param, param); } -X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) +X509_VERIFY_PARAM * +X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) { return ctx->param; } -void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) +void +X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) { if (ctx->param) X509_VERIFY_PARAM_free(ctx->param); diff --git a/lib/libssl/src/crypto/x509/x509_vpm.c b/lib/libssl/src/crypto/x509/x509_vpm.c index 7f0824f75ee..f0d2a0902ef 100644 --- a/lib/libssl/src/crypto/x509/x509_vpm.c +++ b/lib/libssl/src/crypto/x509/x509_vpm.c @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -67,7 +67,8 @@ /* X509_VERIFY_PARAM functions */ -static void x509_verify_param_zero(X509_VERIFY_PARAM *param) +static void +x509_verify_param_zero(X509_VERIFY_PARAM *param) { if (!param) return; @@ -84,16 +85,19 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) } } -X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) +X509_VERIFY_PARAM * +X509_VERIFY_PARAM_new(void) { X509_VERIFY_PARAM *param; + param = malloc(sizeof(X509_VERIFY_PARAM)); memset(param, 0, sizeof(X509_VERIFY_PARAM)); x509_verify_param_zero(param); return param; } -void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) +void +X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { x509_verify_param_zero(param); free(param); @@ -109,7 +113,7 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) * for SSL servers or clients but only if the application has not set new * ones. * - * The "inh_flags" field determines how this function behaves. + * The "inh_flags" field determines how this function behaves. * * Normally any values which are set in the default are not copied from the * destination and verify flags are ORed together. @@ -141,13 +145,14 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) #define x509_verify_param_copy(field, def) \ if (test_x509_verify_param_copy(field, def)) \ dest->field = src->field - -int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, - const X509_VERIFY_PARAM *src) + +int +X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) { unsigned long inh_flags; int to_default, to_overwrite; + if (!src) return 1; inh_flags = dest->inh_flags | src->inh_flags; @@ -193,18 +198,20 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, return 1; } -int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, - const X509_VERIFY_PARAM *from) +int +X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from) { unsigned long save_flags = to->inh_flags; int ret; + to->inh_flags |= X509_VP_FLAG_DEFAULT; ret = X509_VERIFY_PARAM_inherit(to, from); to->inh_flags = save_flags; return ret; } -int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) +int +X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) { if (param->name) free(param->name); @@ -214,7 +221,8 @@ int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) return 0; } -int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) +int +X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) { param->flags |= flags; if (flags & X509_V_FLAG_POLICY_MASK) @@ -222,39 +230,46 @@ int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) return 1; } -int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) +int +X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) { param->flags &= ~flags; return 1; } -unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) +unsigned long +X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) { return param->flags; } -int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) +int +X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) { return X509_PURPOSE_set(¶m->purpose, purpose); } -int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) +int +X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) { return X509_TRUST_set(¶m->trust, trust); } -void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) +void +X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) { param->depth = depth; } -void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) +void +X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) { param->check_time = t; param->flags |= X509_V_FLAG_USE_CHECK_TIME; } -int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) +int +X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) { if (!param->policies) { param->policies = sk_ASN1_OBJECT_new_null(); @@ -266,11 +281,13 @@ int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) return 1; } -int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, - STACK_OF(ASN1_OBJECT) *policies) +int +X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, + STACK_OF(ASN1_OBJECT) *policies) { int i; ASN1_OBJECT *oid, *doid; + if (!param) return 0; if (param->policies) @@ -299,7 +316,8 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, return 1; } -int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) +int +X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) { return param->depth; } @@ -312,80 +330,81 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) static const X509_VERIFY_PARAM default_table[] = { { - "default", /* X509 default parameters */ - 0, /* Check time */ - 0, /* internal flags */ - 0, /* flags */ - 0, /* purpose */ - 0, /* trust */ - 100, /* depth */ - NULL /* policies */ + "default", /* X509 default parameters */ + 0, /* Check time */ + 0, /* internal flags */ + 0, /* flags */ + 0, /* purpose */ + 0, /* trust */ + 100, /* depth */ + NULL /* policies */ }, { - "pkcs7", /* S/MIME sign parameters */ - 0, /* Check time */ - 0, /* internal flags */ - 0, /* flags */ - X509_PURPOSE_SMIME_SIGN, /* purpose */ - X509_TRUST_EMAIL, /* trust */ - -1, /* depth */ - NULL /* policies */ + "pkcs7", /* S/MIME sign parameters */ + 0, /* Check time */ + 0, /* internal flags */ + 0, /* flags */ + X509_PURPOSE_SMIME_SIGN, /* purpose */ + X509_TRUST_EMAIL, /* trust */ + -1, /* depth */ + NULL /* policies */ }, { - "smime_sign", /* S/MIME sign parameters */ - 0, /* Check time */ - 0, /* internal flags */ - 0, /* flags */ - X509_PURPOSE_SMIME_SIGN, /* purpose */ - X509_TRUST_EMAIL, /* trust */ - -1, /* depth */ - NULL /* policies */ + "smime_sign", /* S/MIME sign parameters */ + 0, /* Check time */ + 0, /* internal flags */ + 0, /* flags */ + X509_PURPOSE_SMIME_SIGN, /* purpose */ + X509_TRUST_EMAIL, /* trust */ + -1, /* depth */ + NULL /* policies */ }, { - "ssl_client", /* SSL/TLS client parameters */ - 0, /* Check time */ - 0, /* internal flags */ - 0, /* flags */ - X509_PURPOSE_SSL_CLIENT, /* purpose */ - X509_TRUST_SSL_CLIENT, /* trust */ - -1, /* depth */ - NULL /* policies */ + "ssl_client", /* SSL/TLS client parameters */ + 0, /* Check time */ + 0, /* internal flags */ + 0, /* flags */ + X509_PURPOSE_SSL_CLIENT, /* purpose */ + X509_TRUST_SSL_CLIENT, /* trust */ + -1, /* depth */ + NULL /* policies */ }, { - "ssl_server", /* SSL/TLS server parameters */ - 0, /* Check time */ - 0, /* internal flags */ - 0, /* flags */ - X509_PURPOSE_SSL_SERVER, /* purpose */ - X509_TRUST_SSL_SERVER, /* trust */ - -1, /* depth */ - NULL /* policies */ + "ssl_server", /* SSL/TLS server parameters */ + 0, /* Check time */ + 0, /* internal flags */ + 0, /* flags */ + X509_PURPOSE_SSL_SERVER, /* purpose */ + X509_TRUST_SSL_SERVER, /* trust */ + -1, /* depth */ + NULL /* policies */ } }; static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL; -static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) - +static int +table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) { return strcmp(a->name, b->name); } -DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, - table); -IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, - table); +DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table); +IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table); -static int param_cmp(const X509_VERIFY_PARAM * const *a, - const X509_VERIFY_PARAM * const *b) +static int +param_cmp(const X509_VERIFY_PARAM * const *a, + const X509_VERIFY_PARAM * const *b) { return strcmp((*a)->name, (*b)->name); } -int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) +int +X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) { int idx; X509_VERIFY_PARAM *ptmp; + if (!param_table) { param_table = sk_X509_VERIFY_PARAM_new(param_cmp); if (!param_table) @@ -403,7 +422,8 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) return 1; } -const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) +const X509_VERIFY_PARAM * +X509_VERIFY_PARAM_lookup(const char *name) { int idx; X509_VERIFY_PARAM pm; @@ -415,13 +435,14 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) return sk_X509_VERIFY_PARAM_value(param_table, idx); } return OBJ_bsearch_table(&pm, default_table, - sizeof(default_table)/sizeof(X509_VERIFY_PARAM)); + sizeof(default_table)/sizeof(X509_VERIFY_PARAM)); } -void X509_VERIFY_PARAM_table_cleanup(void) +void +X509_VERIFY_PARAM_table_cleanup(void) { if (param_table) sk_X509_VERIFY_PARAM_pop_free(param_table, - X509_VERIFY_PARAM_free); + X509_VERIFY_PARAM_free); param_table = NULL; } -- 2.20.1