From 7609e5c6e86d6ccb954247e2a2e1e2234db9e9b2 Mon Sep 17 00:00:00 2001 From: tedu Date: Fri, 18 Apr 2014 01:59:00 +0000 Subject: [PATCH] blunt force knf --- lib/libcrypto/x509/x509_att.c | 42 +- lib/libcrypto/x509/x509_cmp.c | 109 ++- lib/libcrypto/x509/x509_d2.c | 18 +- lib/libcrypto/x509/x509_err.c | 17 +- lib/libcrypto/x509/x509_ext.c | 84 +-- lib/libcrypto/x509/x509_lu.c | 317 ++++----- lib/libcrypto/x509/x509_obj.c | 76 +-- lib/libcrypto/x509/x509_r2x.c | 19 +- lib/libcrypto/x509/x509_req.c | 49 +- lib/libcrypto/x509/x509_set.c | 60 +- lib/libcrypto/x509/x509_trs.c | 10 +- lib/libcrypto/x509/x509_txt.c | 7 +- lib/libcrypto/x509/x509_v3.c | 94 ++- lib/libcrypto/x509/x509_vfy.c | 910 +++++++++++--------------- lib/libcrypto/x509/x509_vpm.c | 135 ++-- lib/libcrypto/x509/x509cset.c | 70 +- lib/libcrypto/x509/x509name.c | 123 ++-- lib/libcrypto/x509/x509rset.c | 12 +- lib/libcrypto/x509/x509type.c | 17 +- lib/libssl/src/crypto/x509/x509_att.c | 42 +- lib/libssl/src/crypto/x509/x509_cmp.c | 109 ++- lib/libssl/src/crypto/x509/x509_d2.c | 18 +- lib/libssl/src/crypto/x509/x509_err.c | 17 +- lib/libssl/src/crypto/x509/x509_ext.c | 84 +-- lib/libssl/src/crypto/x509/x509_lu.c | 317 ++++----- lib/libssl/src/crypto/x509/x509_obj.c | 76 +-- lib/libssl/src/crypto/x509/x509_r2x.c | 19 +- lib/libssl/src/crypto/x509/x509_req.c | 49 +- lib/libssl/src/crypto/x509/x509_set.c | 60 +- lib/libssl/src/crypto/x509/x509_trs.c | 10 +- lib/libssl/src/crypto/x509/x509_txt.c | 7 +- lib/libssl/src/crypto/x509/x509_v3.c | 94 ++- lib/libssl/src/crypto/x509/x509_vfy.c | 910 +++++++++++--------------- lib/libssl/src/crypto/x509/x509_vpm.c | 135 ++-- lib/libssl/src/crypto/x509/x509cset.c | 70 +- lib/libssl/src/crypto/x509/x509name.c | 123 ++-- lib/libssl/src/crypto/x509/x509rset.c | 12 +- lib/libssl/src/crypto/x509/x509type.c | 17 +- 38 files changed, 1848 insertions(+), 2490 deletions(-) diff --git a/lib/libcrypto/x509/x509_att.c b/lib/libcrypto/x509/x509_att.c index 98460e89215..7f924fbe396 100644 --- a/lib/libcrypto/x509/x509_att.c +++ b/lib/libcrypto/x509/x509_att.c @@ -91,8 +91,7 @@ int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj, if (lastpos < 0) lastpos=0; n=sk_X509_ATTRIBUTE_num(sk); - for ( ; lastpos < n; lastpos++) - { + for ( ; lastpos < n; lastpos++) { ex=sk_X509_ATTRIBUTE_value(sk,lastpos); if (OBJ_cmp(ex->object,obj) == 0) return(lastpos); @@ -124,18 +123,15 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x, X509_ATTRIBUTE *new_attr=NULL; STACK_OF(X509_ATTRIBUTE) *sk=NULL; - if (x == NULL) - { + if (x == NULL) { X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER); goto err2; - } + } - if (*x == NULL) - { + if (*x == NULL) { if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL) goto err; - } - else + } else sk= *x; if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL) @@ -215,11 +211,10 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, X509_ATTRIBUTE *ret; obj=OBJ_nid2obj(nid); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID); return(NULL); - } + } ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len); if (ret == NULL) ASN1_OBJECT_free(obj); return(ret); @@ -230,14 +225,12 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr, { X509_ATTRIBUTE *ret; - if ((attr == NULL) || (*attr == NULL)) - { - if ((ret=X509_ATTRIBUTE_new()) == NULL) - { + if ((attr == NULL) || (*attr == NULL)) { + if ((ret=X509_ATTRIBUTE_new()) == NULL) { X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); return(NULL); - } } + } else ret= *attr; @@ -256,22 +249,21 @@ err: X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr, const char *atrname, int type, const unsigned char *bytes, int len) - { +{ ASN1_OBJECT *obj; X509_ATTRIBUTE *nattr; obj=OBJ_txt2obj(atrname, 0); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT, X509_R_INVALID_FIELD_NAME); ERR_add_error_data(2, "name=", atrname); return(NULL); - } + } nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len); ASN1_OBJECT_free(obj); return nattr; - } +} int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj) { @@ -310,12 +302,10 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat if (attrtype == 0) return 1; if(!(ttmp = ASN1_TYPE_new())) goto err; - if ((len == -1) && !(attrtype & MBSTRING_FLAG)) - { + if ((len == -1) && !(attrtype & MBSTRING_FLAG)) { if (!ASN1_TYPE_set1(ttmp, attrtype, data)) goto err; - } - else + } else ASN1_TYPE_set(ttmp, atype, stmp); if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err; return 1; diff --git a/lib/libcrypto/x509/x509_cmp.c b/lib/libcrypto/x509/x509_cmp.c index 2f1b8953e55..87c45964148 100644 --- a/lib/libcrypto/x509/x509_cmp.c +++ b/lib/libcrypto/x509/x509_cmp.c @@ -65,7 +65,7 @@ #include int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) - { +{ int i; X509_CINF *ai,*bi; @@ -74,11 +74,11 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber); if (i) return(i); return(X509_NAME_cmp(ai->issuer,bi->issuer)); - } +} #ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_and_serial_hash(X509 *a) - { +{ unsigned long ret=0; EVP_MD_CTX ctx; unsigned char md[16]; @@ -102,68 +102,68 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) err: EVP_MD_CTX_cleanup(&ctx); return(ret); - } +} #endif int X509_issuer_name_cmp(const X509 *a, const X509 *b) - { +{ return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer)); - } +} int X509_subject_name_cmp(const X509 *a, const X509 *b) - { +{ return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject)); - } +} int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) - { +{ return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer)); - } +} #ifndef OPENSSL_NO_SHA int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) - { +{ return memcmp(a->sha1_hash, b->sha1_hash, 20); - } +} #endif X509_NAME *X509_get_issuer_name(X509 *a) - { +{ return(a->cert_info->issuer); - } +} unsigned long X509_issuer_name_hash(X509 *x) - { +{ return(X509_NAME_hash(x->cert_info->issuer)); - } +} #ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_name_hash_old(X509 *x) - { +{ return(X509_NAME_hash_old(x->cert_info->issuer)); - } +} #endif X509_NAME *X509_get_subject_name(X509 *a) - { +{ return(a->cert_info->subject); - } +} ASN1_INTEGER *X509_get_serialNumber(X509 *a) - { +{ return(a->cert_info->serialNumber); - } +} unsigned long X509_subject_name_hash(X509 *x) - { +{ return(X509_NAME_hash(x->cert_info->subject)); - } +} #ifndef OPENSSL_NO_MD5 unsigned long X509_subject_name_hash_old(X509 *x) - { +{ return(X509_NAME_hash_old(x->cert_info->subject)); - } +} #endif #ifndef OPENSSL_NO_SHA @@ -188,24 +188,22 @@ int X509_cmp(const X509 *a, const X509 *b) int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) - { +{ int ret; /* Ensure canonical encoding is present and up to date */ - if (!a->canon_enc || a->modified) - { + if (!a->canon_enc || a->modified) { ret = i2d_X509_NAME((X509_NAME *)a, NULL); if (ret < 0) return -2; - } + } - if (!b->canon_enc || b->modified) - { + if (!b->canon_enc || b->modified) { ret = i2d_X509_NAME((X509_NAME *)b, NULL); if (ret < 0) return -2; - } + } ret = a->canon_enclen - b->canon_enclen; @@ -214,10 +212,10 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); - } +} unsigned long X509_NAME_hash(X509_NAME *x) - { +{ unsigned long ret=0; unsigned char md[SHA_DIGEST_LENGTH]; @@ -231,7 +229,7 @@ unsigned long X509_NAME_hash(X509_NAME *x) ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) )&0xffffffffL; return(ret); - } +} #ifndef OPENSSL_NO_MD5 @@ -239,7 +237,7 @@ unsigned long X509_NAME_hash(X509_NAME *x) * this is reasonably efficient. */ unsigned long X509_NAME_hash_old(X509_NAME *x) - { +{ EVP_MD_CTX md_ctx; unsigned long ret=0; unsigned char md[16]; @@ -257,13 +255,13 @@ unsigned long X509_NAME_hash_old(X509_NAME *x) EVP_MD_CTX_cleanup(&md_ctx); return(ret); - } +} #endif /* Search a stack of X509 for a match */ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, ASN1_INTEGER *serial) - { +{ int i; X509_CINF cinf; X509 x,*x509=NULL; @@ -274,44 +272,42 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, cinf.serialNumber=serial; cinf.issuer=name; - for (i=0; icert_info == NULL)) return(NULL); return(X509_PUBKEY_get(x->cert_info->key)); - } +} ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) - { +{ if(!x) return NULL; return x->cert_info->key->public_key; - } +} int X509_check_private_key(X509 *x, EVP_PKEY *k) - { +{ EVP_PKEY *xk; int ret; @@ -322,8 +318,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k) else ret = -2; - switch (ret) - { + switch (ret) { case 1: break; case 0: @@ -334,10 +329,10 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k) break; case -2: X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); - } + } if (xk) EVP_PKEY_free(xk); if (ret > 0) return 1; return 0; - } +} diff --git a/lib/libcrypto/x509/x509_d2.c b/lib/libcrypto/x509/x509_d2.c index 51410cfd1a9..ed051093ac9 100644 --- a/lib/libcrypto/x509/x509_d2.c +++ b/lib/libcrypto/x509/x509_d2.c @@ -63,7 +63,7 @@ #ifndef OPENSSL_NO_STDIO int X509_STORE_set_default_paths(X509_STORE *ctx) - { +{ X509_LOOKUP *lookup; lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file()); @@ -78,30 +78,28 @@ int X509_STORE_set_default_paths(X509_STORE *ctx) ERR_clear_error(); return(1); - } +} int X509_STORE_load_locations(X509_STORE *ctx, const char *file, const char *path) - { +{ X509_LOOKUP *lookup; - if (file != NULL) - { + if (file != NULL) { lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file()); if (lookup == NULL) return(0); if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1) return(0); - } - if (path != NULL) - { + } + if (path != NULL) { lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir()); if (lookup == NULL) return(0); if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1) return(0); - } + } if ((path == NULL) && (file == NULL)) return(0); return(1); - } +} #endif diff --git a/lib/libcrypto/x509/x509_err.c b/lib/libcrypto/x509/x509_err.c index a01402f4167..ab5e8aaea2f 100644 --- a/lib/libcrypto/x509/x509_err.c +++ b/lib/libcrypto/x509/x509_err.c @@ -69,7 +69,7 @@ #define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason) static ERR_STRING_DATA X509_str_functs[]= - { +{ {ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"}, {ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"}, {ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"}, @@ -116,10 +116,10 @@ static ERR_STRING_DATA X509_str_functs[]= {ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"}, {ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"}, {0,NULL} - }; +}; static ERR_STRING_DATA X509_str_reasons[]= - { +{ {ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"}, {ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"}, {ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"}, @@ -147,18 +147,17 @@ static ERR_STRING_DATA X509_str_reasons[]= {ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"}, {ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"}, {0,NULL} - }; +}; #endif void ERR_load_X509_strings(void) - { +{ #ifndef OPENSSL_NO_ERR - if (ERR_func_error_string(X509_str_functs[0].error) == NULL) - { + if (ERR_func_error_string(X509_str_functs[0].error) == NULL) { ERR_load_strings(0,X509_str_functs); ERR_load_strings(0,X509_str_reasons); - } -#endif } +#endif +} diff --git a/lib/libcrypto/x509/x509_ext.c b/lib/libcrypto/x509/x509_ext.c index e7fdacb5e45..bdc489f3674 100644 --- a/lib/libcrypto/x509/x509_ext.c +++ b/lib/libcrypto/x509/x509_ext.c @@ -67,34 +67,34 @@ int X509_CRL_get_ext_count(X509_CRL *x) - { +{ return(X509v3_get_ext_count(x->crl->extensions)); - } +} int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos) - { +{ return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos)); - } +} int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos) - { +{ return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos)); - } +} int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos) - { +{ return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos)); - } +} X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc) - { +{ return(X509v3_get_ext(x->crl->extensions,loc)); - } +} X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc) - { +{ return(X509v3_delete_ext(x->crl->extensions,loc)); - } +} void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx) { @@ -108,44 +108,44 @@ int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit, } int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc) - { +{ return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL); - } +} int X509_get_ext_count(X509 *x) - { +{ return(X509v3_get_ext_count(x->cert_info->extensions)); - } +} int X509_get_ext_by_NID(X509 *x, int nid, int lastpos) - { +{ return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos)); - } +} int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos) - { +{ return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos)); - } +} int X509_get_ext_by_critical(X509 *x, int crit, int lastpos) - { +{ return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos)); - } +} X509_EXTENSION *X509_get_ext(X509 *x, int loc) - { +{ return(X509v3_get_ext(x->cert_info->extensions,loc)); - } +} X509_EXTENSION *X509_delete_ext(X509 *x, int loc) - { +{ return(X509v3_delete_ext(x->cert_info->extensions,loc)); - } +} int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc) - { +{ return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL); - } +} void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx) { @@ -160,40 +160,40 @@ int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, } int X509_REVOKED_get_ext_count(X509_REVOKED *x) - { +{ return(X509v3_get_ext_count(x->extensions)); - } +} int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos) - { +{ return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos)); - } +} int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj, int lastpos) - { +{ return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos)); - } +} int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos) - { +{ return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos)); - } +} X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc) - { +{ return(X509v3_get_ext(x->extensions,loc)); - } +} X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc) - { +{ return(X509v3_delete_ext(x->extensions,loc)); - } +} int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc) - { +{ return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL); - } +} void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx) { diff --git a/lib/libcrypto/x509/x509_lu.c b/lib/libcrypto/x509/x509_lu.c index 38b034bfeef..a89cd70313e 100644 --- a/lib/libcrypto/x509/x509_lu.c +++ b/lib/libcrypto/x509/x509_lu.c @@ -63,7 +63,7 @@ #include X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) - { +{ X509_LOOKUP *ret; ret=(X509_LOOKUP *)malloc(sizeof(X509_LOOKUP)); @@ -74,50 +74,49 @@ X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) ret->method=method; ret->method_data=NULL; ret->store_ctx=NULL; - if ((method->new_item != NULL) && !method->new_item(ret)) - { + if ((method->new_item != NULL) && !method->new_item(ret)) { free(ret); return NULL; - } - return ret; } + return ret; +} void X509_LOOKUP_free(X509_LOOKUP *ctx) - { +{ if (ctx == NULL) return; if ( (ctx->method != NULL) && (ctx->method->free != NULL)) (*ctx->method->free)(ctx); free(ctx); - } +} int X509_LOOKUP_init(X509_LOOKUP *ctx) - { +{ if (ctx->method == NULL) return 0; if (ctx->method->init != NULL) return ctx->method->init(ctx); else return 1; - } +} int X509_LOOKUP_shutdown(X509_LOOKUP *ctx) - { +{ if (ctx->method == NULL) return 0; if (ctx->method->shutdown != NULL) return ctx->method->shutdown(ctx); else return 1; - } +} int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret) - { +{ if (ctx->method == NULL) return -1; if (ctx->method->ctrl != NULL) return ctx->method->ctrl(ctx,cmd,argc,argl,ret); else return 1; - } +} int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, X509_OBJECT *ret) @@ -126,42 +125,41 @@ int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, return X509_LU_FAIL; if (ctx->skip) return 0; return ctx->method->get_by_subject(ctx,type,name,ret); - } +} int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name, ASN1_INTEGER *serial, X509_OBJECT *ret) - { +{ if ((ctx->method == NULL) || (ctx->method->get_by_issuer_serial == NULL)) return X509_LU_FAIL; return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret); - } +} int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, unsigned char *bytes, int len, X509_OBJECT *ret) - { +{ if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL)) return X509_LU_FAIL; return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret); - } +} int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len, X509_OBJECT *ret) - { +{ if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL)) return X509_LU_FAIL; return ctx->method->get_by_alias(ctx,type,str,len,ret); - } +} static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b) - { + { int ret; ret=((*a)->type - (*b)->type); if (ret) return ret; - switch ((*a)->type) - { + switch ((*a)->type) { case X509_LU_X509: ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509); break; @@ -171,12 +169,12 @@ static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * con default: /* abort(); */ return 0; - } - return ret; } + return ret; +} X509_STORE *X509_STORE_new(void) - { +{ X509_STORE *ret; if ((ret=(X509_STORE *)malloc(sizeof(X509_STORE))) == NULL) @@ -191,7 +189,7 @@ X509_STORE *X509_STORE_new(void) sk_X509_OBJECT_free(ret->objs); free(ret); return NULL; - } +} ret->get_issuer = 0; ret->check_issued = 0; @@ -203,37 +201,31 @@ X509_STORE *X509_STORE_new(void) ret->lookup_crls = 0; ret->cleanup = 0; - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) - { + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) { sk_X509_OBJECT_free(ret->objs); free(ret); return NULL; - } + } ret->references=1; return ret; - } +} static void cleanup(X509_OBJECT *a) - { - if (a->type == X509_LU_X509) - { +{ + if (a->type == X509_LU_X509) { X509_free(a->data.x509); - } - else if (a->type == X509_LU_CRL) - { + } else if (a->type == X509_LU_CRL) { X509_CRL_free(a->data.crl); - } - else - { + } else { /* abort(); */ - } + } free(a); - } +} void X509_STORE_free(X509_STORE *vfy) - { +{ int i; STACK_OF(X509_LOOKUP) *sk; X509_LOOKUP *lu; @@ -242,12 +234,11 @@ void X509_STORE_free(X509_STORE *vfy) return; sk=vfy->get_cert_methods; - for (i=0; iobjs, cleanup); @@ -255,43 +246,39 @@ void X509_STORE_free(X509_STORE *vfy) if (vfy->param) X509_VERIFY_PARAM_free(vfy->param); free(vfy); - } +} X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) - { +{ int i; STACK_OF(X509_LOOKUP) *sk; X509_LOOKUP *lu; sk=v->get_cert_methods; - for (i=0; imethod) - { + if (m == lu->method) { return lu; - } } + } /* a new one */ lu=X509_LOOKUP_new(m); if (lu == NULL) return NULL; - else - { + else { lu->store_ctx=v; if (sk_X509_LOOKUP_push(v->get_cert_methods,lu)) return lu; - else - { + else { X509_LOOKUP_free(lu); return NULL; - } } } +} int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, X509_OBJECT *ret) - { +{ X509_STORE *ctx=vs->ctx; X509_LOOKUP *lu; X509_OBJECT stmp,*tmp; @@ -301,27 +288,22 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name); CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); - if (tmp == NULL || type == X509_LU_CRL) - { - for (i=vs->current_method; iget_cert_methods); i++) - { + if (tmp == NULL || type == X509_LU_CRL) { + for (i=vs->current_method; iget_cert_methods); i++) { lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i); j=X509_LOOKUP_by_subject(lu,type,name,&stmp); - if (j < 0) - { + if (j < 0) { vs->current_method=j; return j; - } - else if (j) - { + } else if (j) { tmp= &stmp; break; - } } + } vs->current_method=0; if (tmp == NULL) return 0; - } + } /* if (ret->data.ptr != NULL) X509_OBJECT_free_contents(ret); */ @@ -332,20 +314,19 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, X509_OBJECT_up_ref_count(ret); return 1; - } +} int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) - { +{ X509_OBJECT *obj; int ret=1; if (x == NULL) return 0; obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT)); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE); return 0; - } + } obj->type=X509_LU_X509; obj->data.x509=x; @@ -353,32 +334,30 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) X509_OBJECT_up_ref_count(obj); - if (X509_OBJECT_retrieve_match(ctx->objs, obj)) - { + if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { X509_OBJECT_free_contents(obj); free(obj); X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE); ret=0; - } + } else sk_X509_OBJECT_push(ctx->objs, obj); CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return ret; - } +} int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) - { +{ X509_OBJECT *obj; int ret=1; if (x == NULL) return 0; obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT)); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE); return 0; - } + } obj->type=X509_LU_CRL; obj->data.crl=x; @@ -386,49 +365,46 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) X509_OBJECT_up_ref_count(obj); - if (X509_OBJECT_retrieve_match(ctx->objs, obj)) - { + if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { X509_OBJECT_free_contents(obj); free(obj); X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE); ret=0; - } - else sk_X509_OBJECT_push(ctx->objs, obj); + } else + sk_X509_OBJECT_push(ctx->objs, obj); CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return ret; - } +} void X509_OBJECT_up_ref_count(X509_OBJECT *a) - { - switch (a->type) - { +{ + switch (a->type) { case X509_LU_X509: CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509); break; case X509_LU_CRL: CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL); break; - } } +} void X509_OBJECT_free_contents(X509_OBJECT *a) - { - switch (a->type) - { +{ + switch (a->type) { case X509_LU_X509: X509_free(a->data.x509); break; case X509_LU_CRL: X509_CRL_free(a->data.crl); break; - } } +} static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name, int *pnmatch) - { +{ X509_OBJECT stmp; X509 x509_s; X509_CINF cinf_s; @@ -437,8 +413,7 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, int idx; stmp.type=type; - switch (type) - { + switch (type) { case X509_LU_X509: stmp.data.x509= &x509_s; x509_s.cert_info= &cinf_s; @@ -452,44 +427,42 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, default: /* abort(); */ return -1; - } + } idx = sk_X509_OBJECT_find(h,&stmp); - if (idx >= 0 && pnmatch) - { + if (idx >= 0 && pnmatch) { int tidx; const X509_OBJECT *tobj, *pstmp; *pnmatch = 1; pstmp = &stmp; - for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) - { + for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) { tobj = sk_X509_OBJECT_value(h, tidx); if (x509_object_cmp(&tobj, &pstmp)) break; (*pnmatch)++; - } } - return idx; } + return idx; +} int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name) - { +{ return x509_object_idx_cnt(h, type, name, NULL); - } +} X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name) - { +{ int idx; idx = X509_OBJECT_idx_by_subject(h, type, name); if (idx==-1) return NULL; return sk_X509_OBJECT_value(h, idx); - } +} STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) - { +{ int i, idx, cnt; STACK_OF(X509) *sk; X509 *x; @@ -497,48 +470,43 @@ STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) sk = sk_X509_new_null(); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); - if (idx < 0) - { + if (idx < 0) { /* Nothing found in cache: do lookup to possibly add new * objects to cache */ X509_OBJECT xobj; CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); - if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) - { + if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) { sk_X509_free(sk); return NULL; - } + } X509_OBJECT_free_contents(&xobj); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt); - if (idx < 0) - { + if (idx < 0) { CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); sk_X509_free(sk); return NULL; - } } - for (i = 0; i < cnt; i++, idx++) - { + } + for (i = 0; i < cnt; i++, idx++) { obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); x = obj->data.x509; CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); - if (!sk_X509_push(sk, x)) - { + if (!sk_X509_push(sk, x)) { CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); X509_free(x); sk_X509_pop_free(sk, X509_free); return NULL; - } } + } CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return sk; - } +} STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) - { +{ int i, idx, cnt; STACK_OF(X509_CRL) *sk; X509_CRL *x; @@ -551,66 +519,57 @@ STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) /* Always do lookup to possibly add new CRLs to cache */ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); - if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) - { + if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) { sk_X509_CRL_free(sk); return NULL; - } + } X509_OBJECT_free_contents(&xobj); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt); - if (idx < 0) - { + if (idx < 0) { CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); sk_X509_CRL_free(sk); return NULL; - } + } - for (i = 0; i < cnt; i++, idx++) - { + for (i = 0; i < cnt; i++, idx++) { obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); x = obj->data.crl; CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); - if (!sk_X509_CRL_push(sk, x)) - { + if (!sk_X509_CRL_push(sk, x)) { CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); X509_CRL_free(x); sk_X509_CRL_pop_free(sk, X509_CRL_free); return NULL; - } } + } CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return sk; - } +} X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x) - { +{ int idx, i; X509_OBJECT *obj; idx = sk_X509_OBJECT_find(h, x); if (idx == -1) return NULL; if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL)) return sk_X509_OBJECT_value(h, idx); - for (i = idx; i < sk_X509_OBJECT_num(h); i++) - { + for (i = idx; i < sk_X509_OBJECT_num(h); i++) { obj = sk_X509_OBJECT_value(h, i); if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x)) return NULL; - if (x->type == X509_LU_X509) - { + if (x->type == X509_LU_X509) { if (!X509_cmp(obj->data.x509, x->data.x509)) return obj; - } - else if (x->type == X509_LU_CRL) - { + } else if (x->type == X509_LU_CRL) { if (!X509_CRL_match(obj->data.crl, x->data.crl)) return obj; - } - else + } else return obj; - } - return NULL; } + return NULL; +} /* Try to get issuer certificate from store. Due to limitations @@ -625,95 +584,87 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x * -1 some other error. */ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) - { +{ X509_NAME *xn; X509_OBJECT obj, *pobj; int i, ok, idx, ret; xn=X509_get_issuer_name(x); ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); - if (ok != X509_LU_X509) - { - if (ok == X509_LU_RETRY) - { + if (ok != X509_LU_X509) { + if (ok == X509_LU_RETRY) { X509_OBJECT_free_contents(&obj); X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY); return -1; - } - else if (ok != X509_LU_FAIL) - { + } else if (ok != X509_LU_FAIL) { X509_OBJECT_free_contents(&obj); /* not good :-(, break anyway */ return -1; - } - return 0; } + return 0; + } /* If certificate matches all OK */ - if (ctx->check_issued(ctx, x, obj.data.x509)) - { + if (ctx->check_issued(ctx, x, obj.data.x509)) { *issuer = obj.data.x509; return 1; - } + } X509_OBJECT_free_contents(&obj); /* Else find index of first cert accepted by 'check_issued' */ ret = 0; CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn); - if (idx != -1) /* should be true as we've had at least one match */ - { + if (idx != -1) /* should be true as we've had at least one match */ { /* Look through all matching certs for suitable issuer */ - for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) - { + for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) { pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i); /* See if we've run past the matches */ if (pobj->type != X509_LU_X509) break; if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) break; - if (ctx->check_issued(ctx, x, pobj->data.x509)) - { + if (ctx->check_issued(ctx, x, pobj->data.x509)) { *issuer = pobj->data.x509; X509_OBJECT_up_ref_count(pobj); ret = 1; break; - } } } + } CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return ret; - } +} int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags) - { +{ return X509_VERIFY_PARAM_set_flags(ctx->param, flags); - } +} int X509_STORE_set_depth(X509_STORE *ctx, int depth) - { +{ X509_VERIFY_PARAM_set_depth(ctx->param, depth); return 1; - } +} int X509_STORE_set_purpose(X509_STORE *ctx, int purpose) - { +{ return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose); - } +} int X509_STORE_set_trust(X509_STORE *ctx, int trust) - { +{ return X509_VERIFY_PARAM_set_trust(ctx->param, trust); - } +} int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) - { +{ return X509_VERIFY_PARAM_set1(ctx->param, param); - } +} void X509_STORE_set_verify_cb(X509_STORE *ctx, int (*verify_cb)(int, X509_STORE_CTX *)) - { +{ ctx->verify_cb = verify_cb; - } +} IMPLEMENT_STACK_OF(X509_LOOKUP) IMPLEMENT_STACK_OF(X509_OBJECT) diff --git a/lib/libcrypto/x509/x509_obj.c b/lib/libcrypto/x509/x509_obj.c index 5f38315f22e..d0c02f833e1 100644 --- a/lib/libcrypto/x509/x509_obj.c +++ b/lib/libcrypto/x509/x509_obj.c @@ -64,7 +64,7 @@ #include char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) - { +{ X509_NAME_ENTRY *ne; int i; int n,lold,l,l1,l2,num,j,type; @@ -76,103 +76,85 @@ int i; int gs_doit[4]; char tmp_buf[80]; - if (buf == NULL) - { + if (buf == NULL) { if ((b=BUF_MEM_new()) == NULL) goto err; if (!BUF_MEM_grow(b,200)) goto err; b->data[0]='\0'; len=200; + } + if (a == NULL) { + if(b) { + buf=b->data; + free(b); } - if (a == NULL) - { - if(b) - { - buf=b->data; - free(b); - } - strlcpy(buf,"NO X509_NAME",len); - return buf; - } + strlcpy(buf,"NO X509_NAME",len); + return buf; + } len--; /* space for '\0' */ l=0; - for (i=0; ientries); i++) - { + for (i=0; ientries); i++) { ne=sk_X509_NAME_ENTRY_value(a->entries,i); n=OBJ_obj2nid(ne->object); - if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL)) - { + if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL)) { i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object); s=tmp_buf; - } + } l1=strlen(s); type=ne->value->type; num=ne->value->length; q=ne->value->data; - if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0)) - { + if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0)) { gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0; for (j=0; j '~')) l2+=3; - } + } lold=l; l+=1+l1+1+l2; - if (b != NULL) - { + if (b != NULL) { if (!BUF_MEM_grow(b,l+1)) goto err; p= &(b->data[lold]); - } - else if (l > len) - { + } else if (l > len) { break; - } - else + } else p= &(buf[lold]); *(p++)='/'; memcpy(p,s,(unsigned int)l1); p+=l1; *(p++)='='; q=ne->value->data; - for (j=0; j '~')) - { + if ((n < ' ') || (n > '~')) { *(p++)='\\'; *(p++)='x'; *(p++)=hex[(n>>4)&0x0f]; *(p++)=hex[n&0x0f]; - } - else + } else *(p++)=n; - } - *p='\0'; } - if (b != NULL) - { + *p='\0'; + } + if (b != NULL) { p=b->data; free(b); - } - else + } else p=buf; if (i == 0) *p = '\0'; @@ -181,5 +163,5 @@ err: X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE); if (b != NULL) BUF_MEM_free(b); return(NULL); - } +} diff --git a/lib/libcrypto/x509/x509_r2x.c b/lib/libcrypto/x509/x509_r2x.c index 254a14693d9..f084447334f 100644 --- a/lib/libcrypto/x509/x509_r2x.c +++ b/lib/libcrypto/x509/x509_r2x.c @@ -66,27 +66,25 @@ #include X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) - { +{ X509 *ret=NULL; X509_CINF *xi=NULL; X509_NAME *xn; - if ((ret=X509_new()) == NULL) - { + if ((ret=X509_new()) == NULL) { X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE); goto err; - } + } /* duplicate the request */ xi=ret->cert_info; - if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) - { + if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) { if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err; if (!ASN1_INTEGER_set(xi->version,2)) goto err; /* xi->extensions=ri->attributes; <- bad, should not ever be done ri->attributes=NULL; */ - } + } xn=X509_REQ_get_subject_name(r); if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0) @@ -103,12 +101,11 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) if (!X509_sign(ret,pkey,EVP_md5())) goto err; - if (0) - { + if (0) { err: X509_free(ret); ret=NULL; - } - return(ret); } + return(ret); +} diff --git a/lib/libcrypto/x509/x509_req.c b/lib/libcrypto/x509/x509_req.c index 1c5cee80309..12725ed7e95 100644 --- a/lib/libcrypto/x509/x509_req.c +++ b/lib/libcrypto/x509/x509_req.c @@ -68,18 +68,17 @@ #include X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) - { +{ X509_REQ *ret; X509_REQ_INFO *ri; int i; EVP_PKEY *pktmp; ret=X509_REQ_new(); - if (ret == NULL) - { + if (ret == NULL) { X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE); goto err; - } + } ri=ret->req_info; @@ -96,32 +95,30 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) EVP_PKEY_free(pktmp); if (!i) goto err; - if (pkey != NULL) - { + if (pkey != NULL) { if (!X509_REQ_sign(ret,pkey,md)) goto err; - } + } return(ret); err: X509_REQ_free(ret); return(NULL); - } +} EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) - { +{ if ((req == NULL) || (req->req_info == NULL)) return(NULL); return(X509_PUBKEY_get(req->req_info->pubkey)); - } +} int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) - { +{ EVP_PKEY *xk=NULL; int ok=0; xk=X509_REQ_get_pubkey(x); - switch (EVP_PKEY_cmp(xk, k)) - { + switch (EVP_PKEY_cmp(xk, k)) { case 1: ok=1; break; @@ -133,26 +130,24 @@ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) break; case -2: #ifndef OPENSSL_NO_EC - if (k->type == EVP_PKEY_EC) - { + if (k->type == EVP_PKEY_EC) { X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB); break; - } + } #endif #ifndef OPENSSL_NO_DH - if (k->type == EVP_PKEY_DH) - { + if (k->type == EVP_PKEY_DH) { /* No idea */ X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY); break; - } + } #endif X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); - } + } EVP_PKEY_free(xk); return(ok); - } +} /* It seems several organisations had the same idea of including a list of * extensions in a certificate request. There are at least two OIDs that are @@ -184,7 +179,7 @@ void X509_REQ_set_extension_nids(int *nids) } STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) - { +{ X509_ATTRIBUTE *attr; ASN1_TYPE *ext = NULL; int idx, *pnid; @@ -192,8 +187,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) if ((req == NULL) || (req->req_info == NULL) || !ext_nids) return(NULL); - for (pnid = ext_nids; *pnid != NID_undef; pnid++) - { + for (pnid = ext_nids; *pnid != NID_undef; pnid++) { idx = X509_REQ_get_attr_by_NID(req, *pnid, -1); if (idx == -1) continue; @@ -202,7 +196,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) else if(sk_ASN1_TYPE_num(attr->value.set)) ext = sk_ASN1_TYPE_value(attr->value.set, 0); break; - } + } if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL; p = ext->value.sequence->data; @@ -235,11 +229,10 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, at = NULL; attr->single = 0; attr->object = OBJ_nid2obj(nid); - if (!req->req_info->attributes) - { + if (!req->req_info->attributes) { if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null())) goto err; - } + } if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err; return 1; err: diff --git a/lib/libcrypto/x509/x509_set.c b/lib/libcrypto/x509/x509_set.c index 4b94fc58477..dfe9eb68fff 100644 --- a/lib/libcrypto/x509/x509_set.c +++ b/lib/libcrypto/x509/x509_set.c @@ -64,87 +64,77 @@ #include int X509_set_version(X509 *x, long version) - { +{ if (x == NULL) return(0); - if (x->cert_info->version == NULL) - { + if (x->cert_info->version == NULL) { if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL) return(0); - } - return(ASN1_INTEGER_set(x->cert_info->version,version)); } + return(ASN1_INTEGER_set(x->cert_info->version,version)); +} int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) - { +{ ASN1_INTEGER *in; if (x == NULL) return(0); in=x->cert_info->serialNumber; - if (in != serial) - { + if (in != serial) { in=M_ASN1_INTEGER_dup(serial); - if (in != NULL) - { + if (in != NULL) { M_ASN1_INTEGER_free(x->cert_info->serialNumber); x->cert_info->serialNumber=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_set_issuer_name(X509 *x, X509_NAME *name) - { +{ if ((x == NULL) || (x->cert_info == NULL)) return(0); return(X509_NAME_set(&x->cert_info->issuer,name)); - } +} int X509_set_subject_name(X509 *x, X509_NAME *name) - { +{ if ((x == NULL) || (x->cert_info == NULL)) return(0); return(X509_NAME_set(&x->cert_info->subject,name)); - } +} int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) - { +{ ASN1_TIME *in; if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); in=x->cert_info->validity->notBefore; - if (in != tm) - { + if (in != tm) { in=M_ASN1_TIME_dup(tm); - if (in != NULL) - { + if (in != NULL) { M_ASN1_TIME_free(x->cert_info->validity->notBefore); x->cert_info->validity->notBefore=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) - { +{ ASN1_TIME *in; if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); in=x->cert_info->validity->notAfter; - if (in != tm) - { + if (in != tm) { in=M_ASN1_TIME_dup(tm); - if (in != NULL) - { + if (in != NULL) { M_ASN1_TIME_free(x->cert_info->validity->notAfter); x->cert_info->validity->notAfter=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_set_pubkey(X509 *x, EVP_PKEY *pkey) - { +{ if ((x == NULL) || (x->cert_info == NULL)) return(0); return(X509_PUBKEY_set(&(x->cert_info->key),pkey)); - } - - - +} diff --git a/lib/libcrypto/x509/x509_trs.c b/lib/libcrypto/x509/x509_trs.c index 7bb5094e640..bdda53ec6bb 100644 --- a/lib/libcrypto/x509/x509_trs.c +++ b/lib/libcrypto/x509/x509_trs.c @@ -174,7 +174,8 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), return 0; } trtmp->flags = X509_TRUST_DYNAMIC; - } else trtmp = X509_TRUST_get0(idx); + } else + trtmp = X509_TRUST_get0(idx); /* free existing name if dynamic */ if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name); @@ -208,15 +209,14 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), } static void trtable_free(X509_TRUST *p) - { +{ if(!p) return; - if (p->flags & X509_TRUST_DYNAMIC) - { + if (p->flags & X509_TRUST_DYNAMIC) { if (p->flags & X509_TRUST_DYNAMIC_NAME) free(p->name); free(p); - } } +} void X509_TRUST_cleanup(void) { diff --git a/lib/libcrypto/x509/x509_txt.c b/lib/libcrypto/x509/x509_txt.c index 27f6c7176ae..509948618e1 100644 --- a/lib/libcrypto/x509/x509_txt.c +++ b/lib/libcrypto/x509/x509_txt.c @@ -69,11 +69,10 @@ #include const char *X509_verify_cert_error_string(long n) - { +{ static char buf[100]; - switch ((int)n) - { + switch ((int)n) { case X509_V_OK: return("ok"); case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: @@ -187,7 +186,7 @@ const char *X509_verify_cert_error_string(long n) default: (void) snprintf(buf,sizeof buf,"error number %ld",n); return(buf); - } } +} diff --git a/lib/libcrypto/x509/x509_v3.c b/lib/libcrypto/x509/x509_v3.c index 42e6f0ab056..f41fab3367b 100644 --- a/lib/libcrypto/x509/x509_v3.c +++ b/lib/libcrypto/x509/x509_v3.c @@ -66,24 +66,24 @@ #include int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) - { +{ if (x == NULL) return(0); return(sk_X509_EXTENSION_num(x)); - } +} int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos) - { +{ ASN1_OBJECT *obj; obj=OBJ_nid2obj(nid); if (obj == NULL) return(-2); return(X509v3_get_ext_by_OBJ(x,obj,lastpos)); - } +} int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, int lastpos) - { +{ int n; X509_EXTENSION *ex; @@ -92,18 +92,17 @@ int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, if (lastpos < 0) lastpos=0; n=sk_X509_EXTENSION_num(sk); - for ( ; lastpos < n; lastpos++) - { + for ( ; lastpos < n; lastpos++) { ex=sk_X509_EXTENSION_value(sk,lastpos); if (OBJ_cmp(ex->object,obj) == 0) return(lastpos); - } - return(-1); } + return(-1); +} int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, int lastpos) - { +{ int n; X509_EXTENSION *ex; @@ -112,53 +111,49 @@ int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, if (lastpos < 0) lastpos=0; n=sk_X509_EXTENSION_num(sk); - for ( ; lastpos < n; lastpos++) - { + for ( ; lastpos < n; lastpos++) { ex=sk_X509_EXTENSION_value(sk,lastpos); if ( ((ex->critical > 0) && crit) || ((ex->critical <= 0) && !crit)) return(lastpos); - } - return(-1); } + return(-1); +} X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) - { +{ if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) return NULL; else return sk_X509_EXTENSION_value(x,loc); - } +} X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) - { +{ X509_EXTENSION *ret; if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) return(NULL); ret=sk_X509_EXTENSION_delete(x,loc); return(ret); - } +} STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc) - { +{ X509_EXTENSION *new_ex=NULL; int n; STACK_OF(X509_EXTENSION) *sk=NULL; - if (x == NULL) - { + if (x == NULL) { X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER); goto err2; - } + } - if (*x == NULL) - { + if (*x == NULL) { if ((sk=sk_X509_EXTENSION_new_null()) == NULL) goto err; - } - else + } else sk= *x; n=sk_X509_EXTENSION_num(sk); @@ -178,39 +173,36 @@ err2: if (new_ex != NULL) X509_EXTENSION_free(new_ex); if (sk != NULL) sk_X509_EXTENSION_free(sk); return(NULL); - } +} X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit, ASN1_OCTET_STRING *data) - { +{ ASN1_OBJECT *obj; X509_EXTENSION *ret; obj=OBJ_nid2obj(nid); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID); return(NULL); - } + } ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data); if (ret == NULL) ASN1_OBJECT_free(obj); return(ret); - } +} X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data) - { +{ X509_EXTENSION *ret; - if ((ex == NULL) || (*ex == NULL)) - { + if ((ex == NULL) || (*ex == NULL)) { if ((ret=X509_EXTENSION_new()) == NULL) - { + { X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); return(NULL); - } } - else + } else ret= *ex; if (!X509_EXTENSION_set_object(ret,obj)) @@ -226,49 +218,49 @@ err: if ((ex == NULL) || (ret != *ex)) X509_EXTENSION_free(ret); return(NULL); - } +} int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) - { +{ if ((ex == NULL) || (obj == NULL)) return(0); ASN1_OBJECT_free(ex->object); ex->object=OBJ_dup(obj); return(1); - } +} int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) - { +{ if (ex == NULL) return(0); ex->critical=(crit)?0xFF:-1; return(1); - } +} int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) - { +{ int i; if (ex == NULL) return(0); i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length); if (!i) return(0); return(1); - } +} ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex) - { +{ if (ex == NULL) return(NULL); return(ex->object); - } +} ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex) - { +{ if (ex == NULL) return(NULL); return(ex->value); - } +} int X509_EXTENSION_get_critical(X509_EXTENSION *ex) - { +{ if (ex == NULL) return(0); if(ex->critical > 0) return 1; return 0; - } +} diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 077bfd8f2d6..6e9dd7cc6a5 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -139,19 +139,19 @@ const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; static int null_callback(int ok, X509_STORE_CTX *e) - { +{ return ok; - } +} #if 0 static int x509_subject_cmp(X509 **a, X509 **b) - { +{ return X509_subject_name_cmp(*a,*b); - } +} #endif int X509_verify_cert(X509_STORE_CTX *ctx) - { +{ X509 *x,*xtmp,*chain_ss=NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; @@ -159,43 +159,38 @@ int X509_verify_cert(X509_STORE_CTX *ctx) int num; int (*cb)(int xok,X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp=NULL; - if (ctx->cert == NULL) - { + if (ctx->cert == NULL) { X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; - } + } cb=ctx->verify_cb; /* first we make sure the chain we are going to build is * present and that the first entry is in place */ - if (ctx->chain == NULL) - { + if (ctx->chain == NULL) { if ( ((ctx->chain=sk_X509_new_null()) == NULL) || - (!sk_X509_push(ctx->chain,ctx->cert))) - { + (!sk_X509_push(ctx->chain,ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; - } + } CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); ctx->last_untrusted=1; - } + } /* We use a temporary STACK so we can chop and hack at it */ if (ctx->untrusted != NULL - && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) - { + && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; - } + } num=sk_X509_num(ctx->chain); x=sk_X509_value(ctx->chain,num-1); depth=param->depth; - for (;;) - { + for (;;) { /* If we have enough, we break */ if (depth < num) break; /* FIXME: If this happens, we should take * note of it and, if appropriate, use the @@ -207,16 +202,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (ctx->check_issued(ctx, x,x)) break; /* If we were passed a cert chain, use it first */ - if (ctx->untrusted != NULL) - { + if (ctx->untrusted != NULL) { xtmp=find_issuer(ctx, sktmp,x); - if (xtmp != NULL) - { - if (!sk_X509_push(ctx->chain,xtmp)) - { + if (xtmp != NULL) { + if (!sk_X509_push(ctx->chain,xtmp)) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; - } + } CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); (void)sk_X509_delete_ptr(sktmp,xtmp); ctx->last_untrusted++; @@ -225,10 +217,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* reparse the full chain for * the next one */ continue; - } } - break; } + break; + } /* at this point, chain should contain a list of untrusted * certificates. We now need to add at least one trusted one, @@ -240,18 +232,15 @@ int X509_verify_cert(X509_STORE_CTX *ctx) i=sk_X509_num(ctx->chain); x=sk_X509_value(ctx->chain,i-1); - if (ctx->check_issued(ctx, x, x)) - { + if (ctx->check_issued(ctx, x, x)) { /* we have a self signed certificate */ - if (sk_X509_num(ctx->chain) == 1) - { + if (sk_X509_num(ctx->chain) == 1) { /* We have a single self signed certificate: see if * we can find it in the store. We must have an exact * match to avoid possible impersonation. */ ok = ctx->get_issuer(&xtmp, ctx, x); - if ((ok <= 0) || X509_cmp(x, xtmp)) - { + if ((ok <= 0) || X509_cmp(x, xtmp)) { ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; ctx->current_cert=x; ctx->error_depth=i-1; @@ -259,9 +248,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) bad_chain = 1; ok=cb(0,ctx); if (!ok) goto end; - } - else - { + } else { /* We have a match: replace certificate with store version * so we get any trust settings. */ @@ -269,21 +256,18 @@ int X509_verify_cert(X509_STORE_CTX *ctx) x = xtmp; (void)sk_X509_set(ctx->chain, i - 1, x); ctx->last_untrusted=0; - } } - else - { + } else { /* extract and save self signed certificate for later use */ chain_ss=sk_X509_pop(ctx->chain); ctx->last_untrusted--; num--; x=sk_X509_value(ctx->chain,num-1); - } } + } /* We now lookup certs from the certificate store */ - for (;;) - { + for (;;) { /* If we have enough, we break */ if (depth < num) break; @@ -296,30 +280,25 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (ok == 0) break; x = xtmp; - if (!sk_X509_push(ctx->chain,x)) - { + if (!sk_X509_push(ctx->chain,x)) { X509_free(xtmp); X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); return 0; - } - num++; } + num++; + } /* we now have our chain, lets check it... */ /* Is last certificate looked up self signed? */ - if (!ctx->check_issued(ctx,x,x)) - { - if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) - { + if (!ctx->check_issued(ctx,x,x)) { + if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num) ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; else ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; ctx->current_cert=x; - } - else - { + } else { sk_X509_push(ctx->chain,chain_ss); num++; @@ -327,13 +306,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx) ctx->current_cert=chain_ss; ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; chain_ss=NULL; - } + } ctx->error_depth=num-1; bad_chain = 1; ok=cb(0,ctx); if (!ok) goto end; - } + } /* We have the chain complete: now we need to check its purpose */ ok = check_chain_extensions(ctx); @@ -381,15 +360,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) ok = ctx->check_policy(ctx); if(!ok) goto end; - if (0) - { + if (0) { end: X509_get_pubkey_parameters(NULL,ctx->chain); - } + } if (sktmp != NULL) sk_X509_free(sktmp); if (chain_ss != NULL) X509_free(chain_ss); return ok; - } +} /* Given a STACK_OF(X509) find the issuer of cert (if any) @@ -399,12 +377,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { int i; X509 *issuer; - for (i = 0; i < sk_X509_num(sk); i++) - { + for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); if (ctx->check_issued(ctx, x, issuer)) return issuer; - } + } return NULL; } @@ -431,12 +408,10 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { *issuer = find_issuer(ctx, ctx->other_ctx, x); - if (*issuer) - { + if (*issuer) { CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); return 1; - } - else + } else return 0; } @@ -469,13 +444,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) must_be_ca = -1; /* CRL path validation */ - if (ctx->parent) - { + if (ctx->parent) { allow_proxy_certs = 0; purpose = X509_PURPOSE_CRL_SIGN; - } - else - { + } else { allow_proxy_certs = !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); /* A hack to keep people who don't want to modify their @@ -483,96 +455,82 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) allow_proxy_certs = 1; purpose = ctx->param->purpose; - } + } /* Check all untrusted certificates */ - for (i = 0; i < ctx->last_untrusted; i++) - { + for (i = 0; i < ctx->last_untrusted; i++) { int ret; x = sk_X509_value(ctx->chain, i); if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (x->ex_flags & EXFLAG_CRITICAL)) - { + && (x->ex_flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } - if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) - { + } + if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } + } ret = X509_check_ca(x); - switch(must_be_ca) - { + switch(must_be_ca) { case -1: if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1) && (ret != 0)) - { + && (ret != 1) && (ret != 0)) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; - } - else + } else ret = 1; break; case 0: - if (ret != 0) - { + if (ret != 0) { ret = 0; ctx->error = X509_V_ERR_INVALID_NON_CA; - } - else + } else ret = 1; break; default: if ((ret == 0) || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) - { + && (ret != 1))) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; - } - else + } else ret = 1; break; - } - if (ret == 0) - { + } + if (ret == 0) { ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } - if (ctx->param->purpose > 0) - { + } + if (ctx->param->purpose > 0) { ret = X509_check_purpose(x, purpose, must_be_ca > 0); if ((ret == 0) || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) - { + && (ret != 1))) { ctx->error = X509_V_ERR_INVALID_PURPOSE; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } } + } /* Check pathlen if not self issued */ if ((i > 1) && !(x->ex_flags & EXFLAG_SI) && (x->ex_pathlen != -1) - && (plen > (x->ex_pathlen + proxy_path_length + 1))) - { + && (plen > (x->ex_pathlen + proxy_path_length + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } + } /* Increment path length if not self issued */ if (!(x->ex_flags & EXFLAG_SI)) plen++; @@ -580,23 +538,20 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) certificate must be another proxy certificate or a EE certificate. If not, the next certificate must be a CA certificate. */ - if (x->ex_flags & EXFLAG_PROXY) - { - if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) - { + if (x->ex_flags & EXFLAG_PROXY) { + if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } + } proxy_path_length++; must_be_ca = 0; - } - else + } else must_be_ca = 1; - } + } ok = 1; end: return ok; @@ -604,12 +559,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) } static int check_name_constraints(X509_STORE_CTX *ctx) - { +{ X509 *x; int i, j, rv; /* Check name constraints for all certificates */ - for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) - { + for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { x = sk_X509_value(ctx->chain, i); /* Ignore self issued certs unless last in chain */ if (i && (x->ex_flags & EXFLAG_SI)) @@ -619,25 +573,22 @@ static int check_name_constraints(X509_STORE_CTX *ctx) * speaking needed but if it includes constraints it is to be * assumed it expects them to be obeyed. */ - for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) - { + for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) { NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; - if (nc) - { + if (nc) { rv = NAME_CONSTRAINTS_check(x, nc); - if (rv != X509_V_OK) - { + if (rv != X509_V_OK) { ctx->error = rv; ctx->error_depth = i; ctx->current_cert = x; if (!ctx->verify_cb(0,ctx)) return 0; - } } } } - return 1; } + return 1; +} static int check_trust(X509_STORE_CTX *ctx) { @@ -666,30 +617,27 @@ static int check_trust(X509_STORE_CTX *ctx) } static int check_revocation(X509_STORE_CTX *ctx) - { +{ int i, last, ok; if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) return 1; if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) last = sk_X509_num(ctx->chain) - 1; - else - { + else { /* If checking CRL paths this isn't the EE certificate */ if (ctx->parent) return 1; last = 0; - } - for(i = 0; i <= last; i++) - { + } + for(i = 0; i <= last; i++) { ctx->error_depth = i; ok = check_cert(ctx); if (!ok) return ok; - } - return 1; } + return 1; +} -static int check_cert(X509_STORE_CTX *ctx) - { +static int check_cert(X509_STORE_CTX *ctx) { X509_CRL *crl = NULL, *dcrl = NULL; X509 *x; int ok, cnum; @@ -700,8 +648,7 @@ static int check_cert(X509_STORE_CTX *ctx) ctx->current_issuer = NULL; ctx->current_crl_score = 0; ctx->current_reasons = 0; - while (ctx->current_reasons != CRLDP_ALL_REASONS) - { + while (ctx->current_reasons != CRLDP_ALL_REASONS) { last_reasons = ctx->current_reasons; /* Try to retrieve relevant CRL */ if (ctx->get_crl) @@ -711,36 +658,32 @@ static int check_cert(X509_STORE_CTX *ctx) /* If error looking up CRL, nothing we can do except * notify callback */ - if(!ok) - { + if(!ok) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; ok = ctx->verify_cb(0, ctx); goto err; - } + } ctx->current_crl = crl; ok = ctx->check_crl(ctx, crl); if (!ok) goto err; - if (dcrl) - { + if (dcrl) { ok = ctx->check_crl(ctx, dcrl); if (!ok) goto err; ok = ctx->cert_crl(ctx, dcrl, x); if (!ok) goto err; - } - else + } else ok = 1; /* Don't look in full CRL if delta reason is removefromCRL */ - if (ok != 2) - { + if (ok != 2) { ok = ctx->cert_crl(ctx, crl, x); if (!ok) goto err; - } + } X509_CRL_free(crl); X509_CRL_free(dcrl); @@ -749,26 +692,25 @@ static int check_cert(X509_STORE_CTX *ctx) /* If reasons not updated we wont get anywhere by * another iteration, so exit loop. */ - if (last_reasons == ctx->current_reasons) - { + if (last_reasons == ctx->current_reasons) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; ok = ctx->verify_cb(0, ctx); goto err; - } } - err: + } +err: X509_CRL_free(crl); X509_CRL_free(dcrl); ctx->current_crl = NULL; return ok; - } +} /* Check CRL times against values in X509_STORE_CTX */ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) - { +{ time_t *ptime; int i; if (notify) @@ -779,80 +721,72 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) ptime = NULL; i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); - if (i == 0) - { + if (i == 0) { if (!notify) return 0; ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if (i > 0) - { + if (i > 0) { if (!notify) return 0; ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if(X509_CRL_get_nextUpdate(crl)) - { + if(X509_CRL_get_nextUpdate(crl)) { i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); - if (i == 0) - { + if (i == 0) { if (!notify) return 0; ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; if (!ctx->verify_cb(0, ctx)) return 0; - } + } /* Ignore expiry of base CRL is delta is valid */ - if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) - { + if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { if (!notify) return 0; ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; if (!ctx->verify_cb(0, ctx)) return 0; - } } + } if (notify) ctx->current_crl = NULL; return 1; - } +} static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 **pissuer, int *pscore, unsigned int *preasons, STACK_OF(X509_CRL) *crls) - { +{ int i, crl_score, best_score = *pscore; unsigned int reasons, best_reasons = 0; X509 *x = ctx->current_cert; X509_CRL *crl, *best_crl = NULL; X509 *crl_issuer = NULL, *best_crl_issuer = NULL; - for (i = 0; i < sk_X509_CRL_num(crls); i++) - { + for (i = 0; i < sk_X509_CRL_num(crls); i++) { crl = sk_X509_CRL_value(crls, i); reasons = *preasons; crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); - if (crl_score > best_score) - { + if (crl_score > best_score) { best_crl = crl; best_crl_issuer = crl_issuer; best_score = crl_score; best_reasons = reasons; - } } + } - if (best_crl) - { + if (best_crl) { if (*pcrl) X509_CRL_free(*pcrl); *pcrl = best_crl; @@ -860,49 +794,44 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, *pscore = best_score; *preasons = best_reasons; CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); - if (*pdcrl) - { + if (*pdcrl) { X509_CRL_free(*pdcrl); *pdcrl = NULL; - } - get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); } + get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); + } if (best_score >= CRL_SCORE_VALID) return 1; return 0; - } +} /* Compare two CRL extensions for delta checking purposes. They should be * both present or both absent. If both present all fields must be identical. */ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) - { +{ ASN1_OCTET_STRING *exta, *extb; int i; i = X509_CRL_get_ext_by_NID(a, nid, -1); - if (i >= 0) - { + if (i >= 0) { /* Can't have multiple occurrences */ if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) return 0; exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); - } - else + } else exta = NULL; i = X509_CRL_get_ext_by_NID(b, nid, -1); - if (i >= 0) - { + if (i >= 0) { if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) return 0; extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); - } - else + } else extb = NULL; if (!exta && !extb) @@ -916,12 +845,12 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) return 0; return 1; - } +} /* See if a base and delta are compatible */ static int check_delta_base(X509_CRL *delta, X509_CRL *base) - { +{ /* Delta CRL must be a delta */ if (!delta->base_crl_number) return 0; @@ -944,7 +873,7 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base) if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) return 1; return 0; - } +} /* For a given base CRL find a delta... maybe extend to delta scoring * or retrieve a chain of deltas... @@ -952,27 +881,25 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base) static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base, STACK_OF(X509_CRL) *crls) - { +{ X509_CRL *delta; int i; if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) return; if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) return; - for (i = 0; i < sk_X509_CRL_num(crls); i++) - { + for (i = 0; i < sk_X509_CRL_num(crls); i++) { delta = sk_X509_CRL_value(crls, i); - if (check_delta_base(delta, base)) - { + if (check_delta_base(delta, base)) { if (check_crl_time(ctx, delta, 0)) *pscore |= CRL_SCORE_TIME_DELTA; CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); *dcrl = delta; return; - } } - *dcrl = NULL; } + *dcrl = NULL; +} /* For a given CRL return how suitable it is for the supplied certificate 'x'. * The return value is a mask of several criteria. @@ -984,7 +911,7 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, X509_CRL *crl, X509 *x) - { +{ int crl_score = 0; unsigned int tmp_reasons = *preasons, crl_reasons; @@ -995,27 +922,22 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, if (crl->idp_flags & IDP_INVALID) return 0; /* Reason codes or indirect CRLs need extended CRL support */ - if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) - { + if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) { if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) return 0; - } - else if (crl->idp_flags & IDP_REASONS) - { + } else if (crl->idp_flags & IDP_REASONS) { /* If no new reasons reject */ if (!(crl->idp_reasons & ~tmp_reasons)) return 0; - } + } /* Don't process deltas at this stage */ else if (crl->base_crl_number) return 0; /* If issuer name doesn't match certificate need indirect CRL */ - if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) - { + if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) { if (!(crl->idp_flags & IDP_INDIRECT)) return 0; - } - else + } else crl_score |= CRL_SCORE_ISSUER_NAME; if (!(crl->flags & EXFLAG_CRITICAL)) @@ -1035,24 +957,23 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, /* Check cert for matching CRL distribution points */ - if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) - { + if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) { /* If no new reasons reject */ if (!(crl_reasons & ~tmp_reasons)) return 0; tmp_reasons |= crl_reasons; crl_score |= CRL_SCORE_SCOPE; - } + } *preasons = tmp_reasons; return crl_score; - } +} static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, int *pcrl_score) - { +{ X509 *crl_issuer = NULL; X509_NAME *cnm = X509_CRL_get_issuer(crl); int cidx = ctx->error_depth; @@ -1063,28 +984,24 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, crl_issuer = sk_X509_value(ctx->chain, cidx); - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) - { - if (*pcrl_score & CRL_SCORE_ISSUER_NAME) - { + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { + if (*pcrl_score & CRL_SCORE_ISSUER_NAME) { *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; *pissuer = crl_issuer; return; - } } + } - for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) - { + for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) { crl_issuer = sk_X509_value(ctx->chain, cidx); if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) continue; - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) - { + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; *pissuer = crl_issuer; return; - } } + } /* Anything else needs extended CRL support */ @@ -1094,19 +1011,17 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, /* Otherwise the CRL issuer is not on the path. Look for it in the * set of untrusted certificates. */ - for (i = 0; i < sk_X509_num(ctx->untrusted); i++) - { + for (i = 0; i < sk_X509_num(ctx->untrusted); i++) { crl_issuer = sk_X509_value(ctx->untrusted, i); if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) continue; - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) - { + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { *pissuer = crl_issuer; *pcrl_score |= CRL_SCORE_AKID; return; - } } } +} /* Check the path of a CRL issuer certificate. This creates a new * X509_STORE_CTX and populates it with most of the parameters from the @@ -1116,7 +1031,7 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, */ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) - { +{ X509_STORE_CTX crl_ctx; int ret; /* Don't allow recursive CRL path validation */ @@ -1144,7 +1059,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) err: X509_STORE_CTX_cleanup(&crl_ctx); return ret; - } +} /* RFC3280 says nothing about the relationship between CRL path * and certificate path, which could lead to situations where a @@ -1157,14 +1072,14 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, STACK_OF(X509) *crl_path) - { +{ X509 *cert_ta, *crl_ta; cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); if (!X509_cmp(cert_ta, crl_ta)) return 1; return 0; - } +} /* Check for match between two dist point names: three separate cases. * 1. Both are relative names and compare X509_NAME types. @@ -1175,125 +1090,110 @@ static int check_crl_chain(X509_STORE_CTX *ctx, static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) - { +{ X509_NAME *nm = NULL; GENERAL_NAMES *gens = NULL; GENERAL_NAME *gena, *genb; int i, j; if (!a || !b) return 1; - if (a->type == 1) - { + if (a->type == 1) { if (!a->dpname) return 0; /* Case 1: two X509_NAME */ - if (b->type == 1) - { + if (b->type == 1) { if (!b->dpname) return 0; if (!X509_NAME_cmp(a->dpname, b->dpname)) return 1; else return 0; - } + } /* Case 2: set name and GENERAL_NAMES appropriately */ nm = a->dpname; gens = b->name.fullname; - } - else if (b->type == 1) - { + } else if (b->type == 1) { if (!b->dpname) return 0; /* Case 2: set name and GENERAL_NAMES appropriately */ gens = a->name.fullname; nm = b->dpname; - } + } /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ - if (nm) - { - for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) - { + if (nm) { + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { gena = sk_GENERAL_NAME_value(gens, i); if (gena->type != GEN_DIRNAME) continue; if (!X509_NAME_cmp(nm, gena->d.directoryName)) return 1; - } - return 0; } + return 0; + } /* Else case 3: two GENERAL_NAMES */ - for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) - { + for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) { gena = sk_GENERAL_NAME_value(a->name.fullname, i); - for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) - { + for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) { genb = sk_GENERAL_NAME_value(b->name.fullname, j); if (!GENERAL_NAME_cmp(gena, genb)) return 1; - } } + } return 0; - } +} static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) - { +{ int i; X509_NAME *nm = X509_CRL_get_issuer(crl); /* If no CRLissuer return is successful iff don't need a match */ if (!dp->CRLissuer) return !!(crl_score & CRL_SCORE_ISSUER_NAME); - for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) - { + for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); if (gen->type != GEN_DIRNAME) continue; if (!X509_NAME_cmp(gen->d.directoryName, nm)) return 1; - } - return 0; } + return 0; +} /* Check CRLDP and IDP */ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons) - { +{ int i; if (crl->idp_flags & IDP_ONLYATTR) return 0; - if (x->ex_flags & EXFLAG_CA) - { + if (x->ex_flags & EXFLAG_CA) { if (crl->idp_flags & IDP_ONLYUSER) return 0; - } - else - { + } else { if (crl->idp_flags & IDP_ONLYCA) return 0; - } + } *preasons = crl->idp_reasons; - for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) - { + for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); - if (crldp_check_crlissuer(dp, crl, crl_score)) - { + if (crldp_check_crlissuer(dp, crl, crl_score)) { if (!crl->idp || - idp_check_dp(dp->distpoint, crl->idp->distpoint)) - { + idp_check_dp(dp->distpoint, crl->idp->distpoint)) { *preasons &= dp->dp_reasons; return 1; - } } } + } if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) return 1; return 0; - } +} /* Retrieve CRL corresponding to current certificate. * If deltas enabled try to find a delta CRL too @@ -1301,7 +1201,7 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) - { +{ int ok; X509 *issuer = NULL; int crl_score = 0; @@ -1331,129 +1231,113 @@ static int get_crl_delta(X509_STORE_CTX *ctx, done: /* If we got any kind of CRL use it and return success */ - if (crl) - { + if (crl) { ctx->current_issuer = issuer; ctx->current_crl_score = crl_score; ctx->current_reasons = reasons; *pcrl = crl; *pdcrl = dcrl; return 1; - } + } return 0; - } +} /* Check CRL validity */ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) - { +{ X509 *issuer = NULL; EVP_PKEY *ikey = NULL; int ok = 0, chnum, cnum; cnum = ctx->error_depth; chnum = sk_X509_num(ctx->chain) - 1; /* if we have an alternative CRL issuer cert use that */ - if (ctx->current_issuer) + if (ctx->current_issuer) { issuer = ctx->current_issuer; - - /* Else find CRL issuer: if not last certificate then issuer - * is next certificate in chain. - */ - else if (cnum < chnum) + } else if (cnum < chnum) { + /* Else find CRL issuer: if not last certificate then issuer + * is next certificate in chain. + */ issuer = sk_X509_value(ctx->chain, cnum + 1); - else - { + } else { issuer = sk_X509_value(ctx->chain, chnum); /* If not self signed, can't check signature */ - if(!ctx->check_issued(ctx, issuer, issuer)) - { + if(!ctx->check_issued(ctx, issuer, issuer)) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } } + } - if(issuer) - { + if(issuer) { /* Skip most tests for deltas because they have already * been done */ - if (!crl->base_crl_number) - { + if (!crl->base_crl_number) { /* Check for cRLSign bit if keyUsage present */ if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN)) - { + !(issuer->ex_kusage & KU_CRL_SIGN)) { ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } + } - if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) - { + if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } + } - if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) - { - if (check_crl_path(ctx, ctx->current_issuer) <= 0) - { + if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { + if (check_crl_path(ctx, ctx->current_issuer) <= 0) { ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } } + } - if (crl->idp_flags & IDP_INVALID) - { + if (crl->idp_flags & IDP_INVALID) { ctx->error = X509_V_ERR_INVALID_EXTENSION; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } + } - } + } - if (!(ctx->current_crl_score & CRL_SCORE_TIME)) - { + if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { ok = check_crl_time(ctx, crl, 1); if (!ok) goto err; - } + } /* Attempt to get issuer certificate public key */ ikey = X509_get_pubkey(issuer); - if(!ikey) - { + if(!ikey) { ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; - } - else - { + } else { /* Verify CRL signature */ - if(X509_CRL_verify(crl, ikey) <= 0) - { + if(X509_CRL_verify(crl, ikey) <= 0) { ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; - } } } + } ok = 1; - err: +err: EVP_PKEY_free(ikey); return ok; - } +} /* Check certificate against CRL */ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) - { +{ int ok; X509_REVOKED *rev; /* The rules changed for this... previously if a CRL contained @@ -1462,51 +1346,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) * critical extension can change the meaning of CRL entries. */ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (crl->flags & EXFLAG_CRITICAL)) - { + && (crl->flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; ok = ctx->verify_cb(0, ctx); if(!ok) return 0; - } + } /* Look for serial number of certificate in CRL * If found make sure reason is not removeFromCRL. */ - if (X509_CRL_get0_by_cert(crl, &rev, x)) - { + if (X509_CRL_get0_by_cert(crl, &rev, x)) { if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) return 2; ctx->error = X509_V_ERR_CERT_REVOKED; ok = ctx->verify_cb(0, ctx); if (!ok) return 0; - } + } return 1; - } +} static int check_policy(X509_STORE_CTX *ctx) - { +{ int ret; if (ctx->parent) return 1; ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, ctx->param->policies, ctx->param->flags); - if (ret == 0) - { + if (ret == 0) { X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); return 0; - } + } /* Invalid or inconsistent extensions */ - if (ret == -1) - { + if (ret == -1) { /* Locate certificates with bad extensions and notify * callback. */ X509 *x; int i; - for (i = 1; i < sk_X509_num(ctx->chain); i++) - { + for (i = 1; i < sk_X509_num(ctx->chain); i++) { x = sk_X509_value(ctx->chain, i); if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) continue; @@ -1514,29 +1393,27 @@ static int check_policy(X509_STORE_CTX *ctx) ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; if(!ctx->verify_cb(0, ctx)) return 0; - } - return 1; } - if (ret == -2) - { + return 1; + } + if (ret == -2) { ctx->current_cert = NULL; ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; return ctx->verify_cb(0, ctx); - } + } - if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) - { + if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { ctx->current_cert = NULL; ctx->error = X509_V_OK; if (!ctx->verify_cb(2, ctx)) return 0; - } + } return 1; - } +} static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) - { +{ time_t *ptime; int i; @@ -1546,44 +1423,40 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) ptime = NULL; i=X509_cmp_time(X509_get_notBefore(x), ptime); - if (i == 0) - { + if (i == 0) { ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if (i > 0) - { + if (i > 0) { ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } i=X509_cmp_time(X509_get_notAfter(x), ptime); - if (i == 0) - { + if (i == 0) { ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if (i < 0) - { + if (i < 0) { ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } return 1; - } +} static int internal_verify(X509_STORE_CTX *ctx) - { +{ int ok=0,n; X509 *xs,*xi; EVP_PKEY *pkey=NULL; @@ -1598,55 +1471,45 @@ static int internal_verify(X509_STORE_CTX *ctx) if (ctx->check_issued(ctx, xi, xi)) xs=xi; - else - { - if (n <= 0) - { + else { + if (n <= 0) { ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; ctx->current_cert=xi; ok=cb(0,ctx); goto end; - } - else - { + } else { n--; ctx->error_depth=n; xs=sk_X509_value(ctx->chain,n); - } } + } /* ctx->error=0; not needed */ - while (n >= 0) - { + while (n >= 0) { ctx->error_depth=n; /* Skip signature check for self signed certificates unless * explicitly asked for. It doesn't add any security and * just wastes time. */ - if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) - { - if ((pkey=X509_get_pubkey(xi)) == NULL) - { + if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { + if ((pkey=X509_get_pubkey(xi)) == NULL) { ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ctx->current_cert=xi; ok=(*cb)(0,ctx); if (!ok) goto end; - } - else if (X509_verify(xs,pkey) <= 0) - { + } else if (X509_verify(xs,pkey) <= 0) { ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; ctx->current_cert=xs; ok=(*cb)(0,ctx); - if (!ok) - { + if (!ok) { EVP_PKEY_free(pkey); goto end; - } } + } EVP_PKEY_free(pkey); pkey=NULL; - } + } xs->valid = 1; @@ -1661,16 +1524,15 @@ static int internal_verify(X509_STORE_CTX *ctx) if (!ok) goto end; n--; - if (n >= 0) - { + if (n >= 0) { xi=xs; xs=sk_X509_value(ctx->chain,n); - } } + } ok=1; end: return ok; - } +} int X509_cmp_current_time(const ASN1_TIME *ctm) { @@ -1678,7 +1540,7 @@ int X509_cmp_current_time(const ASN1_TIME *ctm) } int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) - { +{ char *str; ASN1_TIME atm; long offset; @@ -1688,49 +1550,44 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) p=buff1; i=ctm->length; str=(char *)ctm->data; - if (ctm->type == V_ASN1_UTCTIME) - { + if (ctm->type == V_ASN1_UTCTIME) { if ((i < 11) || (i > 17)) return 0; memcpy(p,str,10); p+=10; str+=10; - } - else - { + } else { if (i < 13) return 0; memcpy(p,str,12); p+=12; str+=12; - } + } - if ((*str == 'Z') || (*str == '-') || (*str == '+')) - { *(p++)='0'; *(p++)='0'; } - else - { + if ((*str == 'Z') || (*str == '-') || (*str == '+')) { + *(p++)='0'; + *(p++)='0'; + } else { *(p++)= *(str++); *(p++)= *(str++); /* Skip any fractional seconds... */ - if (*str == '.') - { + if (*str == '.') { str++; while ((*str >= '0') && (*str <= '9')) str++; - } - } + + } *(p++)='Z'; *(p++)='\0'; if (*str == 'Z') offset=0; - else - { + else { if ((*str != '+') && (*str != '-')) return 0; offset=((str[1]-'0')*10+(str[2]-'0'))*60; offset+=(str[3]-'0')*10+(str[4]-'0'); if (*str == '-') offset= -offset; - } + } atm.type=ctm->type; atm.flags = 0; atm.length=sizeof(buff2); @@ -1739,8 +1596,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) return 0; - if (ctm->type == V_ASN1_UTCTIME) - { + if (ctm->type == V_ASN1_UTCTIME) { i=(buff1[0]-'0')*10+(buff1[1]-'0'); if (i < 50) i+=100; /* cf. RFC 2459 */ j=(buff2[0]-'0')*10+(buff2[1]-'0'); @@ -1748,13 +1604,13 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) if (i < j) return -1; if (i > j) return 1; - } + } i=strcmp(buff1,buff2); if (i == 0) /* wait a second then return younger :-) */ return -1; else return i; - } +} ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) { @@ -1762,168 +1618,161 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) } ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) - { +{ return X509_time_adj_ex(s, 0, offset_sec, in_tm); - } +} ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm) - { +{ time_t t; if (in_tm) t = *in_tm; else time(&t); - if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) - { + if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) { if (s->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); if (s->type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec); - } - return ASN1_TIME_adj(s, t, offset_day, offset_sec); } + return ASN1_TIME_adj(s, t, offset_day, offset_sec); +} int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) - { +{ EVP_PKEY *ktmp=NULL,*ktmp2; int i,j; if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; - for (i=0; i= 0; j--) - { + for (j=i-1; j >= 0; j--) { ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); EVP_PKEY_copy_parameters(ktmp2,ktmp); EVP_PKEY_free(ktmp2); - } + } if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); EVP_PKEY_free(ktmp); return 1; - } +} int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) - { +{ /* This function is (usually) called only once, by * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, new_func, dup_func, free_func); - } +} int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) - { +{ return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); - } +} void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) - { +{ return CRYPTO_get_ex_data(&ctx->ex_data,idx); - } +} int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) - { +{ return ctx->error; - } +} void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) - { +{ ctx->error=err; - } +} int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) - { +{ return ctx->error_depth; - } +} X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) - { +{ return ctx->current_cert; - } +} STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) - { +{ return ctx->chain; - } +} STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) - { +{ int i; X509 *x; STACK_OF(X509) *chain; if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; - for (i = 0; i < sk_X509_num(chain); i++) - { + for (i = 0; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); - } - return chain; } + return chain; +} X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) - { +{ return ctx->current_issuer; - } +} X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) - { +{ return ctx->current_crl; - } +} X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) - { +{ return ctx->parent; - } +} void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) - { +{ ctx->cert=x; - } +} void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) - { +{ ctx->untrusted=sk; - } +} void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) - { +{ ctx->crls=sk; - } +} int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) - { +{ return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); - } +} int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) - { +{ return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); - } +} /* This function is used to set the X509_STORE_CTX purpose and trust * values. This is intended to be used when another structure has its @@ -1942,41 +1791,35 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, /* If purpose not set use default */ if (!purpose) purpose = def_purpose; /* If we have a purpose then check it is valid */ - if (purpose) - { + if (purpose) { X509_PURPOSE *ptmp; idx = X509_PURPOSE_get_by_id(purpose); - if (idx == -1) - { + if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_PURPOSE_ID); return 0; - } + } ptmp = X509_PURPOSE_get0(idx); - if (ptmp->trust == X509_TRUST_DEFAULT) - { + if (ptmp->trust == X509_TRUST_DEFAULT) { idx = X509_PURPOSE_get_by_id(def_purpose); - if (idx == -1) - { + if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_PURPOSE_ID); return 0; - } - ptmp = X509_PURPOSE_get0(idx); } + ptmp = X509_PURPOSE_get0(idx); + } /* If trust not set then get from purpose default */ if (!trust) trust = ptmp->trust; - } - if (trust) - { + } + if (trust) { idx = X509_TRUST_get_by_id(trust); - if (idx == -1) - { + if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_TRUST_ID); return 0; - } } + } if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; if (trust && !ctx->param->trust) ctx->param->trust = trust; @@ -1987,11 +1830,10 @@ X509_STORE_CTX *X509_STORE_CTX_new(void) { X509_STORE_CTX *ctx; ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX)); - if (!ctx) - { + if (!ctx) { X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); return NULL; - } + } memset(ctx, 0, sizeof(X509_STORE_CTX)); return ctx; } @@ -2004,7 +1846,7 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx) int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain) - { +{ int ret = 1; ctx->ctx=store; ctx->current_method=0; @@ -2028,11 +1870,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->param = X509_VERIFY_PARAM_new(); - if (!ctx->param) - { + if (!ctx->param) { X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); return 0; - } + } /* Inherit callbacks and flags from X509_STORE if not set * use defaults. @@ -2044,23 +1885,20 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, else ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; - if (store) - { + if (store) { ctx->verify_cb = store->verify_cb; ctx->cleanup = store->cleanup; - } - else + } else ctx->cleanup = 0; if (ret) ret = X509_VERIFY_PARAM_inherit(ctx->param, X509_VERIFY_PARAM_lookup("default")); - if (ret == 0) - { + if (ret == 0) { X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); return 0; - } + } if (store && store->check_issued) ctx->check_issued = store->check_issued; @@ -2120,14 +1958,13 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, * corresponding "new" here and remove this bogus initialisation. */ /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, - &(ctx->ex_data))) - { + &(ctx->ex_data))) { free(ctx); X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); return 0; - } - return 1; } + return 1; +} /* Set alternative lookup method: just a STACK of trusted certificates. * This avoids X509_STORE nastiness where it isn't needed. @@ -2140,79 +1977,76 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) } void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) - { +{ if (ctx->cleanup) ctx->cleanup(ctx); - if (ctx->param != NULL) - { + if (ctx->param != NULL) { if (ctx->parent == NULL) X509_VERIFY_PARAM_free(ctx->param); ctx->param=NULL; - } - if (ctx->tree != NULL) - { + } + if (ctx->tree != NULL) { X509_policy_tree_free(ctx->tree); ctx->tree=NULL; - } - if (ctx->chain != NULL) - { + } + if (ctx->chain != NULL) { sk_X509_pop_free(ctx->chain,X509_free); ctx->chain=NULL; - } + } CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); - } +} void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) - { +{ X509_VERIFY_PARAM_set_depth(ctx->param, depth); - } +} void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) - { +{ X509_VERIFY_PARAM_set_flags(ctx->param, flags); - } +} void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) - { +{ X509_VERIFY_PARAM_set_time(ctx->param, t); - } +} void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)) - { +{ ctx->verify_cb=verify_cb; - } +} X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) - { +{ return ctx->tree; - } +} int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) - { +{ return ctx->explicit_policy; - } +} int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) - { +{ const X509_VERIFY_PARAM *param; param = X509_VERIFY_PARAM_lookup(name); if (!param) return 0; return X509_VERIFY_PARAM_inherit(ctx->param, param); - } +} X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) - { +{ return ctx->param; - } +} void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) - { +{ if (ctx->param) X509_VERIFY_PARAM_free(ctx->param); ctx->param = param; - } +} IMPLEMENT_STACK_OF(X509) IMPLEMENT_ASN1_SET_OF(X509) diff --git a/lib/libcrypto/x509/x509_vpm.c b/lib/libcrypto/x509/x509_vpm.c index 5e3eba4029b..7f0824f75ee 100644 --- a/lib/libcrypto/x509/x509_vpm.c +++ b/lib/libcrypto/x509/x509_vpm.c @@ -68,7 +68,7 @@ /* X509_VERIFY_PARAM functions */ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) - { +{ if (!param) return; param->name = NULL; @@ -78,27 +78,26 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) param->inh_flags = 0; param->flags = 0; param->depth = -1; - if (param->policies) - { + if (param->policies) { sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); param->policies = NULL; - } } +} X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) - { +{ X509_VERIFY_PARAM *param; param = malloc(sizeof(X509_VERIFY_PARAM)); memset(param, 0, sizeof(X509_VERIFY_PARAM)); x509_verify_param_zero(param); return param; - } +} void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) - { +{ x509_verify_param_zero(param); free(param); - } +} /* This function determines how parameters are "inherited" from one structure * to another. There are several different ways this can happen. @@ -146,7 +145,7 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) - { +{ unsigned long inh_flags; int to_default, to_overwrite; if (!src) @@ -175,104 +174,101 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, /* If overwrite or check time not set, copy across */ - if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) - { + if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) { dest->check_time = src->check_time; dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME; /* Don't need to copy flag: that is done below */ - } + } if (inh_flags & X509_VP_FLAG_RESET_FLAGS) dest->flags = 0; dest->flags |= src->flags; - if (test_x509_verify_param_copy(policies, NULL)) - { + if (test_x509_verify_param_copy(policies, NULL)) { if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies)) return 0; - } + } return 1; - } +} int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from) - { +{ unsigned long save_flags = to->inh_flags; int ret; to->inh_flags |= X509_VP_FLAG_DEFAULT; ret = X509_VERIFY_PARAM_inherit(to, from); to->inh_flags = save_flags; return ret; - } +} int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) - { +{ if (param->name) free(param->name); param->name = BUF_strdup(name); if (param->name) return 1; return 0; - } +} int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) - { +{ param->flags |= flags; if (flags & X509_V_FLAG_POLICY_MASK) param->flags |= X509_V_FLAG_POLICY_CHECK; return 1; - } +} int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) - { +{ param->flags &= ~flags; return 1; - } +} unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) - { +{ return param->flags; - } +} int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) - { +{ return X509_PURPOSE_set(¶m->purpose, purpose); - } +} int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) - { +{ return X509_TRUST_set(¶m->trust, trust); - } +} void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) - { +{ param->depth = depth; - } +} void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) - { +{ param->check_time = t; param->flags |= X509_V_FLAG_USE_CHECK_TIME; - } +} int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) - { - if (!param->policies) - { +{ + if (!param->policies) { param->policies = sk_ASN1_OBJECT_new_null(); if (!param->policies) return 0; - } + } if (!sk_ASN1_OBJECT_push(param->policies, policy)) return 0; return 1; - } +} int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, STACK_OF(ASN1_OBJECT) *policies) - { +{ int i; ASN1_OBJECT *oid, *doid; if (!param) @@ -280,36 +276,33 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, if (param->policies) sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); - if (!policies) - { + if (!policies) { param->policies = NULL; return 1; - } + } param->policies = sk_ASN1_OBJECT_new_null(); if (!param->policies) return 0; - for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) - { + for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) { oid = sk_ASN1_OBJECT_value(policies, i); doid = OBJ_dup(oid); if (!doid) return 0; - if (!sk_ASN1_OBJECT_push(param->policies, doid)) - { + if (!sk_ASN1_OBJECT_push(param->policies, doid)) { ASN1_OBJECT_free(doid); return 0; - } } + } param->flags |= X509_V_FLAG_POLICY_CHECK; return 1; - } +} int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) - { +{ return param->depth; - } +} /* Default verify parameters: these are used for various * applications and can be overridden by the user specified table. @@ -367,15 +360,16 @@ static const X509_VERIFY_PARAM default_table[] = { X509_TRUST_SSL_SERVER, /* trust */ -1, /* depth */ NULL /* policies */ - }}; + } +}; static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL; static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) - { +{ return strcmp(a->name, b->name); - } +} DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table); @@ -384,55 +378,50 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, static int param_cmp(const X509_VERIFY_PARAM * const *a, const X509_VERIFY_PARAM * const *b) - { +{ return strcmp((*a)->name, (*b)->name); - } +} int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) - { +{ int idx; X509_VERIFY_PARAM *ptmp; - if (!param_table) - { + if (!param_table) { param_table = sk_X509_VERIFY_PARAM_new(param_cmp); if (!param_table) return 0; - } - else - { + } else { idx = sk_X509_VERIFY_PARAM_find(param_table, param); - if (idx != -1) - { + if (idx != -1) { ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx); X509_VERIFY_PARAM_free(ptmp); (void)sk_X509_VERIFY_PARAM_delete(param_table, idx); - } } + } if (!sk_X509_VERIFY_PARAM_push(param_table, param)) return 0; return 1; - } +} const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) - { +{ int idx; X509_VERIFY_PARAM pm; pm.name = (char *)name; - if (param_table) - { + if (param_table) { idx = sk_X509_VERIFY_PARAM_find(param_table, &pm); if (idx != -1) return sk_X509_VERIFY_PARAM_value(param_table, idx); - } + } return OBJ_bsearch_table(&pm, default_table, sizeof(default_table)/sizeof(X509_VERIFY_PARAM)); - } +} void X509_VERIFY_PARAM_table_cleanup(void) - { +{ if (param_table) sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free); param_table = NULL; - } +} diff --git a/lib/libcrypto/x509/x509cset.c b/lib/libcrypto/x509/x509cset.c index 3109defb0b2..bb39cf4e04e 100644 --- a/lib/libcrypto/x509/x509cset.c +++ b/lib/libcrypto/x509/x509cset.c @@ -64,107 +64,97 @@ #include int X509_CRL_set_version(X509_CRL *x, long version) - { +{ if (x == NULL) return(0); - if (x->crl->version == NULL) - { + if (x->crl->version == NULL) { if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL) return(0); - } - return(ASN1_INTEGER_set(x->crl->version,version)); } + return(ASN1_INTEGER_set(x->crl->version,version)); +} int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name) - { +{ if ((x == NULL) || (x->crl == NULL)) return(0); return(X509_NAME_set(&x->crl->issuer,name)); - } +} int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) - { +{ ASN1_TIME *in; if (x == NULL) return(0); in=x->crl->lastUpdate; - if (in != tm) - { + if (in != tm) { in=M_ASN1_TIME_dup(tm); - if (in != NULL) - { + if (in != NULL) { M_ASN1_TIME_free(x->crl->lastUpdate); x->crl->lastUpdate=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) - { +{ ASN1_TIME *in; if (x == NULL) return(0); in=x->crl->nextUpdate; - if (in != tm) - { + if (in != tm) { in=M_ASN1_TIME_dup(tm); - if (in != NULL) - { + if (in != NULL) { M_ASN1_TIME_free(x->crl->nextUpdate); x->crl->nextUpdate=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_CRL_sort(X509_CRL *c) - { +{ int i; X509_REVOKED *r; /* sort the data so it will be written in serial * number order */ sk_X509_REVOKED_sort(c->crl->revoked); - for (i=0; icrl->revoked); i++) - { + for (i=0; icrl->revoked); i++) { r=sk_X509_REVOKED_value(c->crl->revoked,i); r->sequence=i; - } + } c->crl->enc.modified = 1; return 1; - } +} int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) - { +{ ASN1_TIME *in; if (x == NULL) return(0); in=x->revocationDate; - if (in != tm) - { + if (in != tm) { in=M_ASN1_TIME_dup(tm); - if (in != NULL) - { + if (in != NULL) { M_ASN1_TIME_free(x->revocationDate); x->revocationDate=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial) - { +{ ASN1_INTEGER *in; if (x == NULL) return(0); in=x->serialNumber; - if (in != serial) - { + if (in != serial) { in=M_ASN1_INTEGER_dup(serial); - if (in != NULL) - { + if (in != NULL) { M_ASN1_INTEGER_free(x->serialNumber); x->serialNumber=in; - } } - return(in != NULL); } + return(in != NULL); +} diff --git a/lib/libcrypto/x509/x509name.c b/lib/libcrypto/x509/x509name.c index 27bc4dc9a3e..729fb060f8d 100644 --- a/lib/libcrypto/x509/x509name.c +++ b/lib/libcrypto/x509/x509name.c @@ -65,17 +65,17 @@ #include int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) - { +{ ASN1_OBJECT *obj; obj=OBJ_nid2obj(nid); if (obj == NULL) return(-1); return(X509_NAME_get_text_by_OBJ(name,obj,buf,len)); - } +} int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf, int len) - { +{ int i; ASN1_STRING *data; @@ -87,27 +87,27 @@ int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf, memcpy(buf,data->data,i); buf[i]='\0'; return(i); - } +} int X509_NAME_entry_count(X509_NAME *name) - { +{ if (name == NULL) return(0); return(sk_X509_NAME_ENTRY_num(name->entries)); - } +} int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos) - { +{ ASN1_OBJECT *obj; obj=OBJ_nid2obj(nid); if (obj == NULL) return(-2); return(X509_NAME_get_index_by_OBJ(name,obj,lastpos)); - } +} /* NOTE: you should be passsing -1, not 0 as lastpos */ int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int lastpos) - { +{ int n; X509_NAME_ENTRY *ne; STACK_OF(X509_NAME_ENTRY) *sk; @@ -117,26 +117,25 @@ int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, lastpos= -1; sk=name->entries; n=sk_X509_NAME_ENTRY_num(sk); - for (lastpos++; lastpos < n; lastpos++) - { + for (lastpos++; lastpos < n; lastpos++) { ne=sk_X509_NAME_ENTRY_value(sk,lastpos); if (OBJ_cmp(ne->object,obj) == 0) return(lastpos); - } - return(-1); } + return(-1); +} X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc) - { +{ if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc || loc < 0) return(NULL); else return(sk_X509_NAME_ENTRY_value(name->entries,loc)); - } +} X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc) - { +{ X509_NAME_ENTRY *ret; int i,n,set_prev,set_next; STACK_OF(X509_NAME_ENTRY) *sk; @@ -169,7 +168,7 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc) for (i=loc; iset--; return(ret); - } +} int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set) @@ -211,7 +210,7 @@ int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, * prepend to the guy we are about to stomp on. */ int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, int set) - { +{ X509_NAME_ENTRY *new_name=NULL; int n,i,inc; STACK_OF(X509_NAME_ENTRY) *sk; @@ -224,101 +223,87 @@ int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, name->modified=1; - if (set == -1) - { - if (loc == 0) - { + if (set == -1) { + if (loc == 0) { set=0; inc=1; - } - else - { + } else { set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set; inc=0; - } } - else /* if (set >= 0) */ - { - if (loc >= n) - { + } else /* if (set >= 0) */ { + if (loc >= n) { if (loc != 0) set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1; else set=0; - } - else + } else set=sk_X509_NAME_ENTRY_value(sk,loc)->set; inc=(set == 0)?1:0; - } + } if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL) goto err; new_name->set=set; - if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc)) - { + if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc)) { X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE); goto err; - } - if (inc) - { + } + if (inc) { n=sk_X509_NAME_ENTRY_num(sk); for (i=loc+1; iset+=1; - } + } return(1); err: if (new_name != NULL) X509_NAME_ENTRY_free(new_name); return(0); - } +} X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, int type, const unsigned char *bytes, int len) - { +{ ASN1_OBJECT *obj; X509_NAME_ENTRY *nentry; obj=OBJ_txt2obj(field, 0); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT, X509_R_INVALID_FIELD_NAME); ERR_add_error_data(2, "name=", field); return(NULL); - } + } nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len); ASN1_OBJECT_free(obj); return nentry; - } +} X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type, unsigned char *bytes, int len) - { +{ ASN1_OBJECT *obj; X509_NAME_ENTRY *nentry; obj=OBJ_nid2obj(nid); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID); return(NULL); - } + } nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len); ASN1_OBJECT_free(obj); return nentry; - } +} X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len) - { +{ X509_NAME_ENTRY *ret; - if ((ne == NULL) || (*ne == NULL)) - { + if ((ne == NULL) || (*ne == NULL)) { if ((ret=X509_NAME_ENTRY_new()) == NULL) return(NULL); - } - else + } else ret= *ne; if (!X509_NAME_ENTRY_set_object(ret,obj)) @@ -332,23 +317,22 @@ err: if ((ne == NULL) || (ret != *ne)) X509_NAME_ENTRY_free(ret); return(NULL); - } +} int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj) - { - if ((ne == NULL) || (obj == NULL)) - { +{ + if ((ne == NULL) || (obj == NULL)) { X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER); return(0); - } + } ASN1_OBJECT_free(ne->object); ne->object=OBJ_dup(obj); return((ne->object == NULL)?0:1); - } +} int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len) - { +{ int i; if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0); @@ -359,25 +343,24 @@ int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, if (len < 0) len=strlen((const char *)bytes); i=ASN1_STRING_set(ne->value,bytes,len); if (!i) return(0); - if (type != V_ASN1_UNDEF) - { + if (type != V_ASN1_UNDEF) { if (type == V_ASN1_APP_CHOOSE) ne->value->type=ASN1_PRINTABLE_type(bytes,len); else ne->value->type=type; - } - return(1); } + return(1); +} ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne) - { +{ if (ne == NULL) return(NULL); return(ne->object); - } +} ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne) - { +{ if (ne == NULL) return(NULL); return(ne->value); - } +} diff --git a/lib/libcrypto/x509/x509rset.c b/lib/libcrypto/x509/x509rset.c index d9f6b573729..fab93cce973 100644 --- a/lib/libcrypto/x509/x509rset.c +++ b/lib/libcrypto/x509/x509rset.c @@ -64,20 +64,20 @@ #include int X509_REQ_set_version(X509_REQ *x, long version) - { +{ if (x == NULL) return(0); return(ASN1_INTEGER_set(x->req_info->version,version)); - } +} int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name) - { +{ if ((x == NULL) || (x->req_info == NULL)) return(0); return(X509_NAME_set(&x->req_info->subject,name)); - } +} int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey) - { +{ if ((x == NULL) || (x->req_info == NULL)) return(0); return(X509_PUBKEY_set(&x->req_info->pubkey,pkey)); - } +} diff --git a/lib/libcrypto/x509/x509type.c b/lib/libcrypto/x509/x509type.c index 9702ec53103..ff06cfcab99 100644 --- a/lib/libcrypto/x509/x509type.c +++ b/lib/libcrypto/x509/x509type.c @@ -63,7 +63,7 @@ #include int X509_certificate_type(X509 *x, EVP_PKEY *pkey) - { +{ EVP_PKEY *pk; int ret=0,i; @@ -76,8 +76,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) if (pk == NULL) return(0); - switch (pk->type) - { + switch (pk->type) { case EVP_PKEY_RSA: ret=EVP_PK_RSA|EVP_PKT_SIGN; /* if (!sign only extension) */ @@ -98,14 +97,12 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) break; default: break; - } + } i=OBJ_obj2nid(x->sig_alg->algorithm); - if (i && OBJ_find_sigid_algs(i, NULL, &i)) - { + if (i && OBJ_find_sigid_algs(i, NULL, &i)) { - switch (i) - { + switch (i) { case NID_rsaEncryption: case NID_rsa: ret|=EVP_PKS_RSA; @@ -119,13 +116,13 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) break; default: break; - } } + } if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look for, not bytes */ ret|=EVP_PKT_EXP; if(pkey==NULL) EVP_PKEY_free(pk); return(ret); - } +} diff --git a/lib/libssl/src/crypto/x509/x509_att.c b/lib/libssl/src/crypto/x509/x509_att.c index 98460e89215..7f924fbe396 100644 --- a/lib/libssl/src/crypto/x509/x509_att.c +++ b/lib/libssl/src/crypto/x509/x509_att.c @@ -91,8 +91,7 @@ int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj, if (lastpos < 0) lastpos=0; n=sk_X509_ATTRIBUTE_num(sk); - for ( ; lastpos < n; lastpos++) - { + for ( ; lastpos < n; lastpos++) { ex=sk_X509_ATTRIBUTE_value(sk,lastpos); if (OBJ_cmp(ex->object,obj) == 0) return(lastpos); @@ -124,18 +123,15 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x, X509_ATTRIBUTE *new_attr=NULL; STACK_OF(X509_ATTRIBUTE) *sk=NULL; - if (x == NULL) - { + if (x == NULL) { X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_PASSED_NULL_PARAMETER); goto err2; - } + } - if (*x == NULL) - { + if (*x == NULL) { if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL) goto err; - } - else + } else sk= *x; if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL) @@ -215,11 +211,10 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, X509_ATTRIBUTE *ret; obj=OBJ_nid2obj(nid); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID); return(NULL); - } + } ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len); if (ret == NULL) ASN1_OBJECT_free(obj); return(ret); @@ -230,14 +225,12 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr, { X509_ATTRIBUTE *ret; - if ((attr == NULL) || (*attr == NULL)) - { - if ((ret=X509_ATTRIBUTE_new()) == NULL) - { + if ((attr == NULL) || (*attr == NULL)) { + if ((ret=X509_ATTRIBUTE_new()) == NULL) { X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); return(NULL); - } } + } else ret= *attr; @@ -256,22 +249,21 @@ err: X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr, const char *atrname, int type, const unsigned char *bytes, int len) - { +{ ASN1_OBJECT *obj; X509_ATTRIBUTE *nattr; obj=OBJ_txt2obj(atrname, 0); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT, X509_R_INVALID_FIELD_NAME); ERR_add_error_data(2, "name=", atrname); return(NULL); - } + } nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len); ASN1_OBJECT_free(obj); return nattr; - } +} int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj) { @@ -310,12 +302,10 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat if (attrtype == 0) return 1; if(!(ttmp = ASN1_TYPE_new())) goto err; - if ((len == -1) && !(attrtype & MBSTRING_FLAG)) - { + if ((len == -1) && !(attrtype & MBSTRING_FLAG)) { if (!ASN1_TYPE_set1(ttmp, attrtype, data)) goto err; - } - else + } else ASN1_TYPE_set(ttmp, atype, stmp); if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err; return 1; diff --git a/lib/libssl/src/crypto/x509/x509_cmp.c b/lib/libssl/src/crypto/x509/x509_cmp.c index 2f1b8953e55..87c45964148 100644 --- a/lib/libssl/src/crypto/x509/x509_cmp.c +++ b/lib/libssl/src/crypto/x509/x509_cmp.c @@ -65,7 +65,7 @@ #include int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) - { +{ int i; X509_CINF *ai,*bi; @@ -74,11 +74,11 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber); if (i) return(i); return(X509_NAME_cmp(ai->issuer,bi->issuer)); - } +} #ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_and_serial_hash(X509 *a) - { +{ unsigned long ret=0; EVP_MD_CTX ctx; unsigned char md[16]; @@ -102,68 +102,68 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) err: EVP_MD_CTX_cleanup(&ctx); return(ret); - } +} #endif int X509_issuer_name_cmp(const X509 *a, const X509 *b) - { +{ return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer)); - } +} int X509_subject_name_cmp(const X509 *a, const X509 *b) - { +{ return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject)); - } +} int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) - { +{ return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer)); - } +} #ifndef OPENSSL_NO_SHA int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) - { +{ return memcmp(a->sha1_hash, b->sha1_hash, 20); - } +} #endif X509_NAME *X509_get_issuer_name(X509 *a) - { +{ return(a->cert_info->issuer); - } +} unsigned long X509_issuer_name_hash(X509 *x) - { +{ return(X509_NAME_hash(x->cert_info->issuer)); - } +} #ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_name_hash_old(X509 *x) - { +{ return(X509_NAME_hash_old(x->cert_info->issuer)); - } +} #endif X509_NAME *X509_get_subject_name(X509 *a) - { +{ return(a->cert_info->subject); - } +} ASN1_INTEGER *X509_get_serialNumber(X509 *a) - { +{ return(a->cert_info->serialNumber); - } +} unsigned long X509_subject_name_hash(X509 *x) - { +{ return(X509_NAME_hash(x->cert_info->subject)); - } +} #ifndef OPENSSL_NO_MD5 unsigned long X509_subject_name_hash_old(X509 *x) - { +{ return(X509_NAME_hash_old(x->cert_info->subject)); - } +} #endif #ifndef OPENSSL_NO_SHA @@ -188,24 +188,22 @@ int X509_cmp(const X509 *a, const X509 *b) int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) - { +{ int ret; /* Ensure canonical encoding is present and up to date */ - if (!a->canon_enc || a->modified) - { + if (!a->canon_enc || a->modified) { ret = i2d_X509_NAME((X509_NAME *)a, NULL); if (ret < 0) return -2; - } + } - if (!b->canon_enc || b->modified) - { + if (!b->canon_enc || b->modified) { ret = i2d_X509_NAME((X509_NAME *)b, NULL); if (ret < 0) return -2; - } + } ret = a->canon_enclen - b->canon_enclen; @@ -214,10 +212,10 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); - } +} unsigned long X509_NAME_hash(X509_NAME *x) - { +{ unsigned long ret=0; unsigned char md[SHA_DIGEST_LENGTH]; @@ -231,7 +229,7 @@ unsigned long X509_NAME_hash(X509_NAME *x) ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) )&0xffffffffL; return(ret); - } +} #ifndef OPENSSL_NO_MD5 @@ -239,7 +237,7 @@ unsigned long X509_NAME_hash(X509_NAME *x) * this is reasonably efficient. */ unsigned long X509_NAME_hash_old(X509_NAME *x) - { +{ EVP_MD_CTX md_ctx; unsigned long ret=0; unsigned char md[16]; @@ -257,13 +255,13 @@ unsigned long X509_NAME_hash_old(X509_NAME *x) EVP_MD_CTX_cleanup(&md_ctx); return(ret); - } +} #endif /* Search a stack of X509 for a match */ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, ASN1_INTEGER *serial) - { +{ int i; X509_CINF cinf; X509 x,*x509=NULL; @@ -274,44 +272,42 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, cinf.serialNumber=serial; cinf.issuer=name; - for (i=0; icert_info == NULL)) return(NULL); return(X509_PUBKEY_get(x->cert_info->key)); - } +} ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) - { +{ if(!x) return NULL; return x->cert_info->key->public_key; - } +} int X509_check_private_key(X509 *x, EVP_PKEY *k) - { +{ EVP_PKEY *xk; int ret; @@ -322,8 +318,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k) else ret = -2; - switch (ret) - { + switch (ret) { case 1: break; case 0: @@ -334,10 +329,10 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k) break; case -2: X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); - } + } if (xk) EVP_PKEY_free(xk); if (ret > 0) return 1; return 0; - } +} diff --git a/lib/libssl/src/crypto/x509/x509_d2.c b/lib/libssl/src/crypto/x509/x509_d2.c index 51410cfd1a9..ed051093ac9 100644 --- a/lib/libssl/src/crypto/x509/x509_d2.c +++ b/lib/libssl/src/crypto/x509/x509_d2.c @@ -63,7 +63,7 @@ #ifndef OPENSSL_NO_STDIO int X509_STORE_set_default_paths(X509_STORE *ctx) - { +{ X509_LOOKUP *lookup; lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file()); @@ -78,30 +78,28 @@ int X509_STORE_set_default_paths(X509_STORE *ctx) ERR_clear_error(); return(1); - } +} int X509_STORE_load_locations(X509_STORE *ctx, const char *file, const char *path) - { +{ X509_LOOKUP *lookup; - if (file != NULL) - { + if (file != NULL) { lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file()); if (lookup == NULL) return(0); if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1) return(0); - } - if (path != NULL) - { + } + if (path != NULL) { lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir()); if (lookup == NULL) return(0); if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1) return(0); - } + } if ((path == NULL) && (file == NULL)) return(0); return(1); - } +} #endif diff --git a/lib/libssl/src/crypto/x509/x509_err.c b/lib/libssl/src/crypto/x509/x509_err.c index a01402f4167..ab5e8aaea2f 100644 --- a/lib/libssl/src/crypto/x509/x509_err.c +++ b/lib/libssl/src/crypto/x509/x509_err.c @@ -69,7 +69,7 @@ #define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason) static ERR_STRING_DATA X509_str_functs[]= - { +{ {ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"}, {ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"}, {ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"}, @@ -116,10 +116,10 @@ static ERR_STRING_DATA X509_str_functs[]= {ERR_FUNC(X509_F_X509_TRUST_SET), "X509_TRUST_set"}, {ERR_FUNC(X509_F_X509_VERIFY_CERT), "X509_verify_cert"}, {0,NULL} - }; +}; static ERR_STRING_DATA X509_str_reasons[]= - { +{ {ERR_REASON(X509_R_BAD_X509_FILETYPE) ,"bad x509 filetype"}, {ERR_REASON(X509_R_BASE64_DECODE_ERROR) ,"base64 decode error"}, {ERR_REASON(X509_R_CANT_CHECK_DH_KEY) ,"cant check dh key"}, @@ -147,18 +147,17 @@ static ERR_STRING_DATA X509_str_reasons[]= {ERR_REASON(X509_R_WRONG_LOOKUP_TYPE) ,"wrong lookup type"}, {ERR_REASON(X509_R_WRONG_TYPE) ,"wrong type"}, {0,NULL} - }; +}; #endif void ERR_load_X509_strings(void) - { +{ #ifndef OPENSSL_NO_ERR - if (ERR_func_error_string(X509_str_functs[0].error) == NULL) - { + if (ERR_func_error_string(X509_str_functs[0].error) == NULL) { ERR_load_strings(0,X509_str_functs); ERR_load_strings(0,X509_str_reasons); - } -#endif } +#endif +} diff --git a/lib/libssl/src/crypto/x509/x509_ext.c b/lib/libssl/src/crypto/x509/x509_ext.c index e7fdacb5e45..bdc489f3674 100644 --- a/lib/libssl/src/crypto/x509/x509_ext.c +++ b/lib/libssl/src/crypto/x509/x509_ext.c @@ -67,34 +67,34 @@ int X509_CRL_get_ext_count(X509_CRL *x) - { +{ return(X509v3_get_ext_count(x->crl->extensions)); - } +} int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos) - { +{ return(X509v3_get_ext_by_NID(x->crl->extensions,nid,lastpos)); - } +} int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos) - { +{ return(X509v3_get_ext_by_OBJ(x->crl->extensions,obj,lastpos)); - } +} int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos) - { +{ return(X509v3_get_ext_by_critical(x->crl->extensions,crit,lastpos)); - } +} X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc) - { +{ return(X509v3_get_ext(x->crl->extensions,loc)); - } +} X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc) - { +{ return(X509v3_delete_ext(x->crl->extensions,loc)); - } +} void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx) { @@ -108,44 +108,44 @@ int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit, } int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc) - { +{ return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL); - } +} int X509_get_ext_count(X509 *x) - { +{ return(X509v3_get_ext_count(x->cert_info->extensions)); - } +} int X509_get_ext_by_NID(X509 *x, int nid, int lastpos) - { +{ return(X509v3_get_ext_by_NID(x->cert_info->extensions,nid,lastpos)); - } +} int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos) - { +{ return(X509v3_get_ext_by_OBJ(x->cert_info->extensions,obj,lastpos)); - } +} int X509_get_ext_by_critical(X509 *x, int crit, int lastpos) - { +{ return(X509v3_get_ext_by_critical(x->cert_info->extensions,crit,lastpos)); - } +} X509_EXTENSION *X509_get_ext(X509 *x, int loc) - { +{ return(X509v3_get_ext(x->cert_info->extensions,loc)); - } +} X509_EXTENSION *X509_delete_ext(X509 *x, int loc) - { +{ return(X509v3_delete_ext(x->cert_info->extensions,loc)); - } +} int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc) - { +{ return(X509v3_add_ext(&(x->cert_info->extensions),ex,loc) != NULL); - } +} void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx) { @@ -160,40 +160,40 @@ int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, } int X509_REVOKED_get_ext_count(X509_REVOKED *x) - { +{ return(X509v3_get_ext_count(x->extensions)); - } +} int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos) - { +{ return(X509v3_get_ext_by_NID(x->extensions,nid,lastpos)); - } +} int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj, int lastpos) - { +{ return(X509v3_get_ext_by_OBJ(x->extensions,obj,lastpos)); - } +} int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos) - { +{ return(X509v3_get_ext_by_critical(x->extensions,crit,lastpos)); - } +} X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc) - { +{ return(X509v3_get_ext(x->extensions,loc)); - } +} X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc) - { +{ return(X509v3_delete_ext(x->extensions,loc)); - } +} int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc) - { +{ return(X509v3_add_ext(&(x->extensions),ex,loc) != NULL); - } +} void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx) { diff --git a/lib/libssl/src/crypto/x509/x509_lu.c b/lib/libssl/src/crypto/x509/x509_lu.c index 38b034bfeef..a89cd70313e 100644 --- a/lib/libssl/src/crypto/x509/x509_lu.c +++ b/lib/libssl/src/crypto/x509/x509_lu.c @@ -63,7 +63,7 @@ #include X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) - { +{ X509_LOOKUP *ret; ret=(X509_LOOKUP *)malloc(sizeof(X509_LOOKUP)); @@ -74,50 +74,49 @@ X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) ret->method=method; ret->method_data=NULL; ret->store_ctx=NULL; - if ((method->new_item != NULL) && !method->new_item(ret)) - { + if ((method->new_item != NULL) && !method->new_item(ret)) { free(ret); return NULL; - } - return ret; } + return ret; +} void X509_LOOKUP_free(X509_LOOKUP *ctx) - { +{ if (ctx == NULL) return; if ( (ctx->method != NULL) && (ctx->method->free != NULL)) (*ctx->method->free)(ctx); free(ctx); - } +} int X509_LOOKUP_init(X509_LOOKUP *ctx) - { +{ if (ctx->method == NULL) return 0; if (ctx->method->init != NULL) return ctx->method->init(ctx); else return 1; - } +} int X509_LOOKUP_shutdown(X509_LOOKUP *ctx) - { +{ if (ctx->method == NULL) return 0; if (ctx->method->shutdown != NULL) return ctx->method->shutdown(ctx); else return 1; - } +} int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret) - { +{ if (ctx->method == NULL) return -1; if (ctx->method->ctrl != NULL) return ctx->method->ctrl(ctx,cmd,argc,argl,ret); else return 1; - } +} int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, X509_OBJECT *ret) @@ -126,42 +125,41 @@ int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, return X509_LU_FAIL; if (ctx->skip) return 0; return ctx->method->get_by_subject(ctx,type,name,ret); - } +} int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name, ASN1_INTEGER *serial, X509_OBJECT *ret) - { +{ if ((ctx->method == NULL) || (ctx->method->get_by_issuer_serial == NULL)) return X509_LU_FAIL; return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret); - } +} int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, unsigned char *bytes, int len, X509_OBJECT *ret) - { +{ if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL)) return X509_LU_FAIL; return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret); - } +} int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len, X509_OBJECT *ret) - { +{ if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL)) return X509_LU_FAIL; return ctx->method->get_by_alias(ctx,type,str,len,ret); - } +} static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b) - { + { int ret; ret=((*a)->type - (*b)->type); if (ret) return ret; - switch ((*a)->type) - { + switch ((*a)->type) { case X509_LU_X509: ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509); break; @@ -171,12 +169,12 @@ static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * con default: /* abort(); */ return 0; - } - return ret; } + return ret; +} X509_STORE *X509_STORE_new(void) - { +{ X509_STORE *ret; if ((ret=(X509_STORE *)malloc(sizeof(X509_STORE))) == NULL) @@ -191,7 +189,7 @@ X509_STORE *X509_STORE_new(void) sk_X509_OBJECT_free(ret->objs); free(ret); return NULL; - } +} ret->get_issuer = 0; ret->check_issued = 0; @@ -203,37 +201,31 @@ X509_STORE *X509_STORE_new(void) ret->lookup_crls = 0; ret->cleanup = 0; - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) - { + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) { sk_X509_OBJECT_free(ret->objs); free(ret); return NULL; - } + } ret->references=1; return ret; - } +} static void cleanup(X509_OBJECT *a) - { - if (a->type == X509_LU_X509) - { +{ + if (a->type == X509_LU_X509) { X509_free(a->data.x509); - } - else if (a->type == X509_LU_CRL) - { + } else if (a->type == X509_LU_CRL) { X509_CRL_free(a->data.crl); - } - else - { + } else { /* abort(); */ - } + } free(a); - } +} void X509_STORE_free(X509_STORE *vfy) - { +{ int i; STACK_OF(X509_LOOKUP) *sk; X509_LOOKUP *lu; @@ -242,12 +234,11 @@ void X509_STORE_free(X509_STORE *vfy) return; sk=vfy->get_cert_methods; - for (i=0; iobjs, cleanup); @@ -255,43 +246,39 @@ void X509_STORE_free(X509_STORE *vfy) if (vfy->param) X509_VERIFY_PARAM_free(vfy->param); free(vfy); - } +} X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) - { +{ int i; STACK_OF(X509_LOOKUP) *sk; X509_LOOKUP *lu; sk=v->get_cert_methods; - for (i=0; imethod) - { + if (m == lu->method) { return lu; - } } + } /* a new one */ lu=X509_LOOKUP_new(m); if (lu == NULL) return NULL; - else - { + else { lu->store_ctx=v; if (sk_X509_LOOKUP_push(v->get_cert_methods,lu)) return lu; - else - { + else { X509_LOOKUP_free(lu); return NULL; - } } } +} int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, X509_OBJECT *ret) - { +{ X509_STORE *ctx=vs->ctx; X509_LOOKUP *lu; X509_OBJECT stmp,*tmp; @@ -301,27 +288,22 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name); CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); - if (tmp == NULL || type == X509_LU_CRL) - { - for (i=vs->current_method; iget_cert_methods); i++) - { + if (tmp == NULL || type == X509_LU_CRL) { + for (i=vs->current_method; iget_cert_methods); i++) { lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i); j=X509_LOOKUP_by_subject(lu,type,name,&stmp); - if (j < 0) - { + if (j < 0) { vs->current_method=j; return j; - } - else if (j) - { + } else if (j) { tmp= &stmp; break; - } } + } vs->current_method=0; if (tmp == NULL) return 0; - } + } /* if (ret->data.ptr != NULL) X509_OBJECT_free_contents(ret); */ @@ -332,20 +314,19 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, X509_OBJECT_up_ref_count(ret); return 1; - } +} int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) - { +{ X509_OBJECT *obj; int ret=1; if (x == NULL) return 0; obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT)); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE); return 0; - } + } obj->type=X509_LU_X509; obj->data.x509=x; @@ -353,32 +334,30 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) X509_OBJECT_up_ref_count(obj); - if (X509_OBJECT_retrieve_match(ctx->objs, obj)) - { + if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { X509_OBJECT_free_contents(obj); free(obj); X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE); ret=0; - } + } else sk_X509_OBJECT_push(ctx->objs, obj); CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return ret; - } +} int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) - { +{ X509_OBJECT *obj; int ret=1; if (x == NULL) return 0; obj=(X509_OBJECT *)malloc(sizeof(X509_OBJECT)); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE); return 0; - } + } obj->type=X509_LU_CRL; obj->data.crl=x; @@ -386,49 +365,46 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) X509_OBJECT_up_ref_count(obj); - if (X509_OBJECT_retrieve_match(ctx->objs, obj)) - { + if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { X509_OBJECT_free_contents(obj); free(obj); X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE); ret=0; - } - else sk_X509_OBJECT_push(ctx->objs, obj); + } else + sk_X509_OBJECT_push(ctx->objs, obj); CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return ret; - } +} void X509_OBJECT_up_ref_count(X509_OBJECT *a) - { - switch (a->type) - { +{ + switch (a->type) { case X509_LU_X509: CRYPTO_add(&a->data.x509->references,1,CRYPTO_LOCK_X509); break; case X509_LU_CRL: CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL); break; - } } +} void X509_OBJECT_free_contents(X509_OBJECT *a) - { - switch (a->type) - { +{ + switch (a->type) { case X509_LU_X509: X509_free(a->data.x509); break; case X509_LU_CRL: X509_CRL_free(a->data.crl); break; - } } +} static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name, int *pnmatch) - { +{ X509_OBJECT stmp; X509 x509_s; X509_CINF cinf_s; @@ -437,8 +413,7 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, int idx; stmp.type=type; - switch (type) - { + switch (type) { case X509_LU_X509: stmp.data.x509= &x509_s; x509_s.cert_info= &cinf_s; @@ -452,44 +427,42 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, default: /* abort(); */ return -1; - } + } idx = sk_X509_OBJECT_find(h,&stmp); - if (idx >= 0 && pnmatch) - { + if (idx >= 0 && pnmatch) { int tidx; const X509_OBJECT *tobj, *pstmp; *pnmatch = 1; pstmp = &stmp; - for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) - { + for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) { tobj = sk_X509_OBJECT_value(h, tidx); if (x509_object_cmp(&tobj, &pstmp)) break; (*pnmatch)++; - } } - return idx; } + return idx; +} int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name) - { +{ return x509_object_idx_cnt(h, type, name, NULL); - } +} X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name) - { +{ int idx; idx = X509_OBJECT_idx_by_subject(h, type, name); if (idx==-1) return NULL; return sk_X509_OBJECT_value(h, idx); - } +} STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) - { +{ int i, idx, cnt; STACK_OF(X509) *sk; X509 *x; @@ -497,48 +470,43 @@ STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) sk = sk_X509_new_null(); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); - if (idx < 0) - { + if (idx < 0) { /* Nothing found in cache: do lookup to possibly add new * objects to cache */ X509_OBJECT xobj; CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); - if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) - { + if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) { sk_X509_free(sk); return NULL; - } + } X509_OBJECT_free_contents(&xobj); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt); - if (idx < 0) - { + if (idx < 0) { CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); sk_X509_free(sk); return NULL; - } } - for (i = 0; i < cnt; i++, idx++) - { + } + for (i = 0; i < cnt; i++, idx++) { obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); x = obj->data.x509; CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); - if (!sk_X509_push(sk, x)) - { + if (!sk_X509_push(sk, x)) { CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); X509_free(x); sk_X509_pop_free(sk, X509_free); return NULL; - } } + } CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return sk; - } +} STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) - { +{ int i, idx, cnt; STACK_OF(X509_CRL) *sk; X509_CRL *x; @@ -551,66 +519,57 @@ STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) /* Always do lookup to possibly add new CRLs to cache */ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); - if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) - { + if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) { sk_X509_CRL_free(sk); return NULL; - } + } X509_OBJECT_free_contents(&xobj); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt); - if (idx < 0) - { + if (idx < 0) { CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); sk_X509_CRL_free(sk); return NULL; - } + } - for (i = 0; i < cnt; i++, idx++) - { + for (i = 0; i < cnt; i++, idx++) { obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); x = obj->data.crl; CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); - if (!sk_X509_CRL_push(sk, x)) - { + if (!sk_X509_CRL_push(sk, x)) { CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); X509_CRL_free(x); sk_X509_CRL_pop_free(sk, X509_CRL_free); return NULL; - } } + } CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return sk; - } +} X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x) - { +{ int idx, i; X509_OBJECT *obj; idx = sk_X509_OBJECT_find(h, x); if (idx == -1) return NULL; if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL)) return sk_X509_OBJECT_value(h, idx); - for (i = idx; i < sk_X509_OBJECT_num(h); i++) - { + for (i = idx; i < sk_X509_OBJECT_num(h); i++) { obj = sk_X509_OBJECT_value(h, i); if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x)) return NULL; - if (x->type == X509_LU_X509) - { + if (x->type == X509_LU_X509) { if (!X509_cmp(obj->data.x509, x->data.x509)) return obj; - } - else if (x->type == X509_LU_CRL) - { + } else if (x->type == X509_LU_CRL) { if (!X509_CRL_match(obj->data.crl, x->data.crl)) return obj; - } - else + } else return obj; - } - return NULL; } + return NULL; +} /* Try to get issuer certificate from store. Due to limitations @@ -625,95 +584,87 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x * -1 some other error. */ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) - { +{ X509_NAME *xn; X509_OBJECT obj, *pobj; int i, ok, idx, ret; xn=X509_get_issuer_name(x); ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); - if (ok != X509_LU_X509) - { - if (ok == X509_LU_RETRY) - { + if (ok != X509_LU_X509) { + if (ok == X509_LU_RETRY) { X509_OBJECT_free_contents(&obj); X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY); return -1; - } - else if (ok != X509_LU_FAIL) - { + } else if (ok != X509_LU_FAIL) { X509_OBJECT_free_contents(&obj); /* not good :-(, break anyway */ return -1; - } - return 0; } + return 0; + } /* If certificate matches all OK */ - if (ctx->check_issued(ctx, x, obj.data.x509)) - { + if (ctx->check_issued(ctx, x, obj.data.x509)) { *issuer = obj.data.x509; return 1; - } + } X509_OBJECT_free_contents(&obj); /* Else find index of first cert accepted by 'check_issued' */ ret = 0; CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn); - if (idx != -1) /* should be true as we've had at least one match */ - { + if (idx != -1) /* should be true as we've had at least one match */ { /* Look through all matching certs for suitable issuer */ - for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) - { + for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) { pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i); /* See if we've run past the matches */ if (pobj->type != X509_LU_X509) break; if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) break; - if (ctx->check_issued(ctx, x, pobj->data.x509)) - { + if (ctx->check_issued(ctx, x, pobj->data.x509)) { *issuer = pobj->data.x509; X509_OBJECT_up_ref_count(pobj); ret = 1; break; - } } } + } CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return ret; - } +} int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags) - { +{ return X509_VERIFY_PARAM_set_flags(ctx->param, flags); - } +} int X509_STORE_set_depth(X509_STORE *ctx, int depth) - { +{ X509_VERIFY_PARAM_set_depth(ctx->param, depth); return 1; - } +} int X509_STORE_set_purpose(X509_STORE *ctx, int purpose) - { +{ return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose); - } +} int X509_STORE_set_trust(X509_STORE *ctx, int trust) - { +{ return X509_VERIFY_PARAM_set_trust(ctx->param, trust); - } +} int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) - { +{ return X509_VERIFY_PARAM_set1(ctx->param, param); - } +} void X509_STORE_set_verify_cb(X509_STORE *ctx, int (*verify_cb)(int, X509_STORE_CTX *)) - { +{ ctx->verify_cb = verify_cb; - } +} IMPLEMENT_STACK_OF(X509_LOOKUP) IMPLEMENT_STACK_OF(X509_OBJECT) diff --git a/lib/libssl/src/crypto/x509/x509_obj.c b/lib/libssl/src/crypto/x509/x509_obj.c index 5f38315f22e..d0c02f833e1 100644 --- a/lib/libssl/src/crypto/x509/x509_obj.c +++ b/lib/libssl/src/crypto/x509/x509_obj.c @@ -64,7 +64,7 @@ #include char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) - { +{ X509_NAME_ENTRY *ne; int i; int n,lold,l,l1,l2,num,j,type; @@ -76,103 +76,85 @@ int i; int gs_doit[4]; char tmp_buf[80]; - if (buf == NULL) - { + if (buf == NULL) { if ((b=BUF_MEM_new()) == NULL) goto err; if (!BUF_MEM_grow(b,200)) goto err; b->data[0]='\0'; len=200; + } + if (a == NULL) { + if(b) { + buf=b->data; + free(b); } - if (a == NULL) - { - if(b) - { - buf=b->data; - free(b); - } - strlcpy(buf,"NO X509_NAME",len); - return buf; - } + strlcpy(buf,"NO X509_NAME",len); + return buf; + } len--; /* space for '\0' */ l=0; - for (i=0; ientries); i++) - { + for (i=0; ientries); i++) { ne=sk_X509_NAME_ENTRY_value(a->entries,i); n=OBJ_obj2nid(ne->object); - if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL)) - { + if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL)) { i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object); s=tmp_buf; - } + } l1=strlen(s); type=ne->value->type; num=ne->value->length; q=ne->value->data; - if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0)) - { + if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0)) { gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0; for (j=0; j '~')) l2+=3; - } + } lold=l; l+=1+l1+1+l2; - if (b != NULL) - { + if (b != NULL) { if (!BUF_MEM_grow(b,l+1)) goto err; p= &(b->data[lold]); - } - else if (l > len) - { + } else if (l > len) { break; - } - else + } else p= &(buf[lold]); *(p++)='/'; memcpy(p,s,(unsigned int)l1); p+=l1; *(p++)='='; q=ne->value->data; - for (j=0; j '~')) - { + if ((n < ' ') || (n > '~')) { *(p++)='\\'; *(p++)='x'; *(p++)=hex[(n>>4)&0x0f]; *(p++)=hex[n&0x0f]; - } - else + } else *(p++)=n; - } - *p='\0'; } - if (b != NULL) - { + *p='\0'; + } + if (b != NULL) { p=b->data; free(b); - } - else + } else p=buf; if (i == 0) *p = '\0'; @@ -181,5 +163,5 @@ err: X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE); if (b != NULL) BUF_MEM_free(b); return(NULL); - } +} diff --git a/lib/libssl/src/crypto/x509/x509_r2x.c b/lib/libssl/src/crypto/x509/x509_r2x.c index 254a14693d9..f084447334f 100644 --- a/lib/libssl/src/crypto/x509/x509_r2x.c +++ b/lib/libssl/src/crypto/x509/x509_r2x.c @@ -66,27 +66,25 @@ #include X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) - { +{ X509 *ret=NULL; X509_CINF *xi=NULL; X509_NAME *xn; - if ((ret=X509_new()) == NULL) - { + if ((ret=X509_new()) == NULL) { X509err(X509_F_X509_REQ_TO_X509,ERR_R_MALLOC_FAILURE); goto err; - } + } /* duplicate the request */ xi=ret->cert_info; - if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) - { + if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) { if ((xi->version=M_ASN1_INTEGER_new()) == NULL) goto err; if (!ASN1_INTEGER_set(xi->version,2)) goto err; /* xi->extensions=ri->attributes; <- bad, should not ever be done ri->attributes=NULL; */ - } + } xn=X509_REQ_get_subject_name(r); if (X509_set_subject_name(ret,X509_NAME_dup(xn)) == 0) @@ -103,12 +101,11 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) if (!X509_sign(ret,pkey,EVP_md5())) goto err; - if (0) - { + if (0) { err: X509_free(ret); ret=NULL; - } - return(ret); } + return(ret); +} diff --git a/lib/libssl/src/crypto/x509/x509_req.c b/lib/libssl/src/crypto/x509/x509_req.c index 1c5cee80309..12725ed7e95 100644 --- a/lib/libssl/src/crypto/x509/x509_req.c +++ b/lib/libssl/src/crypto/x509/x509_req.c @@ -68,18 +68,17 @@ #include X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) - { +{ X509_REQ *ret; X509_REQ_INFO *ri; int i; EVP_PKEY *pktmp; ret=X509_REQ_new(); - if (ret == NULL) - { + if (ret == NULL) { X509err(X509_F_X509_TO_X509_REQ,ERR_R_MALLOC_FAILURE); goto err; - } + } ri=ret->req_info; @@ -96,32 +95,30 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) EVP_PKEY_free(pktmp); if (!i) goto err; - if (pkey != NULL) - { + if (pkey != NULL) { if (!X509_REQ_sign(ret,pkey,md)) goto err; - } + } return(ret); err: X509_REQ_free(ret); return(NULL); - } +} EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) - { +{ if ((req == NULL) || (req->req_info == NULL)) return(NULL); return(X509_PUBKEY_get(req->req_info->pubkey)); - } +} int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) - { +{ EVP_PKEY *xk=NULL; int ok=0; xk=X509_REQ_get_pubkey(x); - switch (EVP_PKEY_cmp(xk, k)) - { + switch (EVP_PKEY_cmp(xk, k)) { case 1: ok=1; break; @@ -133,26 +130,24 @@ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) break; case -2: #ifndef OPENSSL_NO_EC - if (k->type == EVP_PKEY_EC) - { + if (k->type == EVP_PKEY_EC) { X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB); break; - } + } #endif #ifndef OPENSSL_NO_DH - if (k->type == EVP_PKEY_DH) - { + if (k->type == EVP_PKEY_DH) { /* No idea */ X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY); break; - } + } #endif X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); - } + } EVP_PKEY_free(xk); return(ok); - } +} /* It seems several organisations had the same idea of including a list of * extensions in a certificate request. There are at least two OIDs that are @@ -184,7 +179,7 @@ void X509_REQ_set_extension_nids(int *nids) } STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) - { +{ X509_ATTRIBUTE *attr; ASN1_TYPE *ext = NULL; int idx, *pnid; @@ -192,8 +187,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) if ((req == NULL) || (req->req_info == NULL) || !ext_nids) return(NULL); - for (pnid = ext_nids; *pnid != NID_undef; pnid++) - { + for (pnid = ext_nids; *pnid != NID_undef; pnid++) { idx = X509_REQ_get_attr_by_NID(req, *pnid, -1); if (idx == -1) continue; @@ -202,7 +196,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) else if(sk_ASN1_TYPE_num(attr->value.set)) ext = sk_ASN1_TYPE_value(attr->value.set, 0); break; - } + } if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL; p = ext->value.sequence->data; @@ -235,11 +229,10 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, at = NULL; attr->single = 0; attr->object = OBJ_nid2obj(nid); - if (!req->req_info->attributes) - { + if (!req->req_info->attributes) { if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null())) goto err; - } + } if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err; return 1; err: diff --git a/lib/libssl/src/crypto/x509/x509_set.c b/lib/libssl/src/crypto/x509/x509_set.c index 4b94fc58477..dfe9eb68fff 100644 --- a/lib/libssl/src/crypto/x509/x509_set.c +++ b/lib/libssl/src/crypto/x509/x509_set.c @@ -64,87 +64,77 @@ #include int X509_set_version(X509 *x, long version) - { +{ if (x == NULL) return(0); - if (x->cert_info->version == NULL) - { + if (x->cert_info->version == NULL) { if ((x->cert_info->version=M_ASN1_INTEGER_new()) == NULL) return(0); - } - return(ASN1_INTEGER_set(x->cert_info->version,version)); } + return(ASN1_INTEGER_set(x->cert_info->version,version)); +} int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) - { +{ ASN1_INTEGER *in; if (x == NULL) return(0); in=x->cert_info->serialNumber; - if (in != serial) - { + if (in != serial) { in=M_ASN1_INTEGER_dup(serial); - if (in != NULL) - { + if (in != NULL) { M_ASN1_INTEGER_free(x->cert_info->serialNumber); x->cert_info->serialNumber=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_set_issuer_name(X509 *x, X509_NAME *name) - { +{ if ((x == NULL) || (x->cert_info == NULL)) return(0); return(X509_NAME_set(&x->cert_info->issuer,name)); - } +} int X509_set_subject_name(X509 *x, X509_NAME *name) - { +{ if ((x == NULL) || (x->cert_info == NULL)) return(0); return(X509_NAME_set(&x->cert_info->subject,name)); - } +} int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) - { +{ ASN1_TIME *in; if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); in=x->cert_info->validity->notBefore; - if (in != tm) - { + if (in != tm) { in=M_ASN1_TIME_dup(tm); - if (in != NULL) - { + if (in != NULL) { M_ASN1_TIME_free(x->cert_info->validity->notBefore); x->cert_info->validity->notBefore=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) - { +{ ASN1_TIME *in; if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); in=x->cert_info->validity->notAfter; - if (in != tm) - { + if (in != tm) { in=M_ASN1_TIME_dup(tm); - if (in != NULL) - { + if (in != NULL) { M_ASN1_TIME_free(x->cert_info->validity->notAfter); x->cert_info->validity->notAfter=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_set_pubkey(X509 *x, EVP_PKEY *pkey) - { +{ if ((x == NULL) || (x->cert_info == NULL)) return(0); return(X509_PUBKEY_set(&(x->cert_info->key),pkey)); - } - - - +} diff --git a/lib/libssl/src/crypto/x509/x509_trs.c b/lib/libssl/src/crypto/x509/x509_trs.c index 7bb5094e640..bdda53ec6bb 100644 --- a/lib/libssl/src/crypto/x509/x509_trs.c +++ b/lib/libssl/src/crypto/x509/x509_trs.c @@ -174,7 +174,8 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), return 0; } trtmp->flags = X509_TRUST_DYNAMIC; - } else trtmp = X509_TRUST_get0(idx); + } else + trtmp = X509_TRUST_get0(idx); /* free existing name if dynamic */ if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) free(trtmp->name); @@ -208,15 +209,14 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), } static void trtable_free(X509_TRUST *p) - { +{ if(!p) return; - if (p->flags & X509_TRUST_DYNAMIC) - { + if (p->flags & X509_TRUST_DYNAMIC) { if (p->flags & X509_TRUST_DYNAMIC_NAME) free(p->name); free(p); - } } +} void X509_TRUST_cleanup(void) { diff --git a/lib/libssl/src/crypto/x509/x509_txt.c b/lib/libssl/src/crypto/x509/x509_txt.c index 27f6c7176ae..509948618e1 100644 --- a/lib/libssl/src/crypto/x509/x509_txt.c +++ b/lib/libssl/src/crypto/x509/x509_txt.c @@ -69,11 +69,10 @@ #include const char *X509_verify_cert_error_string(long n) - { +{ static char buf[100]; - switch ((int)n) - { + switch ((int)n) { case X509_V_OK: return("ok"); case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: @@ -187,7 +186,7 @@ const char *X509_verify_cert_error_string(long n) default: (void) snprintf(buf,sizeof buf,"error number %ld",n); return(buf); - } } +} diff --git a/lib/libssl/src/crypto/x509/x509_v3.c b/lib/libssl/src/crypto/x509/x509_v3.c index 42e6f0ab056..f41fab3367b 100644 --- a/lib/libssl/src/crypto/x509/x509_v3.c +++ b/lib/libssl/src/crypto/x509/x509_v3.c @@ -66,24 +66,24 @@ #include int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) - { +{ if (x == NULL) return(0); return(sk_X509_EXTENSION_num(x)); - } +} int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos) - { +{ ASN1_OBJECT *obj; obj=OBJ_nid2obj(nid); if (obj == NULL) return(-2); return(X509v3_get_ext_by_OBJ(x,obj,lastpos)); - } +} int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, int lastpos) - { +{ int n; X509_EXTENSION *ex; @@ -92,18 +92,17 @@ int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, if (lastpos < 0) lastpos=0; n=sk_X509_EXTENSION_num(sk); - for ( ; lastpos < n; lastpos++) - { + for ( ; lastpos < n; lastpos++) { ex=sk_X509_EXTENSION_value(sk,lastpos); if (OBJ_cmp(ex->object,obj) == 0) return(lastpos); - } - return(-1); } + return(-1); +} int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, int lastpos) - { +{ int n; X509_EXTENSION *ex; @@ -112,53 +111,49 @@ int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, if (lastpos < 0) lastpos=0; n=sk_X509_EXTENSION_num(sk); - for ( ; lastpos < n; lastpos++) - { + for ( ; lastpos < n; lastpos++) { ex=sk_X509_EXTENSION_value(sk,lastpos); if ( ((ex->critical > 0) && crit) || ((ex->critical <= 0) && !crit)) return(lastpos); - } - return(-1); } + return(-1); +} X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) - { +{ if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) return NULL; else return sk_X509_EXTENSION_value(x,loc); - } +} X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) - { +{ X509_EXTENSION *ret; if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0) return(NULL); ret=sk_X509_EXTENSION_delete(x,loc); return(ret); - } +} STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc) - { +{ X509_EXTENSION *new_ex=NULL; int n; STACK_OF(X509_EXTENSION) *sk=NULL; - if (x == NULL) - { + if (x == NULL) { X509err(X509_F_X509V3_ADD_EXT,ERR_R_PASSED_NULL_PARAMETER); goto err2; - } + } - if (*x == NULL) - { + if (*x == NULL) { if ((sk=sk_X509_EXTENSION_new_null()) == NULL) goto err; - } - else + } else sk= *x; n=sk_X509_EXTENSION_num(sk); @@ -178,39 +173,36 @@ err2: if (new_ex != NULL) X509_EXTENSION_free(new_ex); if (sk != NULL) sk_X509_EXTENSION_free(sk); return(NULL); - } +} X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit, ASN1_OCTET_STRING *data) - { +{ ASN1_OBJECT *obj; X509_EXTENSION *ret; obj=OBJ_nid2obj(nid); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_EXTENSION_CREATE_BY_NID,X509_R_UNKNOWN_NID); return(NULL); - } + } ret=X509_EXTENSION_create_by_OBJ(ex,obj,crit,data); if (ret == NULL) ASN1_OBJECT_free(obj); return(ret); - } +} X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data) - { +{ X509_EXTENSION *ret; - if ((ex == NULL) || (*ex == NULL)) - { + if ((ex == NULL) || (*ex == NULL)) { if ((ret=X509_EXTENSION_new()) == NULL) - { + { X509err(X509_F_X509_EXTENSION_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE); return(NULL); - } } - else + } else ret= *ex; if (!X509_EXTENSION_set_object(ret,obj)) @@ -226,49 +218,49 @@ err: if ((ex == NULL) || (ret != *ex)) X509_EXTENSION_free(ret); return(NULL); - } +} int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) - { +{ if ((ex == NULL) || (obj == NULL)) return(0); ASN1_OBJECT_free(ex->object); ex->object=OBJ_dup(obj); return(1); - } +} int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) - { +{ if (ex == NULL) return(0); ex->critical=(crit)?0xFF:-1; return(1); - } +} int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) - { +{ int i; if (ex == NULL) return(0); i=M_ASN1_OCTET_STRING_set(ex->value,data->data,data->length); if (!i) return(0); return(1); - } +} ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex) - { +{ if (ex == NULL) return(NULL); return(ex->object); - } +} ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex) - { +{ if (ex == NULL) return(NULL); return(ex->value); - } +} int X509_EXTENSION_get_critical(X509_EXTENSION *ex) - { +{ if (ex == NULL) return(0); if(ex->critical > 0) return 1; return 0; - } +} diff --git a/lib/libssl/src/crypto/x509/x509_vfy.c b/lib/libssl/src/crypto/x509/x509_vfy.c index 077bfd8f2d6..6e9dd7cc6a5 100644 --- a/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/lib/libssl/src/crypto/x509/x509_vfy.c @@ -139,19 +139,19 @@ const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; static int null_callback(int ok, X509_STORE_CTX *e) - { +{ return ok; - } +} #if 0 static int x509_subject_cmp(X509 **a, X509 **b) - { +{ return X509_subject_name_cmp(*a,*b); - } +} #endif int X509_verify_cert(X509_STORE_CTX *ctx) - { +{ X509 *x,*xtmp,*chain_ss=NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; @@ -159,43 +159,38 @@ int X509_verify_cert(X509_STORE_CTX *ctx) int num; int (*cb)(int xok,X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp=NULL; - if (ctx->cert == NULL) - { + if (ctx->cert == NULL) { X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; - } + } cb=ctx->verify_cb; /* first we make sure the chain we are going to build is * present and that the first entry is in place */ - if (ctx->chain == NULL) - { + if (ctx->chain == NULL) { if ( ((ctx->chain=sk_X509_new_null()) == NULL) || - (!sk_X509_push(ctx->chain,ctx->cert))) - { + (!sk_X509_push(ctx->chain,ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; - } + } CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); ctx->last_untrusted=1; - } + } /* We use a temporary STACK so we can chop and hack at it */ if (ctx->untrusted != NULL - && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) - { + && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; - } + } num=sk_X509_num(ctx->chain); x=sk_X509_value(ctx->chain,num-1); depth=param->depth; - for (;;) - { + for (;;) { /* If we have enough, we break */ if (depth < num) break; /* FIXME: If this happens, we should take * note of it and, if appropriate, use the @@ -207,16 +202,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (ctx->check_issued(ctx, x,x)) break; /* If we were passed a cert chain, use it first */ - if (ctx->untrusted != NULL) - { + if (ctx->untrusted != NULL) { xtmp=find_issuer(ctx, sktmp,x); - if (xtmp != NULL) - { - if (!sk_X509_push(ctx->chain,xtmp)) - { + if (xtmp != NULL) { + if (!sk_X509_push(ctx->chain,xtmp)) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; - } + } CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); (void)sk_X509_delete_ptr(sktmp,xtmp); ctx->last_untrusted++; @@ -225,10 +217,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* reparse the full chain for * the next one */ continue; - } } - break; } + break; + } /* at this point, chain should contain a list of untrusted * certificates. We now need to add at least one trusted one, @@ -240,18 +232,15 @@ int X509_verify_cert(X509_STORE_CTX *ctx) i=sk_X509_num(ctx->chain); x=sk_X509_value(ctx->chain,i-1); - if (ctx->check_issued(ctx, x, x)) - { + if (ctx->check_issued(ctx, x, x)) { /* we have a self signed certificate */ - if (sk_X509_num(ctx->chain) == 1) - { + if (sk_X509_num(ctx->chain) == 1) { /* We have a single self signed certificate: see if * we can find it in the store. We must have an exact * match to avoid possible impersonation. */ ok = ctx->get_issuer(&xtmp, ctx, x); - if ((ok <= 0) || X509_cmp(x, xtmp)) - { + if ((ok <= 0) || X509_cmp(x, xtmp)) { ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; ctx->current_cert=x; ctx->error_depth=i-1; @@ -259,9 +248,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) bad_chain = 1; ok=cb(0,ctx); if (!ok) goto end; - } - else - { + } else { /* We have a match: replace certificate with store version * so we get any trust settings. */ @@ -269,21 +256,18 @@ int X509_verify_cert(X509_STORE_CTX *ctx) x = xtmp; (void)sk_X509_set(ctx->chain, i - 1, x); ctx->last_untrusted=0; - } } - else - { + } else { /* extract and save self signed certificate for later use */ chain_ss=sk_X509_pop(ctx->chain); ctx->last_untrusted--; num--; x=sk_X509_value(ctx->chain,num-1); - } } + } /* We now lookup certs from the certificate store */ - for (;;) - { + for (;;) { /* If we have enough, we break */ if (depth < num) break; @@ -296,30 +280,25 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (ok == 0) break; x = xtmp; - if (!sk_X509_push(ctx->chain,x)) - { + if (!sk_X509_push(ctx->chain,x)) { X509_free(xtmp); X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); return 0; - } - num++; } + num++; + } /* we now have our chain, lets check it... */ /* Is last certificate looked up self signed? */ - if (!ctx->check_issued(ctx,x,x)) - { - if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) - { + if (!ctx->check_issued(ctx,x,x)) { + if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num) ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; else ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; ctx->current_cert=x; - } - else - { + } else { sk_X509_push(ctx->chain,chain_ss); num++; @@ -327,13 +306,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx) ctx->current_cert=chain_ss; ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; chain_ss=NULL; - } + } ctx->error_depth=num-1; bad_chain = 1; ok=cb(0,ctx); if (!ok) goto end; - } + } /* We have the chain complete: now we need to check its purpose */ ok = check_chain_extensions(ctx); @@ -381,15 +360,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) ok = ctx->check_policy(ctx); if(!ok) goto end; - if (0) - { + if (0) { end: X509_get_pubkey_parameters(NULL,ctx->chain); - } + } if (sktmp != NULL) sk_X509_free(sktmp); if (chain_ss != NULL) X509_free(chain_ss); return ok; - } +} /* Given a STACK_OF(X509) find the issuer of cert (if any) @@ -399,12 +377,11 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { int i; X509 *issuer; - for (i = 0; i < sk_X509_num(sk); i++) - { + for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); if (ctx->check_issued(ctx, x, issuer)) return issuer; - } + } return NULL; } @@ -431,12 +408,10 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { *issuer = find_issuer(ctx, ctx->other_ctx, x); - if (*issuer) - { + if (*issuer) { CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); return 1; - } - else + } else return 0; } @@ -469,13 +444,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) must_be_ca = -1; /* CRL path validation */ - if (ctx->parent) - { + if (ctx->parent) { allow_proxy_certs = 0; purpose = X509_PURPOSE_CRL_SIGN; - } - else - { + } else { allow_proxy_certs = !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); /* A hack to keep people who don't want to modify their @@ -483,96 +455,82 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) allow_proxy_certs = 1; purpose = ctx->param->purpose; - } + } /* Check all untrusted certificates */ - for (i = 0; i < ctx->last_untrusted; i++) - { + for (i = 0; i < ctx->last_untrusted; i++) { int ret; x = sk_X509_value(ctx->chain, i); if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (x->ex_flags & EXFLAG_CRITICAL)) - { + && (x->ex_flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } - if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) - { + } + if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } + } ret = X509_check_ca(x); - switch(must_be_ca) - { + switch(must_be_ca) { case -1: if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1) && (ret != 0)) - { + && (ret != 1) && (ret != 0)) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; - } - else + } else ret = 1; break; case 0: - if (ret != 0) - { + if (ret != 0) { ret = 0; ctx->error = X509_V_ERR_INVALID_NON_CA; - } - else + } else ret = 1; break; default: if ((ret == 0) || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) - { + && (ret != 1))) { ret = 0; ctx->error = X509_V_ERR_INVALID_CA; - } - else + } else ret = 1; break; - } - if (ret == 0) - { + } + if (ret == 0) { ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } - if (ctx->param->purpose > 0) - { + } + if (ctx->param->purpose > 0) { ret = X509_check_purpose(x, purpose, must_be_ca > 0); if ((ret == 0) || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) - { + && (ret != 1))) { ctx->error = X509_V_ERR_INVALID_PURPOSE; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } } + } /* Check pathlen if not self issued */ if ((i > 1) && !(x->ex_flags & EXFLAG_SI) && (x->ex_pathlen != -1) - && (plen > (x->ex_pathlen + proxy_path_length + 1))) - { + && (plen > (x->ex_pathlen + proxy_path_length + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } + } /* Increment path length if not self issued */ if (!(x->ex_flags & EXFLAG_SI)) plen++; @@ -580,23 +538,20 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) certificate must be another proxy certificate or a EE certificate. If not, the next certificate must be a CA certificate. */ - if (x->ex_flags & EXFLAG_PROXY) - { - if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) - { + if (x->ex_flags & EXFLAG_PROXY) { + if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; - } + } proxy_path_length++; must_be_ca = 0; - } - else + } else must_be_ca = 1; - } + } ok = 1; end: return ok; @@ -604,12 +559,11 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) } static int check_name_constraints(X509_STORE_CTX *ctx) - { +{ X509 *x; int i, j, rv; /* Check name constraints for all certificates */ - for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) - { + for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { x = sk_X509_value(ctx->chain, i); /* Ignore self issued certs unless last in chain */ if (i && (x->ex_flags & EXFLAG_SI)) @@ -619,25 +573,22 @@ static int check_name_constraints(X509_STORE_CTX *ctx) * speaking needed but if it includes constraints it is to be * assumed it expects them to be obeyed. */ - for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) - { + for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) { NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; - if (nc) - { + if (nc) { rv = NAME_CONSTRAINTS_check(x, nc); - if (rv != X509_V_OK) - { + if (rv != X509_V_OK) { ctx->error = rv; ctx->error_depth = i; ctx->current_cert = x; if (!ctx->verify_cb(0,ctx)) return 0; - } } } } - return 1; } + return 1; +} static int check_trust(X509_STORE_CTX *ctx) { @@ -666,30 +617,27 @@ static int check_trust(X509_STORE_CTX *ctx) } static int check_revocation(X509_STORE_CTX *ctx) - { +{ int i, last, ok; if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) return 1; if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) last = sk_X509_num(ctx->chain) - 1; - else - { + else { /* If checking CRL paths this isn't the EE certificate */ if (ctx->parent) return 1; last = 0; - } - for(i = 0; i <= last; i++) - { + } + for(i = 0; i <= last; i++) { ctx->error_depth = i; ok = check_cert(ctx); if (!ok) return ok; - } - return 1; } + return 1; +} -static int check_cert(X509_STORE_CTX *ctx) - { +static int check_cert(X509_STORE_CTX *ctx) { X509_CRL *crl = NULL, *dcrl = NULL; X509 *x; int ok, cnum; @@ -700,8 +648,7 @@ static int check_cert(X509_STORE_CTX *ctx) ctx->current_issuer = NULL; ctx->current_crl_score = 0; ctx->current_reasons = 0; - while (ctx->current_reasons != CRLDP_ALL_REASONS) - { + while (ctx->current_reasons != CRLDP_ALL_REASONS) { last_reasons = ctx->current_reasons; /* Try to retrieve relevant CRL */ if (ctx->get_crl) @@ -711,36 +658,32 @@ static int check_cert(X509_STORE_CTX *ctx) /* If error looking up CRL, nothing we can do except * notify callback */ - if(!ok) - { + if(!ok) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; ok = ctx->verify_cb(0, ctx); goto err; - } + } ctx->current_crl = crl; ok = ctx->check_crl(ctx, crl); if (!ok) goto err; - if (dcrl) - { + if (dcrl) { ok = ctx->check_crl(ctx, dcrl); if (!ok) goto err; ok = ctx->cert_crl(ctx, dcrl, x); if (!ok) goto err; - } - else + } else ok = 1; /* Don't look in full CRL if delta reason is removefromCRL */ - if (ok != 2) - { + if (ok != 2) { ok = ctx->cert_crl(ctx, crl, x); if (!ok) goto err; - } + } X509_CRL_free(crl); X509_CRL_free(dcrl); @@ -749,26 +692,25 @@ static int check_cert(X509_STORE_CTX *ctx) /* If reasons not updated we wont get anywhere by * another iteration, so exit loop. */ - if (last_reasons == ctx->current_reasons) - { + if (last_reasons == ctx->current_reasons) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; ok = ctx->verify_cb(0, ctx); goto err; - } } - err: + } +err: X509_CRL_free(crl); X509_CRL_free(dcrl); ctx->current_crl = NULL; return ok; - } +} /* Check CRL times against values in X509_STORE_CTX */ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) - { +{ time_t *ptime; int i; if (notify) @@ -779,80 +721,72 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) ptime = NULL; i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); - if (i == 0) - { + if (i == 0) { if (!notify) return 0; ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if (i > 0) - { + if (i > 0) { if (!notify) return 0; ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if(X509_CRL_get_nextUpdate(crl)) - { + if(X509_CRL_get_nextUpdate(crl)) { i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); - if (i == 0) - { + if (i == 0) { if (!notify) return 0; ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; if (!ctx->verify_cb(0, ctx)) return 0; - } + } /* Ignore expiry of base CRL is delta is valid */ - if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) - { + if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { if (!notify) return 0; ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; if (!ctx->verify_cb(0, ctx)) return 0; - } } + } if (notify) ctx->current_crl = NULL; return 1; - } +} static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 **pissuer, int *pscore, unsigned int *preasons, STACK_OF(X509_CRL) *crls) - { +{ int i, crl_score, best_score = *pscore; unsigned int reasons, best_reasons = 0; X509 *x = ctx->current_cert; X509_CRL *crl, *best_crl = NULL; X509 *crl_issuer = NULL, *best_crl_issuer = NULL; - for (i = 0; i < sk_X509_CRL_num(crls); i++) - { + for (i = 0; i < sk_X509_CRL_num(crls); i++) { crl = sk_X509_CRL_value(crls, i); reasons = *preasons; crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); - if (crl_score > best_score) - { + if (crl_score > best_score) { best_crl = crl; best_crl_issuer = crl_issuer; best_score = crl_score; best_reasons = reasons; - } } + } - if (best_crl) - { + if (best_crl) { if (*pcrl) X509_CRL_free(*pcrl); *pcrl = best_crl; @@ -860,49 +794,44 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, *pscore = best_score; *preasons = best_reasons; CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); - if (*pdcrl) - { + if (*pdcrl) { X509_CRL_free(*pdcrl); *pdcrl = NULL; - } - get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); } + get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); + } if (best_score >= CRL_SCORE_VALID) return 1; return 0; - } +} /* Compare two CRL extensions for delta checking purposes. They should be * both present or both absent. If both present all fields must be identical. */ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) - { +{ ASN1_OCTET_STRING *exta, *extb; int i; i = X509_CRL_get_ext_by_NID(a, nid, -1); - if (i >= 0) - { + if (i >= 0) { /* Can't have multiple occurrences */ if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) return 0; exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); - } - else + } else exta = NULL; i = X509_CRL_get_ext_by_NID(b, nid, -1); - if (i >= 0) - { + if (i >= 0) { if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) return 0; extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); - } - else + } else extb = NULL; if (!exta && !extb) @@ -916,12 +845,12 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) return 0; return 1; - } +} /* See if a base and delta are compatible */ static int check_delta_base(X509_CRL *delta, X509_CRL *base) - { +{ /* Delta CRL must be a delta */ if (!delta->base_crl_number) return 0; @@ -944,7 +873,7 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base) if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) return 1; return 0; - } +} /* For a given base CRL find a delta... maybe extend to delta scoring * or retrieve a chain of deltas... @@ -952,27 +881,25 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base) static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base, STACK_OF(X509_CRL) *crls) - { +{ X509_CRL *delta; int i; if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) return; if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) return; - for (i = 0; i < sk_X509_CRL_num(crls); i++) - { + for (i = 0; i < sk_X509_CRL_num(crls); i++) { delta = sk_X509_CRL_value(crls, i); - if (check_delta_base(delta, base)) - { + if (check_delta_base(delta, base)) { if (check_crl_time(ctx, delta, 0)) *pscore |= CRL_SCORE_TIME_DELTA; CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); *dcrl = delta; return; - } } - *dcrl = NULL; } + *dcrl = NULL; +} /* For a given CRL return how suitable it is for the supplied certificate 'x'. * The return value is a mask of several criteria. @@ -984,7 +911,7 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, X509_CRL *crl, X509 *x) - { +{ int crl_score = 0; unsigned int tmp_reasons = *preasons, crl_reasons; @@ -995,27 +922,22 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, if (crl->idp_flags & IDP_INVALID) return 0; /* Reason codes or indirect CRLs need extended CRL support */ - if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) - { + if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) { if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) return 0; - } - else if (crl->idp_flags & IDP_REASONS) - { + } else if (crl->idp_flags & IDP_REASONS) { /* If no new reasons reject */ if (!(crl->idp_reasons & ~tmp_reasons)) return 0; - } + } /* Don't process deltas at this stage */ else if (crl->base_crl_number) return 0; /* If issuer name doesn't match certificate need indirect CRL */ - if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) - { + if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) { if (!(crl->idp_flags & IDP_INDIRECT)) return 0; - } - else + } else crl_score |= CRL_SCORE_ISSUER_NAME; if (!(crl->flags & EXFLAG_CRITICAL)) @@ -1035,24 +957,23 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, /* Check cert for matching CRL distribution points */ - if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) - { + if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) { /* If no new reasons reject */ if (!(crl_reasons & ~tmp_reasons)) return 0; tmp_reasons |= crl_reasons; crl_score |= CRL_SCORE_SCOPE; - } + } *preasons = tmp_reasons; return crl_score; - } +} static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, int *pcrl_score) - { +{ X509 *crl_issuer = NULL; X509_NAME *cnm = X509_CRL_get_issuer(crl); int cidx = ctx->error_depth; @@ -1063,28 +984,24 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, crl_issuer = sk_X509_value(ctx->chain, cidx); - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) - { - if (*pcrl_score & CRL_SCORE_ISSUER_NAME) - { + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { + if (*pcrl_score & CRL_SCORE_ISSUER_NAME) { *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; *pissuer = crl_issuer; return; - } } + } - for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) - { + for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) { crl_issuer = sk_X509_value(ctx->chain, cidx); if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) continue; - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) - { + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; *pissuer = crl_issuer; return; - } } + } /* Anything else needs extended CRL support */ @@ -1094,19 +1011,17 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, /* Otherwise the CRL issuer is not on the path. Look for it in the * set of untrusted certificates. */ - for (i = 0; i < sk_X509_num(ctx->untrusted); i++) - { + for (i = 0; i < sk_X509_num(ctx->untrusted); i++) { crl_issuer = sk_X509_value(ctx->untrusted, i); if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) continue; - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) - { + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { *pissuer = crl_issuer; *pcrl_score |= CRL_SCORE_AKID; return; - } } } +} /* Check the path of a CRL issuer certificate. This creates a new * X509_STORE_CTX and populates it with most of the parameters from the @@ -1116,7 +1031,7 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, */ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) - { +{ X509_STORE_CTX crl_ctx; int ret; /* Don't allow recursive CRL path validation */ @@ -1144,7 +1059,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) err: X509_STORE_CTX_cleanup(&crl_ctx); return ret; - } +} /* RFC3280 says nothing about the relationship between CRL path * and certificate path, which could lead to situations where a @@ -1157,14 +1072,14 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, STACK_OF(X509) *crl_path) - { +{ X509 *cert_ta, *crl_ta; cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); if (!X509_cmp(cert_ta, crl_ta)) return 1; return 0; - } +} /* Check for match between two dist point names: three separate cases. * 1. Both are relative names and compare X509_NAME types. @@ -1175,125 +1090,110 @@ static int check_crl_chain(X509_STORE_CTX *ctx, static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) - { +{ X509_NAME *nm = NULL; GENERAL_NAMES *gens = NULL; GENERAL_NAME *gena, *genb; int i, j; if (!a || !b) return 1; - if (a->type == 1) - { + if (a->type == 1) { if (!a->dpname) return 0; /* Case 1: two X509_NAME */ - if (b->type == 1) - { + if (b->type == 1) { if (!b->dpname) return 0; if (!X509_NAME_cmp(a->dpname, b->dpname)) return 1; else return 0; - } + } /* Case 2: set name and GENERAL_NAMES appropriately */ nm = a->dpname; gens = b->name.fullname; - } - else if (b->type == 1) - { + } else if (b->type == 1) { if (!b->dpname) return 0; /* Case 2: set name and GENERAL_NAMES appropriately */ gens = a->name.fullname; nm = b->dpname; - } + } /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ - if (nm) - { - for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) - { + if (nm) { + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { gena = sk_GENERAL_NAME_value(gens, i); if (gena->type != GEN_DIRNAME) continue; if (!X509_NAME_cmp(nm, gena->d.directoryName)) return 1; - } - return 0; } + return 0; + } /* Else case 3: two GENERAL_NAMES */ - for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) - { + for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) { gena = sk_GENERAL_NAME_value(a->name.fullname, i); - for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) - { + for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) { genb = sk_GENERAL_NAME_value(b->name.fullname, j); if (!GENERAL_NAME_cmp(gena, genb)) return 1; - } } + } return 0; - } +} static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) - { +{ int i; X509_NAME *nm = X509_CRL_get_issuer(crl); /* If no CRLissuer return is successful iff don't need a match */ if (!dp->CRLissuer) return !!(crl_score & CRL_SCORE_ISSUER_NAME); - for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) - { + for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); if (gen->type != GEN_DIRNAME) continue; if (!X509_NAME_cmp(gen->d.directoryName, nm)) return 1; - } - return 0; } + return 0; +} /* Check CRLDP and IDP */ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons) - { +{ int i; if (crl->idp_flags & IDP_ONLYATTR) return 0; - if (x->ex_flags & EXFLAG_CA) - { + if (x->ex_flags & EXFLAG_CA) { if (crl->idp_flags & IDP_ONLYUSER) return 0; - } - else - { + } else { if (crl->idp_flags & IDP_ONLYCA) return 0; - } + } *preasons = crl->idp_reasons; - for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) - { + for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); - if (crldp_check_crlissuer(dp, crl, crl_score)) - { + if (crldp_check_crlissuer(dp, crl, crl_score)) { if (!crl->idp || - idp_check_dp(dp->distpoint, crl->idp->distpoint)) - { + idp_check_dp(dp->distpoint, crl->idp->distpoint)) { *preasons &= dp->dp_reasons; return 1; - } } } + } if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) return 1; return 0; - } +} /* Retrieve CRL corresponding to current certificate. * If deltas enabled try to find a delta CRL too @@ -1301,7 +1201,7 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) - { +{ int ok; X509 *issuer = NULL; int crl_score = 0; @@ -1331,129 +1231,113 @@ static int get_crl_delta(X509_STORE_CTX *ctx, done: /* If we got any kind of CRL use it and return success */ - if (crl) - { + if (crl) { ctx->current_issuer = issuer; ctx->current_crl_score = crl_score; ctx->current_reasons = reasons; *pcrl = crl; *pdcrl = dcrl; return 1; - } + } return 0; - } +} /* Check CRL validity */ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) - { +{ X509 *issuer = NULL; EVP_PKEY *ikey = NULL; int ok = 0, chnum, cnum; cnum = ctx->error_depth; chnum = sk_X509_num(ctx->chain) - 1; /* if we have an alternative CRL issuer cert use that */ - if (ctx->current_issuer) + if (ctx->current_issuer) { issuer = ctx->current_issuer; - - /* Else find CRL issuer: if not last certificate then issuer - * is next certificate in chain. - */ - else if (cnum < chnum) + } else if (cnum < chnum) { + /* Else find CRL issuer: if not last certificate then issuer + * is next certificate in chain. + */ issuer = sk_X509_value(ctx->chain, cnum + 1); - else - { + } else { issuer = sk_X509_value(ctx->chain, chnum); /* If not self signed, can't check signature */ - if(!ctx->check_issued(ctx, issuer, issuer)) - { + if(!ctx->check_issued(ctx, issuer, issuer)) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } } + } - if(issuer) - { + if(issuer) { /* Skip most tests for deltas because they have already * been done */ - if (!crl->base_crl_number) - { + if (!crl->base_crl_number) { /* Check for cRLSign bit if keyUsage present */ if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN)) - { + !(issuer->ex_kusage & KU_CRL_SIGN)) { ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } + } - if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) - { + if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } + } - if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) - { - if (check_crl_path(ctx, ctx->current_issuer) <= 0) - { + if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { + if (check_crl_path(ctx, ctx->current_issuer) <= 0) { ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } } + } - if (crl->idp_flags & IDP_INVALID) - { + if (crl->idp_flags & IDP_INVALID) { ctx->error = X509_V_ERR_INVALID_EXTENSION; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; - } + } - } + } - if (!(ctx->current_crl_score & CRL_SCORE_TIME)) - { + if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { ok = check_crl_time(ctx, crl, 1); if (!ok) goto err; - } + } /* Attempt to get issuer certificate public key */ ikey = X509_get_pubkey(issuer); - if(!ikey) - { + if(!ikey) { ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; - } - else - { + } else { /* Verify CRL signature */ - if(X509_CRL_verify(crl, ikey) <= 0) - { + if(X509_CRL_verify(crl, ikey) <= 0) { ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; - } } } + } ok = 1; - err: +err: EVP_PKEY_free(ikey); return ok; - } +} /* Check certificate against CRL */ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) - { +{ int ok; X509_REVOKED *rev; /* The rules changed for this... previously if a CRL contained @@ -1462,51 +1346,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) * critical extension can change the meaning of CRL entries. */ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (crl->flags & EXFLAG_CRITICAL)) - { + && (crl->flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; ok = ctx->verify_cb(0, ctx); if(!ok) return 0; - } + } /* Look for serial number of certificate in CRL * If found make sure reason is not removeFromCRL. */ - if (X509_CRL_get0_by_cert(crl, &rev, x)) - { + if (X509_CRL_get0_by_cert(crl, &rev, x)) { if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) return 2; ctx->error = X509_V_ERR_CERT_REVOKED; ok = ctx->verify_cb(0, ctx); if (!ok) return 0; - } + } return 1; - } +} static int check_policy(X509_STORE_CTX *ctx) - { +{ int ret; if (ctx->parent) return 1; ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, ctx->param->policies, ctx->param->flags); - if (ret == 0) - { + if (ret == 0) { X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); return 0; - } + } /* Invalid or inconsistent extensions */ - if (ret == -1) - { + if (ret == -1) { /* Locate certificates with bad extensions and notify * callback. */ X509 *x; int i; - for (i = 1; i < sk_X509_num(ctx->chain); i++) - { + for (i = 1; i < sk_X509_num(ctx->chain); i++) { x = sk_X509_value(ctx->chain, i); if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) continue; @@ -1514,29 +1393,27 @@ static int check_policy(X509_STORE_CTX *ctx) ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; if(!ctx->verify_cb(0, ctx)) return 0; - } - return 1; } - if (ret == -2) - { + return 1; + } + if (ret == -2) { ctx->current_cert = NULL; ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; return ctx->verify_cb(0, ctx); - } + } - if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) - { + if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { ctx->current_cert = NULL; ctx->error = X509_V_OK; if (!ctx->verify_cb(2, ctx)) return 0; - } + } return 1; - } +} static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) - { +{ time_t *ptime; int i; @@ -1546,44 +1423,40 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) ptime = NULL; i=X509_cmp_time(X509_get_notBefore(x), ptime); - if (i == 0) - { + if (i == 0) { ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if (i > 0) - { + if (i > 0) { ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } i=X509_cmp_time(X509_get_notAfter(x), ptime); - if (i == 0) - { + if (i == 0) { ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } - if (i < 0) - { + if (i < 0) { ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; ctx->current_cert=x; if (!ctx->verify_cb(0, ctx)) return 0; - } + } return 1; - } +} static int internal_verify(X509_STORE_CTX *ctx) - { +{ int ok=0,n; X509 *xs,*xi; EVP_PKEY *pkey=NULL; @@ -1598,55 +1471,45 @@ static int internal_verify(X509_STORE_CTX *ctx) if (ctx->check_issued(ctx, xi, xi)) xs=xi; - else - { - if (n <= 0) - { + else { + if (n <= 0) { ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; ctx->current_cert=xi; ok=cb(0,ctx); goto end; - } - else - { + } else { n--; ctx->error_depth=n; xs=sk_X509_value(ctx->chain,n); - } } + } /* ctx->error=0; not needed */ - while (n >= 0) - { + while (n >= 0) { ctx->error_depth=n; /* Skip signature check for self signed certificates unless * explicitly asked for. It doesn't add any security and * just wastes time. */ - if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) - { - if ((pkey=X509_get_pubkey(xi)) == NULL) - { + if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) { + if ((pkey=X509_get_pubkey(xi)) == NULL) { ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ctx->current_cert=xi; ok=(*cb)(0,ctx); if (!ok) goto end; - } - else if (X509_verify(xs,pkey) <= 0) - { + } else if (X509_verify(xs,pkey) <= 0) { ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; ctx->current_cert=xs; ok=(*cb)(0,ctx); - if (!ok) - { + if (!ok) { EVP_PKEY_free(pkey); goto end; - } } + } EVP_PKEY_free(pkey); pkey=NULL; - } + } xs->valid = 1; @@ -1661,16 +1524,15 @@ static int internal_verify(X509_STORE_CTX *ctx) if (!ok) goto end; n--; - if (n >= 0) - { + if (n >= 0) { xi=xs; xs=sk_X509_value(ctx->chain,n); - } } + } ok=1; end: return ok; - } +} int X509_cmp_current_time(const ASN1_TIME *ctm) { @@ -1678,7 +1540,7 @@ int X509_cmp_current_time(const ASN1_TIME *ctm) } int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) - { +{ char *str; ASN1_TIME atm; long offset; @@ -1688,49 +1550,44 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) p=buff1; i=ctm->length; str=(char *)ctm->data; - if (ctm->type == V_ASN1_UTCTIME) - { + if (ctm->type == V_ASN1_UTCTIME) { if ((i < 11) || (i > 17)) return 0; memcpy(p,str,10); p+=10; str+=10; - } - else - { + } else { if (i < 13) return 0; memcpy(p,str,12); p+=12; str+=12; - } + } - if ((*str == 'Z') || (*str == '-') || (*str == '+')) - { *(p++)='0'; *(p++)='0'; } - else - { + if ((*str == 'Z') || (*str == '-') || (*str == '+')) { + *(p++)='0'; + *(p++)='0'; + } else { *(p++)= *(str++); *(p++)= *(str++); /* Skip any fractional seconds... */ - if (*str == '.') - { + if (*str == '.') { str++; while ((*str >= '0') && (*str <= '9')) str++; - } - } + + } *(p++)='Z'; *(p++)='\0'; if (*str == 'Z') offset=0; - else - { + else { if ((*str != '+') && (*str != '-')) return 0; offset=((str[1]-'0')*10+(str[2]-'0'))*60; offset+=(str[3]-'0')*10+(str[4]-'0'); if (*str == '-') offset= -offset; - } + } atm.type=ctm->type; atm.flags = 0; atm.length=sizeof(buff2); @@ -1739,8 +1596,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) if (X509_time_adj(&atm, offset*60, cmp_time) == NULL) return 0; - if (ctm->type == V_ASN1_UTCTIME) - { + if (ctm->type == V_ASN1_UTCTIME) { i=(buff1[0]-'0')*10+(buff1[1]-'0'); if (i < 50) i+=100; /* cf. RFC 2459 */ j=(buff2[0]-'0')*10+(buff2[1]-'0'); @@ -1748,13 +1604,13 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) if (i < j) return -1; if (i > j) return 1; - } + } i=strcmp(buff1,buff2); if (i == 0) /* wait a second then return younger :-) */ return -1; else return i; - } +} ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) { @@ -1762,168 +1618,161 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) } ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) - { +{ return X509_time_adj_ex(s, 0, offset_sec, in_tm); - } +} ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm) - { +{ time_t t; if (in_tm) t = *in_tm; else time(&t); - if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) - { + if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) { if (s->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); if (s->type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec); - } - return ASN1_TIME_adj(s, t, offset_day, offset_sec); } + return ASN1_TIME_adj(s, t, offset_day, offset_sec); +} int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) - { +{ EVP_PKEY *ktmp=NULL,*ktmp2; int i,j; if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; - for (i=0; i= 0; j--) - { + for (j=i-1; j >= 0; j--) { ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); EVP_PKEY_copy_parameters(ktmp2,ktmp); EVP_PKEY_free(ktmp2); - } + } if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); EVP_PKEY_free(ktmp); return 1; - } +} int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) - { +{ /* This function is (usually) called only once, by * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, new_func, dup_func, free_func); - } +} int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) - { +{ return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); - } +} void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) - { +{ return CRYPTO_get_ex_data(&ctx->ex_data,idx); - } +} int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) - { +{ return ctx->error; - } +} void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) - { +{ ctx->error=err; - } +} int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) - { +{ return ctx->error_depth; - } +} X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) - { +{ return ctx->current_cert; - } +} STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) - { +{ return ctx->chain; - } +} STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) - { +{ int i; X509 *x; STACK_OF(X509) *chain; if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; - for (i = 0; i < sk_X509_num(chain); i++) - { + for (i = 0; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); - } - return chain; } + return chain; +} X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) - { +{ return ctx->current_issuer; - } +} X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) - { +{ return ctx->current_crl; - } +} X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) - { +{ return ctx->parent; - } +} void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) - { +{ ctx->cert=x; - } +} void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) - { +{ ctx->untrusted=sk; - } +} void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) - { +{ ctx->crls=sk; - } +} int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) - { +{ return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); - } +} int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) - { +{ return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); - } +} /* This function is used to set the X509_STORE_CTX purpose and trust * values. This is intended to be used when another structure has its @@ -1942,41 +1791,35 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, /* If purpose not set use default */ if (!purpose) purpose = def_purpose; /* If we have a purpose then check it is valid */ - if (purpose) - { + if (purpose) { X509_PURPOSE *ptmp; idx = X509_PURPOSE_get_by_id(purpose); - if (idx == -1) - { + if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_PURPOSE_ID); return 0; - } + } ptmp = X509_PURPOSE_get0(idx); - if (ptmp->trust == X509_TRUST_DEFAULT) - { + if (ptmp->trust == X509_TRUST_DEFAULT) { idx = X509_PURPOSE_get_by_id(def_purpose); - if (idx == -1) - { + if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_PURPOSE_ID); return 0; - } - ptmp = X509_PURPOSE_get0(idx); } + ptmp = X509_PURPOSE_get0(idx); + } /* If trust not set then get from purpose default */ if (!trust) trust = ptmp->trust; - } - if (trust) - { + } + if (trust) { idx = X509_TRUST_get_by_id(trust); - if (idx == -1) - { + if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_TRUST_ID); return 0; - } } + } if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; if (trust && !ctx->param->trust) ctx->param->trust = trust; @@ -1987,11 +1830,10 @@ X509_STORE_CTX *X509_STORE_CTX_new(void) { X509_STORE_CTX *ctx; ctx = (X509_STORE_CTX *)malloc(sizeof(X509_STORE_CTX)); - if (!ctx) - { + if (!ctx) { X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); return NULL; - } + } memset(ctx, 0, sizeof(X509_STORE_CTX)); return ctx; } @@ -2004,7 +1846,7 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx) int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain) - { +{ int ret = 1; ctx->ctx=store; ctx->current_method=0; @@ -2028,11 +1870,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->param = X509_VERIFY_PARAM_new(); - if (!ctx->param) - { + if (!ctx->param) { X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); return 0; - } + } /* Inherit callbacks and flags from X509_STORE if not set * use defaults. @@ -2044,23 +1885,20 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, else ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; - if (store) - { + if (store) { ctx->verify_cb = store->verify_cb; ctx->cleanup = store->cleanup; - } - else + } else ctx->cleanup = 0; if (ret) ret = X509_VERIFY_PARAM_inherit(ctx->param, X509_VERIFY_PARAM_lookup("default")); - if (ret == 0) - { + if (ret == 0) { X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); return 0; - } + } if (store && store->check_issued) ctx->check_issued = store->check_issued; @@ -2120,14 +1958,13 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, * corresponding "new" here and remove this bogus initialisation. */ /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, - &(ctx->ex_data))) - { + &(ctx->ex_data))) { free(ctx); X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); return 0; - } - return 1; } + return 1; +} /* Set alternative lookup method: just a STACK of trusted certificates. * This avoids X509_STORE nastiness where it isn't needed. @@ -2140,79 +1977,76 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) } void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) - { +{ if (ctx->cleanup) ctx->cleanup(ctx); - if (ctx->param != NULL) - { + if (ctx->param != NULL) { if (ctx->parent == NULL) X509_VERIFY_PARAM_free(ctx->param); ctx->param=NULL; - } - if (ctx->tree != NULL) - { + } + if (ctx->tree != NULL) { X509_policy_tree_free(ctx->tree); ctx->tree=NULL; - } - if (ctx->chain != NULL) - { + } + if (ctx->chain != NULL) { sk_X509_pop_free(ctx->chain,X509_free); ctx->chain=NULL; - } + } CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); - } +} void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) - { +{ X509_VERIFY_PARAM_set_depth(ctx->param, depth); - } +} void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) - { +{ X509_VERIFY_PARAM_set_flags(ctx->param, flags); - } +} void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) - { +{ X509_VERIFY_PARAM_set_time(ctx->param, t); - } +} void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)) - { +{ ctx->verify_cb=verify_cb; - } +} X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) - { +{ return ctx->tree; - } +} int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) - { +{ return ctx->explicit_policy; - } +} int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) - { +{ const X509_VERIFY_PARAM *param; param = X509_VERIFY_PARAM_lookup(name); if (!param) return 0; return X509_VERIFY_PARAM_inherit(ctx->param, param); - } +} X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) - { +{ return ctx->param; - } +} void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) - { +{ if (ctx->param) X509_VERIFY_PARAM_free(ctx->param); ctx->param = param; - } +} IMPLEMENT_STACK_OF(X509) IMPLEMENT_ASN1_SET_OF(X509) diff --git a/lib/libssl/src/crypto/x509/x509_vpm.c b/lib/libssl/src/crypto/x509/x509_vpm.c index 5e3eba4029b..7f0824f75ee 100644 --- a/lib/libssl/src/crypto/x509/x509_vpm.c +++ b/lib/libssl/src/crypto/x509/x509_vpm.c @@ -68,7 +68,7 @@ /* X509_VERIFY_PARAM functions */ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) - { +{ if (!param) return; param->name = NULL; @@ -78,27 +78,26 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) param->inh_flags = 0; param->flags = 0; param->depth = -1; - if (param->policies) - { + if (param->policies) { sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); param->policies = NULL; - } } +} X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) - { +{ X509_VERIFY_PARAM *param; param = malloc(sizeof(X509_VERIFY_PARAM)); memset(param, 0, sizeof(X509_VERIFY_PARAM)); x509_verify_param_zero(param); return param; - } +} void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) - { +{ x509_verify_param_zero(param); free(param); - } +} /* This function determines how parameters are "inherited" from one structure * to another. There are several different ways this can happen. @@ -146,7 +145,7 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) - { +{ unsigned long inh_flags; int to_default, to_overwrite; if (!src) @@ -175,104 +174,101 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, /* If overwrite or check time not set, copy across */ - if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) - { + if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) { dest->check_time = src->check_time; dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME; /* Don't need to copy flag: that is done below */ - } + } if (inh_flags & X509_VP_FLAG_RESET_FLAGS) dest->flags = 0; dest->flags |= src->flags; - if (test_x509_verify_param_copy(policies, NULL)) - { + if (test_x509_verify_param_copy(policies, NULL)) { if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies)) return 0; - } + } return 1; - } +} int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from) - { +{ unsigned long save_flags = to->inh_flags; int ret; to->inh_flags |= X509_VP_FLAG_DEFAULT; ret = X509_VERIFY_PARAM_inherit(to, from); to->inh_flags = save_flags; return ret; - } +} int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) - { +{ if (param->name) free(param->name); param->name = BUF_strdup(name); if (param->name) return 1; return 0; - } +} int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) - { +{ param->flags |= flags; if (flags & X509_V_FLAG_POLICY_MASK) param->flags |= X509_V_FLAG_POLICY_CHECK; return 1; - } +} int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) - { +{ param->flags &= ~flags; return 1; - } +} unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) - { +{ return param->flags; - } +} int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) - { +{ return X509_PURPOSE_set(¶m->purpose, purpose); - } +} int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) - { +{ return X509_TRUST_set(¶m->trust, trust); - } +} void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) - { +{ param->depth = depth; - } +} void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) - { +{ param->check_time = t; param->flags |= X509_V_FLAG_USE_CHECK_TIME; - } +} int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) - { - if (!param->policies) - { +{ + if (!param->policies) { param->policies = sk_ASN1_OBJECT_new_null(); if (!param->policies) return 0; - } + } if (!sk_ASN1_OBJECT_push(param->policies, policy)) return 0; return 1; - } +} int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, STACK_OF(ASN1_OBJECT) *policies) - { +{ int i; ASN1_OBJECT *oid, *doid; if (!param) @@ -280,36 +276,33 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, if (param->policies) sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); - if (!policies) - { + if (!policies) { param->policies = NULL; return 1; - } + } param->policies = sk_ASN1_OBJECT_new_null(); if (!param->policies) return 0; - for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) - { + for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) { oid = sk_ASN1_OBJECT_value(policies, i); doid = OBJ_dup(oid); if (!doid) return 0; - if (!sk_ASN1_OBJECT_push(param->policies, doid)) - { + if (!sk_ASN1_OBJECT_push(param->policies, doid)) { ASN1_OBJECT_free(doid); return 0; - } } + } param->flags |= X509_V_FLAG_POLICY_CHECK; return 1; - } +} int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) - { +{ return param->depth; - } +} /* Default verify parameters: these are used for various * applications and can be overridden by the user specified table. @@ -367,15 +360,16 @@ static const X509_VERIFY_PARAM default_table[] = { X509_TRUST_SSL_SERVER, /* trust */ -1, /* depth */ NULL /* policies */ - }}; + } +}; static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL; static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) - { +{ return strcmp(a->name, b->name); - } +} DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table); @@ -384,55 +378,50 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, static int param_cmp(const X509_VERIFY_PARAM * const *a, const X509_VERIFY_PARAM * const *b) - { +{ return strcmp((*a)->name, (*b)->name); - } +} int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) - { +{ int idx; X509_VERIFY_PARAM *ptmp; - if (!param_table) - { + if (!param_table) { param_table = sk_X509_VERIFY_PARAM_new(param_cmp); if (!param_table) return 0; - } - else - { + } else { idx = sk_X509_VERIFY_PARAM_find(param_table, param); - if (idx != -1) - { + if (idx != -1) { ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx); X509_VERIFY_PARAM_free(ptmp); (void)sk_X509_VERIFY_PARAM_delete(param_table, idx); - } } + } if (!sk_X509_VERIFY_PARAM_push(param_table, param)) return 0; return 1; - } +} const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) - { +{ int idx; X509_VERIFY_PARAM pm; pm.name = (char *)name; - if (param_table) - { + if (param_table) { idx = sk_X509_VERIFY_PARAM_find(param_table, &pm); if (idx != -1) return sk_X509_VERIFY_PARAM_value(param_table, idx); - } + } return OBJ_bsearch_table(&pm, default_table, sizeof(default_table)/sizeof(X509_VERIFY_PARAM)); - } +} void X509_VERIFY_PARAM_table_cleanup(void) - { +{ if (param_table) sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free); param_table = NULL; - } +} diff --git a/lib/libssl/src/crypto/x509/x509cset.c b/lib/libssl/src/crypto/x509/x509cset.c index 3109defb0b2..bb39cf4e04e 100644 --- a/lib/libssl/src/crypto/x509/x509cset.c +++ b/lib/libssl/src/crypto/x509/x509cset.c @@ -64,107 +64,97 @@ #include int X509_CRL_set_version(X509_CRL *x, long version) - { +{ if (x == NULL) return(0); - if (x->crl->version == NULL) - { + if (x->crl->version == NULL) { if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL) return(0); - } - return(ASN1_INTEGER_set(x->crl->version,version)); } + return(ASN1_INTEGER_set(x->crl->version,version)); +} int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name) - { +{ if ((x == NULL) || (x->crl == NULL)) return(0); return(X509_NAME_set(&x->crl->issuer,name)); - } +} int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) - { +{ ASN1_TIME *in; if (x == NULL) return(0); in=x->crl->lastUpdate; - if (in != tm) - { + if (in != tm) { in=M_ASN1_TIME_dup(tm); - if (in != NULL) - { + if (in != NULL) { M_ASN1_TIME_free(x->crl->lastUpdate); x->crl->lastUpdate=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) - { +{ ASN1_TIME *in; if (x == NULL) return(0); in=x->crl->nextUpdate; - if (in != tm) - { + if (in != tm) { in=M_ASN1_TIME_dup(tm); - if (in != NULL) - { + if (in != NULL) { M_ASN1_TIME_free(x->crl->nextUpdate); x->crl->nextUpdate=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_CRL_sort(X509_CRL *c) - { +{ int i; X509_REVOKED *r; /* sort the data so it will be written in serial * number order */ sk_X509_REVOKED_sort(c->crl->revoked); - for (i=0; icrl->revoked); i++) - { + for (i=0; icrl->revoked); i++) { r=sk_X509_REVOKED_value(c->crl->revoked,i); r->sequence=i; - } + } c->crl->enc.modified = 1; return 1; - } +} int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) - { +{ ASN1_TIME *in; if (x == NULL) return(0); in=x->revocationDate; - if (in != tm) - { + if (in != tm) { in=M_ASN1_TIME_dup(tm); - if (in != NULL) - { + if (in != NULL) { M_ASN1_TIME_free(x->revocationDate); x->revocationDate=in; - } } - return(in != NULL); } + return(in != NULL); +} int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial) - { +{ ASN1_INTEGER *in; if (x == NULL) return(0); in=x->serialNumber; - if (in != serial) - { + if (in != serial) { in=M_ASN1_INTEGER_dup(serial); - if (in != NULL) - { + if (in != NULL) { M_ASN1_INTEGER_free(x->serialNumber); x->serialNumber=in; - } } - return(in != NULL); } + return(in != NULL); +} diff --git a/lib/libssl/src/crypto/x509/x509name.c b/lib/libssl/src/crypto/x509/x509name.c index 27bc4dc9a3e..729fb060f8d 100644 --- a/lib/libssl/src/crypto/x509/x509name.c +++ b/lib/libssl/src/crypto/x509/x509name.c @@ -65,17 +65,17 @@ #include int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) - { +{ ASN1_OBJECT *obj; obj=OBJ_nid2obj(nid); if (obj == NULL) return(-1); return(X509_NAME_get_text_by_OBJ(name,obj,buf,len)); - } +} int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf, int len) - { +{ int i; ASN1_STRING *data; @@ -87,27 +87,27 @@ int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf, memcpy(buf,data->data,i); buf[i]='\0'; return(i); - } +} int X509_NAME_entry_count(X509_NAME *name) - { +{ if (name == NULL) return(0); return(sk_X509_NAME_ENTRY_num(name->entries)); - } +} int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos) - { +{ ASN1_OBJECT *obj; obj=OBJ_nid2obj(nid); if (obj == NULL) return(-2); return(X509_NAME_get_index_by_OBJ(name,obj,lastpos)); - } +} /* NOTE: you should be passsing -1, not 0 as lastpos */ int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int lastpos) - { +{ int n; X509_NAME_ENTRY *ne; STACK_OF(X509_NAME_ENTRY) *sk; @@ -117,26 +117,25 @@ int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, lastpos= -1; sk=name->entries; n=sk_X509_NAME_ENTRY_num(sk); - for (lastpos++; lastpos < n; lastpos++) - { + for (lastpos++; lastpos < n; lastpos++) { ne=sk_X509_NAME_ENTRY_value(sk,lastpos); if (OBJ_cmp(ne->object,obj) == 0) return(lastpos); - } - return(-1); } + return(-1); +} X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc) - { +{ if(name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc || loc < 0) return(NULL); else return(sk_X509_NAME_ENTRY_value(name->entries,loc)); - } +} X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc) - { +{ X509_NAME_ENTRY *ret; int i,n,set_prev,set_next; STACK_OF(X509_NAME_ENTRY) *sk; @@ -169,7 +168,7 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc) for (i=loc; iset--; return(ret); - } +} int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set) @@ -211,7 +210,7 @@ int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, * prepend to the guy we are about to stomp on. */ int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, int set) - { +{ X509_NAME_ENTRY *new_name=NULL; int n,i,inc; STACK_OF(X509_NAME_ENTRY) *sk; @@ -224,101 +223,87 @@ int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, name->modified=1; - if (set == -1) - { - if (loc == 0) - { + if (set == -1) { + if (loc == 0) { set=0; inc=1; - } - else - { + } else { set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set; inc=0; - } } - else /* if (set >= 0) */ - { - if (loc >= n) - { + } else /* if (set >= 0) */ { + if (loc >= n) { if (loc != 0) set=sk_X509_NAME_ENTRY_value(sk,loc-1)->set+1; else set=0; - } - else + } else set=sk_X509_NAME_ENTRY_value(sk,loc)->set; inc=(set == 0)?1:0; - } + } if ((new_name=X509_NAME_ENTRY_dup(ne)) == NULL) goto err; new_name->set=set; - if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc)) - { + if (!sk_X509_NAME_ENTRY_insert(sk,new_name,loc)) { X509err(X509_F_X509_NAME_ADD_ENTRY,ERR_R_MALLOC_FAILURE); goto err; - } - if (inc) - { + } + if (inc) { n=sk_X509_NAME_ENTRY_num(sk); for (i=loc+1; iset+=1; - } + } return(1); err: if (new_name != NULL) X509_NAME_ENTRY_free(new_name); return(0); - } +} X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, int type, const unsigned char *bytes, int len) - { +{ ASN1_OBJECT *obj; X509_NAME_ENTRY *nentry; obj=OBJ_txt2obj(field, 0); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_TXT, X509_R_INVALID_FIELD_NAME); ERR_add_error_data(2, "name=", field); return(NULL); - } + } nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len); ASN1_OBJECT_free(obj); return nentry; - } +} X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type, unsigned char *bytes, int len) - { +{ ASN1_OBJECT *obj; X509_NAME_ENTRY *nentry; obj=OBJ_nid2obj(nid); - if (obj == NULL) - { + if (obj == NULL) { X509err(X509_F_X509_NAME_ENTRY_CREATE_BY_NID,X509_R_UNKNOWN_NID); return(NULL); - } + } nentry = X509_NAME_ENTRY_create_by_OBJ(ne,obj,type,bytes,len); ASN1_OBJECT_free(obj); return nentry; - } +} X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len) - { +{ X509_NAME_ENTRY *ret; - if ((ne == NULL) || (*ne == NULL)) - { + if ((ne == NULL) || (*ne == NULL)) { if ((ret=X509_NAME_ENTRY_new()) == NULL) return(NULL); - } - else + } else ret= *ne; if (!X509_NAME_ENTRY_set_object(ret,obj)) @@ -332,23 +317,22 @@ err: if ((ne == NULL) || (ret != *ne)) X509_NAME_ENTRY_free(ret); return(NULL); - } +} int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj) - { - if ((ne == NULL) || (obj == NULL)) - { +{ + if ((ne == NULL) || (obj == NULL)) { X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,ERR_R_PASSED_NULL_PARAMETER); return(0); - } + } ASN1_OBJECT_free(ne->object); ne->object=OBJ_dup(obj); return((ne->object == NULL)?0:1); - } +} int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len) - { +{ int i; if ((ne == NULL) || ((bytes == NULL) && (len != 0))) return(0); @@ -359,25 +343,24 @@ int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, if (len < 0) len=strlen((const char *)bytes); i=ASN1_STRING_set(ne->value,bytes,len); if (!i) return(0); - if (type != V_ASN1_UNDEF) - { + if (type != V_ASN1_UNDEF) { if (type == V_ASN1_APP_CHOOSE) ne->value->type=ASN1_PRINTABLE_type(bytes,len); else ne->value->type=type; - } - return(1); } + return(1); +} ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne) - { +{ if (ne == NULL) return(NULL); return(ne->object); - } +} ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne) - { +{ if (ne == NULL) return(NULL); return(ne->value); - } +} diff --git a/lib/libssl/src/crypto/x509/x509rset.c b/lib/libssl/src/crypto/x509/x509rset.c index d9f6b573729..fab93cce973 100644 --- a/lib/libssl/src/crypto/x509/x509rset.c +++ b/lib/libssl/src/crypto/x509/x509rset.c @@ -64,20 +64,20 @@ #include int X509_REQ_set_version(X509_REQ *x, long version) - { +{ if (x == NULL) return(0); return(ASN1_INTEGER_set(x->req_info->version,version)); - } +} int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name) - { +{ if ((x == NULL) || (x->req_info == NULL)) return(0); return(X509_NAME_set(&x->req_info->subject,name)); - } +} int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey) - { +{ if ((x == NULL) || (x->req_info == NULL)) return(0); return(X509_PUBKEY_set(&x->req_info->pubkey,pkey)); - } +} diff --git a/lib/libssl/src/crypto/x509/x509type.c b/lib/libssl/src/crypto/x509/x509type.c index 9702ec53103..ff06cfcab99 100644 --- a/lib/libssl/src/crypto/x509/x509type.c +++ b/lib/libssl/src/crypto/x509/x509type.c @@ -63,7 +63,7 @@ #include int X509_certificate_type(X509 *x, EVP_PKEY *pkey) - { +{ EVP_PKEY *pk; int ret=0,i; @@ -76,8 +76,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) if (pk == NULL) return(0); - switch (pk->type) - { + switch (pk->type) { case EVP_PKEY_RSA: ret=EVP_PK_RSA|EVP_PKT_SIGN; /* if (!sign only extension) */ @@ -98,14 +97,12 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) break; default: break; - } + } i=OBJ_obj2nid(x->sig_alg->algorithm); - if (i && OBJ_find_sigid_algs(i, NULL, &i)) - { + if (i && OBJ_find_sigid_algs(i, NULL, &i)) { - switch (i) - { + switch (i) { case NID_rsaEncryption: case NID_rsa: ret|=EVP_PKS_RSA; @@ -119,13 +116,13 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) break; default: break; - } } + } if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look for, not bytes */ ret|=EVP_PKT_EXP; if(pkey==NULL) EVP_PKEY_free(pk); return(ret); - } +} -- 2.20.1