x509_vpm.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602
  1. /*
  2. * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/crypto.h>
  12. #include <openssl/buffer.h>
  13. #include <openssl/x509.h>
  14. #include <openssl/x509v3.h>
  15. #include "crypto/x509.h"
  16. #include "x509_local.h"
  17. /* X509_VERIFY_PARAM functions */
  18. #define SET_HOST 0
  19. #define ADD_HOST 1
  20. static char *str_copy(const char *s)
  21. {
  22. return OPENSSL_strdup(s);
  23. }
  24. static void str_free(char *s)
  25. {
  26. OPENSSL_free(s);
  27. }
  28. static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
  29. const char *name, size_t namelen)
  30. {
  31. char *copy;
  32. /*
  33. * Refuse names with embedded NUL bytes, except perhaps as final byte.
  34. * XXX: Do we need to push an error onto the error stack?
  35. */
  36. if (namelen == 0 || name == NULL)
  37. namelen = name ? strlen(name) : 0;
  38. else if (name && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen))
  39. return 0;
  40. if (namelen > 0 && name[namelen - 1] == '\0')
  41. --namelen;
  42. if (mode == SET_HOST) {
  43. sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
  44. vpm->hosts = NULL;
  45. }
  46. if (name == NULL || namelen == 0)
  47. return 1;
  48. copy = OPENSSL_strndup(name, namelen);
  49. if (copy == NULL)
  50. return 0;
  51. if (vpm->hosts == NULL &&
  52. (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
  53. OPENSSL_free(copy);
  54. return 0;
  55. }
  56. if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
  57. OPENSSL_free(copy);
  58. if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
  59. sk_OPENSSL_STRING_free(vpm->hosts);
  60. vpm->hosts = NULL;
  61. }
  62. return 0;
  63. }
  64. return 1;
  65. }
  66. X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
  67. {
  68. X509_VERIFY_PARAM *param;
  69. param = OPENSSL_zalloc(sizeof(*param));
  70. if (param == NULL) {
  71. X509err(X509_F_X509_VERIFY_PARAM_NEW, ERR_R_MALLOC_FAILURE);
  72. return NULL;
  73. }
  74. param->trust = X509_TRUST_DEFAULT;
  75. /* param->inh_flags = X509_VP_FLAG_DEFAULT; */
  76. param->depth = -1;
  77. param->auth_level = -1; /* -1 means unset, 0 is explicit */
  78. return param;
  79. }
  80. void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
  81. {
  82. if (param == NULL)
  83. return;
  84. sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
  85. sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
  86. OPENSSL_free(param->peername);
  87. OPENSSL_free(param->email);
  88. OPENSSL_free(param->ip);
  89. OPENSSL_free(param);
  90. }
  91. /*-
  92. * This function determines how parameters are "inherited" from one structure
  93. * to another. There are several different ways this can happen.
  94. *
  95. * 1. If a child structure needs to have its values initialized from a parent
  96. * they are simply copied across. For example SSL_CTX copied to SSL.
  97. * 2. If the structure should take on values only if they are currently unset.
  98. * For example the values in an SSL structure will take appropriate value
  99. * for SSL servers or clients but only if the application has not set new
  100. * ones.
  101. *
  102. * The "inh_flags" field determines how this function behaves.
  103. *
  104. * Normally any values which are set in the default are not copied from the
  105. * destination and verify flags are ORed together.
  106. *
  107. * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
  108. * to the destination. Effectively the values in "to" become default values
  109. * which will be used only if nothing new is set in "from".
  110. *
  111. * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
  112. * they are set or not. Flags is still Ored though.
  113. *
  114. * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
  115. * of ORed.
  116. *
  117. * If X509_VP_FLAG_LOCKED is set then no values are copied.
  118. *
  119. * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
  120. * after the next call.
  121. */
  122. /* Macro to test if a field should be copied from src to dest */
  123. #define test_x509_verify_param_copy(field, def) \
  124. (to_overwrite || \
  125. ((src->field != def) && (to_default || (dest->field == def))))
  126. /* Macro to test and copy a field if necessary */
  127. #define x509_verify_param_copy(field, def) \
  128. if (test_x509_verify_param_copy(field, def)) \
  129. dest->field = src->field
  130. int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
  131. const X509_VERIFY_PARAM *src)
  132. {
  133. unsigned long inh_flags;
  134. int to_default, to_overwrite;
  135. if (!src)
  136. return 1;
  137. inh_flags = dest->inh_flags | src->inh_flags;
  138. if (inh_flags & X509_VP_FLAG_ONCE)
  139. dest->inh_flags = 0;
  140. if (inh_flags & X509_VP_FLAG_LOCKED)
  141. return 1;
  142. if (inh_flags & X509_VP_FLAG_DEFAULT)
  143. to_default = 1;
  144. else
  145. to_default = 0;
  146. if (inh_flags & X509_VP_FLAG_OVERWRITE)
  147. to_overwrite = 1;
  148. else
  149. to_overwrite = 0;
  150. x509_verify_param_copy(purpose, 0);
  151. x509_verify_param_copy(trust, X509_TRUST_DEFAULT);
  152. x509_verify_param_copy(depth, -1);
  153. x509_verify_param_copy(auth_level, -1);
  154. /* If overwrite or check time not set, copy across */
  155. if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
  156. dest->check_time = src->check_time;
  157. dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
  158. /* Don't need to copy flag: that is done below */
  159. }
  160. if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
  161. dest->flags = 0;
  162. dest->flags |= src->flags;
  163. if (test_x509_verify_param_copy(policies, NULL)) {
  164. if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
  165. return 0;
  166. }
  167. x509_verify_param_copy(hostflags, 0);
  168. if (test_x509_verify_param_copy(hosts, NULL)) {
  169. sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
  170. dest->hosts = NULL;
  171. if (src->hosts) {
  172. dest->hosts =
  173. sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
  174. if (dest->hosts == NULL)
  175. return 0;
  176. }
  177. }
  178. if (test_x509_verify_param_copy(email, NULL)) {
  179. if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen))
  180. return 0;
  181. }
  182. if (test_x509_verify_param_copy(ip, NULL)) {
  183. if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
  184. return 0;
  185. }
  186. return 1;
  187. }
  188. int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
  189. const X509_VERIFY_PARAM *from)
  190. {
  191. unsigned long save_flags = to->inh_flags;
  192. int ret;
  193. to->inh_flags |= X509_VP_FLAG_DEFAULT;
  194. ret = X509_VERIFY_PARAM_inherit(to, from);
  195. to->inh_flags = save_flags;
  196. return ret;
  197. }
  198. static int int_x509_param_set1(char **pdest, size_t *pdestlen,
  199. const char *src, size_t srclen)
  200. {
  201. void *tmp;
  202. if (src) {
  203. if (srclen == 0)
  204. srclen = strlen(src);
  205. tmp = OPENSSL_memdup(src, srclen);
  206. if (tmp == NULL)
  207. return 0;
  208. } else {
  209. tmp = NULL;
  210. srclen = 0;
  211. }
  212. OPENSSL_free(*pdest);
  213. *pdest = tmp;
  214. if (pdestlen != NULL)
  215. *pdestlen = srclen;
  216. return 1;
  217. }
  218. int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
  219. {
  220. OPENSSL_free(param->name);
  221. param->name = OPENSSL_strdup(name);
  222. if (param->name)
  223. return 1;
  224. return 0;
  225. }
  226. int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
  227. {
  228. param->flags |= flags;
  229. if (flags & X509_V_FLAG_POLICY_MASK)
  230. param->flags |= X509_V_FLAG_POLICY_CHECK;
  231. return 1;
  232. }
  233. int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
  234. unsigned long flags)
  235. {
  236. param->flags &= ~flags;
  237. return 1;
  238. }
  239. unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
  240. {
  241. return param->flags;
  242. }
  243. uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param)
  244. {
  245. return param->inh_flags;
  246. }
  247. int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags)
  248. {
  249. param->inh_flags = flags;
  250. return 1;
  251. }
  252. int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
  253. {
  254. return X509_PURPOSE_set(&param->purpose, purpose);
  255. }
  256. int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
  257. {
  258. return X509_TRUST_set(&param->trust, trust);
  259. }
  260. void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
  261. {
  262. param->depth = depth;
  263. }
  264. void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level)
  265. {
  266. param->auth_level = auth_level;
  267. }
  268. time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param)
  269. {
  270. return param->check_time;
  271. }
  272. void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
  273. {
  274. param->check_time = t;
  275. param->flags |= X509_V_FLAG_USE_CHECK_TIME;
  276. }
  277. int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
  278. ASN1_OBJECT *policy)
  279. {
  280. if (!param->policies) {
  281. param->policies = sk_ASN1_OBJECT_new_null();
  282. if (!param->policies)
  283. return 0;
  284. }
  285. if (!sk_ASN1_OBJECT_push(param->policies, policy))
  286. return 0;
  287. return 1;
  288. }
  289. int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
  290. STACK_OF(ASN1_OBJECT) *policies)
  291. {
  292. int i;
  293. ASN1_OBJECT *oid, *doid;
  294. if (!param)
  295. return 0;
  296. sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
  297. if (!policies) {
  298. param->policies = NULL;
  299. return 1;
  300. }
  301. param->policies = sk_ASN1_OBJECT_new_null();
  302. if (!param->policies)
  303. return 0;
  304. for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
  305. oid = sk_ASN1_OBJECT_value(policies, i);
  306. doid = OBJ_dup(oid);
  307. if (!doid)
  308. return 0;
  309. if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
  310. ASN1_OBJECT_free(doid);
  311. return 0;
  312. }
  313. }
  314. param->flags |= X509_V_FLAG_POLICY_CHECK;
  315. return 1;
  316. }
  317. int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
  318. const char *name, size_t namelen)
  319. {
  320. return int_x509_param_set_hosts(param, SET_HOST, name, namelen);
  321. }
  322. int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
  323. const char *name, size_t namelen)
  324. {
  325. return int_x509_param_set_hosts(param, ADD_HOST, name, namelen);
  326. }
  327. void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
  328. unsigned int flags)
  329. {
  330. param->hostflags = flags;
  331. }
  332. unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param)
  333. {
  334. return param->hostflags;
  335. }
  336. char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
  337. {
  338. return param->peername;
  339. }
  340. /*
  341. * Move peername from one param structure to another, freeing any name present
  342. * at the target. If the source is a NULL parameter structure, free and zero
  343. * the target peername.
  344. */
  345. void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *to,
  346. X509_VERIFY_PARAM *from)
  347. {
  348. char *peername = (from != NULL) ? from->peername : NULL;
  349. if (to->peername != peername) {
  350. OPENSSL_free(to->peername);
  351. to->peername = peername;
  352. }
  353. if (from)
  354. from->peername = NULL;
  355. }
  356. int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
  357. const char *email, size_t emaillen)
  358. {
  359. return int_x509_param_set1(&param->email, &param->emaillen,
  360. email, emaillen);
  361. }
  362. int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
  363. const unsigned char *ip, size_t iplen)
  364. {
  365. if (iplen != 0 && iplen != 4 && iplen != 16)
  366. return 0;
  367. return int_x509_param_set1((char **)&param->ip, &param->iplen,
  368. (char *)ip, iplen);
  369. }
  370. int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
  371. {
  372. unsigned char ipout[16];
  373. size_t iplen;
  374. iplen = (size_t)a2i_ipadd(ipout, ipasc);
  375. if (iplen == 0)
  376. return 0;
  377. return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
  378. }
  379. int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
  380. {
  381. return param->depth;
  382. }
  383. int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param)
  384. {
  385. return param->auth_level;
  386. }
  387. const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
  388. {
  389. return param->name;
  390. }
  391. #define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0
  392. /*
  393. * Default verify parameters: these are used for various applications and can
  394. * be overridden by the user specified table. NB: the 'name' field *must* be
  395. * in alphabetical order because it will be searched using OBJ_search.
  396. */
  397. static const X509_VERIFY_PARAM default_table[] = {
  398. {
  399. "default", /* X509 default parameters */
  400. 0, /* Check time */
  401. 0, /* internal flags */
  402. X509_V_FLAG_TRUSTED_FIRST, /* flags */
  403. 0, /* purpose */
  404. 0, /* trust */
  405. 100, /* depth */
  406. -1, /* auth_level */
  407. NULL, /* policies */
  408. vpm_empty_id},
  409. {
  410. "pkcs7", /* S/MIME sign parameters */
  411. 0, /* Check time */
  412. 0, /* internal flags */
  413. 0, /* flags */
  414. X509_PURPOSE_SMIME_SIGN, /* purpose */
  415. X509_TRUST_EMAIL, /* trust */
  416. -1, /* depth */
  417. -1, /* auth_level */
  418. NULL, /* policies */
  419. vpm_empty_id},
  420. {
  421. "smime_sign", /* S/MIME sign parameters */
  422. 0, /* Check time */
  423. 0, /* internal flags */
  424. 0, /* flags */
  425. X509_PURPOSE_SMIME_SIGN, /* purpose */
  426. X509_TRUST_EMAIL, /* trust */
  427. -1, /* depth */
  428. -1, /* auth_level */
  429. NULL, /* policies */
  430. vpm_empty_id},
  431. {
  432. "ssl_client", /* SSL/TLS client parameters */
  433. 0, /* Check time */
  434. 0, /* internal flags */
  435. 0, /* flags */
  436. X509_PURPOSE_SSL_CLIENT, /* purpose */
  437. X509_TRUST_SSL_CLIENT, /* trust */
  438. -1, /* depth */
  439. -1, /* auth_level */
  440. NULL, /* policies */
  441. vpm_empty_id},
  442. {
  443. "ssl_server", /* SSL/TLS server parameters */
  444. 0, /* Check time */
  445. 0, /* internal flags */
  446. 0, /* flags */
  447. X509_PURPOSE_SSL_SERVER, /* purpose */
  448. X509_TRUST_SSL_SERVER, /* trust */
  449. -1, /* depth */
  450. -1, /* auth_level */
  451. NULL, /* policies */
  452. vpm_empty_id}
  453. };
  454. static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
  455. static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
  456. {
  457. return strcmp(a->name, b->name);
  458. }
  459. DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
  460. IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table);
  461. static int param_cmp(const X509_VERIFY_PARAM *const *a,
  462. const X509_VERIFY_PARAM *const *b)
  463. {
  464. return strcmp((*a)->name, (*b)->name);
  465. }
  466. int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
  467. {
  468. int idx;
  469. X509_VERIFY_PARAM *ptmp;
  470. if (param_table == NULL) {
  471. param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
  472. if (param_table == NULL)
  473. return 0;
  474. } else {
  475. idx = sk_X509_VERIFY_PARAM_find(param_table, param);
  476. if (idx >= 0) {
  477. ptmp = sk_X509_VERIFY_PARAM_delete(param_table, idx);
  478. X509_VERIFY_PARAM_free(ptmp);
  479. }
  480. }
  481. if (!sk_X509_VERIFY_PARAM_push(param_table, param))
  482. return 0;
  483. return 1;
  484. }
  485. int X509_VERIFY_PARAM_get_count(void)
  486. {
  487. int num = OSSL_NELEM(default_table);
  488. if (param_table)
  489. num += sk_X509_VERIFY_PARAM_num(param_table);
  490. return num;
  491. }
  492. const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
  493. {
  494. int num = OSSL_NELEM(default_table);
  495. if (id < num)
  496. return default_table + id;
  497. return sk_X509_VERIFY_PARAM_value(param_table, id - num);
  498. }
  499. const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
  500. {
  501. int idx;
  502. X509_VERIFY_PARAM pm;
  503. pm.name = (char *)name;
  504. if (param_table != NULL) {
  505. idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
  506. if (idx >= 0)
  507. return sk_X509_VERIFY_PARAM_value(param_table, idx);
  508. }
  509. return OBJ_bsearch_table(&pm, default_table, OSSL_NELEM(default_table));
  510. }
  511. void X509_VERIFY_PARAM_table_cleanup(void)
  512. {
  513. sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free);
  514. param_table = NULL;
  515. }