x509_vfy.c
Go to the documentation of this file.
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to. The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  * notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  * notice, this list of conditions and the following disclaimer in the
29  * documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  * must display the following acknowledgement:
32  * "This product includes cryptographic software written by
33  * Eric Young (eay@cryptsoft.com)"
34  * The word 'cryptographic' can be left out if the rouines from the library
35  * being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  * the apps directory (application code) you must include an acknowledgement:
38  * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed. i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #include <ctype.h>
58 #include <string.h>
59 #include <time.h>
60 
61 #include <openssl/asn1.h>
62 #include <openssl/err.h>
63 #include <openssl/evp.h>
64 #include <openssl/mem.h>
65 #include <openssl/obj.h>
66 #include <openssl/thread.h>
67 #include <openssl/x509.h>
68 #include <openssl/x509v3.h>
69 
70 #include "internal.h"
71 #include "../internal.h"
72 #include "../x509v3/internal.h"
73 
74 static CRYPTO_EX_DATA_CLASS g_ex_data_class =
75  CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
76 
77 /* CRL score values */
78 
79 /* No unhandled critical extensions */
80 
81 #define CRL_SCORE_NOCRITICAL 0x100
82 
83 /* certificate is within CRL scope */
84 
85 #define CRL_SCORE_SCOPE 0x080
86 
87 /* CRL times valid */
88 
89 #define CRL_SCORE_TIME 0x040
90 
91 /* Issuer name matches certificate */
92 
93 #define CRL_SCORE_ISSUER_NAME 0x020
94 
95 /* If this score or above CRL is probably valid */
96 
97 #define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
98 
99 /* CRL issuer is certificate issuer */
100 
101 #define CRL_SCORE_ISSUER_CERT 0x018
102 
103 /* CRL issuer is on certificate path */
104 
105 #define CRL_SCORE_SAME_PATH 0x008
106 
107 /* CRL issuer matches CRL AKID */
108 
109 #define CRL_SCORE_AKID 0x004
110 
111 /* Have a delta CRL with valid times */
112 
113 #define CRL_SCORE_TIME_DELTA 0x002
114 
115 static int null_callback(int ok, X509_STORE_CTX *e);
116 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
117 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
118 static int check_chain_extensions(X509_STORE_CTX *ctx);
119 static int check_name_constraints(X509_STORE_CTX *ctx);
120 static int check_id(X509_STORE_CTX *ctx);
121 static int check_trust(X509_STORE_CTX *ctx);
122 static int check_revocation(X509_STORE_CTX *ctx);
123 static int check_cert(X509_STORE_CTX *ctx);
124 static int check_policy(X509_STORE_CTX *ctx);
125 
126 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
127  unsigned int *preasons, X509_CRL *crl, X509 *x);
128 static int get_crl_delta(X509_STORE_CTX *ctx,
129  X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
130 static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl,
131  int *pcrl_score, X509_CRL *base,
132  STACK_OF(X509_CRL) *crls);
133 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
134  int *pcrl_score);
135 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
136  unsigned int *preasons);
137 static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
138 static int check_crl_chain(X509_STORE_CTX *ctx,
139  STACK_OF(X509) *cert_path,
140  STACK_OF(X509) *crl_path);
141 
142 static int internal_verify(X509_STORE_CTX *ctx);
143 
144 static int null_callback(int ok, X509_STORE_CTX *e)
145 {
146  return ok;
147 }
148 
149 /* cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns
150  * one and sets |*out_is_self_signed| to the result. If |x| is invalid, it
151  * returns zero. */
152 static int cert_self_signed(X509 *x, int *out_is_self_signed)
153 {
154  if (!x509v3_cache_extensions(x)) {
155  return 0;
156  }
157  *out_is_self_signed = (x->ex_flags & EXFLAG_SS) != 0;
158  return 1;
159 }
160 
161 /* Given a certificate try and find an exact match in the store */
162 
163 static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
164 {
165  STACK_OF(X509) *certs;
166  X509 *xtmp = NULL;
167  size_t i;
168  /* Lookup all certs with matching subject name */
169  certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
170  if (certs == NULL)
171  return NULL;
172  /* Look for exact match */
173  for (i = 0; i < sk_X509_num(certs); i++) {
174  xtmp = sk_X509_value(certs, i);
175  if (!X509_cmp(xtmp, x))
176  break;
177  }
178  if (i < sk_X509_num(certs))
179  X509_up_ref(xtmp);
180  else
181  xtmp = NULL;
182  sk_X509_pop_free(certs, X509_free);
183  return xtmp;
184 }
185 
186 int X509_verify_cert(X509_STORE_CTX *ctx)
187 {
188  X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
189  int bad_chain = 0;
190  X509_VERIFY_PARAM *param = ctx->param;
191  int depth, i, ok = 0;
192  int num, j, retry, trust;
193  int (*cb) (int xok, X509_STORE_CTX *xctx);
194  STACK_OF(X509) *sktmp = NULL;
195  if (ctx->cert == NULL) {
196  OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
197  ctx->error = X509_V_ERR_INVALID_CALL;
198  return -1;
199  }
200  if (ctx->chain != NULL) {
201  /*
202  * This X509_STORE_CTX has already been used to verify a cert. We
203  * cannot do another one.
204  */
205  OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
206  ctx->error = X509_V_ERR_INVALID_CALL;
207  return -1;
208  }
209 
210  cb = ctx->verify_cb;
211 
212  /*
213  * first we make sure the chain we are going to build is present and that
214  * the first entry is in place
215  */
216  ctx->chain = sk_X509_new_null();
217  if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
218  OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
219  ctx->error = X509_V_ERR_OUT_OF_MEM;
220  goto end;
221  }
222  X509_up_ref(ctx->cert);
223  ctx->last_untrusted = 1;
224 
225  /* We use a temporary STACK so we can chop and hack at it. */
226  if (ctx->untrusted != NULL
227  && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
228  OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
229  ctx->error = X509_V_ERR_OUT_OF_MEM;
230  goto end;
231  }
232 
233  num = sk_X509_num(ctx->chain);
234  x = sk_X509_value(ctx->chain, num - 1);
235  depth = param->depth;
236 
237  for (;;) {
238  /* If we have enough, we break */
239  if (depth < num)
240  break; /* FIXME: If this happens, we should take
241  * note of it and, if appropriate, use the
242  * X509_V_ERR_CERT_CHAIN_TOO_LONG error code
243  * later. */
244 
245  int is_self_signed;
246  if (!cert_self_signed(x, &is_self_signed)) {
247  ctx->error = X509_V_ERR_INVALID_EXTENSION;
248  goto end;
249  }
250 
251  /* If we are self signed, we break */
252  if (is_self_signed)
253  break;
254  /*
255  * If asked see if we can find issuer in trusted store first
256  */
257  if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
258  ok = ctx->get_issuer(&xtmp, ctx, x);
259  if (ok < 0) {
260  ctx->error = X509_V_ERR_STORE_LOOKUP;
261  goto end;
262  }
263  /*
264  * If successful for now free up cert so it will be picked up
265  * again later.
266  */
267  if (ok > 0) {
268  X509_free(xtmp);
269  break;
270  }
271  }
272 
273  /* If we were passed a cert chain, use it first */
274  if (sktmp != NULL) {
275  xtmp = find_issuer(ctx, sktmp, x);
276  if (xtmp != NULL) {
277  if (!sk_X509_push(ctx->chain, xtmp)) {
278  OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
279  ctx->error = X509_V_ERR_OUT_OF_MEM;
280  ok = 0;
281  goto end;
282  }
283  X509_up_ref(xtmp);
284  (void)sk_X509_delete_ptr(sktmp, xtmp);
285  ctx->last_untrusted++;
286  x = xtmp;
287  num++;
288  /*
289  * reparse the full chain for the next one
290  */
291  continue;
292  }
293  }
294  break;
295  }
296 
297  /* Remember how many untrusted certs we have */
298  j = num;
299  /*
300  * at this point, chain should contain a list of untrusted certificates.
301  * We now need to add at least one trusted one, if possible, otherwise we
302  * complain.
303  */
304 
305  do {
306  /*
307  * Examine last certificate in chain and see if it is self signed.
308  */
309  i = sk_X509_num(ctx->chain);
310  x = sk_X509_value(ctx->chain, i - 1);
311 
312  int is_self_signed;
313  if (!cert_self_signed(x, &is_self_signed)) {
314  ctx->error = X509_V_ERR_INVALID_EXTENSION;
315  goto end;
316  }
317 
318  if (is_self_signed) {
319  /* we have a self signed certificate */
320  if (sk_X509_num(ctx->chain) == 1) {
321  /*
322  * We have a single self signed certificate: see if we can
323  * find it in the store. We must have an exact match to avoid
324  * possible impersonation.
325  */
326  ok = ctx->get_issuer(&xtmp, ctx, x);
327  if ((ok <= 0) || X509_cmp(x, xtmp)) {
328  ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
329  ctx->current_cert = x;
330  ctx->error_depth = i - 1;
331  if (ok == 1)
332  X509_free(xtmp);
333  bad_chain = 1;
334  ok = cb(0, ctx);
335  if (!ok)
336  goto end;
337  } else {
338  /*
339  * We have a match: replace certificate with store
340  * version so we get any trust settings.
341  */
342  X509_free(x);
343  x = xtmp;
344  (void)sk_X509_set(ctx->chain, i - 1, x);
345  ctx->last_untrusted = 0;
346  }
347  } else {
348  /*
349  * extract and save self signed certificate for later use
350  */
351  chain_ss = sk_X509_pop(ctx->chain);
352  ctx->last_untrusted--;
353  num--;
354  j--;
355  x = sk_X509_value(ctx->chain, num - 1);
356  }
357  }
358  /* We now lookup certs from the certificate store */
359  for (;;) {
360  /* If we have enough, we break */
361  if (depth < num)
362  break;
363  if (!cert_self_signed(x, &is_self_signed)) {
364  ctx->error = X509_V_ERR_INVALID_EXTENSION;
365  goto end;
366  }
367  /* If we are self signed, we break */
368  if (is_self_signed)
369  break;
370  ok = ctx->get_issuer(&xtmp, ctx, x);
371 
372  if (ok < 0) {
373  ctx->error = X509_V_ERR_STORE_LOOKUP;
374  goto end;
375  }
376  if (ok == 0)
377  break;
378  x = xtmp;
379  if (!sk_X509_push(ctx->chain, x)) {
380  X509_free(xtmp);
381  OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
382  ctx->error = X509_V_ERR_OUT_OF_MEM;
383  ok = 0;
384  goto end;
385  }
386  num++;
387  }
388 
389  /* we now have our chain, lets check it... */
390  trust = check_trust(ctx);
391 
392  /* If explicitly rejected error */
393  if (trust == X509_TRUST_REJECTED) {
394  ok = 0;
395  goto end;
396  }
397  /*
398  * If it's not explicitly trusted then check if there is an alternative
399  * chain that could be used. We only do this if we haven't already
400  * checked via TRUSTED_FIRST and the user hasn't switched off alternate
401  * chain checking
402  */
403  retry = 0;
404  if (trust != X509_TRUST_TRUSTED
405  && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
406  && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
407  while (j-- > 1) {
408  xtmp2 = sk_X509_value(ctx->chain, j - 1);
409  ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
410  if (ok < 0)
411  goto end;
412  /* Check if we found an alternate chain */
413  if (ok > 0) {
414  /*
415  * Free up the found cert we'll add it again later
416  */
417  X509_free(xtmp);
418 
419  /*
420  * Dump all the certs above this point - we've found an
421  * alternate chain
422  */
423  while (num > j) {
424  xtmp = sk_X509_pop(ctx->chain);
425  X509_free(xtmp);
426  num--;
427  }
428  ctx->last_untrusted = sk_X509_num(ctx->chain);
429  retry = 1;
430  break;
431  }
432  }
433  }
434  } while (retry);
435 
436  /*
437  * If not explicitly trusted then indicate error unless it's a single
438  * self signed certificate in which case we've indicated an error already
439  * and set bad_chain == 1
440  */
441  if (trust != X509_TRUST_TRUSTED && !bad_chain) {
442  if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
443  if (ctx->last_untrusted >= num)
444  ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
445  else
446  ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
447  ctx->current_cert = x;
448  } else {
449 
450  sk_X509_push(ctx->chain, chain_ss);
451  num++;
452  ctx->last_untrusted = num;
453  ctx->current_cert = chain_ss;
454  ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
455  chain_ss = NULL;
456  }
457 
458  ctx->error_depth = num - 1;
459  bad_chain = 1;
460  ok = cb(0, ctx);
461  if (!ok)
462  goto end;
463  }
464 
465  /* We have the chain complete: now we need to check its purpose */
466  ok = check_chain_extensions(ctx);
467 
468  if (!ok)
469  goto end;
470 
471  ok = check_id(ctx);
472 
473  if (!ok)
474  goto end;
475 
476  /*
477  * Check revocation status: we do this after copying parameters because
478  * they may be needed for CRL signature verification.
479  */
480 
481  ok = ctx->check_revocation(ctx);
482  if (!ok)
483  goto end;
484 
485  int err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
486  ctx->param->flags);
487  if (err != X509_V_OK) {
488  ctx->error = err;
489  ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
490  ok = cb(0, ctx);
491  if (!ok)
492  goto end;
493  }
494 
495  /* At this point, we have a chain and need to verify it */
496  if (ctx->verify != NULL)
497  ok = ctx->verify(ctx);
498  else
499  ok = internal_verify(ctx);
500  if (!ok)
501  goto end;
502 
503  /* Check name constraints */
504 
505  ok = check_name_constraints(ctx);
506  if (!ok)
507  goto end;
508 
509  /* If we get this far evaluate policies */
510  if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
511  ok = ctx->check_policy(ctx);
512 
513  end:
514  if (sktmp != NULL)
515  sk_X509_free(sktmp);
516  if (chain_ss != NULL)
517  X509_free(chain_ss);
518 
519  /* Safety net, error returns must set ctx->error */
520  if (ok <= 0 && ctx->error == X509_V_OK)
521  ctx->error = X509_V_ERR_UNSPECIFIED;
522  return ok;
523 }
524 
525 /*
526  * Given a STACK_OF(X509) find the issuer of cert (if any)
527  */
528 
529 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
530 {
531  size_t i;
532  X509 *issuer;
533  for (i = 0; i < sk_X509_num(sk); i++) {
534  issuer = sk_X509_value(sk, i);
535  if (ctx->check_issued(ctx, x, issuer))
536  return issuer;
537  }
538  return NULL;
539 }
540 
541 /* Given a possible certificate and issuer check them */
542 
543 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
544 {
545  int ret;
546  ret = X509_check_issued(issuer, x);
547  if (ret == X509_V_OK)
548  return 1;
549  /* If we haven't asked for issuer errors don't set ctx */
550  if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
551  return 0;
552 
553  ctx->error = ret;
554  ctx->current_cert = x;
555  ctx->current_issuer = issuer;
556  return ctx->verify_cb(0, ctx);
557 }
558 
559 /* Alternative lookup method: look from a STACK stored in other_ctx */
560 
561 static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
562 {
563  *issuer = find_issuer(ctx, ctx->other_ctx, x);
564  if (*issuer) {
565  X509_up_ref(*issuer);
566  return 1;
567  } else
568  return 0;
569 }
570 
571 /*
572  * Check a certificate chains extensions for consistency with the supplied
573  * purpose
574  */
575 
576 static int check_chain_extensions(X509_STORE_CTX *ctx)
577 {
578  int i, ok = 0, plen = 0;
579  X509 *x;
580  int (*cb) (int xok, X509_STORE_CTX *xctx);
581  int proxy_path_length = 0;
582  int purpose;
583  int allow_proxy_certs;
584  cb = ctx->verify_cb;
585 
586  enum {
587  // ca_or_leaf allows either type of certificate so that direct use of
588  // self-signed certificates works.
589  ca_or_leaf,
590  must_be_ca,
591  must_not_be_ca,
592  } ca_requirement;
593 
594  /* CRL path validation */
595  if (ctx->parent) {
596  allow_proxy_certs = 0;
597  purpose = X509_PURPOSE_CRL_SIGN;
598  } else {
599  allow_proxy_certs =
600  ! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
601  purpose = ctx->param->purpose;
602  }
603 
604  ca_requirement = ca_or_leaf;
605 
606  /* Check all untrusted certificates */
607  for (i = 0; i < ctx->last_untrusted; i++) {
608  int ret;
609  x = sk_X509_value(ctx->chain, i);
610  if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
611  && (x->ex_flags & EXFLAG_CRITICAL)) {
612  ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
613  ctx->error_depth = i;
614  ctx->current_cert = x;
615  ok = cb(0, ctx);
616  if (!ok)
617  goto end;
618  }
619  if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
620  ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
621  ctx->error_depth = i;
622  ctx->current_cert = x;
623  ok = cb(0, ctx);
624  if (!ok)
625  goto end;
626  }
627 
628  switch (ca_requirement) {
629  case ca_or_leaf:
630  ret = 1;
631  break;
632  case must_not_be_ca:
633  if (X509_check_ca(x)) {
634  ret = 0;
635  ctx->error = X509_V_ERR_INVALID_NON_CA;
636  } else
637  ret = 1;
638  break;
639  case must_be_ca:
640  if (!X509_check_ca(x)) {
641  ret = 0;
642  ctx->error = X509_V_ERR_INVALID_CA;
643  } else
644  ret = 1;
645  break;
646  default:
647  // impossible.
648  ret = 0;
649  }
650 
651  if (ret == 0) {
652  ctx->error_depth = i;
653  ctx->current_cert = x;
654  ok = cb(0, ctx);
655  if (!ok)
656  goto end;
657  }
658  if (ctx->param->purpose > 0) {
659  ret = X509_check_purpose(x, purpose, ca_requirement == must_be_ca);
660  if (ret != 1) {
661  ret = 0;
662  ctx->error = X509_V_ERR_INVALID_PURPOSE;
663  ctx->error_depth = i;
664  ctx->current_cert = x;
665  ok = cb(0, ctx);
666  if (!ok)
667  goto end;
668  }
669  }
670  /* Check pathlen if not self issued */
671  if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
672  && (x->ex_pathlen != -1)
673  && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
674  ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
675  ctx->error_depth = i;
676  ctx->current_cert = x;
677  ok = cb(0, ctx);
678  if (!ok)
679  goto end;
680  }
681  /* Increment path length if not self issued */
682  if (!(x->ex_flags & EXFLAG_SI))
683  plen++;
684  /*
685  * If this certificate is a proxy certificate, the next certificate
686  * must be another proxy certificate or a EE certificate. If not,
687  * the next certificate must be a CA certificate.
688  */
689  if (x->ex_flags & EXFLAG_PROXY) {
690  if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
691  ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
692  ctx->error_depth = i;
693  ctx->current_cert = x;
694  ok = cb(0, ctx);
695  if (!ok)
696  goto end;
697  }
698  proxy_path_length++;
699  ca_requirement = must_not_be_ca;
700  } else {
701  ca_requirement = must_be_ca;
702  }
703  }
704  ok = 1;
705  end:
706  return ok;
707 }
708 
709 static int reject_dns_name_in_common_name(X509 *x509)
710 {
711  X509_NAME *name = X509_get_subject_name(x509);
712  int i = -1;
713  for (;;) {
714  i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
715  if (i == -1) {
716  return X509_V_OK;
717  }
718 
719  X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);
720  ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(entry);
721  unsigned char *idval;
722  int idlen = ASN1_STRING_to_UTF8(&idval, common_name);
723  if (idlen < 0) {
724  return X509_V_ERR_OUT_OF_MEM;
725  }
726  /* Only process attributes that look like host names. Note it is
727  * important that this check be mirrored in |X509_check_host|. */
728  int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
729  OPENSSL_free(idval);
730  if (looks_like_dns) {
731  return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;
732  }
733  }
734 }
735 
736 static int check_name_constraints(X509_STORE_CTX *ctx)
737 {
738  int i, j, rv;
739  int has_name_constraints = 0;
740  /* Check name constraints for all certificates */
741  for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
742  X509 *x = sk_X509_value(ctx->chain, i);
743  /* Ignore self issued certs unless last in chain */
744  if (i && (x->ex_flags & EXFLAG_SI))
745  continue;
746  /*
747  * Check against constraints for all certificates higher in chain
748  * including trust anchor. Trust anchor not strictly speaking needed
749  * but if it includes constraints it is to be assumed it expects them
750  * to be obeyed.
751  */
752  for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
753  NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
754  if (nc) {
755  has_name_constraints = 1;
756  rv = NAME_CONSTRAINTS_check(x, nc);
757  switch (rv) {
758  case X509_V_OK:
759  continue;
760  case X509_V_ERR_OUT_OF_MEM:
761  ctx->error = rv;
762  return 0;
763  default:
764  ctx->error = rv;
765  ctx->error_depth = i;
766  ctx->current_cert = x;
767  if (!ctx->verify_cb(0, ctx))
768  return 0;
769  break;
770  }
771  }
772  }
773  }
774 
775  /* Name constraints do not match against the common name, but
776  * |X509_check_host| still implements the legacy behavior where, on
777  * certificates lacking a SAN list, DNS-like names in the common name are
778  * checked instead.
779  *
780  * While we could apply the name constraints to the common name, name
781  * constraints are rare enough that can hold such certificates to a higher
782  * standard. Note this does not make "DNS-like" heuristic failures any
783  * worse. A decorative common-name misidentified as a DNS name would fail
784  * the name constraint anyway. */
785  X509 *leaf = sk_X509_value(ctx->chain, 0);
786  if (has_name_constraints && leaf->altname == NULL) {
787  rv = reject_dns_name_in_common_name(leaf);
788  switch (rv) {
789  case X509_V_OK:
790  break;
791  case X509_V_ERR_OUT_OF_MEM:
792  ctx->error = rv;
793  return 0;
794  default:
795  ctx->error = rv;
796  ctx->error_depth = i;
797  ctx->current_cert = leaf;
798  if (!ctx->verify_cb(0, ctx))
799  return 0;
800  break;
801  }
802  }
803 
804  return 1;
805 }
806 
807 static int check_id_error(X509_STORE_CTX *ctx, int errcode)
808 {
809  ctx->error = errcode;
810  ctx->current_cert = ctx->cert;
811  ctx->error_depth = 0;
812  return ctx->verify_cb(0, ctx);
813 }
814 
815 static int check_hosts(X509 *x, X509_VERIFY_PARAM *param)
816 {
817  size_t i;
818  size_t n = sk_OPENSSL_STRING_num(param->hosts);
819  char *name;
820 
821  if (param->peername != NULL) {
822  OPENSSL_free(param->peername);
823  param->peername = NULL;
824  }
825  for (i = 0; i < n; ++i) {
826  name = sk_OPENSSL_STRING_value(param->hosts, i);
827  if (X509_check_host(x, name, strlen(name), param->hostflags,
828  &param->peername) > 0)
829  return 1;
830  }
831  return n == 0;
832 }
833 
834 static int check_id(X509_STORE_CTX *ctx)
835 {
836  X509_VERIFY_PARAM *vpm = ctx->param;
837  X509 *x = ctx->cert;
838  if (vpm->poison) {
839  if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL))
840  return 0;
841  }
842  if (vpm->hosts && check_hosts(x, vpm) <= 0) {
843  if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
844  return 0;
845  }
846  if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
847  if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
848  return 0;
849  }
850  if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
851  if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
852  return 0;
853  }
854  return 1;
855 }
856 
857 static int check_trust(X509_STORE_CTX *ctx)
858 {
859  size_t i;
860  int ok;
861  X509 *x = NULL;
862  int (*cb) (int xok, X509_STORE_CTX *xctx);
863  cb = ctx->verify_cb;
864  /* Check all trusted certificates in chain */
865  for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
866  x = sk_X509_value(ctx->chain, i);
867  ok = X509_check_trust(x, ctx->param->trust, 0);
868  /* If explicitly trusted return trusted */
869  if (ok == X509_TRUST_TRUSTED)
870  return X509_TRUST_TRUSTED;
871  /*
872  * If explicitly rejected notify callback and reject if not
873  * overridden.
874  */
875  if (ok == X509_TRUST_REJECTED) {
876  ctx->error_depth = i;
877  ctx->current_cert = x;
878  ctx->error = X509_V_ERR_CERT_REJECTED;
879  ok = cb(0, ctx);
880  if (!ok)
881  return X509_TRUST_REJECTED;
882  }
883  }
884  /*
885  * If we accept partial chains and have at least one trusted certificate
886  * return success.
887  */
888  if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
889  X509 *mx;
890  if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain))
891  return X509_TRUST_TRUSTED;
892  x = sk_X509_value(ctx->chain, 0);
893  mx = lookup_cert_match(ctx, x);
894  if (mx) {
895  (void)sk_X509_set(ctx->chain, 0, mx);
896  X509_free(x);
897  ctx->last_untrusted = 0;
898  return X509_TRUST_TRUSTED;
899  }
900  }
901 
902  /*
903  * If no trusted certs in chain at all return untrusted and allow
904  * standard (no issuer cert) etc errors to be indicated.
905  */
906  return X509_TRUST_UNTRUSTED;
907 }
908 
909 static int check_revocation(X509_STORE_CTX *ctx)
910 {
911  int i, last, ok;
912  if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
913  return 1;
914  if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
915  last = sk_X509_num(ctx->chain) - 1;
916  else {
917  /* If checking CRL paths this isn't the EE certificate */
918  if (ctx->parent)
919  return 1;
920  last = 0;
921  }
922  for (i = 0; i <= last; i++) {
923  ctx->error_depth = i;
924  ok = check_cert(ctx);
925  if (!ok)
926  return ok;
927  }
928  return 1;
929 }
930 
931 static int check_cert(X509_STORE_CTX *ctx)
932 {
933  X509_CRL *crl = NULL, *dcrl = NULL;
934  X509 *x;
935  int ok = 0, cnum;
936  unsigned int last_reasons;
937  cnum = ctx->error_depth;
938  x = sk_X509_value(ctx->chain, cnum);
939  ctx->current_cert = x;
940  ctx->current_issuer = NULL;
941  ctx->current_crl_score = 0;
942  ctx->current_reasons = 0;
943  while (ctx->current_reasons != CRLDP_ALL_REASONS) {
944  last_reasons = ctx->current_reasons;
945  /* Try to retrieve relevant CRL */
946  if (ctx->get_crl)
947  ok = ctx->get_crl(ctx, &crl, x);
948  else
949  ok = get_crl_delta(ctx, &crl, &dcrl, x);
950  /*
951  * If error looking up CRL, nothing we can do except notify callback
952  */
953  if (!ok) {
954  ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
955  ok = ctx->verify_cb(0, ctx);
956  goto err;
957  }
958  ctx->current_crl = crl;
959  ok = ctx->check_crl(ctx, crl);
960  if (!ok)
961  goto err;
962 
963  if (dcrl) {
964  ok = ctx->check_crl(ctx, dcrl);
965  if (!ok)
966  goto err;
967  ok = ctx->cert_crl(ctx, dcrl, x);
968  if (!ok)
969  goto err;
970  } else
971  ok = 1;
972 
973  /* Don't look in full CRL if delta reason is removefromCRL */
974  if (ok != 2) {
975  ok = ctx->cert_crl(ctx, crl, x);
976  if (!ok)
977  goto err;
978  }
979 
980  X509_CRL_free(crl);
981  X509_CRL_free(dcrl);
982  crl = NULL;
983  dcrl = NULL;
984  /*
985  * If reasons not updated we wont get anywhere by another iteration,
986  * so exit loop.
987  */
988  if (last_reasons == ctx->current_reasons) {
989  ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
990  ok = ctx->verify_cb(0, ctx);
991  goto err;
992  }
993  }
994  err:
995  X509_CRL_free(crl);
996  X509_CRL_free(dcrl);
997 
998  ctx->current_crl = NULL;
999  return ok;
1000 
1001 }
1002 
1003 /* Check CRL times against values in X509_STORE_CTX */
1004 
1005 static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
1006 {
1007  time_t *ptime;
1008  int i;
1009  if (notify)
1010  ctx->current_crl = crl;
1011  if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1012  ptime = &ctx->param->check_time;
1013  else
1014  ptime = NULL;
1015 
1016  i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
1017  if (i == 0) {
1018  if (!notify)
1019  return 0;
1020  ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
1021  if (!ctx->verify_cb(0, ctx))
1022  return 0;
1023  }
1024 
1025  if (i > 0) {
1026  if (!notify)
1027  return 0;
1028  ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
1029  if (!ctx->verify_cb(0, ctx))
1030  return 0;
1031  }
1032 
1033  if (X509_CRL_get0_nextUpdate(crl)) {
1034  i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime);
1035 
1036  if (i == 0) {
1037  if (!notify)
1038  return 0;
1039  ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
1040  if (!ctx->verify_cb(0, ctx))
1041  return 0;
1042  }
1043  /* Ignore expiry of base CRL is delta is valid */
1044  if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
1045  if (!notify)
1046  return 0;
1047  ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
1048  if (!ctx->verify_cb(0, ctx))
1049  return 0;
1050  }
1051  }
1052 
1053  if (notify)
1054  ctx->current_crl = NULL;
1055 
1056  return 1;
1057 }
1058 
1059 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
1060  X509 **pissuer, int *pscore, unsigned int *preasons,
1061  STACK_OF(X509_CRL) *crls)
1062 {
1063  int crl_score, best_score = *pscore;
1064  size_t i;
1065  unsigned int reasons, best_reasons = 0;
1066  X509 *x = ctx->current_cert;
1067  X509_CRL *crl, *best_crl = NULL;
1068  X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
1069 
1070  for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1071  crl = sk_X509_CRL_value(crls, i);
1072  reasons = *preasons;
1073  crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
1074  if (crl_score < best_score || crl_score == 0)
1075  continue;
1076  /* If current CRL is equivalent use it if it is newer */
1077  if (crl_score == best_score && best_crl != NULL) {
1078  int day, sec;
1079  if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
1080  X509_CRL_get0_lastUpdate(crl)) == 0)
1081  continue;
1082  /*
1083  * ASN1_TIME_diff never returns inconsistent signs for |day|
1084  * and |sec|.
1085  */
1086  if (day <= 0 && sec <= 0)
1087  continue;
1088  }
1089  best_crl = crl;
1090  best_crl_issuer = crl_issuer;
1091  best_score = crl_score;
1092  best_reasons = reasons;
1093  }
1094 
1095  if (best_crl) {
1096  if (*pcrl)
1097  X509_CRL_free(*pcrl);
1098  *pcrl = best_crl;
1099  *pissuer = best_crl_issuer;
1100  *pscore = best_score;
1101  *preasons = best_reasons;
1102  X509_CRL_up_ref(best_crl);
1103  if (*pdcrl) {
1104  X509_CRL_free(*pdcrl);
1105  *pdcrl = NULL;
1106  }
1107  get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
1108  }
1109 
1110  if (best_score >= CRL_SCORE_VALID)
1111  return 1;
1112 
1113  return 0;
1114 }
1115 
1116 /*
1117  * Compare two CRL extensions for delta checking purposes. They should be
1118  * both present or both absent. If both present all fields must be identical.
1119  */
1120 
1121 static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
1122 {
1123  ASN1_OCTET_STRING *exta, *extb;
1124  int i;
1125  i = X509_CRL_get_ext_by_NID(a, nid, -1);
1126  if (i >= 0) {
1127  /* Can't have multiple occurrences */
1128  if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
1129  return 0;
1130  exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
1131  } else
1132  exta = NULL;
1133 
1134  i = X509_CRL_get_ext_by_NID(b, nid, -1);
1135 
1136  if (i >= 0) {
1137 
1138  if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
1139  return 0;
1140  extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
1141  } else
1142  extb = NULL;
1143 
1144  if (!exta && !extb)
1145  return 1;
1146 
1147  if (!exta || !extb)
1148  return 0;
1149 
1150  if (ASN1_OCTET_STRING_cmp(exta, extb))
1151  return 0;
1152 
1153  return 1;
1154 }
1155 
1156 /* See if a base and delta are compatible */
1157 
1158 static int check_delta_base(X509_CRL *delta, X509_CRL *base)
1159 {
1160  /* Delta CRL must be a delta */
1161  if (!delta->base_crl_number)
1162  return 0;
1163  /* Base must have a CRL number */
1164  if (!base->crl_number)
1165  return 0;
1166  /* Issuer names must match */
1167  if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta)))
1168  return 0;
1169  /* AKID and IDP must match */
1170  if (!crl_extension_match(delta, base, NID_authority_key_identifier))
1171  return 0;
1172  if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
1173  return 0;
1174  /* Delta CRL base number must not exceed Full CRL number. */
1175  if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
1176  return 0;
1177  /* Delta CRL number must exceed full CRL number */
1178  if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
1179  return 1;
1180  return 0;
1181 }
1182 
1183 /*
1184  * For a given base CRL find a delta... maybe extend to delta scoring or
1185  * retrieve a chain of deltas...
1186  */
1187 
1188 static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
1189  X509_CRL *base, STACK_OF(X509_CRL) *crls)
1190 {
1191  X509_CRL *delta;
1192  size_t i;
1193  if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
1194  return;
1195  if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
1196  return;
1197  for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1198  delta = sk_X509_CRL_value(crls, i);
1199  if (check_delta_base(delta, base)) {
1200  if (check_crl_time(ctx, delta, 0))
1201  *pscore |= CRL_SCORE_TIME_DELTA;
1202  X509_CRL_up_ref(delta);
1203  *dcrl = delta;
1204  return;
1205  }
1206  }
1207  *dcrl = NULL;
1208 }
1209 
1210 /*
1211  * For a given CRL return how suitable it is for the supplied certificate
1212  * 'x'. The return value is a mask of several criteria. If the issuer is not
1213  * the certificate issuer this is returned in *pissuer. The reasons mask is
1214  * also used to determine if the CRL is suitable: if no new reasons the CRL
1215  * is rejected, otherwise reasons is updated.
1216  */
1217 
1218 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
1219  unsigned int *preasons, X509_CRL *crl, X509 *x)
1220 {
1221 
1222  int crl_score = 0;
1223  unsigned int tmp_reasons = *preasons, crl_reasons;
1224 
1225  /* First see if we can reject CRL straight away */
1226 
1227  /* Invalid IDP cannot be processed */
1228  if (crl->idp_flags & IDP_INVALID)
1229  return 0;
1230  /* Reason codes or indirect CRLs need extended CRL support */
1231  if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
1232  if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
1233  return 0;
1234  } else if (crl->idp_flags & IDP_REASONS) {
1235  /* If no new reasons reject */
1236  if (!(crl->idp_reasons & ~tmp_reasons))
1237  return 0;
1238  }
1239  /* Don't process deltas at this stage */
1240  else if (crl->base_crl_number)
1241  return 0;
1242  /* If issuer name doesn't match certificate need indirect CRL */
1243  if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
1244  if (!(crl->idp_flags & IDP_INDIRECT))
1245  return 0;
1246  } else
1247  crl_score |= CRL_SCORE_ISSUER_NAME;
1248 
1249  if (!(crl->flags & EXFLAG_CRITICAL))
1250  crl_score |= CRL_SCORE_NOCRITICAL;
1251 
1252  /* Check expiry */
1253  if (check_crl_time(ctx, crl, 0))
1254  crl_score |= CRL_SCORE_TIME;
1255 
1256  /* Check authority key ID and locate certificate issuer */
1257  crl_akid_check(ctx, crl, pissuer, &crl_score);
1258 
1259  /* If we can't locate certificate issuer at this point forget it */
1260 
1261  if (!(crl_score & CRL_SCORE_AKID))
1262  return 0;
1263 
1264  /* Check cert for matching CRL distribution points */
1265 
1266  if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
1267  /* If no new reasons reject */
1268  if (!(crl_reasons & ~tmp_reasons))
1269  return 0;
1270  tmp_reasons |= crl_reasons;
1271  crl_score |= CRL_SCORE_SCOPE;
1272  }
1273 
1274  *preasons = tmp_reasons;
1275 
1276  return crl_score;
1277 
1278 }
1279 
1280 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1281  X509 **pissuer, int *pcrl_score)
1282 {
1283  X509 *crl_issuer = NULL;
1284  X509_NAME *cnm = X509_CRL_get_issuer(crl);
1285  int cidx = ctx->error_depth;
1286  size_t i;
1287 
1288  if ((size_t)cidx != sk_X509_num(ctx->chain) - 1)
1289  cidx++;
1290 
1291  crl_issuer = sk_X509_value(ctx->chain, cidx);
1292 
1293  if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1294  if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
1295  *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
1296  *pissuer = crl_issuer;
1297  return;
1298  }
1299  }
1300 
1301  for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) {
1302  crl_issuer = sk_X509_value(ctx->chain, cidx);
1303  if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1304  continue;
1305  if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1306  *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
1307  *pissuer = crl_issuer;
1308  return;
1309  }
1310  }
1311 
1312  /* Anything else needs extended CRL support */
1313 
1314  if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1315  return;
1316 
1317  /*
1318  * Otherwise the CRL issuer is not on the path. Look for it in the set of
1319  * untrusted certificates.
1320  */
1321  for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
1322  crl_issuer = sk_X509_value(ctx->untrusted, i);
1323  if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1324  continue;
1325  if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
1326  *pissuer = crl_issuer;
1327  *pcrl_score |= CRL_SCORE_AKID;
1328  return;
1329  }
1330  }
1331 }
1332 
1333 /*
1334  * Check the path of a CRL issuer certificate. This creates a new
1335  * X509_STORE_CTX and populates it with most of the parameters from the
1336  * parent. This could be optimised somewhat since a lot of path checking will
1337  * be duplicated by the parent, but this will rarely be used in practice.
1338  */
1339 
1340 static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1341 {
1342  X509_STORE_CTX crl_ctx;
1343  int ret;
1344  /* Don't allow recursive CRL path validation */
1345  if (ctx->parent)
1346  return 0;
1347  if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
1348  return -1;
1349 
1350  crl_ctx.crls = ctx->crls;
1351  /* Copy verify params across */
1352  X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1353 
1354  crl_ctx.parent = ctx;
1355  crl_ctx.verify_cb = ctx->verify_cb;
1356 
1357  /* Verify CRL issuer */
1358  ret = X509_verify_cert(&crl_ctx);
1359 
1360  if (ret <= 0)
1361  goto err;
1362 
1363  /* Check chain is acceptable */
1364 
1365  ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1366  err:
1367  X509_STORE_CTX_cleanup(&crl_ctx);
1368  return ret;
1369 }
1370 
1371 /*
1372  * RFC 3280 says nothing about the relationship between CRL path and
1373  * certificate path, which could lead to situations where a certificate could
1374  * be revoked or validated by a CA not authorised to do so. RFC 5280 is more
1375  * strict and states that the two paths must end in the same trust anchor,
1376  * though some discussions remain... until this is resolved we use the
1377  * RFC 5280 version
1378  */
1379 
1380 static int check_crl_chain(X509_STORE_CTX *ctx,
1381  STACK_OF(X509) *cert_path,
1382  STACK_OF(X509) *crl_path)
1383 {
1384  X509 *cert_ta, *crl_ta;
1385  cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1386  crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1387  if (!X509_cmp(cert_ta, crl_ta))
1388  return 1;
1389  return 0;
1390 }
1391 
1392 /*
1393  * Check for match between two dist point names: three separate cases. 1.
1394  * Both are relative names and compare X509_NAME types. 2. One full, one
1395  * relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
1396  * compare two GENERAL_NAMES. 4. One is NULL: automatic match.
1397  */
1398 
1399 static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1400 {
1401  X509_NAME *nm = NULL;
1402  GENERAL_NAMES *gens = NULL;
1403  GENERAL_NAME *gena, *genb;
1404  size_t i, j;
1405  if (!a || !b)
1406  return 1;
1407  if (a->type == 1) {
1408  if (!a->dpname)
1409  return 0;
1410  /* Case 1: two X509_NAME */
1411  if (b->type == 1) {
1412  if (!b->dpname)
1413  return 0;
1414  if (!X509_NAME_cmp(a->dpname, b->dpname))
1415  return 1;
1416  else
1417  return 0;
1418  }
1419  /* Case 2: set name and GENERAL_NAMES appropriately */
1420  nm = a->dpname;
1421  gens = b->name.fullname;
1422  } else if (b->type == 1) {
1423  if (!b->dpname)
1424  return 0;
1425  /* Case 2: set name and GENERAL_NAMES appropriately */
1426  gens = a->name.fullname;
1427  nm = b->dpname;
1428  }
1429 
1430  /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1431  if (nm) {
1432  for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
1433  gena = sk_GENERAL_NAME_value(gens, i);
1434  if (gena->type != GEN_DIRNAME)
1435  continue;
1436  if (!X509_NAME_cmp(nm, gena->d.directoryName))
1437  return 1;
1438  }
1439  return 0;
1440  }
1441 
1442  /* Else case 3: two GENERAL_NAMES */
1443 
1444  for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
1445  gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1446  for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
1447  genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1448  if (!GENERAL_NAME_cmp(gena, genb))
1449  return 1;
1450  }
1451  }
1452 
1453  return 0;
1454 
1455 }
1456 
1457 static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1458 {
1459  size_t i;
1460  X509_NAME *nm = X509_CRL_get_issuer(crl);
1461  /* If no CRLissuer return is successful iff don't need a match */
1462  if (!dp->CRLissuer)
1463  return ! !(crl_score & CRL_SCORE_ISSUER_NAME);
1464  for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
1465  GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1466  if (gen->type != GEN_DIRNAME)
1467  continue;
1468  if (!X509_NAME_cmp(gen->d.directoryName, nm))
1469  return 1;
1470  }
1471  return 0;
1472 }
1473 
1474 /* Check CRLDP and IDP */
1475 
1476 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1477  unsigned int *preasons)
1478 {
1479  size_t i;
1480  if (crl->idp_flags & IDP_ONLYATTR)
1481  return 0;
1482  if (x->ex_flags & EXFLAG_CA) {
1483  if (crl->idp_flags & IDP_ONLYUSER)
1484  return 0;
1485  } else {
1486  if (crl->idp_flags & IDP_ONLYCA)
1487  return 0;
1488  }
1489  *preasons = crl->idp_reasons;
1490  for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
1491  DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1492  if (crldp_check_crlissuer(dp, crl, crl_score)) {
1493  if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
1494  *preasons &= dp->dp_reasons;
1495  return 1;
1496  }
1497  }
1498  }
1499  if ((!crl->idp || !crl->idp->distpoint)
1500  && (crl_score & CRL_SCORE_ISSUER_NAME))
1501  return 1;
1502  return 0;
1503 }
1504 
1505 /*
1506  * Retrieve CRL corresponding to current certificate. If deltas enabled try
1507  * to find a delta CRL too
1508  */
1509 
1510 static int get_crl_delta(X509_STORE_CTX *ctx,
1511  X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1512 {
1513  int ok;
1514  X509 *issuer = NULL;
1515  int crl_score = 0;
1516  unsigned int reasons;
1517  X509_CRL *crl = NULL, *dcrl = NULL;
1518  STACK_OF(X509_CRL) *skcrl;
1519  X509_NAME *nm = X509_get_issuer_name(x);
1520  reasons = ctx->current_reasons;
1521  ok = get_crl_sk(ctx, &crl, &dcrl,
1522  &issuer, &crl_score, &reasons, ctx->crls);
1523 
1524  if (ok)
1525  goto done;
1526 
1527  /* Lookup CRLs from store */
1528 
1529  skcrl = ctx->lookup_crls(ctx, nm);
1530 
1531  /* If no CRLs found and a near match from get_crl_sk use that */
1532  if (!skcrl && crl)
1533  goto done;
1534 
1535  get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1536 
1537  sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1538 
1539  done:
1540 
1541  /* If we got any kind of CRL use it and return success */
1542  if (crl) {
1543  ctx->current_issuer = issuer;
1544  ctx->current_crl_score = crl_score;
1545  ctx->current_reasons = reasons;
1546  *pcrl = crl;
1547  *pdcrl = dcrl;
1548  return 1;
1549  }
1550 
1551  return 0;
1552 }
1553 
1554 /* Check CRL validity */
1555 static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1556 {
1557  X509 *issuer = NULL;
1558  EVP_PKEY *ikey = NULL;
1559  int ok = 0, chnum, cnum;
1560  cnum = ctx->error_depth;
1561  chnum = sk_X509_num(ctx->chain) - 1;
1562  /* if we have an alternative CRL issuer cert use that */
1563  if (ctx->current_issuer)
1564  issuer = ctx->current_issuer;
1565 
1566  /*
1567  * Else find CRL issuer: if not last certificate then issuer is next
1568  * certificate in chain.
1569  */
1570  else if (cnum < chnum)
1571  issuer = sk_X509_value(ctx->chain, cnum + 1);
1572  else {
1573  issuer = sk_X509_value(ctx->chain, chnum);
1574  /* If not self signed, can't check signature */
1575  if (!ctx->check_issued(ctx, issuer, issuer)) {
1576  ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1577  ok = ctx->verify_cb(0, ctx);
1578  if (!ok)
1579  goto err;
1580  }
1581  }
1582 
1583  if (issuer) {
1584  /*
1585  * Skip most tests for deltas because they have already been done
1586  */
1587  if (!crl->base_crl_number) {
1588  /* Check for cRLSign bit if keyUsage present */
1589  if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1590  !(issuer->ex_kusage & KU_CRL_SIGN)) {
1591  ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1592  ok = ctx->verify_cb(0, ctx);
1593  if (!ok)
1594  goto err;
1595  }
1596 
1597  if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
1598  ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1599  ok = ctx->verify_cb(0, ctx);
1600  if (!ok)
1601  goto err;
1602  }
1603 
1604  if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
1605  if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
1606  ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1607  ok = ctx->verify_cb(0, ctx);
1608  if (!ok)
1609  goto err;
1610  }
1611  }
1612 
1613  if (crl->idp_flags & IDP_INVALID) {
1614  ctx->error = X509_V_ERR_INVALID_EXTENSION;
1615  ok = ctx->verify_cb(0, ctx);
1616  if (!ok)
1617  goto err;
1618  }
1619 
1620  }
1621 
1622  if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
1623  ok = check_crl_time(ctx, crl, 1);
1624  if (!ok)
1625  goto err;
1626  }
1627 
1628  /* Attempt to get issuer certificate public key */
1629  ikey = X509_get_pubkey(issuer);
1630 
1631  if (!ikey) {
1632  ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1633  ok = ctx->verify_cb(0, ctx);
1634  if (!ok)
1635  goto err;
1636  } else {
1637  int rv;
1638  rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
1639  if (rv != X509_V_OK) {
1640  ctx->error = rv;
1641  ok = ctx->verify_cb(0, ctx);
1642  if (!ok)
1643  goto err;
1644  }
1645  /* Verify CRL signature */
1646  if (X509_CRL_verify(crl, ikey) <= 0) {
1647  ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
1648  ok = ctx->verify_cb(0, ctx);
1649  if (!ok)
1650  goto err;
1651  }
1652  }
1653  }
1654 
1655  ok = 1;
1656 
1657  err:
1658  EVP_PKEY_free(ikey);
1659  return ok;
1660 }
1661 
1662 /* Check certificate against CRL */
1663 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1664 {
1665  int ok;
1666  X509_REVOKED *rev;
1667  /*
1668  * The rules changed for this... previously if a CRL contained unhandled
1669  * critical extensions it could still be used to indicate a certificate
1670  * was revoked. This has since been changed since critical extension can
1671  * change the meaning of CRL entries.
1672  */
1673  if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1674  && (crl->flags & EXFLAG_CRITICAL)) {
1675  ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1676  ok = ctx->verify_cb(0, ctx);
1677  if (!ok)
1678  return 0;
1679  }
1680  /*
1681  * Look for serial number of certificate in CRL If found make sure reason
1682  * is not removeFromCRL.
1683  */
1684  if (X509_CRL_get0_by_cert(crl, &rev, x)) {
1685  if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1686  return 2;
1687  ctx->error = X509_V_ERR_CERT_REVOKED;
1688  ok = ctx->verify_cb(0, ctx);
1689  if (!ok)
1690  return 0;
1691  }
1692 
1693  return 1;
1694 }
1695 
1696 static int check_policy(X509_STORE_CTX *ctx)
1697 {
1698  int ret;
1699  if (ctx->parent)
1700  return 1;
1701  ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1702  ctx->param->policies, ctx->param->flags);
1703  if (ret == 0) {
1704  OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
1705  ctx->error = X509_V_ERR_OUT_OF_MEM;
1706  return 0;
1707  }
1708  /* Invalid or inconsistent extensions */
1709  if (ret == -1) {
1710  /*
1711  * Locate certificates with bad extensions and notify callback.
1712  */
1713  X509 *x;
1714  size_t i;
1715  for (i = 1; i < sk_X509_num(ctx->chain); i++) {
1716  x = sk_X509_value(ctx->chain, i);
1717  if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1718  continue;
1719  ctx->current_cert = x;
1720  ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1721  if (!ctx->verify_cb(0, ctx))
1722  return 0;
1723  }
1724  return 1;
1725  }
1726  if (ret == -2) {
1727  ctx->current_cert = NULL;
1728  ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1729  return ctx->verify_cb(0, ctx);
1730  }
1731 
1732  if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1733  ctx->current_cert = NULL;
1734  /*
1735  * Verification errors need to be "sticky", a callback may have allowed
1736  * an SSL handshake to continue despite an error, and we must then
1737  * remain in an error state. Therefore, we MUST NOT clear earlier
1738  * verification errors by setting the error to X509_V_OK.
1739  */
1740  if (!ctx->verify_cb(2, ctx))
1741  return 0;
1742  }
1743 
1744  return 1;
1745 }
1746 
1747 static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1748 {
1749  time_t *ptime;
1750  int i;
1751 
1752  if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1753  ptime = &ctx->param->check_time;
1754  else
1755  ptime = NULL;
1756 
1757  i = X509_cmp_time(X509_get_notBefore(x), ptime);
1758  if (i == 0) {
1759  ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1760  ctx->current_cert = x;
1761  if (!ctx->verify_cb(0, ctx))
1762  return 0;
1763  }
1764 
1765  if (i > 0) {
1766  ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
1767  ctx->current_cert = x;
1768  if (!ctx->verify_cb(0, ctx))
1769  return 0;
1770  }
1771 
1772  i = X509_cmp_time(X509_get_notAfter(x), ptime);
1773  if (i == 0) {
1774  ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1775  ctx->current_cert = x;
1776  if (!ctx->verify_cb(0, ctx))
1777  return 0;
1778  }
1779 
1780  if (i < 0) {
1781  ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
1782  ctx->current_cert = x;
1783  if (!ctx->verify_cb(0, ctx))
1784  return 0;
1785  }
1786 
1787  return 1;
1788 }
1789 
1790 static int internal_verify(X509_STORE_CTX *ctx)
1791 {
1792  int ok = 0, n;
1793  X509 *xs, *xi;
1794  EVP_PKEY *pkey = NULL;
1795  int (*cb) (int xok, X509_STORE_CTX *xctx);
1796 
1797  cb = ctx->verify_cb;
1798 
1799  n = sk_X509_num(ctx->chain);
1800  ctx->error_depth = n - 1;
1801  n--;
1802  xi = sk_X509_value(ctx->chain, n);
1803 
1804  if (ctx->check_issued(ctx, xi, xi))
1805  xs = xi;
1806  else {
1807  if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
1808  xs = xi;
1809  goto check_cert;
1810  }
1811  if (n <= 0) {
1812  ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1813  ctx->current_cert = xi;
1814  ok = cb(0, ctx);
1815  goto end;
1816  } else {
1817  n--;
1818  ctx->error_depth = n;
1819  xs = sk_X509_value(ctx->chain, n);
1820  }
1821  }
1822 
1823 /* ctx->error=0; not needed */
1824  while (n >= 0) {
1825  ctx->error_depth = n;
1826 
1827  /*
1828  * Skip signature check for self signed certificates unless
1829  * explicitly asked for. It doesn't add any security and just wastes
1830  * time.
1831  */
1832  if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
1833  if ((pkey = X509_get_pubkey(xi)) == NULL) {
1834  ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1835  ctx->current_cert = xi;
1836  ok = (*cb) (0, ctx);
1837  if (!ok)
1838  goto end;
1839  } else if (X509_verify(xs, pkey) <= 0) {
1840  ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
1841  ctx->current_cert = xs;
1842  ok = (*cb) (0, ctx);
1843  if (!ok) {
1844  EVP_PKEY_free(pkey);
1845  goto end;
1846  }
1847  }
1848  EVP_PKEY_free(pkey);
1849  pkey = NULL;
1850  }
1851 
1852  check_cert:
1853  ok = check_cert_time(ctx, xs);
1854  if (!ok)
1855  goto end;
1856 
1857  /* The last error (if any) is still in the error value */
1858  ctx->current_issuer = xi;
1859  ctx->current_cert = xs;
1860  ok = (*cb) (1, ctx);
1861  if (!ok)
1862  goto end;
1863 
1864  n--;
1865  if (n >= 0) {
1866  xi = xs;
1867  xs = sk_X509_value(ctx->chain, n);
1868  }
1869  }
1870  ok = 1;
1871  end:
1872  return ok;
1873 }
1874 
1875 int X509_cmp_current_time(const ASN1_TIME *ctm)
1876 {
1877  return X509_cmp_time(ctm, NULL);
1878 }
1879 
1880 int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1881 {
1882  static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
1883  static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
1884  ASN1_TIME *asn1_cmp_time = NULL;
1885  int i, day, sec, ret = 0;
1886 
1887  /*
1888  * Note that ASN.1 allows much more slack in the time format than RFC 5280.
1889  * In RFC 5280, the representation is fixed:
1890  * UTCTime: YYMMDDHHMMSSZ
1891  * GeneralizedTime: YYYYMMDDHHMMSSZ
1892  *
1893  * We do NOT currently enforce the following RFC 5280 requirement:
1894  * "CAs conforming to this profile MUST always encode certificate
1895  * validity dates through the year 2049 as UTCTime; certificate validity
1896  * dates in 2050 or later MUST be encoded as GeneralizedTime."
1897  */
1898  switch (ctm->type) {
1899  case V_ASN1_UTCTIME:
1900  if (ctm->length != (int)(utctime_length))
1901  return 0;
1902  break;
1903  case V_ASN1_GENERALIZEDTIME:
1904  if (ctm->length != (int)(generalizedtime_length))
1905  return 0;
1906  break;
1907  default:
1908  return 0;
1909  }
1910 
1916  for (i = 0; i < ctm->length - 1; i++) {
1917  if (!isdigit(ctm->data[i]))
1918  return 0;
1919  }
1920  if (ctm->data[ctm->length - 1] != 'Z')
1921  return 0;
1922 
1923  /*
1924  * There is ASN1_UTCTIME_cmp_time_t but no
1925  * ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t,
1926  * so we go through ASN.1
1927  */
1928  asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time);
1929  if (asn1_cmp_time == NULL)
1930  goto err;
1931  if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time))
1932  goto err;
1933 
1934  /*
1935  * X509_cmp_time comparison is <=.
1936  * The return value 0 is reserved for errors.
1937  */
1938  ret = (day >= 0 && sec >= 0) ? -1 : 1;
1939 
1940  err:
1941  ASN1_TIME_free(asn1_cmp_time);
1942  return ret;
1943 }
1944 
1945 ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec)
1946 {
1947  return X509_time_adj(s, offset_sec, NULL);
1948 }
1949 
1950 ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1951 {
1952  return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1953 }
1954 
1955 ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1956  int offset_day, long offset_sec, time_t *in_tm)
1957 {
1958  time_t t = 0;
1959 
1960  if (in_tm) {
1961  t = *in_tm;
1962  } else {
1963  time(&t);
1964  }
1965 
1966  return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1967 }
1968 
1969 /* Make a delta CRL as the diff between two full CRLs */
1970 
1971 X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
1972  EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
1973 {
1974  X509_CRL *crl = NULL;
1975  int i;
1976  size_t j;
1977  STACK_OF(X509_REVOKED) *revs = NULL;
1978  /* CRLs can't be delta already */
1979  if (base->base_crl_number || newer->base_crl_number) {
1980  OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
1981  return NULL;
1982  }
1983  /* Base and new CRL must have a CRL number */
1984  if (!base->crl_number || !newer->crl_number) {
1985  OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
1986  return NULL;
1987  }
1988  /* Issuer names must match */
1989  if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
1990  OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
1991  return NULL;
1992  }
1993  /* AKID and IDP must match */
1994  if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
1995  OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
1996  return NULL;
1997  }
1998  if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
1999  OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
2000  return NULL;
2001  }
2002  /* Newer CRL number must exceed full CRL number */
2003  if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
2004  OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
2005  return NULL;
2006  }
2007  /* CRLs must verify */
2008  if (skey && (X509_CRL_verify(base, skey) <= 0 ||
2009  X509_CRL_verify(newer, skey) <= 0)) {
2010  OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
2011  return NULL;
2012  }
2013  /* Create new CRL */
2014  crl = X509_CRL_new();
2015  if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2))
2016  goto memerr;
2017  /* Set issuer name */
2018  if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
2019  goto memerr;
2020 
2021  if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer)))
2022  goto memerr;
2023  if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))
2024  goto memerr;
2025 
2026  /* Set base CRL number: must be critical */
2027 
2028  if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))
2029  goto memerr;
2030 
2031  /*
2032  * Copy extensions across from newest CRL to delta: this will set CRL
2033  * number to correct value too.
2034  */
2035 
2036  for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
2037  X509_EXTENSION *ext;
2038  ext = X509_CRL_get_ext(newer, i);
2039  if (!X509_CRL_add_ext(crl, ext, -1))
2040  goto memerr;
2041  }
2042 
2043  /* Go through revoked entries, copying as needed */
2044 
2045  revs = X509_CRL_get_REVOKED(newer);
2046 
2047  for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
2048  X509_REVOKED *rvn, *rvtmp;
2049  rvn = sk_X509_REVOKED_value(revs, j);
2050  /*
2051  * Add only if not also in base. TODO: need something cleverer here
2052  * for some more complex CRLs covering multiple CAs.
2053  */
2054  if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
2055  rvtmp = X509_REVOKED_dup(rvn);
2056  if (!rvtmp)
2057  goto memerr;
2058  if (!X509_CRL_add0_revoked(crl, rvtmp)) {
2059  X509_REVOKED_free(rvtmp);
2060  goto memerr;
2061  }
2062  }
2063  }
2064  /* TODO: optionally prune deleted entries */
2065 
2066  if (skey && md && !X509_CRL_sign(crl, skey, md))
2067  goto memerr;
2068 
2069  return crl;
2070 
2071  memerr:
2072  OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2073  if (crl)
2074  X509_CRL_free(crl);
2075  return NULL;
2076 }
2077 
2078 int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
2079  CRYPTO_EX_unused * unused,
2080  CRYPTO_EX_dup *dup_unused,
2081  CRYPTO_EX_free *free_func)
2082 {
2083  /*
2084  * This function is (usually) called only once, by
2085  * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
2086  */
2087  int index;
2088  if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
2089  free_func)) {
2090  return -1;
2091  }
2092  return index;
2093 }
2094 
2095 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
2096 {
2097  return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
2098 }
2099 
2100 void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
2101 {
2102  return CRYPTO_get_ex_data(&ctx->ex_data, idx);
2103 }
2104 
2105 int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
2106 {
2107  return ctx->error;
2108 }
2109 
2110 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
2111 {
2112  ctx->error = err;
2113 }
2114 
2115 int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
2116 {
2117  return ctx->error_depth;
2118 }
2119 
2120 X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
2121 {
2122  return ctx->current_cert;
2123 }
2124 
2125 STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
2126 {
2127  return ctx->chain;
2128 }
2129 
2130 STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
2131 {
2132  return ctx->chain;
2133 }
2134 
2135 STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
2136 {
2137  if (!ctx->chain)
2138  return NULL;
2139  return X509_chain_up_ref(ctx->chain);
2140 }
2141 
2142 X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
2143 {
2144  return ctx->current_issuer;
2145 }
2146 
2147 X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
2148 {
2149  return ctx->current_crl;
2150 }
2151 
2152 X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
2153 {
2154  return ctx->parent;
2155 }
2156 
2157 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
2158 {
2159  ctx->cert = x;
2160 }
2161 
2162 void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2163 {
2164  ctx->untrusted = sk;
2165 }
2166 
2167 STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
2168 {
2169  return ctx->untrusted;
2170 }
2171 
2172 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
2173 {
2174  ctx->crls = sk;
2175 }
2176 
2177 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
2178 {
2179  return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
2180 }
2181 
2182 int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
2183 {
2184  return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
2185 }
2186 
2187 /*
2188  * This function is used to set the X509_STORE_CTX purpose and trust values.
2189  * This is intended to be used when another structure has its own trust and
2190  * purpose values which (if set) will be inherited by the ctx. If they aren't
2191  * set then we will usually have a default purpose in mind which should then
2192  * be used to set the trust value. An example of this is SSL use: an SSL
2193  * structure will have its own purpose and trust settings which the
2194  * application can set: if they aren't set then we use the default of SSL
2195  * client/server.
2196  */
2197 
2198 int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
2199  int purpose, int trust)
2200 {
2201  int idx;
2202  /* If purpose not set use default */
2203  if (!purpose)
2204  purpose = def_purpose;
2205  /* If we have a purpose then check it is valid */
2206  if (purpose) {
2207  X509_PURPOSE *ptmp;
2208  idx = X509_PURPOSE_get_by_id(purpose);
2209  if (idx == -1) {
2210  OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2211  return 0;
2212  }
2213  ptmp = X509_PURPOSE_get0(idx);
2214  if (ptmp->trust == X509_TRUST_DEFAULT) {
2215  idx = X509_PURPOSE_get_by_id(def_purpose);
2216  if (idx == -1) {
2217  OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);
2218  return 0;
2219  }
2220  ptmp = X509_PURPOSE_get0(idx);
2221  }
2222  /* If trust not set then get from purpose default */
2223  if (!trust)
2224  trust = ptmp->trust;
2225  }
2226  if (trust) {
2227  idx = X509_TRUST_get_by_id(trust);
2228  if (idx == -1) {
2229  OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);
2230  return 0;
2231  }
2232  }
2233 
2234  if (purpose && !ctx->param->purpose)
2235  ctx->param->purpose = purpose;
2236  if (trust && !ctx->param->trust)
2237  ctx->param->trust = trust;
2238  return 1;
2239 }
2240 
2241 X509_STORE_CTX *X509_STORE_CTX_new(void)
2242 {
2243  X509_STORE_CTX *ctx;
2244  ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
2245  if (!ctx) {
2246  OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2247  return NULL;
2248  }
2249  X509_STORE_CTX_zero(ctx);
2250  return ctx;
2251 }
2252 
2253 void X509_STORE_CTX_zero(X509_STORE_CTX *ctx)
2254 {
2255  OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2256 }
2257 
2258 void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
2259 {
2260  if (ctx == NULL) {
2261  return;
2262  }
2263  X509_STORE_CTX_cleanup(ctx);
2264  OPENSSL_free(ctx);
2265 }
2266 
2267 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2268  STACK_OF(X509) *chain)
2269 {
2270  X509_STORE_CTX_zero(ctx);
2271  ctx->ctx = store;
2272  ctx->cert = x509;
2273  ctx->untrusted = chain;
2274 
2275  CRYPTO_new_ex_data(&ctx->ex_data);
2276 
2277  if (store == NULL) {
2278  OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);
2279  goto err;
2280  }
2281 
2282  ctx->param = X509_VERIFY_PARAM_new();
2283  if (!ctx->param)
2284  goto err;
2285 
2286  /*
2287  * Inherit callbacks and flags from X509_STORE.
2288  */
2289 
2290  ctx->verify_cb = store->verify_cb;
2291  ctx->cleanup = store->cleanup;
2292 
2293  if (!X509_VERIFY_PARAM_inherit(ctx->param, store->param) ||
2294  !X509_VERIFY_PARAM_inherit(ctx->param,
2295  X509_VERIFY_PARAM_lookup("default"))) {
2296  goto err;
2297  }
2298 
2299  if (store->check_issued)
2300  ctx->check_issued = store->check_issued;
2301  else
2302  ctx->check_issued = check_issued;
2303 
2304  if (store->get_issuer)
2305  ctx->get_issuer = store->get_issuer;
2306  else
2307  ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2308 
2309  if (store->verify_cb)
2310  ctx->verify_cb = store->verify_cb;
2311  else
2312  ctx->verify_cb = null_callback;
2313 
2314  if (store->verify)
2315  ctx->verify = store->verify;
2316  else
2317  ctx->verify = internal_verify;
2318 
2319  if (store->check_revocation)
2320  ctx->check_revocation = store->check_revocation;
2321  else
2322  ctx->check_revocation = check_revocation;
2323 
2324  if (store->get_crl)
2325  ctx->get_crl = store->get_crl;
2326  else
2327  ctx->get_crl = NULL;
2328 
2329  if (store->check_crl)
2330  ctx->check_crl = store->check_crl;
2331  else
2332  ctx->check_crl = check_crl;
2333 
2334  if (store->cert_crl)
2335  ctx->cert_crl = store->cert_crl;
2336  else
2337  ctx->cert_crl = cert_crl;
2338 
2339  if (store->lookup_certs)
2340  ctx->lookup_certs = store->lookup_certs;
2341  else
2342  ctx->lookup_certs = X509_STORE_get1_certs;
2343 
2344  if (store->lookup_crls)
2345  ctx->lookup_crls = store->lookup_crls;
2346  else
2347  ctx->lookup_crls = X509_STORE_get1_crls;
2348 
2349  ctx->check_policy = check_policy;
2350 
2351  return 1;
2352 
2353  err:
2354  CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
2355  if (ctx->param != NULL) {
2356  X509_VERIFY_PARAM_free(ctx->param);
2357  }
2358 
2359  OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));
2360  OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
2361  return 0;
2362 }
2363 
2364 /*
2365  * Set alternative lookup method: just a STACK of trusted certificates. This
2366  * avoids X509_STORE nastiness where it isn't needed.
2367  */
2368 
2369 void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2370 {
2371  ctx->other_ctx = sk;
2372  ctx->get_issuer = get_issuer_sk;
2373 }
2374 
2375 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2376 {
2377  /* We need to be idempotent because, unfortunately, |X509_STORE_CTX_free|
2378  * also calls this function. */
2379  if (ctx->cleanup != NULL) {
2380  ctx->cleanup(ctx);
2381  ctx->cleanup = NULL;
2382  }
2383  if (ctx->param != NULL) {
2384  if (ctx->parent == NULL)
2385  X509_VERIFY_PARAM_free(ctx->param);
2386  ctx->param = NULL;
2387  }
2388  if (ctx->tree != NULL) {
2389  X509_policy_tree_free(ctx->tree);
2390  ctx->tree = NULL;
2391  }
2392  if (ctx->chain != NULL) {
2393  sk_X509_pop_free(ctx->chain, X509_free);
2394  ctx->chain = NULL;
2395  }
2396  CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
2397  OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
2398 }
2399 
2400 void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2401 {
2402  X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2403 }
2404 
2405 void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2406 {
2407  X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2408 }
2409 
2410 void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
2411  time_t t)
2412 {
2413  X509_VERIFY_PARAM_set_time(ctx->param, t);
2414 }
2415 
2416 X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
2417 {
2418  return ctx->cert;
2419 }
2420 
2421 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2422  int (*verify_cb) (int, X509_STORE_CTX *))
2423 {
2424  ctx->verify_cb = verify_cb;
2425 }
2426 
2427 X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2428 {
2429  return ctx->tree;
2430 }
2431 
2432 int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2433 {
2434  return ctx->explicit_policy;
2435 }
2436 
2437 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2438 {
2439  const X509_VERIFY_PARAM *param;
2440  param = X509_VERIFY_PARAM_lookup(name);
2441  if (!param)
2442  return 0;
2443  return X509_VERIFY_PARAM_inherit(ctx->param, param);
2444 }
2445 
2446 X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2447 {
2448  return ctx->param;
2449 }
2450 
2451 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2452 {
2453  if (ctx->param)
2454  X509_VERIFY_PARAM_free(ctx->param);
2455  ctx->param = param;
2456 }
X509_CRL_new
#define X509_CRL_new
Definition: boringssl_prefix_symbols.h:2316
X509_check_trust
#define X509_check_trust
Definition: boringssl_prefix_symbols.h:2622
X509_V_FLAG_CRL_CHECK_ALL
#define X509_V_FLAG_CRL_CHECK_ALL
Definition: x509.h:2009
X509_V_ERR_DIFFERENT_CRL_SCOPE
#define X509_V_ERR_DIFFERENT_CRL_SCOPE
Definition: x509.h:1966
x509_store_st::check_crl
X509_STORE_CTX_check_crl_fn check_crl
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:289
ASN1_OCTET_STRING_cmp
#define ASN1_OCTET_STRING_cmp
Definition: boringssl_prefix_symbols.h:658
X509_V_ERR_INVALID_EXTENSION
#define X509_V_ERR_INVALID_EXTENSION
Definition: x509.h:1963
X509_R_IDP_MISMATCH
#define X509_R_IDP_MISMATCH
Definition: x509.h:2385
CRL_SCORE_AKID
#define CRL_SCORE_AKID
Definition: x509_vfy.c:109
GENERAL_NAME_st::type
int type
Definition: x509v3.h:184
X509_CRL_up_ref
#define X509_CRL_up_ref
Definition: boringssl_prefix_symbols.h:2330
test_server.argp
argp
Definition: test_server.py:33
X509_get_subject_name
#define X509_get_subject_name
Definition: boringssl_prefix_symbols.h:2672
X509_STORE_CTX_get1_issuer
#define X509_STORE_CTX_get1_issuer
Definition: boringssl_prefix_symbols.h:2498
x509_st::ex_kusage
unsigned long ex_kusage
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:149
check_crl_chain
static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, STACK_OF(X509) *crl_path)
Definition: x509_vfy.c:1380
X509_V_FLAG_POLICY_CHECK
#define X509_V_FLAG_POLICY_CHECK
Definition: x509.h:2017
GENERAL_NAME_st
Definition: x509v3.h:173
CRL_SCORE_SAME_PATH
#define CRL_SCORE_SAME_PATH
Definition: x509_vfy.c:105
crl_extension_match
static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
Definition: x509_vfy.c:1121
CRL_SCORE_TIME
#define CRL_SCORE_TIME
Definition: x509_vfy.c:89
X509_STORE_CTX_set_trust
int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
Definition: x509_vfy.c:2182
ctx
Definition: benchmark-async.c:30
X509_VERIFY_PARAM_st::emaillen
size_t emaillen
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:231
X509_chain_check_suiteb
#define X509_chain_check_suiteb
Definition: boringssl_prefix_symbols.h:2611
X509_V_ERR_NO_EXPLICIT_POLICY
#define X509_V_ERR_NO_EXPLICIT_POLICY
Definition: x509.h:1965
X509_V_ERR_INVALID_CA
#define X509_V_ERR_INVALID_CA
Definition: x509.h:1943
internal_verify
static int internal_verify(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:1790
CRYPTO_EX_dup
int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, void **from_d, int index, long argl, void *argp)
Definition: ex_data.h:184
check_trust
static int check_trust(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:857
X509_crl_st::base_crl_number
ASN1_INTEGER * base_crl_number
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:210
env_md_st
Definition: third_party/boringssl-with-bazel/src/crypto/fipsmodule/digest/internal.h:67
X509_R_ISSUER_MISMATCH
#define X509_R_ISSUER_MISMATCH
Definition: x509.h:2391
evp.h
GENERAL_NAME_st::directoryName
X509_NAME * directoryName
Definition: x509v3.h:191
X509_verify
#define X509_verify
Definition: boringssl_prefix_symbols.h:2732
CRL_REASON_REMOVE_FROM_CRL
#define CRL_REASON_REMOVE_FROM_CRL
Definition: x509v3.h:242
X509_V_FLAG_CRL_CHECK
#define X509_V_FLAG_CRL_CHECK
Definition: x509.h:2007
DIST_POINT_st::CRLissuer
GENERAL_NAMES * CRLissuer
Definition: x509v3.h:249
X509_STORE_CTX_get0_chain
#define X509_STORE_CTX_get0_chain
Definition: boringssl_prefix_symbols.h:2489
X509_V_FLAG_PARTIAL_CHAIN
#define X509_V_FLAG_PARTIAL_CHAIN
Definition: x509.h:2042
X509_CRL_set_version
#define X509_CRL_set_version
Definition: boringssl_prefix_symbols.h:2326
verify_cb
static int verify_cb(int ok, X509_STORE_CTX *ctx)
Definition: ssl_transport_security.cc:1973
CRYPTO_EX_DATA_CLASS
Definition: third_party/boringssl-with-bazel/src/crypto/internal.h:679
IDP_ONLYCA
#define IDP_ONLYCA
Definition: x509v3.h:351
X509_V_ERR_CRL_HAS_EXPIRED
#define X509_V_ERR_CRL_HAS_EXPIRED
Definition: x509.h:1931
OPENSSL_PUT_ERROR
#define OPENSSL_PUT_ERROR(library, reason)
Definition: err.h:423
internal.h
ext
void * ext
Definition: x509v3.h:87
NID_authority_key_identifier
#define NID_authority_key_identifier
Definition: nid.h:499
X509_VERIFY_PARAM_st::poison
unsigned char poison
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:234
X509_get_notBefore
#define X509_get_notBefore
Definition: boringssl_prefix_symbols.h:2667
CRL_SCORE_TIME_DELTA
#define CRL_SCORE_TIME_DELTA
Definition: x509_vfy.c:113
string.h
sk_X509_num
#define sk_X509_num
Definition: boringssl_prefix_symbols.h:587
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
Definition: x509.h:1935
X509_CRL_get0_nextUpdate
#define X509_CRL_get0_nextUpdate
Definition: boringssl_prefix_symbols.h:2299
x509_store_st::param
X509_VERIFY_PARAM * param
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:279
X509_CRL_check_suiteb
#define X509_CRL_check_suiteb
Definition: boringssl_prefix_symbols.h:2288
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
Definition: x509.h:1940
check_revocation
static int check_revocation(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:909
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
Definition: x509.h:1937
X509_V_ERR_CRL_SIGNATURE_FAILURE
#define X509_V_ERR_CRL_SIGNATURE_FAILURE
Definition: x509.h:1927
error
grpc_error_handle error
Definition: retry_filter.cc:499
reject_dns_name_in_common_name
static int reject_dns_name_in_common_name(X509 *x509)
Definition: x509_vfy.c:709
X509_TRUST_DEFAULT
#define X509_TRUST_DEFAULT
Definition: x509.h:159
X509_VERIFY_PARAM_st::hostflags
unsigned int hostflags
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:228
X509_CRL_get_ext
#define X509_CRL_get_ext
Definition: boringssl_prefix_symbols.h:2302
error_ref_leak.err
err
Definition: error_ref_leak.py:35
crl_reasons
static const ENUMERATED_NAMES crl_reasons[]
Definition: v3_enum.c:69
IDP_ONLYUSER
#define IDP_ONLYUSER
Definition: x509v3.h:349
X509_CRL_verify
OPENSSL_EXPORT int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey)
x509_revoked_st
Definition: x509.h:252
X509_V_FLAG_USE_DELTAS
#define X509_V_FLAG_USE_DELTAS
Definition: x509.h:2029
X509_STORE_CTX_set_default
int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
Definition: x509_vfy.c:2437
x509v3.h
EXFLAG_FRESHEST
#define EXFLAG_FRESHEST
Definition: x509v3.h:402
X509_crl_st::idp_flags
int idp_flags
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:206
EXFLAG_CA
#define EXFLAG_CA
Definition: x509v3.h:392
X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
Definition: x509.h:1933
X509_time_adj
ASN1_TIME * X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
Definition: x509_vfy.c:1950
CRL_SCORE_NOCRITICAL
#define CRL_SCORE_NOCRITICAL
Definition: x509_vfy.c:81
DIST_POINT_NAME_st
Definition: x509v3.h:222
x509_store_st::get_crl
X509_STORE_CTX_get_crl_fn get_crl
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:288
X509_V_ERR_PATH_LENGTH_EXCEEDED
#define X509_V_ERR_PATH_LENGTH_EXCEEDED
Definition: x509.h:1944
check_issued
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
Definition: x509_vfy.c:543
ctx
static struct test_ctx ctx
Definition: test-ipc-send-recv.c:65
setup.name
name
Definition: setup.py:542
x509_store_st::cleanup
X509_STORE_CTX_cleanup_fn cleanup
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:293
X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
Definition: x509.h:1961
X509_crl_st::idp
ISSUING_DIST_POINT * idp
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:204
X509_CRL_get_ext_by_NID
#define X509_CRL_get_ext_by_NID
Definition: boringssl_prefix_symbols.h:2303
a
int a
Definition: abseil-cpp/absl/container/internal/hash_policy_traits_test.cc:88
check_hosts
static int check_hosts(X509 *x, X509_VERIFY_PARAM *param)
Definition: x509_vfy.c:815
null_callback
static int null_callback(int ok, X509_STORE_CTX *e)
Definition: x509_vfy.c:144
X509_TRUST_TRUSTED
#define X509_TRUST_TRUSTED
Definition: x509.h:181
X509_V_OK
#define X509_V_OK
Definition: x509.h:1918
ASN1_TIME_free
OPENSSL_EXPORT void ASN1_TIME_free(ASN1_TIME *str)
X509_check_ip
#define X509_check_ip
Definition: boringssl_prefix_symbols.h:2617
X509_PURPOSE_get0
#define X509_PURPOSE_get0
Definition: boringssl_prefix_symbols.h:2417
CRL_SCORE_SCOPE
#define CRL_SCORE_SCOPE
Definition: x509_vfy.c:85
X509_extension_st
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:117
X509_chain_up_ref
#define X509_chain_up_ref
Definition: boringssl_prefix_symbols.h:2612
CRL_SCORE_VALID
#define CRL_SCORE_VALID
Definition: x509_vfy.c:97
X509_V_ERR_CERT_REVOKED
#define X509_V_ERR_CERT_REVOKED
Definition: x509.h:1942
X509_NAME_cmp
#define X509_NAME_cmp
Definition: boringssl_prefix_symbols.h:2376
X509_R_NO_CRL_NUMBER
#define X509_R_NO_CRL_NUMBER
Definition: x509.h:2401
g_ex_data_class
static CRYPTO_EX_DATA_CLASS g_ex_data_class
Definition: x509_vfy.c:74
crldp_check_crlissuer
static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
Definition: x509_vfy.c:1457
X509_VERIFY_PARAM_inherit
#define X509_VERIFY_PARAM_inherit
Definition: boringssl_prefix_symbols.h:2588
X509_NAME_get_index_by_NID
#define X509_NAME_get_index_by_NID
Definition: boringssl_prefix_symbols.h:2384
X509_STORE_CTX_set0_crls
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
Definition: x509_vfy.c:2172
X509_REVOKED_dup
OPENSSL_EXPORT X509_REVOKED * X509_REVOKED_dup(X509_REVOKED *rev)
OPENSSL_memset
static void * OPENSSL_memset(void *dst, int c, size_t n)
Definition: third_party/boringssl-with-bazel/src/crypto/internal.h:835
X509_CRL_diff
X509_CRL * X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
Definition: x509_vfy.c:1971
X509_CRL_get_ext_count
#define X509_CRL_get_ext_count
Definition: boringssl_prefix_symbols.h:2306
DIST_POINT_st
Definition: x509v3.h:246
asn1_string_st::data
unsigned char * data
Definition: asn1.h:546
STACK_OF
STACK_OF(X509)
Definition: x509_vfy.c:2125
X509_CRL_set1_lastUpdate
#define X509_CRL_set1_lastUpdate
Definition: boringssl_prefix_symbols.h:2319
x509v3_looks_like_dns_name
#define x509v3_looks_like_dns_name
Definition: boringssl_prefix_symbols.h:3461
X509_CRL_add1_ext_i2d
#define X509_CRL_add1_ext_i2d
Definition: boringssl_prefix_symbols.h:2286
check_cert_time
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
Definition: x509_vfy.c:1747
X509_TRUST_get_by_id
#define X509_TRUST_get_by_id
Definition: boringssl_prefix_symbols.h:2568
X509_STORE_CTX_set_time
void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
Definition: x509_vfy.c:2410
check_cert
static int check_cert(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:931
V_ASN1_GENERALIZEDTIME
#define V_ASN1_GENERALIZEDTIME
Definition: asn1.h:145
X509_V_ERR_CERT_HAS_EXPIRED
#define X509_V_ERR_CERT_HAS_EXPIRED
Definition: x509.h:1929
X509_check_host
#define X509_check_host
Definition: boringssl_prefix_symbols.h:2616
x509_store_ctx_st::parent
X509_STORE_CTX * parent
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:356
X509_VERIFY_PARAM_new
#define X509_VERIFY_PARAM_new
Definition: boringssl_prefix_symbols.h:2590
check_policy
static int check_policy(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:1696
retry
void retry(grpc_end2end_test_config config)
Definition: retry.cc:319
X509_crl_st::flags
int flags
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:201
X509_free
#define X509_free
Definition: boringssl_prefix_symbols.h:2632
CRYPTO_free_ex_data
#define CRYPTO_free_ex_data
Definition: boringssl_prefix_symbols.h:1151
X509_CRL_VERSION_2
#define X509_CRL_VERSION_2
Definition: x509.h:429
OPENSSL_malloc
#define OPENSSL_malloc
Definition: boringssl_prefix_symbols.h:1885
X509_verify_cert
int X509_verify_cert(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:186
X509_POLICY_TREE_st
Definition: third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h:228
EXFLAG_SI
#define EXFLAG_SI
Definition: x509v3.h:394
EXFLAG_SS
#define EXFLAG_SS
Definition: x509v3.h:404
X509_get_pubkey
#define X509_get_pubkey
Definition: boringssl_prefix_symbols.h:2669
X509_V_ERR_UNSPECIFIED
#define X509_V_ERR_UNSPECIFIED
Definition: x509.h:1919
cert_crl
static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
Definition: x509_vfy.c:1663
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
Definition: x509.h:1939
X509_STORE_CTX_get_ex_new_index
int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func)
Definition: x509_vfy.c:2078
X509_VERIFY_PARAM_set_flags
#define X509_VERIFY_PARAM_set_flags
Definition: boringssl_prefix_symbols.h:2599
check_id
static int check_id(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:834
X509_V_FLAG_NO_ALT_CHAINS
#define X509_V_FLAG_NO_ALT_CHAINS
Definition: x509.h:2047
X509_VERIFY_PARAM_st
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:217
ASN1_TIME_diff
#define ASN1_TIME_diff
Definition: boringssl_prefix_symbols.h:702
check_crl_time
static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
Definition: x509_vfy.c:1005
x509_revoked_st::reason
int reason
Definition: x509.h:259
X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
Definition: x509.h:1954
X509_policy_tree_free
#define X509_policy_tree_free
Definition: boringssl_prefix_symbols.h:2696
X509_check_issued
#define X509_check_issued
Definition: boringssl_prefix_symbols.h:2619
NID_commonName
#define NID_commonName
Definition: nid.h:148
evp_pkey_st
Definition: evp.h:1046
xds_interop_client.int
int
Definition: xds_interop_client.py:113
X509_STORE_CTX_get0_current_issuer
X509 * X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2142
end
char * end
Definition: abseil-cpp/absl/strings/internal/str_format/float_conversion.cc:1008
X509_V_ERR_INVALID_PURPOSE
#define X509_V_ERR_INVALID_PURPOSE
Definition: x509.h:1945
X509_V_ERR_CRL_NOT_YET_VALID
#define X509_V_ERR_CRL_NOT_YET_VALID
Definition: x509.h:1930
x509_store_st::verify
X509_STORE_CTX_verify_fn verify
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:282
check_id_error
static int check_id_error(X509_STORE_CTX *ctx, int errcode)
Definition: x509_vfy.c:807
NID_delta_crl
#define NID_delta_crl
Definition: nid.h:717
get_delta_sk
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, X509_CRL *base, STACK_OF(X509_CRL) *crls)
Definition: x509_vfy.c:1188
X509_get_issuer_name
#define X509_get_issuer_name
Definition: boringssl_prefix_symbols.h:2664
x509v3_cache_extensions
#define x509v3_cache_extensions
Definition: boringssl_prefix_symbols.h:3459
crl_crldp_check
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons)
Definition: x509_vfy.c:1476
ERR_R_PASSED_NULL_PARAMETER
#define ERR_R_PASSED_NULL_PARAMETER
Definition: err.h:373
X509_STORE_CTX_set_error
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
Definition: x509_vfy.c:2110
asn1_string_st::length
int length
Definition: asn1.h:544
X509_V_ERR_INVALID_POLICY_EXTENSION
#define X509_V_ERR_INVALID_POLICY_EXTENSION
Definition: x509.h:1964
X509_V_ERR_CERT_SIGNATURE_FAILURE
#define X509_V_ERR_CERT_SIGNATURE_FAILURE
Definition: x509.h:1926
X509_NAME_get_entry
#define X509_NAME_get_entry
Definition: boringssl_prefix_symbols.h:2383
X509_V_FLAG_NOTIFY_POLICY
#define X509_V_FLAG_NOTIFY_POLICY
Definition: x509.h:2025
X509_CRL_free
#define X509_CRL_free
Definition: boringssl_prefix_symbols.h:2294
ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
#define ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
Definition: err.h:372
X509_CRL_get0_lastUpdate
#define X509_CRL_get0_lastUpdate
Definition: boringssl_prefix_symbols.h:2298
X509_STORE_CTX_cleanup
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2375
x509_store_st::verify_cb
X509_STORE_CTX_verify_cb verify_cb
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:283
X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
Definition: x509.h:1959
idp_check_dp
static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
Definition: x509_vfy.c:1399
EXFLAG_INVALID_POLICY
#define EXFLAG_INVALID_POLICY
Definition: x509v3.h:401
X509_STORE_CTX_init
int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain)
Definition: x509_vfy.c:2267
X509_STORE_CTX_get0_untrusted
#define X509_STORE_CTX_get0_untrusted
Definition: boringssl_prefix_symbols.h:2496
X509_CRL_set_issuer_name
#define X509_CRL_set_issuer_name
Definition: boringssl_prefix_symbols.h:2324
X509_VERIFY_PARAM_set_time
#define X509_VERIFY_PARAM_set_time
Definition: boringssl_prefix_symbols.h:2602
X509_STORE_CTX_get_error
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2105
X509_EXTENSION_get_data
#define X509_EXTENSION_get_data
Definition: boringssl_prefix_symbols.h:2338
EXFLAG_KUSAGE
#define EXFLAG_KUSAGE
Definition: x509v3.h:388
x509_purpose_st
Definition: x509v3.h:438
EVP_PKEY_free
#define EVP_PKEY_free
Definition: boringssl_prefix_symbols.h:1625
X509_crl_st
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:195
X509_R_NO_CERT_SET_FOR_US_TO_VERIFY
#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY
Definition: x509.h:2399
X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
Definition: x509.h:1957
X509_check_ca
#define X509_check_ca
Definition: boringssl_prefix_symbols.h:2614
X509_V_ERR_OUT_OF_MEM
#define X509_V_ERR_OUT_OF_MEM
Definition: x509.h:1936
X509_NAME_ENTRY_get_data
#define X509_NAME_ENTRY_get_data
Definition: boringssl_prefix_symbols.h:2364
X509_get_notAfter
#define X509_get_notAfter
Definition: boringssl_prefix_symbols.h:2666
X509_policy_check
#define X509_policy_check
Definition: boringssl_prefix_symbols.h:2690
X509_STORE_CTX_get0_policy_tree
X509_POLICY_TREE * X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2427
done
struct tab * done
Definition: bloaty/third_party/zlib/examples/enough.c:176
X509_STORE_CTX_set_cert
void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
Definition: x509_vfy.c:2157
IDP_INDIRECT
#define IDP_INDIRECT
Definition: x509v3.h:355
X509_STORE_CTX_set_ex_data
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
Definition: x509_vfy.c:2095
err.h
X509_STORE_CTX_new
X509_STORE_CTX * X509_STORE_CTX_new(void)
Definition: x509_vfy.c:2241
X509_up_ref
OPENSSL_EXPORT int X509_up_ref(X509 *x509)
X509_STORE_CTX_get0_param
X509_VERIFY_PARAM * X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2446
X509_V_FLAG_TRUSTED_FIRST
#define X509_V_FLAG_TRUSTED_FIRST
Definition: x509.h:2033
x509_store_st::check_revocation
X509_STORE_CTX_check_revocation_fn check_revocation
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:287
check_delta_base
static int check_delta_base(X509_CRL *delta, X509_CRL *base)
Definition: x509_vfy.c:1158
CRYPTO_EX_unused
int CRYPTO_EX_unused
Definition: ex_data.h:192
CRYPTO_new_ex_data
#define CRYPTO_new_ex_data
Definition: boringssl_prefix_symbols.h:1179
x509_store_st
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:270
X509_V_ERR_IP_ADDRESS_MISMATCH
#define X509_V_ERR_IP_ADDRESS_MISMATCH
Definition: x509.h:1991
X509_VERIFY_PARAM_st::iplen
size_t iplen
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:233
x
int x
Definition: bloaty/third_party/googletest/googlemock/test/gmock-matchers_test.cc:3610
X509_R_AKID_MISMATCH
#define X509_R_AKID_MISMATCH
Definition: x509.h:2377
gen_synthetic_protos.base
base
Definition: gen_synthetic_protos.py:31
X509_CRL_sign
#define X509_CRL_sign
Definition: boringssl_prefix_symbols.h:2327
data
char data[kBufferLength]
Definition: abseil-cpp/absl/strings/internal/str_format/float_conversion.cc:1006
X509_crl_st::akid
AUTHORITY_KEYID * akid
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:203
DIST_POINT_st::distpoint
DIST_POINT_NAME * distpoint
Definition: x509v3.h:247
X509_STORE_CTX_get0_current_crl
X509_CRL * X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2147
gen
OPENSSL_EXPORT GENERAL_NAME * gen
Definition: x509v3.h:495
X509_CRL_get_REVOKED
#define X509_CRL_get_REVOKED
Definition: boringssl_prefix_symbols.h:2301
x509_st::ex_flags
unsigned long ex_flags
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:148
X509_STORE_CTX_free
void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2258
X509_STORE_CTX_get_ex_data
void * X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
Definition: x509_vfy.c:2100
X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
Definition: x509.h:1934
b
uint64_t b
Definition: abseil-cpp/absl/container/internal/layout_test.cc:53
NAME_CONSTRAINTS_check
OPENSSL_EXPORT int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
X509_STORE_get1_crls
#define X509_STORE_get1_crls
Definition: boringssl_prefix_symbols.h:2531
X509_cmp_time
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
Definition: x509_vfy.c:1880
NAME_CONSTRAINTS_st
Definition: x509v3.h:310
CRYPTO_EX_free
void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int index, long argl, void *argp)
Definition: ex_data.h:174
x509_store_st::lookup_crls
X509_STORE_CTX_lookup_crls_fn lookup_crls
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:292
X509_V_ERR_INVALID_CALL
#define X509_V_ERR_INVALID_CALL
Definition: x509.h:1994
n
int n
Definition: abseil-cpp/absl/container/btree_test.cc:1080
DIST_POINT_st::dp_reasons
int dp_reasons
Definition: x509v3.h:250
X509_STORE_CTX_set_flags
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
Definition: x509_vfy.c:2405
V_ASN1_UTCTIME
#define V_ASN1_UTCTIME
Definition: asn1.h:144
setup.idx
idx
Definition: third_party/bloaty/third_party/capstone/bindings/python/setup.py:197
x509_store_ctx_st::verify_cb
X509_STORE_CTX_verify_cb verify_cb
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:325
X509_STORE_CTX_set_chain
void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
Definition: x509_vfy.c:2162
X509_name_entry_st
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:88
IDP_ONLYATTR
#define IDP_ONLYATTR
Definition: x509v3.h:353
X509_VERIFY_PARAM_lookup
#define X509_VERIFY_PARAM_lookup
Definition: boringssl_prefix_symbols.h:2589
IDP_INVALID
#define IDP_INVALID
Definition: x509v3.h:347
nid
int nid
Definition: cipher_extra.c:71
ASN1_TIME_adj
#define ASN1_TIME_adj
Definition: boringssl_prefix_symbols.h:700
EXFLAG_CRITICAL
#define EXFLAG_CRITICAL
Definition: x509v3.h:398
X509_STORE_CTX_get_chain
#define X509_STORE_CTX_get_chain
Definition: boringssl_prefix_symbols.h:2499
X509_V_FLAG_IGNORE_CRITICAL
#define X509_V_FLAG_IGNORE_CRITICAL
Definition: x509.h:2011
CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA
#define CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA
Definition: third_party/boringssl-with-bazel/src/crypto/internal.h:688
X509_STORE_CTX_get1_chain
#define X509_STORE_CTX_get1_chain
Definition: boringssl_prefix_symbols.h:2497
X509_CRL_get0_by_serial
OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial)
CRYPTO_get_ex_data
#define CRYPTO_get_ex_data
Definition: boringssl_prefix_symbols.h:1164
X509_crl_st::idp_reasons
int idp_reasons
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:207
X509_gmtime_adj
ASN1_TIME * X509_gmtime_adj(ASN1_TIME *s, long offset_sec)
Definition: x509_vfy.c:1945
x509_store_st::get_issuer
X509_STORE_CTX_get_issuer_fn get_issuer
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:284
x509_store_st::cert_crl
X509_STORE_CTX_cert_crl_fn cert_crl
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:290
X509_STORE_CTX_zero
void X509_STORE_CTX_zero(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2253
ASN1_STRING_to_UTF8
#define ASN1_STRING_to_UTF8
Definition: boringssl_prefix_symbols.h:693
IDP_REASONS
#define IDP_REASONS
Definition: x509v3.h:357
CRL_SCORE_ISSUER_CERT
#define CRL_SCORE_ISSUER_CERT
Definition: x509_vfy.c:101
X509_CRL_set1_nextUpdate
#define X509_CRL_set1_nextUpdate
Definition: boringssl_prefix_symbols.h:2320
benchmark.md
md
Definition: benchmark.py:86
get_crl_delta
static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
Definition: x509_vfy.c:1510
CRLDP_ALL_REASONS
#define CRLDP_ALL_REASONS
Definition: x509v3.h:232
X509_STORE_CTX_get_error_depth
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2115
CRYPTO_get_ex_new_index
#define CRYPTO_get_ex_new_index
Definition: boringssl_prefix_symbols.h:1165
x509_revoked_st::serialNumber
ASN1_INTEGER * serialNumber
Definition: x509.h:253
X509_V_FLAG_CB_ISSUER_CHECK
#define X509_V_FLAG_CB_ISSUER_CHECK
Definition: x509.h:2003
x509_st
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:139
GENERAL_NAME_st::d
union GENERAL_NAME_st::@370 d
X509_R_UNKNOWN_PURPOSE_ID
#define X509_R_UNKNOWN_PURPOSE_ID
Definition: x509.h:2407
X509_PURPOSE_CRL_SIGN
#define X509_PURPOSE_CRL_SIGN
Definition: x509v3.h:453
get_crl_score
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, X509_CRL *crl, X509 *x)
Definition: x509_vfy.c:1218
absl::flags_internal
Definition: abseil-cpp/absl/flags/commandlineflag.h:40
X509_V_ERR_HOSTNAME_MISMATCH
#define X509_V_ERR_HOSTNAME_MISMATCH
Definition: x509.h:1989
check_name_constraints
static int check_name_constraints(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:736
X509_STORE_CTX_purpose_inherit
int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, int purpose, int trust)
Definition: x509_vfy.c:2198
X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
Definition: x509.h:1956
check_chain_extensions
static int check_chain_extensions(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:576
X509_PURPOSE_get_by_id
#define X509_PURPOSE_get_by_id
Definition: boringssl_prefix_symbols.h:2420
X509_STORE_get1_certs
#define X509_STORE_get1_certs
Definition: boringssl_prefix_symbols.h:2530
X509_TRUST_UNTRUSTED
#define X509_TRUST_UNTRUSTED
Definition: x509.h:183
X509_STORE_CTX_get_explicit_policy
int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2432
crl_akid_check
static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, int *pcrl_score)
Definition: x509_vfy.c:1280
index
int index
Definition: bloaty/third_party/protobuf/php/ext/google/protobuf/protobuf.h:1184
X509_VERIFY_PARAM_set_depth
#define X509_VERIFY_PARAM_set_depth
Definition: boringssl_prefix_symbols.h:2598
X509_V_ERR_STORE_LOOKUP
#define X509_V_ERR_STORE_LOOKUP
Definition: x509.h:1996
ret
UniquePtr< SSL_SESSION > ret
Definition: ssl_x509.cc:1029
find_issuer
static X509 * find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
Definition: x509_vfy.c:529
check_crl_path
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
Definition: x509_vfy.c:1340
GENERAL_NAME_cmp
OPENSSL_EXPORT int GENERAL_NAME_cmp(const GENERAL_NAME *a, const GENERAL_NAME *b)
sk_X509_value
#define sk_X509_value
Definition: boringssl_prefix_symbols.h:590
CRL_SCORE_ISSUER_NAME
#define CRL_SCORE_ISSUER_NAME
Definition: x509_vfy.c:93
X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
Definition: x509.h:1955
check_crl
static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
Definition: x509_vfy.c:1555
sk_X509_new_null
#define sk_X509_new_null
Definition: boringssl_prefix_symbols.h:586
X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
Definition: x509.h:1932
X509_VERIFY_PARAM_st::depth
int depth
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:224
X509_V_FLAG_EXTENDED_CRL_SUPPORT
#define X509_V_FLAG_EXTENDED_CRL_SUPPORT
Definition: x509.h:2027
xds_manager.num
num
Definition: xds_manager.py:56
ok
bool ok
Definition: async_end2end_test.cc:197
X509_STORE_CTX_get0_parent_ctx
X509_STORE_CTX * X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2152
X509_crl_st::crl_number
ASN1_INTEGER * crl_number
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:209
X509_VERIFY_PARAM_st::peername
char * peername
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:229
X509_STORE_CTX_set_depth
void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
Definition: x509_vfy.c:2400
cert_self_signed
static int cert_self_signed(X509 *x, int *out_is_self_signed)
Definition: x509_vfy.c:152
X509_V_ERR_CERT_REJECTED
#define X509_V_ERR_CERT_REJECTED
Definition: x509.h:1947
X509_V_ERR_CERT_NOT_YET_VALID
#define X509_V_ERR_CERT_NOT_YET_VALID
Definition: x509.h:1928
X509_REVOKED_free
#define X509_REVOKED_free
Definition: boringssl_prefix_symbols.h:2467
asn1_string_st::type
int type
Definition: asn1.h:545
X509_R_UNKNOWN_TRUST_ID
#define X509_R_UNKNOWN_TRUST_ID
Definition: x509.h:2408
obj.h
x509_store_st::lookup_certs
X509_STORE_CTX_lookup_certs_fn lookup_certs
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:291
lookup_cert_match
static X509 * lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
Definition: x509_vfy.c:163
x509_store_st::check_issued
X509_STORE_CTX_check_issued_fn check_issued
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:285
X509_R_CRL_ALREADY_DELTA
#define X509_R_CRL_ALREADY_DELTA
Definition: x509.h:2383
X509_CRL_get0_by_cert
OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
Definition: x509.h:1921
X509_R_NEWER_CRL_NOT_NEWER
#define X509_R_NEWER_CRL_NOT_NEWER
Definition: x509.h:2396
mem.h
get_issuer_sk
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
Definition: x509_vfy.c:561
X509_check_email
#define X509_check_email
Definition: boringssl_prefix_symbols.h:2615
NID_issuing_distribution_point
#define NID_issuing_distribution_point
Definition: nid.h:3405
sk_X509_pop_free
#define sk_X509_pop_free
Definition: boringssl_prefix_symbols.h:588
ISSUING_DIST_POINT_st::distpoint
DIST_POINT_NAME * distpoint
Definition: x509v3.h:335
CRYPTO_set_ex_data
#define CRYPTO_set_ex_data
Definition: boringssl_prefix_symbols.h:1196
get_crl_sk
static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 **pissuer, int *pscore, unsigned int *preasons, STACK_OF(X509_CRL) *crls)
Definition: x509_vfy.c:1059
ASN1_INTEGER_cmp
#define ASN1_INTEGER_cmp
Definition: boringssl_prefix_symbols.h:642
mkowners.depth
depth
Definition: mkowners.py:114
X509_VERIFY_PARAM_free
#define X509_VERIFY_PARAM_free
Definition: boringssl_prefix_symbols.h:2581
X509_STORE_CTX_trusted_stack
void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
Definition: x509_vfy.c:2369
X509_V_ERR_EMAIL_MISMATCH
#define X509_V_ERR_EMAIL_MISMATCH
Definition: x509.h:1990
X509_V_ERR_CRL_PATH_VALIDATION_ERROR
#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR
Definition: x509.h:1978
crypto_ex_data_st
Definition: ex_data.h:194
x509_purpose_st::trust
int trust
Definition: x509v3.h:440
thread.h
X509_VERIFY_PARAM_st::email
char * email
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:230
X509_STORE_CTX_set0_param
void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
Definition: x509_vfy.c:2451
KU_CRL_SIGN
#define KU_CRL_SIGN
Definition: x509v3.h:412
OPENSSL_free
#define OPENSSL_free
Definition: boringssl_prefix_symbols.h:1869
X509_cmp_current_time
int X509_cmp_current_time(const ASN1_TIME *ctm)
Definition: x509_vfy.c:1875
GEN_DIRNAME
#define GEN_DIRNAME
Definition: x509v3.h:178
X509_cmp
#define X509_cmp
Definition: boringssl_prefix_symbols.h:2623
X509_CRL_get_issuer
#define X509_CRL_get_issuer
Definition: boringssl_prefix_symbols.h:2308
X509_R_CRL_VERIFY_FAILURE
#define X509_R_CRL_VERIFY_FAILURE
Definition: x509.h:2384
X509_name_st
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:95
X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS
#define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS
Definition: x509.h:1998
x509_store_ctx_st
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:312
X509_STORE_CTX_get_current_cert
X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2120
X509_CRL_add_ext
#define X509_CRL_add_ext
Definition: boringssl_prefix_symbols.h:2287
X509_STORE_CTX_set_verify_cb
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int(*verify_cb)(int, X509_STORE_CTX *))
Definition: x509_vfy.c:2421
X509_VERIFY_PARAM_st::ip
unsigned char * ip
Definition: third_party/boringssl-with-bazel/src/crypto/x509/internal.h:232
X509_V_ERR_UNABLE_TO_GET_CRL
#define X509_V_ERR_UNABLE_TO_GET_CRL
Definition: x509.h:1922
X509_STORE_CTX_set_purpose
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
Definition: x509_vfy.c:2177
X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
Definition: x509.h:1925
asn1_string_st
Definition: asn1.h:543
cb
OPENSSL_EXPORT pem_password_cb * cb
Definition: pem.h:351
EXFLAG_PROXY
#define EXFLAG_PROXY
Definition: x509v3.h:399
X509_CRL_add0_revoked
OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
X509_V_FLAG_USE_CHECK_TIME
#define X509_V_FLAG_USE_CHECK_TIME
Definition: x509.h:2005
i
uint64_t i
Definition: abseil-cpp/absl/container/btree_benchmark.cc:230
asn1.h
X509_time_adj_ex
ASN1_TIME * X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_tm)
Definition: x509_vfy.c:1955
ERR_R_MALLOC_FAILURE
#define ERR_R_MALLOC_FAILURE
Definition: err.h:371
X509_TRUST_REJECTED
#define X509_TRUST_REJECTED
Definition: x509.h:182
X509_V_FLAG_ALLOW_PROXY_CERTS
#define X509_V_FLAG_ALLOW_PROXY_CERTS
Definition: x509.h:2015
X509_check_purpose
#define X509_check_purpose
Definition: boringssl_prefix_symbols.h:2621
X509_STORE_CTX_get0_cert
X509 * X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
Definition: x509_vfy.c:2416
x509.h
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
Definition: x509.h:1938
X509_V_ERR_INVALID_NON_CA
#define X509_V_ERR_INVALID_NON_CA
Definition: x509.h:1958
X509_check_akid
#define X509_check_akid
Definition: boringssl_prefix_symbols.h:2613
X509_V_FLAG_CHECK_SS_SIGNATURE
#define X509_V_FLAG_CHECK_SS_SIGNATURE
Definition: x509.h:2031

grpc
Author(s):
autogenerated on Fri May 16 2025 03:00:56