Branch data Line data Source code
1 : : /* x509_trs.c */
2 : : /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 : : * project 1999.
4 : : */
5 : : /* ====================================================================
6 : : * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7 : : *
8 : : * Redistribution and use in source and binary forms, with or without
9 : : * modification, are permitted provided that the following conditions
10 : : * are met:
11 : : *
12 : : * 1. Redistributions of source code must retain the above copyright
13 : : * notice, this list of conditions and the following disclaimer.
14 : : *
15 : : * 2. Redistributions in binary form must reproduce the above copyright
16 : : * notice, this list of conditions and the following disclaimer in
17 : : * the documentation and/or other materials provided with the
18 : : * distribution.
19 : : *
20 : : * 3. All advertising materials mentioning features or use of this
21 : : * software must display the following acknowledgment:
22 : : * "This product includes software developed by the OpenSSL Project
23 : : * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 : : *
25 : : * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 : : * endorse or promote products derived from this software without
27 : : * prior written permission. For written permission, please contact
28 : : * licensing@OpenSSL.org.
29 : : *
30 : : * 5. Products derived from this software may not be called "OpenSSL"
31 : : * nor may "OpenSSL" appear in their names without prior written
32 : : * permission of the OpenSSL Project.
33 : : *
34 : : * 6. Redistributions of any form whatsoever must retain the following
35 : : * acknowledgment:
36 : : * "This product includes software developed by the OpenSSL Project
37 : : * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 : : *
39 : : * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 : : * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 : : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 : : * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 : : * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 : : * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 : : * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 : : * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 : : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 : : * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 : : * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 : : * OF THE POSSIBILITY OF SUCH DAMAGE.
51 : : * ====================================================================
52 : : *
53 : : * This product includes cryptographic software written by Eric Young
54 : : * (eay@cryptsoft.com). This product includes software written by Tim
55 : : * Hudson (tjh@cryptsoft.com).
56 : : *
57 : : */
58 : :
59 : : #include <stdio.h>
60 : : #include "cryptlib.h"
61 : : #include <openssl/x509v3.h>
62 : :
63 : :
64 : : static int tr_cmp(const X509_TRUST * const *a,
65 : : const X509_TRUST * const *b);
66 : : static void trtable_free(X509_TRUST *p);
67 : :
68 : : static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
69 : : static int trust_1oid(X509_TRUST *trust, X509 *x, int flags);
70 : : static int trust_compat(X509_TRUST *trust, X509 *x, int flags);
71 : :
72 : : static int obj_trust(int id, X509 *x, int flags);
73 : : static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
74 : :
75 : : /* WARNING: the following table should be kept in order of trust
76 : : * and without any gaps so we can just subtract the minimum trust
77 : : * value to get an index into the table
78 : : */
79 : :
80 : : static X509_TRUST trstandard[] = {
81 : : {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
82 : : {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
83 : : {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
84 : : {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
85 : : {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
86 : : {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
87 : : {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
88 : : {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
89 : : };
90 : :
91 : : #define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST))
92 : :
93 : : IMPLEMENT_STACK_OF(X509_TRUST)
94 : :
95 : : static STACK_OF(X509_TRUST) *trtable = NULL;
96 : :
97 : 0 : static int tr_cmp(const X509_TRUST * const *a,
98 : : const X509_TRUST * const *b)
99 : : {
100 : 0 : return (*a)->trust - (*b)->trust;
101 : : }
102 : :
103 : 0 : int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
104 : : {
105 : : int (*oldtrust)(int , X509 *, int);
106 : 0 : oldtrust = default_trust;
107 : 0 : default_trust = trust;
108 : 0 : return oldtrust;
109 : : }
110 : :
111 : :
112 : 1198 : int X509_check_trust(X509 *x, int id, int flags)
113 : : {
114 : : X509_TRUST *pt;
115 : : int idx;
116 [ + - ]: 1198 : if(id == -1) return 1;
117 : : /* We get this as a default value */
118 [ + + ]: 1198 : if (id == 0)
119 : : {
120 : : int rv;
121 : 559 : rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
122 [ + - ]: 559 : if (rv != X509_TRUST_UNTRUSTED)
123 : : return rv;
124 : 559 : return trust_compat(NULL, x, 0);
125 : : }
126 : 639 : idx = X509_TRUST_get_by_id(id);
127 [ + + ]: 639 : if(idx == -1) return default_trust(id, x, flags);
128 : 636 : pt = X509_TRUST_get0(idx);
129 : 636 : return pt->check_trust(pt, x, flags);
130 : : }
131 : :
132 : 0 : int X509_TRUST_get_count(void)
133 : : {
134 [ # # ]: 0 : if(!trtable) return X509_TRUST_COUNT;
135 : 0 : return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
136 : : }
137 : :
138 : 636 : X509_TRUST * X509_TRUST_get0(int idx)
139 : : {
140 [ + - ]: 636 : if(idx < 0) return NULL;
141 [ + - ]: 636 : if(idx < (int)X509_TRUST_COUNT) return trstandard + idx;
142 : 0 : return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
143 : : }
144 : :
145 : 672 : int X509_TRUST_get_by_id(int id)
146 : : {
147 : : X509_TRUST tmp;
148 : : int idx;
149 [ + + ]: 672 : if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
150 : 669 : return id - X509_TRUST_MIN;
151 : 3 : tmp.trust = id;
152 [ - + ]: 3 : if(!trtable) return -1;
153 : 0 : idx = sk_X509_TRUST_find(trtable, &tmp);
154 [ # # ]: 0 : if(idx == -1) return -1;
155 : 0 : return idx + X509_TRUST_COUNT;
156 : : }
157 : :
158 : 0 : int X509_TRUST_set(int *t, int trust)
159 : : {
160 [ # # ]: 0 : if(X509_TRUST_get_by_id(trust) == -1) {
161 : 0 : X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
162 : 0 : return 0;
163 : : }
164 : 0 : *t = trust;
165 : 0 : return 1;
166 : : }
167 : :
168 : 0 : int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
169 : : char *name, int arg1, void *arg2)
170 : : {
171 : : int idx;
172 : : X509_TRUST *trtmp;
173 : : /* This is set according to what we change: application can't set it */
174 : 0 : flags &= ~X509_TRUST_DYNAMIC;
175 : : /* This will always be set for application modified trust entries */
176 : 0 : flags |= X509_TRUST_DYNAMIC_NAME;
177 : : /* Get existing entry if any */
178 : 0 : idx = X509_TRUST_get_by_id(id);
179 : : /* Need a new entry */
180 [ # # ]: 0 : if(idx == -1) {
181 [ # # ]: 0 : if(!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) {
182 : 0 : X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
183 : 0 : return 0;
184 : : }
185 : 0 : trtmp->flags = X509_TRUST_DYNAMIC;
186 : 0 : } else trtmp = X509_TRUST_get0(idx);
187 : :
188 : : /* OPENSSL_free existing name if dynamic */
189 [ # # ]: 0 : if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) OPENSSL_free(trtmp->name);
190 : : /* dup supplied name */
191 [ # # ]: 0 : if(!(trtmp->name = BUF_strdup(name))) {
192 : 0 : X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
193 : 0 : return 0;
194 : : }
195 : : /* Keep the dynamic flag of existing entry */
196 : 0 : trtmp->flags &= X509_TRUST_DYNAMIC;
197 : : /* Set all other flags */
198 : 0 : trtmp->flags |= flags;
199 : :
200 : 0 : trtmp->trust = id;
201 : 0 : trtmp->check_trust = ck;
202 : 0 : trtmp->arg1 = arg1;
203 : 0 : trtmp->arg2 = arg2;
204 : :
205 : : /* If its a new entry manage the dynamic table */
206 [ # # ]: 0 : if(idx == -1) {
207 [ # # ][ # # ]: 0 : if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
208 : 0 : X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
209 : 0 : return 0;
210 : : }
211 [ # # ]: 0 : if (!sk_X509_TRUST_push(trtable, trtmp)) {
212 : 0 : X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
213 : 0 : return 0;
214 : : }
215 : : }
216 : : return 1;
217 : : }
218 : :
219 : 0 : static void trtable_free(X509_TRUST *p)
220 : : {
221 [ # # ]: 0 : if(!p) return;
222 [ # # ]: 0 : if (p->flags & X509_TRUST_DYNAMIC)
223 : : {
224 [ # # ]: 0 : if (p->flags & X509_TRUST_DYNAMIC_NAME)
225 : 0 : OPENSSL_free(p->name);
226 : 0 : OPENSSL_free(p);
227 : : }
228 : : }
229 : :
230 : 0 : void X509_TRUST_cleanup(void)
231 : : {
232 : : unsigned int i;
233 [ # # ]: 0 : for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
234 : 0 : sk_X509_TRUST_pop_free(trtable, trtable_free);
235 : 0 : trtable = NULL;
236 : 0 : }
237 : :
238 : 0 : int X509_TRUST_get_flags(X509_TRUST *xp)
239 : : {
240 : 0 : return xp->flags;
241 : : }
242 : :
243 : 0 : char *X509_TRUST_get0_name(X509_TRUST *xp)
244 : : {
245 : 0 : return xp->name;
246 : : }
247 : :
248 : 0 : int X509_TRUST_get_trust(X509_TRUST *xp)
249 : : {
250 : 0 : return xp->trust;
251 : : }
252 : :
253 : 620 : static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
254 : : {
255 [ - + ][ # # ]: 620 : if(x->aux && (x->aux->trust || x->aux->reject))
[ # # ]
256 : 0 : return obj_trust(trust->arg1, x, flags);
257 : : /* we don't have any trust settings: for compatibility
258 : : * we return trusted if it is self signed
259 : : */
260 : 620 : return trust_compat(trust, x, flags);
261 : : }
262 : :
263 : 0 : static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
264 : : {
265 [ # # ]: 0 : if(x->aux) return obj_trust(trust->arg1, x, flags);
266 : : return X509_TRUST_UNTRUSTED;
267 : : }
268 : :
269 : 1195 : static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
270 : : {
271 : 1195 : X509_check_purpose(x, -1, 0);
272 [ + + ]: 1195 : if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED;
273 : 486 : else return X509_TRUST_UNTRUSTED;
274 : : }
275 : :
276 : 562 : static int obj_trust(int id, X509 *x, int flags)
277 : : {
278 : : ASN1_OBJECT *obj;
279 : : int i;
280 : : X509_CERT_AUX *ax;
281 : 562 : ax = x->aux;
282 [ - + ]: 562 : if(!ax) return X509_TRUST_UNTRUSTED;
283 [ # # ]: 0 : if(ax->reject) {
284 [ # # ]: 0 : for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
285 : 0 : obj = sk_ASN1_OBJECT_value(ax->reject, i);
286 [ # # ]: 0 : if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED;
287 : : }
288 : : }
289 [ # # ]: 0 : if(ax->trust) {
290 [ # # ]: 0 : for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
291 : 0 : obj = sk_ASN1_OBJECT_value(ax->trust, i);
292 [ # # ]: 0 : if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED;
293 : : }
294 : : }
295 : : return X509_TRUST_UNTRUSTED;
296 : : }
297 : :
|
