1/* 2 * Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdio.h> 11 12#include "internal/cryptlib.h" 13#include <openssl/crypto.h> 14#include <openssl/buffer.h> 15#include <openssl/x509.h> 16#include <openssl/x509v3.h> 17#include "crypto/x509.h" 18 19#include "x509_local.h" 20 21/* X509_VERIFY_PARAM functions */ 22 23#define SET_HOST 0 24#define ADD_HOST 1 25 26static char *str_copy(const char *s) 27{ 28 return OPENSSL_strdup(s); 29} 30 31static void str_free(char *s) 32{ 33 OPENSSL_free(s); 34} 35 36static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode, 37 const char *name, size_t namelen) 38{ 39 char *copy; 40 41 /* 42 * Refuse names with embedded NUL bytes, except perhaps as final byte. 43 * XXX: Do we need to push an error onto the error stack? 44 */ 45 if (namelen == 0 || name == NULL) 46 namelen = name ? strlen(name) : 0; 47 else if (name != NULL 48 && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen) != NULL) 49 return 0; 50 if (namelen > 0 && name[namelen - 1] == '\0') 51 --namelen; 52 53 if (mode == SET_HOST) { 54 sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free); 55 vpm->hosts = NULL; 56 } 57 if (name == NULL || namelen == 0) 58 return 1; 59 60 copy = OPENSSL_strndup(name, namelen); 61 if (copy == NULL) 62 return 0; 63 64 if (vpm->hosts == NULL && 65 (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) { 66 OPENSSL_free(copy); 67 return 0; 68 } 69 70 if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) { 71 OPENSSL_free(copy); 72 if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) { 73 sk_OPENSSL_STRING_free(vpm->hosts); 74 vpm->hosts = NULL; 75 } 76 return 0; 77 } 78 79 return 1; 80} 81 82X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) 83{ 84 X509_VERIFY_PARAM *param; 85 86 param = OPENSSL_zalloc(sizeof(*param)); 87 if (param == NULL) { 88 ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); 89 return NULL; 90 } 91 param->trust = X509_TRUST_DEFAULT; 92 /* param->inh_flags = X509_VP_FLAG_DEFAULT; */ 93 param->depth = -1; 94 param->auth_level = -1; /* -1 means unset, 0 is explicit */ 95 return param; 96} 97 98void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) 99{ 100 if (param == NULL) 101 return; 102 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); 103 sk_OPENSSL_STRING_pop_free(param->hosts, str_free); 104 OPENSSL_free(param->peername); 105 OPENSSL_free(param->email); 106 OPENSSL_free(param->ip); 107 OPENSSL_free(param); 108} 109 110/*- 111 * This function determines how parameters are "inherited" from one structure 112 * to another. There are several different ways this can happen. 113 * 114 * 1. If a child structure needs to have its values initialized from a parent 115 * they are simply copied across. For example SSL_CTX copied to SSL. 116 * 2. If the structure should take on values only if they are currently unset. 117 * For example the values in an SSL structure will take appropriate value 118 * for SSL servers or clients but only if the application has not set new 119 * ones. 120 * 121 * The "inh_flags" field determines how this function behaves. 122 * 123 * Normally any values which are set in the default are not copied from the 124 * destination and verify flags are ORed together. 125 * 126 * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied 127 * to the destination. Effectively the values in "to" become default values 128 * which will be used only if nothing new is set in "from". 129 * 130 * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether 131 * they are set or not. Flags is still Ored though. 132 * 133 * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead 134 * of ORed. 135 * 136 * If X509_VP_FLAG_LOCKED is set then no values are copied. 137 * 138 * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed 139 * after the next call. 140 */ 141 142/* Macro to test if a field should be copied from src to dest */ 143 144#define test_x509_verify_param_copy(field, def) \ 145 (to_overwrite || (src->field != def && (to_default || dest->field == def))) 146 147/* Macro to test and copy a field if necessary */ 148 149#define x509_verify_param_copy(field, def) \ 150 if (test_x509_verify_param_copy(field, def)) \ 151 dest->field = src->field; 152 153int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, 154 const X509_VERIFY_PARAM *src) 155{ 156 unsigned long inh_flags; 157 int to_default, to_overwrite; 158 159 if (src == NULL) 160 return 1; 161 inh_flags = dest->inh_flags | src->inh_flags; 162 163 if ((inh_flags & X509_VP_FLAG_ONCE) != 0) 164 dest->inh_flags = 0; 165 166 if ((inh_flags & X509_VP_FLAG_LOCKED) != 0) 167 return 1; 168 169 to_default = (inh_flags & X509_VP_FLAG_DEFAULT) != 0; 170 to_overwrite = (inh_flags & X509_VP_FLAG_OVERWRITE) != 0; 171 172 x509_verify_param_copy(purpose, 0); 173 x509_verify_param_copy(trust, X509_TRUST_DEFAULT); 174 x509_verify_param_copy(depth, -1); 175 x509_verify_param_copy(auth_level, -1); 176 177 /* If overwrite or check time not set, copy across */ 178 179 if (to_overwrite || (dest->flags & X509_V_FLAG_USE_CHECK_TIME) == 0) { 180 dest->check_time = src->check_time; 181 dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME; 182 /* Don't need to copy flag: that is done below */ 183 } 184 185 if ((inh_flags & X509_VP_FLAG_RESET_FLAGS) != 0) 186 dest->flags = 0; 187 188 dest->flags |= src->flags; 189 190 if (test_x509_verify_param_copy(policies, NULL)) { 191 if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies)) 192 return 0; 193 } 194 195 x509_verify_param_copy(hostflags, 0); 196 197 if (test_x509_verify_param_copy(hosts, NULL)) { 198 sk_OPENSSL_STRING_pop_free(dest->hosts, str_free); 199 dest->hosts = NULL; 200 if (src->hosts != NULL) { 201 dest->hosts = 202 sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free); 203 if (dest->hosts == NULL) 204 return 0; 205 } 206 } 207 208 if (test_x509_verify_param_copy(email, NULL)) { 209 if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen)) 210 return 0; 211 } 212 213 if (test_x509_verify_param_copy(ip, NULL)) { 214 if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen)) 215 return 0; 216 } 217 218 return 1; 219} 220 221int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, 222 const X509_VERIFY_PARAM *from) 223{ 224 unsigned long save_flags; 225 int ret; 226 227 if (to == NULL) { 228 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 229 return 0; 230 } 231 save_flags = to->inh_flags; 232 to->inh_flags |= X509_VP_FLAG_DEFAULT; 233 ret = X509_VERIFY_PARAM_inherit(to, from); 234 to->inh_flags = save_flags; 235 return ret; 236} 237 238static int int_x509_param_set1(char **pdest, size_t *pdestlen, 239 const char *src, size_t srclen) 240{ 241 char *tmp; 242 243 if (src != NULL) { 244 if (srclen == 0) 245 srclen = strlen(src); 246 247 tmp = OPENSSL_malloc(srclen + 1); 248 if (tmp == NULL) 249 return 0; 250 memcpy(tmp, src, srclen); 251 tmp[srclen] = '\0'; /* enforce NUL termination */ 252 } else { 253 tmp = NULL; 254 srclen = 0; 255 } 256 OPENSSL_free(*pdest); 257 *pdest = tmp; 258 if (pdestlen != NULL) 259 *pdestlen = srclen; 260 return 1; 261} 262 263int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) 264{ 265 OPENSSL_free(param->name); 266 param->name = OPENSSL_strdup(name); 267 return param->name != NULL; 268} 269 270int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) 271{ 272 param->flags |= flags; 273 if ((flags & X509_V_FLAG_POLICY_MASK) != 0) 274 param->flags |= X509_V_FLAG_POLICY_CHECK; 275 return 1; 276} 277 278int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, 279 unsigned long flags) 280{ 281 param->flags &= ~flags; 282 return 1; 283} 284 285unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param) 286{ 287 return param->flags; 288} 289 290uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param) 291{ 292 return param->inh_flags; 293} 294 295int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags) 296{ 297 param->inh_flags = flags; 298 return 1; 299} 300 301int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) 302{ 303 return X509_PURPOSE_set(¶m->purpose, purpose); 304} 305 306int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) 307{ 308 return X509_TRUST_set(¶m->trust, trust); 309} 310 311void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) 312{ 313 param->depth = depth; 314} 315 316void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level) 317{ 318 param->auth_level = auth_level; 319} 320 321time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param) 322{ 323 return param->check_time; 324} 325 326void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) 327{ 328 param->check_time = t; 329 param->flags |= X509_V_FLAG_USE_CHECK_TIME; 330} 331 332int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, 333 ASN1_OBJECT *policy) 334{ 335 if (param->policies == NULL) { 336 param->policies = sk_ASN1_OBJECT_new_null(); 337 if (param->policies == NULL) 338 return 0; 339 } 340 return sk_ASN1_OBJECT_push(param->policies, policy); 341} 342 343int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 344 STACK_OF(ASN1_OBJECT) *policies) 345{ 346 int i; 347 ASN1_OBJECT *oid, *doid; 348 349 if (param == NULL) { 350 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 351 return 0; 352 } 353 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); 354 355 if (policies == NULL) { 356 param->policies = NULL; 357 return 1; 358 } 359 360 param->policies = sk_ASN1_OBJECT_new_null(); 361 if (param->policies == NULL) 362 return 0; 363 364 for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) { 365 oid = sk_ASN1_OBJECT_value(policies, i); 366 doid = OBJ_dup(oid); 367 if (doid == NULL) 368 return 0; 369 if (!sk_ASN1_OBJECT_push(param->policies, doid)) { 370 ASN1_OBJECT_free(doid); 371 return 0; 372 } 373 } 374 param->flags |= X509_V_FLAG_POLICY_CHECK; 375 return 1; 376} 377 378char *X509_VERIFY_PARAM_get0_host(X509_VERIFY_PARAM *param, int idx) 379{ 380 return sk_OPENSSL_STRING_value(param->hosts, idx); 381} 382 383int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, 384 const char *name, size_t namelen) 385{ 386 return int_x509_param_set_hosts(param, SET_HOST, name, namelen); 387} 388 389int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, 390 const char *name, size_t namelen) 391{ 392 return int_x509_param_set_hosts(param, ADD_HOST, name, namelen); 393} 394 395void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, 396 unsigned int flags) 397{ 398 param->hostflags = flags; 399} 400 401unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param) 402{ 403 return param->hostflags; 404} 405 406char *X509_VERIFY_PARAM_get0_peername(const X509_VERIFY_PARAM *param) 407{ 408 return param->peername; 409} 410 411/* 412 * Move peername from one param structure to another, freeing any name present 413 * at the target. If the source is a NULL parameter structure, free and zero 414 * the target peername. 415 */ 416void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *to, 417 X509_VERIFY_PARAM *from) 418{ 419 char *peername = (from != NULL) ? from->peername : NULL; 420 421 if (to->peername != peername) { 422 OPENSSL_free(to->peername); 423 to->peername = peername; 424 } 425 if (from != NULL) 426 from->peername = NULL; 427} 428 429char *X509_VERIFY_PARAM_get0_email(X509_VERIFY_PARAM *param) 430{ 431 return param->email; 432} 433 434int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, 435 const char *email, size_t emaillen) 436{ 437 return int_x509_param_set1(¶m->email, ¶m->emaillen, 438 email, emaillen); 439} 440 441static unsigned char 442*int_X509_VERIFY_PARAM_get0_ip(X509_VERIFY_PARAM *param, size_t *plen) 443{ 444 if (param == NULL || param->ip == NULL) { 445 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 446 return NULL; 447 } 448 if (plen != NULL) 449 *plen = param->iplen; 450 return param->ip; 451} 452 453char *X509_VERIFY_PARAM_get1_ip_asc(X509_VERIFY_PARAM *param) 454{ 455 size_t iplen; 456 unsigned char *ip = int_X509_VERIFY_PARAM_get0_ip(param, &iplen); 457 458 return ip == NULL ? NULL : ossl_ipaddr_to_asc(ip, iplen); 459} 460 461int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, 462 const unsigned char *ip, size_t iplen) 463{ 464 if (iplen != 0 && iplen != 4 && iplen != 16) { 465 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT); 466 return 0; 467 } 468 return int_x509_param_set1((char **)¶m->ip, ¶m->iplen, 469 (char *)ip, iplen); 470} 471 472int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc) 473{ 474 unsigned char ipout[16]; 475 size_t iplen = (size_t)ossl_a2i_ipadd(ipout, ipasc); 476 477 if (iplen == 0) 478 return 0; 479 return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen); 480} 481 482int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) 483{ 484 return param->depth; 485} 486 487int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param) 488{ 489 return param->auth_level; 490} 491 492const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param) 493{ 494 return param->name; 495} 496 497#define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0 498 499/* 500 * Default verify parameters: these are used for various applications and can 501 * be overridden by the user specified table. NB: the 'name' field *must* be 502 * in alphabetical order because it will be searched using OBJ_search. 503 */ 504 505static const X509_VERIFY_PARAM default_table[] = { 506 { 507 "default", /* X509 default parameters */ 508 0, /* check time to use */ 509 0, /* inheritance flags */ 510 X509_V_FLAG_TRUSTED_FIRST, /* flags */ 511 0, /* purpose */ 512 0, /* trust */ 513 100, /* depth */ 514 -1, /* auth_level */ 515 NULL, /* policies */ 516 vpm_empty_id}, 517 { 518 "pkcs7", /* S/MIME sign parameters */ 519 0, /* check time to use */ 520 0, /* inheritance flags */ 521 0, /* flags */ 522 X509_PURPOSE_SMIME_SIGN, /* purpose */ 523 X509_TRUST_EMAIL, /* trust */ 524 -1, /* depth */ 525 -1, /* auth_level */ 526 NULL, /* policies */ 527 vpm_empty_id}, 528 { 529 "smime_sign", /* S/MIME sign parameters */ 530 0, /* check time to use */ 531 0, /* inheritance flags */ 532 0, /* flags */ 533 X509_PURPOSE_SMIME_SIGN, /* purpose */ 534 X509_TRUST_EMAIL, /* trust */ 535 -1, /* depth */ 536 -1, /* auth_level */ 537 NULL, /* policies */ 538 vpm_empty_id}, 539 { 540 "ssl_client", /* SSL/TLS client parameters */ 541 0, /* check time to use */ 542 0, /* inheritance flags */ 543 0, /* flags */ 544 X509_PURPOSE_SSL_CLIENT, /* purpose */ 545 X509_TRUST_SSL_CLIENT, /* trust */ 546 -1, /* depth */ 547 -1, /* auth_level */ 548 NULL, /* policies */ 549 vpm_empty_id}, 550 { 551 "ssl_server", /* SSL/TLS server parameters */ 552 0, /* check time to use */ 553 0, /* inheritance flags */ 554 0, /* flags */ 555 X509_PURPOSE_SSL_SERVER, /* purpose */ 556 X509_TRUST_SSL_SERVER, /* trust */ 557 -1, /* depth */ 558 -1, /* auth_level */ 559 NULL, /* policies */ 560 vpm_empty_id} 561}; 562 563static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL; 564 565static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) 566{ 567 return strcmp(a->name, b->name); 568} 569 570DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table); 571IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table); 572 573static int param_cmp(const X509_VERIFY_PARAM *const *a, 574 const X509_VERIFY_PARAM *const *b) 575{ 576 return strcmp((*a)->name, (*b)->name); 577} 578 579int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) 580{ 581 int idx; 582 X509_VERIFY_PARAM *ptmp; 583 584 if (param_table == NULL) { 585 param_table = sk_X509_VERIFY_PARAM_new(param_cmp); 586 if (param_table == NULL) 587 return 0; 588 } else { 589 idx = sk_X509_VERIFY_PARAM_find(param_table, param); 590 if (idx >= 0) { 591 ptmp = sk_X509_VERIFY_PARAM_delete(param_table, idx); 592 X509_VERIFY_PARAM_free(ptmp); 593 } 594 } 595 return sk_X509_VERIFY_PARAM_push(param_table, param); 596} 597 598int X509_VERIFY_PARAM_get_count(void) 599{ 600 int num = OSSL_NELEM(default_table); 601 602 if (param_table != NULL) 603 num += sk_X509_VERIFY_PARAM_num(param_table); 604 return num; 605} 606 607const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id) 608{ 609 int num = OSSL_NELEM(default_table); 610 611 if (id < num) 612 return default_table + id; 613 return sk_X509_VERIFY_PARAM_value(param_table, id - num); 614} 615 616const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) 617{ 618 int idx; 619 X509_VERIFY_PARAM pm; 620 621 pm.name = (char *)name; 622 if (param_table != NULL) { 623 idx = sk_X509_VERIFY_PARAM_find(param_table, &pm); 624 if (idx >= 0) 625 return sk_X509_VERIFY_PARAM_value(param_table, idx); 626 } 627 return OBJ_bsearch_table(&pm, default_table, OSSL_NELEM(default_table)); 628} 629 630void X509_VERIFY_PARAM_table_cleanup(void) 631{ 632 sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free); 633 param_table = NULL; 634} 635