x509_vpm.c revision 296465 
1/* x509_vpm.c */
2/*
3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
4 * 2004.
5 */
6/* ====================================================================
7 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 *    notice, this list of conditions and the following disclaimer in
18 *    the documentation and/or other materials provided with the
19 *    distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 *    software must display the following acknowledgment:
23 *    "This product includes software developed by the OpenSSL Project
24 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 *    endorse or promote products derived from this software without
28 *    prior written permission. For written permission, please contact
29 *    licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 *    nor may "OpenSSL" appear in their names without prior written
33 *    permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 *    acknowledgment:
37 *    "This product includes software developed by the OpenSSL Project
38 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com).  This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59
60#include <stdio.h>
61
62#include "cryptlib.h"
63#include <openssl/crypto.h>
64#include <openssl/lhash.h>
65#include <openssl/buffer.h>
66#include <openssl/x509.h>
67#include <openssl/x509v3.h>
68
69/* X509_VERIFY_PARAM functions */
70
71static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
72{
73    if (!param)
74        return;
75    param->name = NULL;
76    param->purpose = 0;
77    param->trust = 0;
78    param->inh_flags = 0;
79    param->flags = 0;
80    param->depth = -1;
81    if (param->policies) {
82        sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
83        param->policies = NULL;
84    }
85}
86
87X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
88{
89    X509_VERIFY_PARAM *param;
90    param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
91    memset(param, 0, sizeof(X509_VERIFY_PARAM));
92    x509_verify_param_zero(param);
93    return param;
94}
95
96void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
97{
98    x509_verify_param_zero(param);
99    OPENSSL_free(param);
100}
101
102/*-
103 * This function determines how parameters are "inherited" from one structure
104 * to another. There are several different ways this can happen.
105 *
106 * 1. If a child structure needs to have its values initialized from a parent
107 *    they are simply copied across. For example SSL_CTX copied to SSL.
108 * 2. If the structure should take on values only if they are currently unset.
109 *    For example the values in an SSL structure will take appropriate value
110 *    for SSL servers or clients but only if the application has not set new
111 *    ones.
112 *
113 * The "inh_flags" field determines how this function behaves.
114 *
115 * Normally any values which are set in the default are not copied from the
116 * destination and verify flags are ORed together.
117 *
118 * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
119 * to the destination. Effectively the values in "to" become default values
120 * which will be used only if nothing new is set in "from".
121 *
122 * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
123 * they are set or not. Flags is still Ored though.
124 *
125 * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
126 * of ORed.
127 *
128 * If X509_VP_FLAG_LOCKED is set then no values are copied.
129 *
130 * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
131 * after the next call.
132 */
133
134/* Macro to test if a field should be copied from src to dest */
135
136#define test_x509_verify_param_copy(field, def) \
137        (to_overwrite || \
138                ((src->field != def) && (to_default || (dest->field == def))))
139
140/* Macro to test and copy a field if necessary */
141
142#define x509_verify_param_copy(field, def) \
143        if (test_x509_verify_param_copy(field, def)) \
144                dest->field = src->field
145
146int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
147                              const X509_VERIFY_PARAM *src)
148{
149    unsigned long inh_flags;
150    int to_default, to_overwrite;
151    if (!src)
152        return 1;
153    inh_flags = dest->inh_flags | src->inh_flags;
154
155    if (inh_flags & X509_VP_FLAG_ONCE)
156        dest->inh_flags = 0;
157
158    if (inh_flags & X509_VP_FLAG_LOCKED)
159        return 1;
160
161    if (inh_flags & X509_VP_FLAG_DEFAULT)
162        to_default = 1;
163    else
164        to_default = 0;
165
166    if (inh_flags & X509_VP_FLAG_OVERWRITE)
167        to_overwrite = 1;
168    else
169        to_overwrite = 0;
170
171    x509_verify_param_copy(purpose, 0);
172    x509_verify_param_copy(trust, 0);
173    x509_verify_param_copy(depth, -1);
174
175    /* If overwrite or check time not set, copy across */
176
177    if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
178        dest->check_time = src->check_time;
179        dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
180        /* Don't need to copy flag: that is done below */
181    }
182
183    if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
184        dest->flags = 0;
185
186    dest->flags |= src->flags;
187
188    if (test_x509_verify_param_copy(policies, NULL)) {
189        if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
190            return 0;
191    }
192
193    return 1;
194}
195
196int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
197                           const X509_VERIFY_PARAM *from)
198{
199    unsigned long save_flags = to->inh_flags;
200    int ret;
201    to->inh_flags |= X509_VP_FLAG_DEFAULT;
202    ret = X509_VERIFY_PARAM_inherit(to, from);
203    to->inh_flags = save_flags;
204    return ret;
205}
206
207int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
208{
209    if (param->name)
210        OPENSSL_free(param->name);
211    param->name = BUF_strdup(name);
212    if (param->name)
213        return 1;
214    return 0;
215}
216
217int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
218{
219    param->flags |= flags;
220    if (flags & X509_V_FLAG_POLICY_MASK)
221        param->flags |= X509_V_FLAG_POLICY_CHECK;
222    return 1;
223}
224
225int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
226                                  unsigned long flags)
227{
228    param->flags &= ~flags;
229    return 1;
230}
231
232unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
233{
234    return param->flags;
235}
236
237int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
238{
239    return X509_PURPOSE_set(&param->purpose, purpose);
240}
241
242int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
243{
244    return X509_TRUST_set(&param->trust, trust);
245}
246
247void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
248{
249    param->depth = depth;
250}
251
252void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
253{
254    param->check_time = t;
255    param->flags |= X509_V_FLAG_USE_CHECK_TIME;
256}
257
258int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
259                                  ASN1_OBJECT *policy)
260{
261    if (!param->policies) {
262        param->policies = sk_ASN1_OBJECT_new_null();
263        if (!param->policies)
264            return 0;
265    }
266    if (!sk_ASN1_OBJECT_push(param->policies, policy))
267        return 0;
268    return 1;
269}
270
271int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
272                                    STACK_OF(ASN1_OBJECT) *policies)
273{
274    int i;
275    ASN1_OBJECT *oid, *doid;
276    if (!param)
277        return 0;
278    if (param->policies)
279        sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
280
281    if (!policies) {
282        param->policies = NULL;
283        return 1;
284    }
285
286    param->policies = sk_ASN1_OBJECT_new_null();
287    if (!param->policies)
288        return 0;
289
290    for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
291        oid = sk_ASN1_OBJECT_value(policies, i);
292        doid = OBJ_dup(oid);
293        if (!doid)
294            return 0;
295        if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
296            ASN1_OBJECT_free(doid);
297            return 0;
298        }
299    }
300    param->flags |= X509_V_FLAG_POLICY_CHECK;
301    return 1;
302}
303
304int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
305{
306    return param->depth;
307}
308
309/*
310 * Default verify parameters: these are used for various applications and can
311 * be overridden by the user specified table. NB: the 'name' field *must* be
312 * in alphabetical order because it will be searched using OBJ_search.
313 */
314
315static const X509_VERIFY_PARAM default_table[] = {
316    {
317     "default",                 /* X509 default parameters */
318     0,                         /* Check time */
319     0,                         /* internal flags */
320     0,                         /* flags */
321     0,                         /* purpose */
322     0,                         /* trust */
323     100,                       /* depth */
324     NULL                       /* policies */
325     },
326    {
327     "pkcs7",                   /* S/MIME signing parameters */
328     0,                         /* Check time */
329     0,                         /* internal flags */
330     0,                         /* flags */
331     X509_PURPOSE_SMIME_SIGN,   /* purpose */
332     X509_TRUST_EMAIL,          /* trust */
333     -1,                        /* depth */
334     NULL                       /* policies */
335     },
336    {
337     "smime_sign",              /* S/MIME signing parameters */
338     0,                         /* Check time */
339     0,                         /* internal flags */
340     0,                         /* flags */
341     X509_PURPOSE_SMIME_SIGN,   /* purpose */
342     X509_TRUST_EMAIL,          /* trust */
343     -1,                        /* depth */
344     NULL                       /* policies */
345     },
346    {
347     "ssl_client",              /* SSL/TLS client parameters */
348     0,                         /* Check time */
349     0,                         /* internal flags */
350     0,                         /* flags */
351     X509_PURPOSE_SSL_CLIENT,   /* purpose */
352     X509_TRUST_SSL_CLIENT,     /* trust */
353     -1,                        /* depth */
354     NULL                       /* policies */
355     },
356    {
357     "ssl_server",              /* SSL/TLS server parameters */
358     0,                         /* Check time */
359     0,                         /* internal flags */
360     0,                         /* flags */
361     X509_PURPOSE_SSL_SERVER,   /* purpose */
362     X509_TRUST_SSL_SERVER,     /* trust */
363     -1,                        /* depth */
364     NULL                       /* policies */
365     }
366};
367
368static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
369
370static int table_cmp(const void *pa, const void *pb)
371{
372    const X509_VERIFY_PARAM *a = pa, *b = pb;
373    return strcmp(a->name, b->name);
374}
375
376static int param_cmp(const X509_VERIFY_PARAM *const *a,
377                     const X509_VERIFY_PARAM *const *b)
378{
379    return strcmp((*a)->name, (*b)->name);
380}
381
382int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
383{
384    int idx;
385    X509_VERIFY_PARAM *ptmp;
386    if (!param_table) {
387        param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
388        if (!param_table)
389            return 0;
390    } else {
391        idx = sk_X509_VERIFY_PARAM_find(param_table, param);
392        if (idx != -1) {
393            ptmp = sk_X509_VERIFY_PARAM_value(param_table, idx);
394            X509_VERIFY_PARAM_free(ptmp);
395            (void)sk_X509_VERIFY_PARAM_delete(param_table, idx);
396        }
397    }
398    if (!sk_X509_VERIFY_PARAM_push(param_table, param))
399        return 0;
400    return 1;
401}
402
403const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
404{
405    int idx;
406    X509_VERIFY_PARAM pm;
407    pm.name = (char *)name;
408    if (param_table) {
409        idx = sk_X509_VERIFY_PARAM_find(param_table, &pm);
410        if (idx != -1)
411            return sk_X509_VERIFY_PARAM_value(param_table, idx);
412    }
413    return (const X509_VERIFY_PARAM *)OBJ_bsearch((char *)&pm,
414                                                  (char *)&default_table,
415                                                  sizeof(default_table) /
416                                                  sizeof(X509_VERIFY_PARAM),
417                                                  sizeof(X509_VERIFY_PARAM),
418                                                  table_cmp);
419}
420
421void X509_VERIFY_PARAM_table_cleanup(void)
422{
423    if (param_table)
424        sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free);
425    param_table = NULL;
426}
427