1/* 2 * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdio.h> 11 12#include "internal/cryptlib.h" 13#include <openssl/crypto.h> 14#include <openssl/buffer.h> 15#include <openssl/x509.h> 16#include <openssl/x509v3.h> 17#include "crypto/x509.h" 18 19#include "x509_local.h" 20 21/* X509_VERIFY_PARAM functions */ 22 23#define SET_HOST 0 24#define ADD_HOST 1 25 26static char *str_copy(const char *s) 27{ 28 return OPENSSL_strdup(s); 29} 30 31static void str_free(char *s) 32{ 33 OPENSSL_free(s); 34} 35 36static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode, 37 const char *name, size_t namelen) 38{ 39 char *copy; 40 41 /* 42 * Refuse names with embedded NUL bytes, except perhaps as final byte. 43 * XXX: Do we need to push an error onto the error stack? 44 */ 45 if (namelen == 0 || name == NULL) 46 namelen = name ? strlen(name) : 0; 47 else if (name != NULL 48 && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen) != NULL) 49 return 0; 50 if (namelen > 0 && name[namelen - 1] == '\0') 51 --namelen; 52 53 if (mode == SET_HOST) { 54 sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free); 55 vpm->hosts = NULL; 56 } 57 if (name == NULL || namelen == 0) 58 return 1; 59 60 copy = OPENSSL_strndup(name, namelen); 61 if (copy == NULL) 62 return 0; 63 64 if (vpm->hosts == NULL && 65 (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) { 66 OPENSSL_free(copy); 67 return 0; 68 } 69 70 if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) { 71 OPENSSL_free(copy); 72 if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) { 73 sk_OPENSSL_STRING_free(vpm->hosts); 74 vpm->hosts = NULL; 75 } 76 return 0; 77 } 78 79 return 1; 80} 81 82X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) 83{ 84 X509_VERIFY_PARAM *param; 85 86 param = OPENSSL_zalloc(sizeof(*param)); 87 if (param == NULL) { 88 ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); 89 return NULL; 90 } 91 param->trust = X509_TRUST_DEFAULT; 92 /* param->inh_flags = X509_VP_FLAG_DEFAULT; */ 93 param->depth = -1; 94 param->auth_level = -1; /* -1 means unset, 0 is explicit */ 95 return param; 96} 97 98void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) 99{ 100 if (param == NULL) 101 return; 102 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); 103 sk_OPENSSL_STRING_pop_free(param->hosts, str_free); 104 OPENSSL_free(param->peername); 105 OPENSSL_free(param->email); 106 OPENSSL_free(param->ip); 107 OPENSSL_free(param); 108} 109 110/*- 111 * This function determines how parameters are "inherited" from one structure 112 * to another. There are several different ways this can happen. 113 * 114 * 1. If a child structure needs to have its values initialized from a parent 115 * they are simply copied across. For example SSL_CTX copied to SSL. 116 * 2. If the structure should take on values only if they are currently unset. 117 * For example the values in an SSL structure will take appropriate value 118 * for SSL servers or clients but only if the application has not set new 119 * ones. 120 * 121 * The "inh_flags" field determines how this function behaves. 122 * 123 * Normally any values which are set in the default are not copied from the 124 * destination and verify flags are ORed together. 125 * 126 * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied 127 * to the destination. Effectively the values in "to" become default values 128 * which will be used only if nothing new is set in "from". 129 * 130 * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether 131 * they are set or not. Flags is still Ored though. 132 * 133 * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead 134 * of ORed. 135 * 136 * If X509_VP_FLAG_LOCKED is set then no values are copied. 137 * 138 * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed 139 * after the next call. 140 */ 141 142/* Macro to test if a field should be copied from src to dest */ 143 144#define test_x509_verify_param_copy(field, def) \ 145 (to_overwrite || (src->field != def && (to_default || dest->field == def))) 146 147/* Macro to test and copy a field if necessary */ 148 149#define x509_verify_param_copy(field, def) \ 150 if (test_x509_verify_param_copy(field, def)) \ 151 dest->field = src->field; 152 153int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, 154 const X509_VERIFY_PARAM *src) 155{ 156 unsigned long inh_flags; 157 int to_default, to_overwrite; 158 159 if (src == NULL) 160 return 1; 161 inh_flags = dest->inh_flags | src->inh_flags; 162 163 if ((inh_flags & X509_VP_FLAG_ONCE) != 0) 164 dest->inh_flags = 0; 165 166 if ((inh_flags & X509_VP_FLAG_LOCKED) != 0) 167 return 1; 168 169 to_default = (inh_flags & X509_VP_FLAG_DEFAULT) != 0; 170 to_overwrite = (inh_flags & X509_VP_FLAG_OVERWRITE) != 0; 171 172 x509_verify_param_copy(purpose, 0); 173 x509_verify_param_copy(trust, X509_TRUST_DEFAULT); 174 x509_verify_param_copy(depth, -1); 175 x509_verify_param_copy(auth_level, -1); 176 177 /* If overwrite or check time not set, copy across */ 178 179 if (to_overwrite || (dest->flags & X509_V_FLAG_USE_CHECK_TIME) == 0) { 180 dest->check_time = src->check_time; 181 dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME; 182 /* Don't need to copy flag: that is done below */ 183 } 184 185 if ((inh_flags & X509_VP_FLAG_RESET_FLAGS) != 0) 186 dest->flags = 0; 187 188 dest->flags |= src->flags; 189 190 if (test_x509_verify_param_copy(policies, NULL)) { 191 if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies)) 192 return 0; 193 } 194 195 x509_verify_param_copy(hostflags, 0); 196 197 if (test_x509_verify_param_copy(hosts, NULL)) { 198 sk_OPENSSL_STRING_pop_free(dest->hosts, str_free); 199 dest->hosts = NULL; 200 if (src->hosts != NULL) { 201 dest->hosts = 202 sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free); 203 if (dest->hosts == NULL) 204 return 0; 205 } 206 } 207 208 if (test_x509_verify_param_copy(email, NULL)) { 209 if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen)) 210 return 0; 211 } 212 213 if (test_x509_verify_param_copy(ip, NULL)) { 214 if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen)) 215 return 0; 216 } 217 218 return 1; 219} 220 221int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, 222 const X509_VERIFY_PARAM *from) 223{ 224 unsigned long save_flags; 225 int ret; 226 227 if (to == NULL) { 228 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 229 return 0; 230 } 231 save_flags = to->inh_flags; 232 to->inh_flags |= X509_VP_FLAG_DEFAULT; 233 ret = X509_VERIFY_PARAM_inherit(to, from); 234 to->inh_flags = save_flags; 235 return ret; 236} 237 238static int int_x509_param_set1(char **pdest, size_t *pdestlen, 239 const char *src, size_t srclen) 240{ 241 char *tmp; 242 243 if (src != NULL) { 244 if (srclen == 0) 245 srclen = strlen(src); 246 247 tmp = OPENSSL_malloc(srclen + 1); 248 if (tmp == NULL) 249 return 0; 250 memcpy(tmp, src, srclen); 251 tmp[srclen] = '\0'; /* enforce NUL termination */ 252 } else { 253 tmp = NULL; 254 srclen = 0; 255 } 256 OPENSSL_free(*pdest); 257 *pdest = tmp; 258 if (pdestlen != NULL) 259 *pdestlen = srclen; 260 return 1; 261} 262 263int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) 264{ 265 OPENSSL_free(param->name); 266 param->name = OPENSSL_strdup(name); 267 return param->name != NULL; 268} 269 270int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) 271{ 272 param->flags |= flags; 273 if ((flags & X509_V_FLAG_POLICY_MASK) != 0) 274 param->flags |= X509_V_FLAG_POLICY_CHECK; 275 return 1; 276} 277 278int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, 279 unsigned long flags) 280{ 281 param->flags &= ~flags; 282 return 1; 283} 284 285unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param) 286{ 287 return param->flags; 288} 289 290uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param) 291{ 292 return param->inh_flags; 293} 294 295int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags) 296{ 297 param->inh_flags = flags; 298 return 1; 299} 300 301int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) 302{ 303 return X509_PURPOSE_set(¶m->purpose, purpose); 304} 305 306int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) 307{ 308 return X509_TRUST_set(¶m->trust, trust); 309} 310 311void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) 312{ 313 param->depth = depth; 314} 315 316void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level) 317{ 318 param->auth_level = auth_level; 319} 320 321time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param) 322{ 323 return param->check_time; 324} 325 326void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) 327{ 328 param->check_time = t; 329 param->flags |= X509_V_FLAG_USE_CHECK_TIME; 330} 331 332int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, 333 ASN1_OBJECT *policy) 334{ 335 if (param->policies == NULL) { 336 param->policies = sk_ASN1_OBJECT_new_null(); 337 if (param->policies == NULL) 338 return 0; 339 } 340 341 if (sk_ASN1_OBJECT_push(param->policies, policy) <= 0) 342 return 0; 343 return 1; 344} 345 346int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 347 STACK_OF(ASN1_OBJECT) *policies) 348{ 349 int i; 350 ASN1_OBJECT *oid, *doid; 351 352 if (param == NULL) { 353 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 354 return 0; 355 } 356 sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); 357 358 if (policies == NULL) { 359 param->policies = NULL; 360 return 1; 361 } 362 363 param->policies = sk_ASN1_OBJECT_new_null(); 364 if (param->policies == NULL) 365 return 0; 366 367 for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) { 368 oid = sk_ASN1_OBJECT_value(policies, i); 369 doid = OBJ_dup(oid); 370 if (doid == NULL) 371 return 0; 372 if (!sk_ASN1_OBJECT_push(param->policies, doid)) { 373 ASN1_OBJECT_free(doid); 374 return 0; 375 } 376 } 377 param->flags |= X509_V_FLAG_POLICY_CHECK; 378 return 1; 379} 380 381char *X509_VERIFY_PARAM_get0_host(X509_VERIFY_PARAM *param, int idx) 382{ 383 return sk_OPENSSL_STRING_value(param->hosts, idx); 384} 385 386int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, 387 const char *name, size_t namelen) 388{ 389 return int_x509_param_set_hosts(param, SET_HOST, name, namelen); 390} 391 392int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, 393 const char *name, size_t namelen) 394{ 395 return int_x509_param_set_hosts(param, ADD_HOST, name, namelen); 396} 397 398void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, 399 unsigned int flags) 400{ 401 param->hostflags = flags; 402} 403 404unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param) 405{ 406 return param->hostflags; 407} 408 409char *X509_VERIFY_PARAM_get0_peername(const X509_VERIFY_PARAM *param) 410{ 411 return param->peername; 412} 413 414/* 415 * Move peername from one param structure to another, freeing any name present 416 * at the target. If the source is a NULL parameter structure, free and zero 417 * the target peername. 418 */ 419void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *to, 420 X509_VERIFY_PARAM *from) 421{ 422 char *peername = (from != NULL) ? from->peername : NULL; 423 424 if (to->peername != peername) { 425 OPENSSL_free(to->peername); 426 to->peername = peername; 427 } 428 if (from != NULL) 429 from->peername = NULL; 430} 431 432char *X509_VERIFY_PARAM_get0_email(X509_VERIFY_PARAM *param) 433{ 434 return param->email; 435} 436 437int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, 438 const char *email, size_t emaillen) 439{ 440 return int_x509_param_set1(¶m->email, ¶m->emaillen, 441 email, emaillen); 442} 443 444static unsigned char 445*int_X509_VERIFY_PARAM_get0_ip(X509_VERIFY_PARAM *param, size_t *plen) 446{ 447 if (param == NULL || param->ip == NULL) { 448 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 449 return NULL; 450 } 451 if (plen != NULL) 452 *plen = param->iplen; 453 return param->ip; 454} 455 456char *X509_VERIFY_PARAM_get1_ip_asc(X509_VERIFY_PARAM *param) 457{ 458 size_t iplen; 459 unsigned char *ip = int_X509_VERIFY_PARAM_get0_ip(param, &iplen); 460 461 return ip == NULL ? NULL : ossl_ipaddr_to_asc(ip, iplen); 462} 463 464int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, 465 const unsigned char *ip, size_t iplen) 466{ 467 if (iplen != 0 && iplen != 4 && iplen != 16) { 468 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT); 469 return 0; 470 } 471 return int_x509_param_set1((char **)¶m->ip, ¶m->iplen, 472 (char *)ip, iplen); 473} 474 475int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc) 476{ 477 unsigned char ipout[16]; 478 size_t iplen = (size_t)ossl_a2i_ipadd(ipout, ipasc); 479 480 if (iplen == 0) 481 return 0; 482 return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen); 483} 484 485int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) 486{ 487 return param->depth; 488} 489 490int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param) 491{ 492 return param->auth_level; 493} 494 495const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param) 496{ 497 return param->name; 498} 499 500#define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0 501 502/* 503 * Default verify parameters: these are used for various applications and can 504 * be overridden by the user specified table. NB: the 'name' field *must* be 505 * in alphabetical order because it will be searched using OBJ_search. 506 */ 507 508static const X509_VERIFY_PARAM default_table[] = { 509 { 510 "default", /* X509 default parameters */ 511 0, /* check time to use */ 512 0, /* inheritance flags */ 513 X509_V_FLAG_TRUSTED_FIRST, /* flags */ 514 0, /* purpose */ 515 0, /* trust */ 516 100, /* depth */ 517 -1, /* auth_level */ 518 NULL, /* policies */ 519 vpm_empty_id}, 520 { 521 "pkcs7", /* S/MIME sign parameters */ 522 0, /* check time to use */ 523 0, /* inheritance flags */ 524 0, /* flags */ 525 X509_PURPOSE_SMIME_SIGN, /* purpose */ 526 X509_TRUST_EMAIL, /* trust */ 527 -1, /* depth */ 528 -1, /* auth_level */ 529 NULL, /* policies */ 530 vpm_empty_id}, 531 { 532 "smime_sign", /* S/MIME sign parameters */ 533 0, /* check time to use */ 534 0, /* inheritance flags */ 535 0, /* flags */ 536 X509_PURPOSE_SMIME_SIGN, /* purpose */ 537 X509_TRUST_EMAIL, /* trust */ 538 -1, /* depth */ 539 -1, /* auth_level */ 540 NULL, /* policies */ 541 vpm_empty_id}, 542 { 543 "ssl_client", /* SSL/TLS client parameters */ 544 0, /* check time to use */ 545 0, /* inheritance flags */ 546 0, /* flags */ 547 X509_PURPOSE_SSL_CLIENT, /* purpose */ 548 X509_TRUST_SSL_CLIENT, /* trust */ 549 -1, /* depth */ 550 -1, /* auth_level */ 551 NULL, /* policies */ 552 vpm_empty_id}, 553 { 554 "ssl_server", /* SSL/TLS server parameters */ 555 0, /* check time to use */ 556 0, /* inheritance flags */ 557 0, /* flags */ 558 X509_PURPOSE_SSL_SERVER, /* purpose */ 559 X509_TRUST_SSL_SERVER, /* trust */ 560 -1, /* depth */ 561 -1, /* auth_level */ 562 NULL, /* policies */ 563 vpm_empty_id} 564}; 565 566static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL; 567 568static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b) 569{ 570 return strcmp(a->name, b->name); 571} 572 573DECLARE_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table); 574IMPLEMENT_OBJ_BSEARCH_CMP_FN(X509_VERIFY_PARAM, X509_VERIFY_PARAM, table); 575 576static int param_cmp(const X509_VERIFY_PARAM *const *a, 577 const X509_VERIFY_PARAM *const *b) 578{ 579 return strcmp((*a)->name, (*b)->name); 580} 581 582int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) 583{ 584 int idx; 585 X509_VERIFY_PARAM *ptmp; 586 587 if (param_table == NULL) { 588 param_table = sk_X509_VERIFY_PARAM_new(param_cmp); 589 if (param_table == NULL) 590 return 0; 591 } else { 592 idx = sk_X509_VERIFY_PARAM_find(param_table, param); 593 if (idx >= 0) { 594 ptmp = sk_X509_VERIFY_PARAM_delete(param_table, idx); 595 X509_VERIFY_PARAM_free(ptmp); 596 } 597 } 598 599 if (sk_X509_VERIFY_PARAM_push(param_table, param) <= 0) 600 return 0; 601 return 1; 602} 603 604int X509_VERIFY_PARAM_get_count(void) 605{ 606 int num = OSSL_NELEM(default_table); 607 608 if (param_table != NULL) 609 num += sk_X509_VERIFY_PARAM_num(param_table); 610 return num; 611} 612 613const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id) 614{ 615 int num = OSSL_NELEM(default_table); 616 617 if (id < num) 618 return default_table + id; 619 return sk_X509_VERIFY_PARAM_value(param_table, id - num); 620} 621 622const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) 623{ 624 int idx; 625 X509_VERIFY_PARAM pm; 626 627 pm.name = (char *)name; 628 if (param_table != NULL) { 629 idx = sk_X509_VERIFY_PARAM_find(param_table, &pm); 630 if (idx >= 0) 631 return sk_X509_VERIFY_PARAM_value(param_table, idx); 632 } 633 return OBJ_bsearch_table(&pm, default_table, OSSL_NELEM(default_table)); 634} 635 636void X509_VERIFY_PARAM_table_cleanup(void) 637{ 638 sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free); 639 param_table = NULL; 640} 641