1 /* $OpenBSD: x509_verify.c,v 1.70 2024/06/07 06:21:40 tb Exp $ */
2 /*
3 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 /* x509_verify - inspired by golang's crypto/x509.Verify */
19
20 #include <errno.h>
21 #include <stdio.h>
22 #include <string.h>
23 #include <time.h>
24 #include <unistd.h>
25
26 #include <openssl/safestack.h>
27 #include <openssl/x509.h>
28 #include <openssl/x509v3.h>
29
30 #include "asn1_local.h"
31 #include "x509_internal.h"
32 #include "x509_issuer_cache.h"
33
34 static int x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert,
35 struct x509_verify_chain *current_chain);
36 static int x509_verify_cert_hostname(struct x509_verify_ctx *ctx, X509 *cert,
37 char *name);
38 static void x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
39 struct x509_verify_chain *current_chain, int full_chain, char *name);
40 static int x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert,
41 size_t depth, int error, int ok);
42 static void x509_verify_chain_free(struct x509_verify_chain *chain);
43
44 /*
45 * Parse an asn1 to a representable time_t as per RFC 5280 rules.
46 * Returns -1 if that can't be done for any reason.
47 */
48 int
x509_verify_asn1_time_to_time_t(const ASN1_TIME * atime,int notAfter,time_t * out)49 x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
50 time_t *out)
51 {
52 struct tm tm = { 0 };
53 int type;
54
55 if (atime == NULL)
56 return 0;
57
58 type = ASN1_time_parse(atime->data, atime->length, &tm, atime->type);
59 if (type == -1)
60 return 0;
61
62 /* RFC 5280 section 4.1.2.5 */
63 if (tm.tm_year < 150 && type != V_ASN1_UTCTIME)
64 return 0;
65 if (tm.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME)
66 return 0;
67
68 if (notAfter) {
69 /*
70 * If we are a completely broken operating system with a
71 * 32 bit time_t, and we have been told this is a notAfter
72 * date, limit the date to a 32 bit representable value.
73 */
74 if (!ASN1_time_tm_clamp_notafter(&tm))
75 return 0;
76 }
77
78 /*
79 * Defensively fail if the time string is not representable as
80 * a time_t. A time_t must be sane if you care about times after
81 * Jan 19 2038.
82 */
83 return asn1_time_tm_to_time_t(&tm, out);
84 }
85
86 struct x509_verify_chain *
x509_verify_chain_new(void)87 x509_verify_chain_new(void)
88 {
89 struct x509_verify_chain *chain;
90
91 if ((chain = calloc(1, sizeof(*chain))) == NULL)
92 goto err;
93 if ((chain->certs = sk_X509_new_null()) == NULL)
94 goto err;
95 if ((chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS,
96 sizeof(int))) == NULL)
97 goto err;
98 if ((chain->names =
99 x509_constraints_names_new(X509_VERIFY_MAX_CHAIN_NAMES)) == NULL)
100 goto err;
101
102 return chain;
103 err:
104 x509_verify_chain_free(chain);
105 return NULL;
106 }
107
108 static void
x509_verify_chain_clear(struct x509_verify_chain * chain)109 x509_verify_chain_clear(struct x509_verify_chain *chain)
110 {
111 sk_X509_pop_free(chain->certs, X509_free);
112 chain->certs = NULL;
113 free(chain->cert_errors);
114 chain->cert_errors = NULL;
115 x509_constraints_names_free(chain->names);
116 chain->names = NULL;
117 }
118
119 static void
x509_verify_chain_free(struct x509_verify_chain * chain)120 x509_verify_chain_free(struct x509_verify_chain *chain)
121 {
122 if (chain == NULL)
123 return;
124 x509_verify_chain_clear(chain);
125 free(chain);
126 }
127
128 static struct x509_verify_chain *
x509_verify_chain_dup(struct x509_verify_chain * chain)129 x509_verify_chain_dup(struct x509_verify_chain *chain)
130 {
131 struct x509_verify_chain *new_chain;
132
133 if ((new_chain = calloc(1, sizeof(*chain))) == NULL)
134 goto err;
135 if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL)
136 goto err;
137 if ((new_chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS,
138 sizeof(int))) == NULL)
139 goto err;
140 memcpy(new_chain->cert_errors, chain->cert_errors,
141 X509_VERIFY_MAX_CHAIN_CERTS * sizeof(int));
142 if ((new_chain->names =
143 x509_constraints_names_dup(chain->names)) == NULL)
144 goto err;
145 return(new_chain);
146 err:
147 x509_verify_chain_free(new_chain);
148 return NULL;
149 }
150
151 static int
x509_verify_chain_append(struct x509_verify_chain * chain,X509 * cert,int * error)152 x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert,
153 int *error)
154 {
155 int verify_err = X509_V_ERR_UNSPECIFIED;
156 size_t idx;
157
158 if (!x509_constraints_extract_names(chain->names, cert,
159 sk_X509_num(chain->certs) == 0, &verify_err)) {
160 *error = verify_err;
161 return 0;
162 }
163
164 X509_up_ref(cert);
165 if (!sk_X509_push(chain->certs, cert)) {
166 X509_free(cert);
167 *error = X509_V_ERR_OUT_OF_MEM;
168 return 0;
169 }
170
171 idx = sk_X509_num(chain->certs) - 1;
172 chain->cert_errors[idx] = *error;
173
174 /*
175 * We've just added the issuer for the previous certificate,
176 * clear its error if appropriate.
177 */
178 if (idx > 1 && chain->cert_errors[idx - 1] ==
179 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
180 chain->cert_errors[idx - 1] = X509_V_OK;
181
182 return 1;
183 }
184
185 static X509 *
x509_verify_chain_last(struct x509_verify_chain * chain)186 x509_verify_chain_last(struct x509_verify_chain *chain)
187 {
188 int last;
189
190 if (chain->certs == NULL)
191 return NULL;
192 if ((last = sk_X509_num(chain->certs) - 1) < 0)
193 return NULL;
194 return sk_X509_value(chain->certs, last);
195 }
196
197 X509 *
x509_verify_chain_leaf(struct x509_verify_chain * chain)198 x509_verify_chain_leaf(struct x509_verify_chain *chain)
199 {
200 if (chain->certs == NULL)
201 return NULL;
202 return sk_X509_value(chain->certs, 0);
203 }
204
205 static void
x509_verify_ctx_reset(struct x509_verify_ctx * ctx)206 x509_verify_ctx_reset(struct x509_verify_ctx *ctx)
207 {
208 size_t i;
209
210 for (i = 0; i < ctx->chains_count; i++)
211 x509_verify_chain_free(ctx->chains[i]);
212 sk_X509_pop_free(ctx->saved_error_chain, X509_free);
213 ctx->saved_error = 0;
214 ctx->saved_error_depth = 0;
215 ctx->error = 0;
216 ctx->error_depth = 0;
217 ctx->chains_count = 0;
218 ctx->sig_checks = 0;
219 ctx->check_time = NULL;
220 }
221
222 static void
x509_verify_ctx_clear(struct x509_verify_ctx * ctx)223 x509_verify_ctx_clear(struct x509_verify_ctx *ctx)
224 {
225 x509_verify_ctx_reset(ctx);
226 sk_X509_pop_free(ctx->intermediates, X509_free);
227 free(ctx->chains);
228
229 }
230
231 static int
x509_verify_cert_cache_extensions(X509 * cert)232 x509_verify_cert_cache_extensions(X509 *cert)
233 {
234 return x509v3_cache_extensions(cert);
235 }
236
237 static int
x509_verify_cert_self_signed(X509 * cert)238 x509_verify_cert_self_signed(X509 *cert)
239 {
240 return (cert->ex_flags & EXFLAG_SS) ? 1 : 0;
241 }
242
243 /* XXX beck - clean up this mess of is_root */
244 static int
x509_verify_check_chain_end(X509 * cert,int full_chain)245 x509_verify_check_chain_end(X509 *cert, int full_chain)
246 {
247 if (full_chain)
248 return x509_verify_cert_self_signed(cert);
249 return 1;
250 }
251
252 static int
x509_verify_ctx_cert_is_root(struct x509_verify_ctx * ctx,X509 * cert,int full_chain)253 x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
254 int full_chain)
255 {
256 X509 *match = NULL;
257 int i;
258
259 if (!x509_verify_cert_cache_extensions(cert))
260 return 0;
261
262 /* Check by lookup if we have a legacy xsc */
263 if (ctx->xsc != NULL) {
264 /*
265 * "alternative" lookup method, using the "trusted" stack in the
266 * xsc as the source for roots.
267 */
268 if (ctx->xsc->trusted != NULL) {
269 for (i = 0; i < sk_X509_num(ctx->xsc->trusted); i++) {
270 if (X509_cmp(sk_X509_value(ctx->xsc->trusted,
271 i), cert) == 0)
272 return x509_verify_check_chain_end(cert,
273 full_chain);
274 }
275 }
276 if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
277 cert)) != NULL) {
278 X509_free(match);
279 return x509_verify_check_chain_end(cert, full_chain);
280 }
281 } else {
282 /* Check the provided roots */
283 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
284 if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
285 return x509_verify_check_chain_end(cert,
286 full_chain);
287 }
288 }
289
290 return 0;
291 }
292
293 static int
x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx * ctx,struct x509_verify_chain * chain,int set_error,int is_trusted)294 x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx,
295 struct x509_verify_chain *chain, int set_error, int is_trusted)
296 {
297 size_t num_untrusted;
298 int i;
299
300 if (ctx->xsc == NULL)
301 return 1;
302
303 /*
304 * XXX num_untrusted is the number of untrusted certs at the
305 * bottom of the chain. This works now since we stop at the first
306 * trusted cert. This will need fixing once we allow more than one
307 * trusted certificate.
308 */
309 num_untrusted = sk_X509_num(chain->certs);
310 if (is_trusted && num_untrusted > 0)
311 num_untrusted--;
312 ctx->xsc->num_untrusted = num_untrusted;
313
314 sk_X509_pop_free(ctx->xsc->chain, X509_free);
315 ctx->xsc->chain = X509_chain_up_ref(chain->certs);
316 if (ctx->xsc->chain == NULL)
317 return x509_verify_cert_error(ctx, NULL, 0,
318 X509_V_ERR_OUT_OF_MEM, 0);
319
320 if (set_error) {
321 ctx->xsc->error = X509_V_OK;
322 ctx->xsc->error_depth = 0;
323 for (i = 0; i < sk_X509_num(chain->certs); i++) {
324 if (chain->cert_errors[i] != X509_V_OK) {
325 ctx->xsc->error = chain->cert_errors[i];
326 ctx->xsc->error_depth = i;
327 break;
328 }
329 }
330 }
331
332 return 1;
333 }
334
335
336 /*
337 * Save the error state and unvalidated chain off of the xsc for
338 * later.
339 */
340 static int
x509_verify_ctx_save_xsc_error(struct x509_verify_ctx * ctx)341 x509_verify_ctx_save_xsc_error(struct x509_verify_ctx *ctx)
342 {
343 if (ctx->xsc != NULL && ctx->xsc->chain != NULL) {
344 sk_X509_pop_free(ctx->saved_error_chain, X509_free);
345 ctx->saved_error_chain = X509_chain_up_ref(ctx->xsc->chain);
346 if (ctx->saved_error_chain == NULL)
347 return x509_verify_cert_error(ctx, NULL, 0,
348 X509_V_ERR_OUT_OF_MEM, 0);
349 ctx->saved_error = ctx->xsc->error;
350 ctx->saved_error_depth = ctx->xsc->error_depth;
351 }
352 return 1;
353 }
354
355 /*
356 * Restore the saved error state and unvalidated chain to the xsc
357 * if we do not have a validated chain.
358 */
359 static int
x509_verify_ctx_restore_xsc_error(struct x509_verify_ctx * ctx)360 x509_verify_ctx_restore_xsc_error(struct x509_verify_ctx *ctx)
361 {
362 if (ctx->xsc != NULL && ctx->chains_count == 0 &&
363 ctx->saved_error_chain != NULL) {
364 sk_X509_pop_free(ctx->xsc->chain, X509_free);
365 ctx->xsc->chain = X509_chain_up_ref(ctx->saved_error_chain);
366 if (ctx->xsc->chain == NULL)
367 return x509_verify_cert_error(ctx, NULL, 0,
368 X509_V_ERR_OUT_OF_MEM, 0);
369 ctx->xsc->error = ctx->saved_error;
370 ctx->xsc->error_depth = ctx->saved_error_depth;
371 }
372 return 1;
373 }
374
375 /* Perform legacy style validation of a chain */
376 static int
x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx * ctx,struct x509_verify_chain * chain,size_t depth)377 x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
378 struct x509_verify_chain *chain, size_t depth)
379 {
380 int ret = 0, trust;
381
382 if (ctx->xsc == NULL)
383 return 1;
384
385 /*
386 * If we have a legacy xsc, choose a validated chain, and
387 * apply the extensions, revocation, and policy checks just
388 * like the legacy code did. We do this here instead of as
389 * building the chains to more easily support the callback and
390 * the bewildering array of VERIFY_PARAM knobs that are there
391 * for the fiddling.
392 */
393
394 /* These may be set in one of the following calls. */
395 ctx->xsc->error = X509_V_OK;
396 ctx->xsc->error_depth = 0;
397
398 if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1))
399 goto err;
400
401 /*
402 * Call the legacy code to walk the chain and check trust
403 * in the legacy way to handle partial chains and get the
404 * callback fired correctly.
405 */
406 trust = x509_vfy_check_trust(ctx->xsc);
407 if (trust == X509_TRUST_REJECTED)
408 goto err; /* callback was called in x509_vfy_check_trust */
409 if (trust != X509_TRUST_TRUSTED) {
410 /* NOTREACHED */
411 goto err; /* should not happen if we get in here - abort? */
412 }
413
414 /*
415 * XXX currently this duplicates some work done in chain
416 * build, but we keep it here until we have feature parity
417 */
418 if (!x509_vfy_check_chain_extensions(ctx->xsc))
419 goto err;
420
421 #ifndef OPENSSL_NO_RFC3779
422 if (!X509v3_asid_validate_path(ctx->xsc))
423 goto err;
424
425 if (!X509v3_addr_validate_path(ctx->xsc))
426 goto err;
427 #endif
428
429 if (!x509_vfy_check_security_level(ctx->xsc))
430 goto err;
431
432 if (!x509_constraints_chain(ctx->xsc->chain,
433 &ctx->xsc->error, &ctx->xsc->error_depth)) {
434 X509 *cert = sk_X509_value(ctx->xsc->chain, depth);
435 if (!x509_verify_cert_error(ctx, cert,
436 ctx->xsc->error_depth, ctx->xsc->error, 0))
437 goto err;
438 }
439
440 if (!x509_vfy_check_revocation(ctx->xsc))
441 goto err;
442
443 if (!x509_vfy_check_policy(ctx->xsc))
444 goto err;
445
446 ret = 1;
447
448 err:
449 /*
450 * The above checks may have set ctx->xsc->error and
451 * ctx->xsc->error_depth - save these for later on.
452 */
453 if (ctx->xsc->error != X509_V_OK) {
454 if (ctx->xsc->error_depth < 0 ||
455 ctx->xsc->error_depth >= X509_VERIFY_MAX_CHAIN_CERTS)
456 return 0;
457 chain->cert_errors[ctx->xsc->error_depth] =
458 ctx->xsc->error;
459 ctx->error_depth = ctx->xsc->error_depth;
460 }
461
462 return ret;
463 }
464
465 /* Add a validated chain to our list of valid chains */
466 static int
x509_verify_ctx_add_chain(struct x509_verify_ctx * ctx,struct x509_verify_chain * chain,char * name)467 x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
468 struct x509_verify_chain *chain, char *name)
469 {
470 size_t depth;
471 X509 *last = x509_verify_chain_last(chain);
472 X509 *leaf = x509_verify_chain_leaf(chain);
473
474 depth = sk_X509_num(chain->certs);
475 if (depth > 0)
476 depth--;
477
478 if (ctx->chains_count >= ctx->max_chains)
479 return x509_verify_cert_error(ctx, last, depth,
480 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0);
481
482 /* Clear a get issuer failure for a root certificate. */
483 if (chain->cert_errors[depth] ==
484 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
485 chain->cert_errors[depth] = X509_V_OK;
486
487 if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth))
488 return 0;
489
490 /* Verify the leaf certificate and store any resulting error. */
491 if (!x509_verify_cert_valid(ctx, leaf, NULL))
492 return 0;
493 if (!x509_verify_cert_hostname(ctx, leaf, name))
494 return 0;
495 if (ctx->error_depth == 0 &&
496 ctx->error != X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
497 chain->cert_errors[0] = ctx->error;
498
499 /*
500 * In the non-legacy code, extensions and purpose are dealt
501 * with as the chain is built.
502 *
503 * The non-legacy api returns multiple chains but does not do
504 * any revocation checking (it must be done by the caller on
505 * any chain they wish to use)
506 */
507
508 if ((ctx->chains[ctx->chains_count] = x509_verify_chain_dup(chain)) ==
509 NULL) {
510 return x509_verify_cert_error(ctx, last, depth,
511 X509_V_ERR_OUT_OF_MEM, 0);
512 }
513 ctx->chains_count++;
514
515 ctx->error = X509_V_OK;
516 ctx->error_depth = depth;
517
518 return 1;
519 }
520
521 static int
x509_verify_potential_parent(struct x509_verify_ctx * ctx,X509 * parent,X509 * child)522 x509_verify_potential_parent(struct x509_verify_ctx *ctx, X509 *parent,
523 X509 *child)
524 {
525 if (!x509_verify_cert_cache_extensions(parent))
526 return 0;
527 if (ctx->xsc != NULL)
528 return (ctx->xsc->check_issued(ctx->xsc, child, parent));
529
530 /* XXX key usage */
531 return X509_check_issued(parent, child) == X509_V_OK;
532 }
533
534 static int
x509_verify_parent_signature(X509 * parent,X509 * child,int * error)535 x509_verify_parent_signature(X509 *parent, X509 *child, int *error)
536 {
537 EVP_PKEY *pkey;
538 int cached;
539 int ret = 0;
540
541 /* Use cached value if we have it */
542 if ((cached = x509_issuer_cache_find(parent->hash, child->hash)) >= 0)
543 return cached;
544
545 /* Check signature. Did parent sign child? */
546 if ((pkey = X509_get_pubkey(parent)) == NULL) {
547 *error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
548 return 0;
549 }
550 if (X509_verify(child, pkey) <= 0)
551 *error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
552 else
553 ret = 1;
554
555 /* Add result to cache */
556 x509_issuer_cache_add(parent->hash, child->hash, ret);
557
558 EVP_PKEY_free(pkey);
559
560 return ret;
561 }
562
563 static int
x509_verify_consider_candidate(struct x509_verify_ctx * ctx,X509 * cert,int is_root_cert,X509 * candidate,struct x509_verify_chain * current_chain,int full_chain,char * name)564 x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert,
565 int is_root_cert, X509 *candidate, struct x509_verify_chain *current_chain,
566 int full_chain, char *name)
567 {
568 int depth = sk_X509_num(current_chain->certs);
569 struct x509_verify_chain *new_chain;
570 int i;
571
572 /* Fail if the certificate is already in the chain */
573 for (i = 0; i < sk_X509_num(current_chain->certs); i++) {
574 if (X509_cmp(sk_X509_value(current_chain->certs, i),
575 candidate) == 0)
576 return 0;
577 }
578
579 if (ctx->sig_checks++ > X509_VERIFY_MAX_SIGCHECKS) {
580 /* don't allow callback to override safety check */
581 (void) x509_verify_cert_error(ctx, candidate, depth,
582 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0);
583 return 0;
584 }
585
586 if (!x509_verify_parent_signature(candidate, cert, &ctx->error)) {
587 if (!x509_verify_cert_error(ctx, candidate, depth,
588 ctx->error, 0))
589 return 0;
590 }
591
592 if (!x509_verify_cert_valid(ctx, candidate, current_chain))
593 return 0;
594
595 /* candidate is good, add it to a copy of the current chain */
596 if ((new_chain = x509_verify_chain_dup(current_chain)) == NULL) {
597 x509_verify_cert_error(ctx, candidate, depth,
598 X509_V_ERR_OUT_OF_MEM, 0);
599 return 0;
600 }
601 if (!x509_verify_chain_append(new_chain, candidate, &ctx->error)) {
602 x509_verify_cert_error(ctx, candidate, depth, ctx->error, 0);
603 x509_verify_chain_free(new_chain);
604 return 0;
605 }
606
607 /*
608 * If candidate is a trusted root, we have a validated chain,
609 * so we save it. Otherwise, recurse until we find a root or
610 * give up.
611 */
612 if (is_root_cert) {
613 if (!x509_verify_ctx_set_xsc_chain(ctx, new_chain, 0, 1)) {
614 x509_verify_chain_free(new_chain);
615 return 0;
616 }
617 if (!x509_verify_ctx_add_chain(ctx, new_chain, name)) {
618 x509_verify_chain_free(new_chain);
619 return 0;
620 }
621 goto done;
622 }
623
624 x509_verify_build_chains(ctx, candidate, new_chain, full_chain, name);
625
626 done:
627 x509_verify_chain_free(new_chain);
628 return 1;
629 }
630
631 static int
x509_verify_cert_error(struct x509_verify_ctx * ctx,X509 * cert,size_t depth,int error,int ok)632 x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, size_t depth,
633 int error, int ok)
634 {
635 ctx->error = error;
636 ctx->error_depth = depth;
637 if (ctx->xsc != NULL) {
638 ctx->xsc->error = error;
639 ctx->xsc->error_depth = depth;
640 ctx->xsc->current_cert = cert;
641 return ctx->xsc->verify_cb(ok, ctx->xsc);
642 }
643 return ok;
644 }
645
646 static void
x509_verify_build_chains(struct x509_verify_ctx * ctx,X509 * cert,struct x509_verify_chain * current_chain,int full_chain,char * name)647 x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
648 struct x509_verify_chain *current_chain, int full_chain, char *name)
649 {
650 X509 *candidate;
651 int i, depth, count, ret, is_root;
652
653 /*
654 * If we are finding chains with an xsc, just stop after we have
655 * one chain, there's no point in finding more, it just exercises
656 * the potentially buggy callback processing in the calling software.
657 */
658 if (ctx->xsc != NULL && ctx->chains_count > 0)
659 return;
660
661 depth = sk_X509_num(current_chain->certs);
662 if (depth > 0)
663 depth--;
664
665 if (depth >= ctx->max_depth &&
666 !x509_verify_cert_error(ctx, cert, depth,
667 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0))
668 return;
669
670 count = ctx->chains_count;
671
672 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
673 ctx->error_depth = depth;
674
675 if (ctx->saved_error != 0)
676 ctx->error = ctx->saved_error;
677 if (ctx->saved_error_depth != 0)
678 ctx->error_depth = ctx->saved_error_depth;
679
680 if (ctx->xsc != NULL) {
681 /*
682 * Long ago experiments at Muppet labs resulted in a
683 * situation where software not only sees these errors
684 * but forced developers to expect them in certain cases.
685 * so we must mimic this awfulness for the legacy case.
686 */
687 if (cert->ex_flags & EXFLAG_SS)
688 ctx->error = (depth == 0) ?
689 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
690 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
691 }
692
693 /* Check for legacy mode roots */
694 if (ctx->xsc != NULL) {
695 if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) {
696 x509_verify_cert_error(ctx, cert, depth,
697 X509_V_ERR_STORE_LOOKUP, 0);
698 return;
699 }
700 if (ret > 0) {
701 if (x509_verify_potential_parent(ctx, candidate, cert)) {
702 is_root = x509_verify_check_chain_end(candidate,
703 full_chain);
704 x509_verify_consider_candidate(ctx, cert,
705 is_root, candidate, current_chain,
706 full_chain, name);
707 }
708 X509_free(candidate);
709 }
710 } else {
711 /* Check to see if we have a trusted root issuer. */
712 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
713 candidate = sk_X509_value(ctx->roots, i);
714 if (x509_verify_potential_parent(ctx, candidate, cert)) {
715 is_root = x509_verify_check_chain_end(candidate,
716 full_chain);
717 x509_verify_consider_candidate(ctx, cert,
718 is_root, candidate, current_chain,
719 full_chain, name);
720 }
721 }
722 }
723
724 /* Check intermediates after checking roots */
725 if (ctx->intermediates != NULL) {
726 for (i = 0; i < sk_X509_num(ctx->intermediates); i++) {
727 candidate = sk_X509_value(ctx->intermediates, i);
728 if (x509_verify_potential_parent(ctx, candidate, cert)) {
729 x509_verify_consider_candidate(ctx, cert,
730 0, candidate, current_chain,
731 full_chain, name);
732 }
733 }
734 }
735
736 if (ctx->chains_count > count) {
737 if (ctx->xsc != NULL) {
738 ctx->xsc->error = X509_V_OK;
739 ctx->xsc->error_depth = depth;
740 ctx->xsc->current_cert = cert;
741 }
742 } else if (ctx->error_depth == depth) {
743 if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0, 0))
744 return;
745 }
746 }
747
748 static int
x509_verify_cert_hostname(struct x509_verify_ctx * ctx,X509 * cert,char * name)749 x509_verify_cert_hostname(struct x509_verify_ctx *ctx, X509 *cert, char *name)
750 {
751 char *candidate;
752 size_t len;
753
754 if (name == NULL) {
755 if (ctx->xsc != NULL) {
756 int ret;
757
758 if ((ret = x509_vfy_check_id(ctx->xsc)) == 0)
759 ctx->error = ctx->xsc->error;
760 return ret;
761 }
762 return 1;
763 }
764 if ((candidate = strdup(name)) == NULL) {
765 ctx->error = X509_V_ERR_OUT_OF_MEM;
766 goto err;
767 }
768 if ((len = strlen(candidate)) < 1) {
769 ctx->error = X509_V_ERR_UNSPECIFIED; /* XXX */
770 goto err;
771 }
772
773 /* IP addresses may be written in [ ]. */
774 if (candidate[0] == '[' && candidate[len - 1] == ']') {
775 candidate[len - 1] = '\0';
776 if (X509_check_ip_asc(cert, candidate + 1, 0) <= 0) {
777 ctx->error = X509_V_ERR_IP_ADDRESS_MISMATCH;
778 goto err;
779 }
780 } else {
781 int flags = 0;
782
783 if (ctx->xsc == NULL)
784 flags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
785
786 if (X509_check_host(cert, candidate, len, flags, NULL) <= 0) {
787 ctx->error = X509_V_ERR_HOSTNAME_MISMATCH;
788 goto err;
789 }
790 }
791 free(candidate);
792 return 1;
793 err:
794 free(candidate);
795 return x509_verify_cert_error(ctx, cert, 0, ctx->error, 0);
796 }
797
798 static int
x509_verify_set_check_time(struct x509_verify_ctx * ctx)799 x509_verify_set_check_time(struct x509_verify_ctx *ctx)
800 {
801 if (ctx->xsc != NULL) {
802 if (ctx->xsc->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
803 ctx->check_time = &ctx->xsc->param->check_time;
804 return 1;
805 }
806 if (ctx->xsc->param->flags & X509_V_FLAG_NO_CHECK_TIME)
807 return 0;
808 }
809
810 ctx->check_time = NULL;
811 return 1;
812 }
813
814 static int
x509_verify_cert_times(X509 * cert,time_t * cmp_time,int * error)815 x509_verify_cert_times(X509 *cert, time_t *cmp_time, int *error)
816 {
817 time_t when, not_before, not_after;
818
819 if (cmp_time == NULL)
820 when = time(NULL);
821 else
822 when = *cmp_time;
823
824 if (!x509_verify_asn1_time_to_time_t(X509_get_notBefore(cert), 0,
825 ¬_before)) {
826 *error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
827 return 0;
828 }
829 if (when < not_before) {
830 *error = X509_V_ERR_CERT_NOT_YET_VALID;
831 return 0;
832 }
833 if (!x509_verify_asn1_time_to_time_t(X509_get_notAfter(cert), 1,
834 ¬_after)) {
835 *error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
836 return 0;
837 }
838 if (when > not_after) {
839 *error = X509_V_ERR_CERT_HAS_EXPIRED;
840 return 0;
841 }
842
843 return 1;
844 }
845
846 static int
x509_verify_validate_constraints(X509 * cert,struct x509_verify_chain * current_chain,int * error)847 x509_verify_validate_constraints(X509 *cert,
848 struct x509_verify_chain *current_chain, int *error)
849 {
850 struct x509_constraints_names *excluded = NULL;
851 struct x509_constraints_names *permitted = NULL;
852 int err = X509_V_ERR_UNSPECIFIED;
853
854 if (current_chain == NULL)
855 return 1;
856
857 if (cert->nc != NULL) {
858 if ((permitted = x509_constraints_names_new(
859 X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) {
860 err = X509_V_ERR_OUT_OF_MEM;
861 goto err;
862 }
863 if ((excluded = x509_constraints_names_new(
864 X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) {
865 err = X509_V_ERR_OUT_OF_MEM;
866 goto err;
867 }
868 if (!x509_constraints_extract_constraints(cert,
869 permitted, excluded, &err))
870 goto err;
871 if (!x509_constraints_check(current_chain->names,
872 permitted, excluded, &err))
873 goto err;
874 x509_constraints_names_free(excluded);
875 x509_constraints_names_free(permitted);
876 }
877
878 return 1;
879 err:
880 *error = err;
881 x509_constraints_names_free(excluded);
882 x509_constraints_names_free(permitted);
883 return 0;
884 }
885
886 static int
x509_verify_cert_extensions(struct x509_verify_ctx * ctx,X509 * cert,int need_ca)887 x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca)
888 {
889 if (!x509_verify_cert_cache_extensions(cert)) {
890 ctx->error = X509_V_ERR_UNSPECIFIED;
891 return 0;
892 }
893
894 if (ctx->xsc != NULL)
895 return 1; /* legacy is checked after chain is built */
896
897 if (cert->ex_flags & EXFLAG_CRITICAL) {
898 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
899 return 0;
900 }
901 /* No we don't care about v1, netscape, and other ancient silliness */
902 if (need_ca && (!(cert->ex_flags & EXFLAG_BCONS) &&
903 (cert->ex_flags & EXFLAG_CA))) {
904 ctx->error = X509_V_ERR_INVALID_CA;
905 return 0;
906 }
907 if (ctx->purpose > 0 && X509_check_purpose(cert, ctx->purpose, need_ca)) {
908 ctx->error = X509_V_ERR_INVALID_PURPOSE;
909 return 0;
910 }
911
912 return 1;
913 }
914
915 /* Validate that cert is a possible candidate to append to current_chain */
916 static int
x509_verify_cert_valid(struct x509_verify_ctx * ctx,X509 * cert,struct x509_verify_chain * current_chain)917 x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert,
918 struct x509_verify_chain *current_chain)
919 {
920 X509 *issuer_candidate;
921 int should_be_ca = current_chain != NULL;
922 size_t depth = 0;
923
924 if (current_chain != NULL)
925 depth = sk_X509_num(current_chain->certs);
926
927 if (!x509_verify_cert_extensions(ctx, cert, should_be_ca))
928 return 0;
929
930 if (should_be_ca) {
931 issuer_candidate = x509_verify_chain_last(current_chain);
932 if (issuer_candidate != NULL &&
933 !X509_check_issued(issuer_candidate, cert))
934 if (!x509_verify_cert_error(ctx, cert, depth,
935 X509_V_ERR_SUBJECT_ISSUER_MISMATCH, 0))
936 return 0;
937 }
938
939 if (x509_verify_set_check_time(ctx)) {
940 if (!x509_verify_cert_times(cert, ctx->check_time,
941 &ctx->error)) {
942 if (!x509_verify_cert_error(ctx, cert, depth,
943 ctx->error, 0))
944 return 0;
945 }
946 }
947
948 if (!x509_verify_validate_constraints(cert, current_chain,
949 &ctx->error) && !x509_verify_cert_error(ctx, cert, depth,
950 ctx->error, 0))
951 return 0;
952
953 return 1;
954 }
955
956 struct x509_verify_ctx *
x509_verify_ctx_new_from_xsc(X509_STORE_CTX * xsc)957 x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc)
958 {
959 struct x509_verify_ctx *ctx;
960 size_t max_depth;
961
962 if (xsc == NULL)
963 return NULL;
964
965 if ((ctx = x509_verify_ctx_new(NULL)) == NULL)
966 return NULL;
967
968 ctx->xsc = xsc;
969
970 if (xsc->untrusted &&
971 (ctx->intermediates = X509_chain_up_ref(xsc->untrusted)) == NULL)
972 goto err;
973
974 max_depth = X509_VERIFY_MAX_CHAIN_CERTS;
975 if (xsc->param->depth > 0 && xsc->param->depth < X509_VERIFY_MAX_CHAIN_CERTS)
976 max_depth = xsc->param->depth;
977 if (!x509_verify_ctx_set_max_depth(ctx, max_depth))
978 goto err;
979
980 return ctx;
981 err:
982 x509_verify_ctx_free(ctx);
983 return NULL;
984 }
985
986 /* Public API */
987
988 struct x509_verify_ctx *
x509_verify_ctx_new(STACK_OF (X509)* roots)989 x509_verify_ctx_new(STACK_OF(X509) *roots)
990 {
991 struct x509_verify_ctx *ctx;
992
993 if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL)
994 return NULL;
995
996 if (roots != NULL) {
997 if ((ctx->roots = X509_chain_up_ref(roots)) == NULL)
998 goto err;
999 } else {
1000 if ((ctx->roots = sk_X509_new_null()) == NULL)
1001 goto err;
1002 }
1003
1004 ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS;
1005 ctx->max_chains = X509_VERIFY_MAX_CHAINS;
1006 ctx->max_sigs = X509_VERIFY_MAX_SIGCHECKS;
1007
1008 if ((ctx->chains = calloc(X509_VERIFY_MAX_CHAINS,
1009 sizeof(*ctx->chains))) == NULL)
1010 goto err;
1011
1012 return ctx;
1013 err:
1014 x509_verify_ctx_free(ctx);
1015 return NULL;
1016 }
1017
1018 void
x509_verify_ctx_free(struct x509_verify_ctx * ctx)1019 x509_verify_ctx_free(struct x509_verify_ctx *ctx)
1020 {
1021 if (ctx == NULL)
1022 return;
1023 sk_X509_pop_free(ctx->roots, X509_free);
1024 x509_verify_ctx_clear(ctx);
1025 free(ctx);
1026 }
1027
1028 int
x509_verify_ctx_set_max_depth(struct x509_verify_ctx * ctx,size_t max)1029 x509_verify_ctx_set_max_depth(struct x509_verify_ctx *ctx, size_t max)
1030 {
1031 if (max < 1 || max > X509_VERIFY_MAX_CHAIN_CERTS)
1032 return 0;
1033 ctx->max_depth = max;
1034 return 1;
1035 }
1036
1037 int
x509_verify_ctx_set_max_chains(struct x509_verify_ctx * ctx,size_t max)1038 x509_verify_ctx_set_max_chains(struct x509_verify_ctx *ctx, size_t max)
1039 {
1040 if (max < 1 || max > X509_VERIFY_MAX_CHAINS)
1041 return 0;
1042 ctx->max_chains = max;
1043 return 1;
1044 }
1045
1046 int
x509_verify_ctx_set_max_signatures(struct x509_verify_ctx * ctx,size_t max)1047 x509_verify_ctx_set_max_signatures(struct x509_verify_ctx *ctx, size_t max)
1048 {
1049 if (max < 1 || max > 100000)
1050 return 0;
1051 ctx->max_sigs = max;
1052 return 1;
1053 }
1054
1055 int
x509_verify_ctx_set_purpose(struct x509_verify_ctx * ctx,int purpose)1056 x509_verify_ctx_set_purpose(struct x509_verify_ctx *ctx, int purpose)
1057 {
1058 if (purpose < X509_PURPOSE_MIN || purpose > X509_PURPOSE_MAX)
1059 return 0;
1060 ctx->purpose = purpose;
1061 return 1;
1062 }
1063
1064 int
x509_verify_ctx_set_intermediates(struct x509_verify_ctx * ctx,STACK_OF (X509)* intermediates)1065 x509_verify_ctx_set_intermediates(struct x509_verify_ctx *ctx,
1066 STACK_OF(X509) *intermediates)
1067 {
1068 if ((ctx->intermediates = X509_chain_up_ref(intermediates)) == NULL)
1069 return 0;
1070 return 1;
1071 }
1072
1073 const char *
x509_verify_ctx_error_string(struct x509_verify_ctx * ctx)1074 x509_verify_ctx_error_string(struct x509_verify_ctx *ctx)
1075 {
1076 return X509_verify_cert_error_string(ctx->error);
1077 }
1078
1079 size_t
x509_verify_ctx_error_depth(struct x509_verify_ctx * ctx)1080 x509_verify_ctx_error_depth(struct x509_verify_ctx *ctx)
1081 {
1082 return ctx->error_depth;
1083 }
1084
STACK_OF(X509)1085 STACK_OF(X509) *
1086 x509_verify_ctx_chain(struct x509_verify_ctx *ctx, size_t i)
1087 {
1088 if (i >= ctx->chains_count)
1089 return NULL;
1090 return ctx->chains[i]->certs;
1091 }
1092
1093 size_t
x509_verify(struct x509_verify_ctx * ctx,X509 * leaf,char * name)1094 x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
1095 {
1096 struct x509_verify_chain *current_chain;
1097 int retry_chain_build, full_chain = 0;
1098
1099 if (ctx->roots == NULL || ctx->max_depth == 0) {
1100 ctx->error = X509_V_ERR_INVALID_CALL;
1101 goto err;
1102 }
1103
1104 if (ctx->xsc != NULL) {
1105 if (leaf != NULL || name != NULL) {
1106 ctx->error = X509_V_ERR_INVALID_CALL;
1107 goto err;
1108 }
1109 leaf = ctx->xsc->cert;
1110
1111 /* XXX */
1112 full_chain = 1;
1113 if (ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
1114 full_chain = 0;
1115 /*
1116 * XXX
1117 * The legacy code expects the top level cert to be
1118 * there, even if we didn't find a chain. So put it
1119 * there, we will clobber it later if we find a valid
1120 * chain.
1121 */
1122 if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) {
1123 ctx->error = X509_V_ERR_OUT_OF_MEM;
1124 goto err;
1125 }
1126 if (!X509_up_ref(leaf)) {
1127 ctx->error = X509_V_ERR_OUT_OF_MEM;
1128 goto err;
1129 }
1130 if (!sk_X509_push(ctx->xsc->chain, leaf)) {
1131 X509_free(leaf);
1132 ctx->error = X509_V_ERR_OUT_OF_MEM;
1133 goto err;
1134 }
1135 ctx->xsc->error_depth = 0;
1136 ctx->xsc->current_cert = leaf;
1137 }
1138
1139 if ((current_chain = x509_verify_chain_new()) == NULL) {
1140 ctx->error = X509_V_ERR_OUT_OF_MEM;
1141 goto err;
1142 }
1143
1144 /*
1145 * Add the leaf to the chain and try to build chains from it.
1146 * Note that unlike Go's verifier, we have not yet checked
1147 * anything about the leaf, This is intentional, so that we
1148 * report failures in chain building before we report problems
1149 * with the leaf.
1150 */
1151 if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) {
1152 x509_verify_chain_free(current_chain);
1153 goto err;
1154 }
1155 do {
1156 retry_chain_build = 0;
1157 if (x509_verify_ctx_cert_is_root(ctx, leaf, full_chain)) {
1158 if (!x509_verify_ctx_add_chain(ctx, current_chain,
1159 name)) {
1160 x509_verify_chain_free(current_chain);
1161 goto err;
1162 }
1163 } else {
1164 x509_verify_build_chains(ctx, leaf, current_chain,
1165 full_chain, name);
1166 if (full_chain && ctx->chains_count == 0) {
1167 /*
1168 * Save the error state from the xsc
1169 * at this point to put back on the
1170 * xsc in case we do not find a chain
1171 * that is trusted but not a full
1172 * chain to a self signed root. This
1173 * is because the unvalidated chain is
1174 * used by the autochain batshittery
1175 * on failure and will be needed for
1176 * that.
1177 */
1178 ctx->xsc->error_depth = ctx->error_depth;
1179 if (!x509_verify_ctx_save_xsc_error(ctx)) {
1180 x509_verify_chain_free(current_chain);
1181 goto err;
1182 }
1183 full_chain = 0;
1184 retry_chain_build = 1;
1185 }
1186 }
1187 } while (retry_chain_build);
1188
1189 x509_verify_chain_free(current_chain);
1190
1191 /*
1192 * Do the new verifier style return, where we don't have an xsc
1193 * that allows a crazy callback to turn invalid things into valid.
1194 */
1195 if (ctx->xsc == NULL) {
1196 /*
1197 * Safety net:
1198 * We could not find a validated chain, and for some reason do not
1199 * have an error set.
1200 */
1201 if (ctx->chains_count == 0 && ctx->error == X509_V_OK)
1202 ctx->error = X509_V_ERR_UNSPECIFIED;
1203
1204 /*
1205 * If we are not using an xsc, and have no possibility for the
1206 * crazy OpenSSL callback API changing the results of
1207 * validation steps (because the callback can make validation
1208 * proceed in the presence of invalid certs), any chains we
1209 * have here are correctly built and verified.
1210 */
1211 if (ctx->chains_count > 0)
1212 ctx->error = X509_V_OK;
1213
1214 return ctx->chains_count;
1215 }
1216
1217 /*
1218 * Otherwise we are doing compatibility with an xsc, which means that we
1219 * will have one chain, which might actually be a bogus chain because
1220 * the callback told us to ignore errors and proceed to build an invalid
1221 * chain. Possible return values from this include returning 1 with an
1222 * invalid chain and a value of xsc->error != X509_V_OK (It's tradition
1223 * that makes it ok).
1224 */
1225
1226 if (ctx->chains_count > 0) {
1227 /*
1228 * The chain we have using an xsc might not be a verified chain
1229 * if the callback perverted things while we built it to ignore
1230 * failures and proceed with chain building. We put this chain
1231 * and the error associated with it on the xsc.
1232 */
1233 if (!x509_verify_ctx_set_xsc_chain(ctx, ctx->chains[0], 1, 1))
1234 goto err;
1235
1236 /*
1237 * Call the callback for completion up our built
1238 * chain. The callback could still tell us to
1239 * fail. Since this chain might exist as the result of
1240 * callback doing perversions, we could still return
1241 * "success" with something other than X509_V_OK set
1242 * as the error.
1243 */
1244 if (!x509_vfy_callback_indicate_completion(ctx->xsc))
1245 goto err;
1246 } else {
1247 /*
1248 * We did not find a chain. Bring back the failure
1249 * case we wanted to the xsc if we saved one. If we
1250 * did not we should have just the leaf on the xsc.
1251 */
1252 if (!x509_verify_ctx_restore_xsc_error(ctx))
1253 goto err;
1254
1255 /*
1256 * Safety net, ensure we have an error set in the
1257 * failing case.
1258 */
1259 if (ctx->xsc->error == X509_V_OK) {
1260 if (ctx->error == X509_V_OK)
1261 ctx->error = X509_V_ERR_UNSPECIFIED;
1262 ctx->xsc->error = ctx->error;
1263 }
1264
1265 /*
1266 * Let the callback override the return value
1267 * at depth 0 if it chooses to
1268 */
1269 return ctx->xsc->verify_cb(0, ctx->xsc);
1270 }
1271
1272 /* We only ever find one chain in compat mode with an xsc. */
1273 return 1;
1274
1275 err:
1276 if (ctx->error == X509_V_OK)
1277 ctx->error = X509_V_ERR_UNSPECIFIED;
1278
1279 if (ctx->xsc != NULL) {
1280 if (ctx->xsc->error == X509_V_OK)
1281 ctx->xsc->error = X509_V_ERR_UNSPECIFIED;
1282 ctx->error = ctx->xsc->error;
1283 }
1284
1285 return 0;
1286 }
1287