1 /* $OpenBSD: x509_internal.h,v 1.7 2021/03/12 15:53:38 tb Exp $ */ 2 /* 3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 #ifndef HEADER_X509_INTERNAL_H 18 #define HEADER_X509_INTERNAL_H 19 20 /* Internal use only, not public API */ 21 #include <netinet/in.h> 22 23 #include <openssl/x509_verify.h> 24 25 /* Hard limits on structure size and number of signature checks. */ 26 #define X509_VERIFY_MAX_CHAINS 8 /* Max validated chains */ 27 #define X509_VERIFY_MAX_CHAIN_CERTS 32 /* Max depth of a chain */ 28 #define X509_VERIFY_MAX_SIGCHECKS 256 /* Max signature checks */ 29 30 /* 31 * Limit the number of names and constraints we will check in a chain 32 * to avoid a hostile input DOS 33 */ 34 #define X509_VERIFY_MAX_CHAIN_NAMES 512 35 #define X509_VERIFY_MAX_CHAIN_CONSTRAINTS 512 36 37 /* 38 * Hold the parsed and validated result of names from a certificate. 39 * these typically come from a GENERALNAME, but we store the parsed 40 * and validated results, not the ASN1 bytes. 41 */ 42 struct x509_constraints_name { 43 int type; /* GEN_* types from GENERAL_NAME */ 44 char *name; /* Name to check */ 45 char *local; /* holds the local part of GEN_EMAIL */ 46 uint8_t *der; /* DER encoded value or NULL*/ 47 size_t der_len; 48 int af; /* INET and INET6 are supported */ 49 uint8_t address[32]; /* Must hold ipv6 + mask */ 50 }; 51 52 struct x509_constraints_names { 53 struct x509_constraints_name **names; 54 size_t names_count; 55 size_t names_len; 56 size_t names_max; 57 }; 58 59 struct x509_verify_chain { 60 STACK_OF(X509) *certs; /* Kept in chain order, includes leaf */ 61 int *cert_errors; /* Verify error for each cert in chain. */ 62 struct x509_constraints_names *names; /* All names from all certs */ 63 }; 64 65 struct x509_verify_ctx { 66 X509_STORE_CTX *xsc; 67 struct x509_verify_chain **chains; /* Validated chains */ 68 size_t chains_count; 69 int dump_chain; /* Dump current chain without erroring */ 70 STACK_OF(X509) *roots; /* Trusted roots for this validation */ 71 STACK_OF(X509) *intermediates; /* Intermediates provided by peer */ 72 time_t *check_time; /* Time for validity checks */ 73 int purpose; /* Cert purpose we are validating */ 74 size_t max_chains; /* Max chains to return */ 75 size_t max_depth; /* Max chain depth for validation */ 76 size_t max_sigs; /* Max number of signature checks */ 77 size_t sig_checks; /* Number of signature checks done */ 78 size_t error_depth; /* Depth of last error seen */ 79 int error; /* Last error seen */ 80 }; 81 82 int ASN1_time_tm_clamp_notafter(struct tm *tm); 83 84 __BEGIN_HIDDEN_DECLS 85 86 int x509_vfy_check_id(X509_STORE_CTX *ctx); 87 int x509_vfy_check_revocation(X509_STORE_CTX *ctx); 88 int x509_vfy_check_policy(X509_STORE_CTX *ctx); 89 int x509_vfy_check_trust(X509_STORE_CTX *ctx); 90 int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx); 91 void x509v3_cache_extensions(X509 *x); 92 93 int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, 94 int notafter); 95 96 struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, 97 STACK_OF(X509) *roots); 98 99 void x509_constraints_name_clear(struct x509_constraints_name *name); 100 int x509_constraints_names_add(struct x509_constraints_names *names, 101 struct x509_constraints_name *name); 102 struct x509_constraints_names *x509_constraints_names_dup( 103 struct x509_constraints_names *names); 104 void x509_constraints_names_clear(struct x509_constraints_names *names); 105 struct x509_constraints_names *x509_constraints_names_new(size_t names_max); 106 void x509_constraints_names_free(struct x509_constraints_names *names); 107 int x509_constraints_valid_host(uint8_t *name, size_t len); 108 int x509_constraints_valid_sandns(uint8_t *name, size_t len); 109 int x509_constraints_domain(char *domain, size_t dlen, char *constraint, 110 size_t len); 111 int x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, 112 struct x509_constraints_name *name); 113 int x509_constraints_valid_domain_constraint(uint8_t *constraint, 114 size_t len); 115 int x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostp); 116 int x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, 117 size_t len, int *error); 118 int x509_constraints_extract_names(struct x509_constraints_names *names, 119 X509 *cert, int include_cn, int *error); 120 int x509_constraints_extract_constraints(X509 *cert, 121 struct x509_constraints_names *permitted, 122 struct x509_constraints_names *excluded, int *error); 123 int x509_constraints_check(struct x509_constraints_names *names, 124 struct x509_constraints_names *permitted, 125 struct x509_constraints_names *excluded, int *error); 126 int x509_constraints_chain(STACK_OF(X509) *chain, int *error, 127 int *depth); 128 129 __END_HIDDEN_DECLS 130 131 #endif 132