1 /* $OpenBSD: callbackfailures.c,v 1.2 2023/01/28 19:12:20 tb Exp $ */ 2 /* 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <err.h> 20 #include <string.h> 21 22 #include <openssl/bio.h> 23 #include <openssl/err.h> 24 #include <openssl/pem.h> 25 #include <openssl/x509.h> 26 #include <openssl/x509v3.h> 27 28 #include "x509_verify.h" 29 30 #define MODE_MODERN_VFY 0 31 #define MODE_MODERN_VFY_DIR 1 32 #define MODE_LEGACY_VFY 2 33 #define MODE_VERIFY 3 34 35 static int verbose = 1; 36 37 static int expected_depth; 38 static int expected_error; 39 static int seen_depth; 40 static int seen_error; 41 42 static int 43 passwd_cb(char *buf, int size, int rwflag, void *u) 44 { 45 memset(buf, 0, size); 46 return (0); 47 } 48 49 static int 50 certs_from_file(const char *filename, STACK_OF(X509) **certs, int clear) 51 { 52 STACK_OF(X509_INFO) *xis = NULL; 53 STACK_OF(X509) *xs = NULL; 54 BIO *bio = NULL; 55 X509 *x; 56 int i; 57 58 if (clear) { 59 if ((xs = sk_X509_new_null()) == NULL) 60 errx(1, "failed to create X509 stack"); 61 } else 62 xs = *certs; 63 if ((bio = BIO_new_file(filename, "r")) == NULL) { 64 ERR_print_errors_fp(stderr); 65 errx(1, "failed to create bio"); 66 } 67 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, passwd_cb, NULL)) == NULL) 68 errx(1, "failed to read PEM"); 69 70 for (i = 0; i < sk_X509_INFO_num(xis); i++) { 71 if ((x = sk_X509_INFO_value(xis, i)->x509) == NULL) 72 continue; 73 if (!sk_X509_push(xs, x)) 74 errx(1, "failed to push X509"); 75 X509_up_ref(x); 76 } 77 78 *certs = xs; 79 xs = NULL; 80 81 sk_X509_INFO_pop_free(xis, X509_INFO_free); 82 sk_X509_pop_free(xs, X509_free); 83 BIO_free(bio); 84 85 return 1; 86 } 87 88 static int 89 verify_cert_cb(int ok, X509_STORE_CTX *xsc) 90 { 91 X509 *current_cert; 92 int verify_err; 93 94 current_cert = X509_STORE_CTX_get_current_cert(xsc); 95 if (current_cert != NULL) { 96 X509_NAME_print_ex_fp(stderr, 97 X509_get_subject_name(current_cert), 0, 98 XN_FLAG_ONELINE); 99 fprintf(stderr, "\n"); 100 } 101 102 verify_err = X509_STORE_CTX_get_error(xsc); 103 if (verify_err != X509_V_OK) { 104 seen_depth = X509_STORE_CTX_get_error_depth(xsc); 105 seen_error = verify_err; 106 fprintf(stderr, "verify error at depth %d: %s\n", 107 X509_STORE_CTX_get_error_depth(xsc), 108 X509_verify_cert_error_string(verify_err)); 109 } 110 111 fprintf(stderr, "chain of length %d\n", sk_X509_num (X509_STORE_CTX_get0_chain (xsc))); 112 113 return ok; 114 } 115 116 static void 117 verify_cert(const char *roots_dir, const char *roots_file, 118 const char *bundle_file, const char*bundle_file2, int *chains, int mode) 119 { 120 STACK_OF(X509) *roots = NULL, *bundle = NULL; 121 X509_STORE_CTX *xsc = NULL; 122 X509_STORE *store = NULL; 123 int verify_err, use_dir; 124 X509 *leaf = NULL; 125 126 *chains = 0; 127 use_dir = (mode == MODE_MODERN_VFY_DIR); 128 129 if (!use_dir && !certs_from_file(roots_file, &roots, 1)) 130 errx(1, "failed to load roots from '%s'", roots_file); 131 if (!certs_from_file(bundle_file, &bundle, 1)) 132 errx(1, "failed to load bundle from '%s'", bundle_file); 133 if (!certs_from_file(bundle_file, &bundle, 0)) 134 errx(1, "failed to load bundle from '%s'", bundle_file2); 135 if (sk_X509_num(bundle) < 1) 136 errx(1, "not enough certs in bundle"); 137 leaf = sk_X509_shift(bundle); 138 139 if ((xsc = X509_STORE_CTX_new()) == NULL) 140 errx(1, "X509_STORE_CTX"); 141 if (use_dir && (store = X509_STORE_new()) == NULL) 142 errx(1, "X509_STORE"); 143 if (!X509_STORE_CTX_init(xsc, store, leaf, bundle)) { 144 ERR_print_errors_fp(stderr); 145 errx(1, "failed to init store context"); 146 } 147 148 if (use_dir) { 149 if (!X509_STORE_load_locations(store, NULL, roots_dir)) 150 errx(1, "failed to set by_dir directory of %s", roots_dir); 151 } 152 if (mode == MODE_LEGACY_VFY) 153 X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_LEGACY_VERIFY); 154 else 155 X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(xsc), 156 X509_V_FLAG_LEGACY_VERIFY); 157 158 if (verbose) 159 X509_STORE_CTX_set_verify_cb(xsc, verify_cert_cb); 160 if (!use_dir) 161 X509_STORE_CTX_set0_trusted_stack(xsc, roots); 162 163 if (X509_verify_cert(xsc) == 1) { 164 *chains = 1; /* XXX */ 165 goto done; 166 } 167 168 verify_err = X509_STORE_CTX_get_error(xsc); 169 if (verify_err == 0) 170 errx(1, "Error unset on failure!\n"); 171 172 fprintf(stderr, "failed to verify at %d: %s\n", 173 X509_STORE_CTX_get_error_depth(xsc), 174 X509_verify_cert_error_string(verify_err)); 175 176 done: 177 sk_X509_pop_free(roots, X509_free); 178 sk_X509_pop_free(bundle, X509_free); 179 X509_STORE_free(store); 180 X509_STORE_CTX_free(xsc); 181 X509_free(leaf); 182 } 183 184 struct verify_cert_test { 185 const char *id; 186 int want_chains; 187 int failing; 188 int depth; 189 int error; 190 }; 191 192 struct verify_cert_test verify_cert_tests[] = { 193 { 194 .id = "1a", 195 .want_chains = 0, 196 .depth = 0, 197 .error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 198 }, 199 { 200 .id = "2a", 201 .want_chains = 0, 202 .depth = 1, 203 .error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 204 }, 205 { 206 .id = "2c", 207 .want_chains = 0, 208 .depth = 2, 209 .error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, 210 }, 211 }; 212 213 #define N_VERIFY_CERT_TESTS \ 214 (sizeof(verify_cert_tests) / sizeof(*verify_cert_tests)) 215 216 static int 217 verify_cert_test(const char *certs_path, int mode) 218 { 219 char *roots_file, *bundle_file, *bundle_file2, *roots_dir; 220 struct verify_cert_test *vct; 221 int failed = 0; 222 int chains; 223 size_t i; 224 225 for (i = 0; i < N_VERIFY_CERT_TESTS; i++) { 226 vct = &verify_cert_tests[i]; 227 228 if (asprintf(&roots_file, "/etc/ssl/cert.pem") == -1) 229 errx(1, "asprintf"); 230 if (asprintf(&bundle_file, "%s/%s/bundle.pem", certs_path, 231 vct->id) == -1) 232 errx(1, "asprintf"); 233 if (asprintf(&bundle_file2, "%s/%s/roots.pem", certs_path, 234 vct->id) == -1) 235 errx(1, "asprintf"); 236 if (asprintf(&roots_dir, "./%s/roots", vct->id) == -1) 237 errx(1, "asprintf"); 238 239 fprintf(stderr, "== Test %zu (%s)\n", i, vct->id); 240 fprintf(stderr, "== depth %d\n", vct->depth); 241 fprintf(stderr, "== error %d\n", vct->error); 242 expected_depth = vct->depth; 243 expected_error = vct->error; 244 verify_cert(roots_dir, roots_file, bundle_file, bundle_file2, &chains, mode); 245 if (chains == 0 && vct->want_chains == 0) { 246 if (seen_error != expected_error) { 247 fprintf(stderr, "FAIL: expected error %d, got %d\n", 248 seen_error, expected_error); 249 failed |= 1; 250 } 251 if (seen_depth != expected_depth) { 252 fprintf(stderr, "FAIL: expected depth %d, got %d\n", 253 seen_depth, expected_depth); 254 failed |= 1; 255 } 256 } 257 258 if ((mode == MODE_VERIFY && chains == vct->want_chains) || 259 (chains == 0 && vct->want_chains == 0) || 260 (chains == 1 && vct->want_chains > 0)) { 261 fprintf(stderr, "INFO: Succeeded with %d chains%s\n", 262 chains, vct->failing ? " (legacy failure)" : ""); 263 if (mode == MODE_LEGACY_VFY && vct->failing) 264 failed |= 1; 265 } else { 266 fprintf(stderr, "FAIL: Failed with %d chains%s\n", 267 chains, vct->failing ? " (legacy failure)" : ""); 268 if (!vct->failing) 269 failed |= 1; 270 } 271 fprintf(stderr, "\n"); 272 273 free(roots_file); 274 free(bundle_file); 275 free(bundle_file2); 276 free(roots_dir); 277 } 278 279 return failed; 280 } 281 282 int 283 main(int argc, char **argv) 284 { 285 int failed = 0; 286 287 if (argc != 2) { 288 fprintf(stderr, "usage: %s <certs_path>\n", argv[0]); 289 exit(1); 290 } 291 292 fprintf(stderr, "\n\nTesting legacy x509_vfy\n"); 293 failed |= verify_cert_test(argv[1], MODE_LEGACY_VFY); 294 fprintf(stderr, "\n\nTesting modern x509_vfy\n"); 295 failed |= verify_cert_test(argv[1], MODE_MODERN_VFY); 296 297 return (failed); 298 } 299