1 /* $OpenBSD: x509_verify.c,v 1.49.2.1 2021/11/24 09:28:56 tb Exp $ */
2 /*
3 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 /* x509_verify - inspired by golang's crypto/x509.Verify */
19
20 #include <errno.h>
21 #include <stdio.h>
22 #include <string.h>
23 #include <time.h>
24 #include <unistd.h>
25
26 #include <openssl/safestack.h>
27 #include <openssl/x509.h>
28 #include <openssl/x509v3.h>
29
30 #include "x509_internal.h"
31 #include "x509_issuer_cache.h"
32
33 static int x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert,
34 struct x509_verify_chain *current_chain);
35 static void x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
36 struct x509_verify_chain *current_chain, int full_chain);
37 static int x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert,
38 size_t depth, int error, int ok);
39 static void x509_verify_chain_free(struct x509_verify_chain *chain);
40
41 #define X509_VERIFY_CERT_HASH (EVP_sha512())
42
43 struct x509_verify_chain *
x509_verify_chain_new(void)44 x509_verify_chain_new(void)
45 {
46 struct x509_verify_chain *chain;
47
48 if ((chain = calloc(1, sizeof(*chain))) == NULL)
49 goto err;
50 if ((chain->certs = sk_X509_new_null()) == NULL)
51 goto err;
52 if ((chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS,
53 sizeof(int))) == NULL)
54 goto err;
55 if ((chain->names =
56 x509_constraints_names_new(X509_VERIFY_MAX_CHAIN_NAMES)) == NULL)
57 goto err;
58
59 return chain;
60 err:
61 x509_verify_chain_free(chain);
62 return NULL;
63 }
64
65 static void
x509_verify_chain_clear(struct x509_verify_chain * chain)66 x509_verify_chain_clear(struct x509_verify_chain *chain)
67 {
68 sk_X509_pop_free(chain->certs, X509_free);
69 chain->certs = NULL;
70 free(chain->cert_errors);
71 chain->cert_errors = NULL;
72 x509_constraints_names_free(chain->names);
73 chain->names = NULL;
74 }
75
76 static void
x509_verify_chain_free(struct x509_verify_chain * chain)77 x509_verify_chain_free(struct x509_verify_chain *chain)
78 {
79 if (chain == NULL)
80 return;
81 x509_verify_chain_clear(chain);
82 free(chain);
83 }
84
85 static struct x509_verify_chain *
x509_verify_chain_dup(struct x509_verify_chain * chain)86 x509_verify_chain_dup(struct x509_verify_chain *chain)
87 {
88 struct x509_verify_chain *new_chain;
89
90 if ((new_chain = calloc(1, sizeof(*chain))) == NULL)
91 goto err;
92 if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL)
93 goto err;
94 if ((new_chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS,
95 sizeof(int))) == NULL)
96 goto err;
97 memcpy(new_chain->cert_errors, chain->cert_errors,
98 X509_VERIFY_MAX_CHAIN_CERTS * sizeof(int));
99 if ((new_chain->names =
100 x509_constraints_names_dup(chain->names)) == NULL)
101 goto err;
102 return(new_chain);
103 err:
104 x509_verify_chain_free(new_chain);
105 return NULL;
106 }
107
108 static int
x509_verify_chain_append(struct x509_verify_chain * chain,X509 * cert,int * error)109 x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert,
110 int *error)
111 {
112 int verify_err = X509_V_ERR_UNSPECIFIED;
113 size_t idx;
114
115 if (!x509_constraints_extract_names(chain->names, cert,
116 sk_X509_num(chain->certs) == 0, &verify_err)) {
117 *error = verify_err;
118 return 0;
119 }
120
121 X509_up_ref(cert);
122 if (!sk_X509_push(chain->certs, cert)) {
123 X509_free(cert);
124 *error = X509_V_ERR_OUT_OF_MEM;
125 return 0;
126 }
127
128 idx = sk_X509_num(chain->certs) - 1;
129 chain->cert_errors[idx] = *error;
130
131 /*
132 * We've just added the issuer for the previous certificate,
133 * clear its error if appropriate.
134 */
135 if (idx > 1 && chain->cert_errors[idx - 1] ==
136 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
137 chain->cert_errors[idx - 1] = X509_V_OK;
138
139 return 1;
140 }
141
142 static X509 *
x509_verify_chain_last(struct x509_verify_chain * chain)143 x509_verify_chain_last(struct x509_verify_chain *chain)
144 {
145 int last;
146
147 if (chain->certs == NULL)
148 return NULL;
149 if ((last = sk_X509_num(chain->certs) - 1) < 0)
150 return NULL;
151 return sk_X509_value(chain->certs, last);
152 }
153
154 X509 *
x509_verify_chain_leaf(struct x509_verify_chain * chain)155 x509_verify_chain_leaf(struct x509_verify_chain *chain)
156 {
157 if (chain->certs == NULL)
158 return NULL;
159 return sk_X509_value(chain->certs, 0);
160 }
161
162 static void
x509_verify_ctx_reset(struct x509_verify_ctx * ctx)163 x509_verify_ctx_reset(struct x509_verify_ctx *ctx)
164 {
165 size_t i;
166
167 for (i = 0; i < ctx->chains_count; i++)
168 x509_verify_chain_free(ctx->chains[i]);
169 sk_X509_pop_free(ctx->saved_error_chain, X509_free);
170 ctx->saved_error = 0;
171 ctx->saved_error_depth = 0;
172 ctx->error = 0;
173 ctx->error_depth = 0;
174 ctx->chains_count = 0;
175 ctx->sig_checks = 0;
176 ctx->check_time = NULL;
177 }
178
179 static void
x509_verify_ctx_clear(struct x509_verify_ctx * ctx)180 x509_verify_ctx_clear(struct x509_verify_ctx *ctx)
181 {
182 x509_verify_ctx_reset(ctx);
183 sk_X509_pop_free(ctx->intermediates, X509_free);
184 free(ctx->chains);
185 memset(ctx, 0, sizeof(*ctx));
186 }
187
188 static int
x509_verify_cert_cache_extensions(X509 * cert)189 x509_verify_cert_cache_extensions(X509 *cert) {
190 if (!(cert->ex_flags & EXFLAG_SET)) {
191 CRYPTO_w_lock(CRYPTO_LOCK_X509);
192 x509v3_cache_extensions(cert);
193 CRYPTO_w_unlock(CRYPTO_LOCK_X509);
194 }
195 if (cert->ex_flags & EXFLAG_INVALID)
196 return 0;
197 return (cert->ex_flags & EXFLAG_SET);
198 }
199
200 static int
x509_verify_cert_self_signed(X509 * cert)201 x509_verify_cert_self_signed(X509 *cert)
202 {
203 return (cert->ex_flags & EXFLAG_SS) ? 1 : 0;
204 }
205
206 static int
x509_verify_ctx_cert_is_root(struct x509_verify_ctx * ctx,X509 * cert,int full_chain)207 x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
208 int full_chain)
209 {
210 X509 *match = NULL;
211 int i;
212
213 if (!x509_verify_cert_cache_extensions(cert))
214 return 0;
215
216 /* Check by lookup if we have a legacy xsc */
217 if (ctx->xsc != NULL) {
218 if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
219 cert)) != NULL) {
220 X509_free(match);
221 return !full_chain ||
222 x509_verify_cert_self_signed(cert);
223 }
224 } else {
225 /* Check the provided roots */
226 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
227 if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
228 return !full_chain ||
229 x509_verify_cert_self_signed(cert);
230 }
231 }
232
233 return 0;
234 }
235
236 static int
x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx * ctx,struct x509_verify_chain * chain,int set_error,int is_trusted)237 x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx,
238 struct x509_verify_chain *chain, int set_error, int is_trusted)
239 {
240 size_t num_untrusted;
241 int i;
242
243 if (ctx->xsc == NULL)
244 return 1;
245
246 /*
247 * XXX last_untrusted is actually the number of untrusted certs at the
248 * bottom of the chain. This works now since we stop at the first
249 * trusted cert. This will need fixing once we allow more than one
250 * trusted certificate.
251 */
252 num_untrusted = sk_X509_num(chain->certs);
253 if (is_trusted && num_untrusted > 0)
254 num_untrusted--;
255 ctx->xsc->last_untrusted = num_untrusted;
256
257 sk_X509_pop_free(ctx->xsc->chain, X509_free);
258 ctx->xsc->chain = X509_chain_up_ref(chain->certs);
259 if (ctx->xsc->chain == NULL)
260 return x509_verify_cert_error(ctx, NULL, 0,
261 X509_V_ERR_OUT_OF_MEM, 0);
262
263 if (set_error) {
264 ctx->xsc->error = X509_V_OK;
265 ctx->xsc->error_depth = 0;
266 for (i = 0; i < sk_X509_num(chain->certs); i++) {
267 if (chain->cert_errors[i] != X509_V_OK) {
268 ctx->xsc->error = chain->cert_errors[i];
269 ctx->xsc->error_depth = i;
270 break;
271 }
272 }
273 }
274
275 return 1;
276 }
277
278
279 /*
280 * Save the error state and unvalidated chain off of the xsc for
281 * later.
282 */
283 static int
x509_verify_ctx_save_xsc_error(struct x509_verify_ctx * ctx)284 x509_verify_ctx_save_xsc_error(struct x509_verify_ctx *ctx)
285 {
286 if (ctx->xsc != NULL && ctx->xsc->chain != NULL) {
287 sk_X509_pop_free(ctx->saved_error_chain, X509_free);
288 ctx->saved_error_chain = X509_chain_up_ref(ctx->xsc->chain);
289 if (ctx->saved_error_chain == NULL)
290 return x509_verify_cert_error(ctx, NULL, 0,
291 X509_V_ERR_OUT_OF_MEM, 0);
292 ctx->saved_error = ctx->xsc->error;
293 ctx->saved_error_depth = ctx->xsc->error_depth;
294 }
295 return 1;
296 }
297
298 /*
299 * Restore the saved error state and unvalidated chain to the xsc
300 * if we do not have a validated chain.
301 */
302 static int
x509_verify_ctx_restore_xsc_error(struct x509_verify_ctx * ctx)303 x509_verify_ctx_restore_xsc_error(struct x509_verify_ctx *ctx)
304 {
305 if (ctx->xsc != NULL && ctx->chains_count == 0 &&
306 ctx->saved_error_chain != NULL) {
307 sk_X509_pop_free(ctx->xsc->chain, X509_free);
308 ctx->xsc->chain = X509_chain_up_ref(ctx->saved_error_chain);
309 if (ctx->xsc->chain == NULL)
310 return x509_verify_cert_error(ctx, NULL, 0,
311 X509_V_ERR_OUT_OF_MEM, 0);
312 ctx->xsc->error = ctx->saved_error;
313 ctx->xsc->error_depth = ctx->saved_error_depth;
314 }
315 return 1;
316 }
317
318 /* Perform legacy style validation of a chain */
319 static int
x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx * ctx,struct x509_verify_chain * chain,size_t depth)320 x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
321 struct x509_verify_chain *chain, size_t depth)
322 {
323 int ret = 0, trust;
324
325 if (ctx->xsc == NULL)
326 return 1;
327
328 /*
329 * If we have a legacy xsc, choose a validated chain, and
330 * apply the extensions, revocation, and policy checks just
331 * like the legacy code did. We do this here instead of as
332 * building the chains to more easily support the callback and
333 * the bewildering array of VERIFY_PARAM knobs that are there
334 * for the fiddling.
335 */
336
337 /* These may be set in one of the following calls. */
338 ctx->xsc->error = X509_V_OK;
339 ctx->xsc->error_depth = 0;
340
341 trust = x509_vfy_check_trust(ctx->xsc);
342 if (trust == X509_TRUST_REJECTED)
343 goto err;
344
345 if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1))
346 goto err;
347
348 /*
349 * XXX currently this duplicates some work done in chain
350 * build, but we keep it here until we have feature parity
351 */
352 if (!x509_vfy_check_chain_extensions(ctx->xsc))
353 goto err;
354
355 if (!x509_constraints_chain(ctx->xsc->chain,
356 &ctx->xsc->error, &ctx->xsc->error_depth)) {
357 X509 *cert = sk_X509_value(ctx->xsc->chain, depth);
358 if (!x509_verify_cert_error(ctx, cert,
359 ctx->xsc->error_depth, ctx->xsc->error, 0))
360 goto err;
361 }
362
363 if (!x509_vfy_check_revocation(ctx->xsc))
364 goto err;
365
366 if (!x509_vfy_check_policy(ctx->xsc))
367 goto err;
368
369 if ((!(ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)) &&
370 trust != X509_TRUST_TRUSTED)
371 goto err;
372
373 ret = 1;
374
375 err:
376 /*
377 * The above checks may have set ctx->xsc->error and
378 * ctx->xsc->error_depth - save these for later on.
379 */
380 if (ctx->xsc->error != X509_V_OK) {
381 if (ctx->xsc->error_depth < 0 ||
382 ctx->xsc->error_depth >= X509_VERIFY_MAX_CHAIN_CERTS)
383 return 0;
384 chain->cert_errors[ctx->xsc->error_depth] =
385 ctx->xsc->error;
386 ctx->error_depth = ctx->xsc->error_depth;
387 }
388
389 return ret;
390 }
391
392 /* Add a validated chain to our list of valid chains */
393 static int
x509_verify_ctx_add_chain(struct x509_verify_ctx * ctx,struct x509_verify_chain * chain)394 x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
395 struct x509_verify_chain *chain)
396 {
397 size_t depth;
398 X509 *last = x509_verify_chain_last(chain);
399
400 depth = sk_X509_num(chain->certs);
401 if (depth > 0)
402 depth--;
403
404 if (ctx->chains_count >= ctx->max_chains)
405 return x509_verify_cert_error(ctx, last, depth,
406 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0);
407
408 /* Clear a get issuer failure for a root certificate. */
409 if (chain->cert_errors[depth] ==
410 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
411 chain->cert_errors[depth] = X509_V_OK;
412
413 if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth))
414 return 0;
415
416 /*
417 * In the non-legacy code, extensions and purpose are dealt
418 * with as the chain is built.
419 *
420 * The non-legacy api returns multiple chains but does not do
421 * any revocation checking (it must be done by the caller on
422 * any chain they wish to use)
423 */
424
425 if ((ctx->chains[ctx->chains_count] = x509_verify_chain_dup(chain)) ==
426 NULL) {
427 return x509_verify_cert_error(ctx, last, depth,
428 X509_V_ERR_OUT_OF_MEM, 0);
429 }
430 ctx->chains_count++;
431 ctx->error = X509_V_OK;
432 ctx->error_depth = depth;
433 return 1;
434 }
435
436 static int
x509_verify_potential_parent(struct x509_verify_ctx * ctx,X509 * parent,X509 * child)437 x509_verify_potential_parent(struct x509_verify_ctx *ctx, X509 *parent,
438 X509 *child)
439 {
440 if (!x509_verify_cert_cache_extensions(parent))
441 return 0;
442 if (ctx->xsc != NULL)
443 return (ctx->xsc->check_issued(ctx->xsc, child, parent));
444
445 /* XXX key usage */
446 return X509_check_issued(child, parent) != X509_V_OK;
447 }
448
449 static int
x509_verify_parent_signature(X509 * parent,X509 * child,unsigned char * child_md,int * error)450 x509_verify_parent_signature(X509 *parent, X509 *child,
451 unsigned char *child_md, int *error)
452 {
453 unsigned char parent_md[EVP_MAX_MD_SIZE] = { 0 };
454 EVP_PKEY *pkey;
455 int cached;
456 int ret = 0;
457
458 /* Use cached value if we have it */
459 if (child_md != NULL) {
460 if (!X509_digest(parent, X509_VERIFY_CERT_HASH, parent_md,
461 NULL))
462 return 0;
463 if ((cached = x509_issuer_cache_find(parent_md, child_md)) >= 0)
464 return cached;
465 }
466
467 /* Check signature. Did parent sign child? */
468 if ((pkey = X509_get_pubkey(parent)) == NULL) {
469 *error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
470 return 0;
471 }
472 if (X509_verify(child, pkey) <= 0)
473 *error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
474 else
475 ret = 1;
476
477 /* Add result to cache */
478 if (child_md != NULL)
479 x509_issuer_cache_add(parent_md, child_md, ret);
480
481 EVP_PKEY_free(pkey);
482
483 return ret;
484 }
485
486 static int
x509_verify_consider_candidate(struct x509_verify_ctx * ctx,X509 * cert,unsigned char * cert_md,int is_root_cert,X509 * candidate,struct x509_verify_chain * current_chain,int full_chain)487 x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert,
488 unsigned char *cert_md, int is_root_cert, X509 *candidate,
489 struct x509_verify_chain *current_chain, int full_chain)
490 {
491 int depth = sk_X509_num(current_chain->certs);
492 struct x509_verify_chain *new_chain;
493 int i;
494
495 /* Fail if the certificate is already in the chain */
496 for (i = 0; i < sk_X509_num(current_chain->certs); i++) {
497 if (X509_cmp(sk_X509_value(current_chain->certs, i),
498 candidate) == 0)
499 return 0;
500 }
501
502 if (ctx->sig_checks++ > X509_VERIFY_MAX_SIGCHECKS) {
503 /* don't allow callback to override safety check */
504 (void) x509_verify_cert_error(ctx, candidate, depth,
505 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0);
506 return 0;
507 }
508
509 if (!x509_verify_parent_signature(candidate, cert, cert_md,
510 &ctx->error)) {
511 if (!x509_verify_cert_error(ctx, candidate, depth,
512 ctx->error, 0))
513 return 0;
514 }
515
516 if (!x509_verify_cert_valid(ctx, candidate, current_chain))
517 return 0;
518
519 /* candidate is good, add it to a copy of the current chain */
520 if ((new_chain = x509_verify_chain_dup(current_chain)) == NULL) {
521 x509_verify_cert_error(ctx, candidate, depth,
522 X509_V_ERR_OUT_OF_MEM, 0);
523 return 0;
524 }
525 if (!x509_verify_chain_append(new_chain, candidate, &ctx->error)) {
526 x509_verify_cert_error(ctx, candidate, depth, ctx->error, 0);
527 x509_verify_chain_free(new_chain);
528 return 0;
529 }
530
531 /*
532 * If candidate is a trusted root, we have a validated chain,
533 * so we save it. Otherwise, recurse until we find a root or
534 * give up.
535 */
536 if (is_root_cert) {
537 if (!x509_verify_ctx_set_xsc_chain(ctx, new_chain, 0, 1)) {
538 x509_verify_chain_free(new_chain);
539 return 0;
540 }
541 if (!x509_verify_ctx_add_chain(ctx, new_chain)) {
542 x509_verify_chain_free(new_chain);
543 return 0;
544 }
545 goto done;
546 }
547
548 x509_verify_build_chains(ctx, candidate, new_chain, full_chain);
549
550 done:
551 x509_verify_chain_free(new_chain);
552 return 1;
553 }
554
555 static int
x509_verify_cert_error(struct x509_verify_ctx * ctx,X509 * cert,size_t depth,int error,int ok)556 x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, size_t depth,
557 int error, int ok)
558 {
559 ctx->error = error;
560 ctx->error_depth = depth;
561 if (ctx->xsc != NULL) {
562 ctx->xsc->error = error;
563 ctx->xsc->error_depth = depth;
564 ctx->xsc->current_cert = cert;
565 return ctx->xsc->verify_cb(ok, ctx->xsc);
566 }
567 return ok;
568 }
569
570 static void
x509_verify_build_chains(struct x509_verify_ctx * ctx,X509 * cert,struct x509_verify_chain * current_chain,int full_chain)571 x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
572 struct x509_verify_chain *current_chain, int full_chain)
573 {
574 unsigned char cert_md[EVP_MAX_MD_SIZE] = { 0 };
575 X509 *candidate;
576 int i, depth, count, ret, is_root;
577
578 /*
579 * If we are finding chains with an xsc, just stop after we have
580 * one chain, there's no point in finding more, it just exercises
581 * the potentially buggy callback processing in the calling software.
582 */
583 if (ctx->xsc != NULL && ctx->chains_count > 0)
584 return;
585
586 depth = sk_X509_num(current_chain->certs);
587 if (depth > 0)
588 depth--;
589
590 if (depth >= ctx->max_depth &&
591 !x509_verify_cert_error(ctx, cert, depth,
592 X509_V_ERR_CERT_CHAIN_TOO_LONG, 0))
593 return;
594
595 if (!X509_digest(cert, X509_VERIFY_CERT_HASH, cert_md, NULL) &&
596 !x509_verify_cert_error(ctx, cert, depth,
597 X509_V_ERR_UNSPECIFIED, 0))
598 return;
599
600 count = ctx->chains_count;
601
602 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
603 ctx->error_depth = depth;
604
605 if (ctx->saved_error != 0)
606 ctx->error = ctx->saved_error;
607 if (ctx->saved_error_depth != 0)
608 ctx->error_depth = ctx->saved_error_depth;
609
610 if (ctx->xsc != NULL) {
611 /*
612 * Long ago experiments at Muppet labs resulted in a
613 * situation where software not only sees these errors
614 * but forced developers to expect them in certain cases.
615 * so we must mimic this awfulness for the legacy case.
616 */
617 if (cert->ex_flags & EXFLAG_SS)
618 ctx->error = (depth == 0) ?
619 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
620 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
621 }
622
623 /* Check for legacy mode roots */
624 if (ctx->xsc != NULL) {
625 if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) {
626 x509_verify_cert_error(ctx, cert, depth,
627 X509_V_ERR_STORE_LOOKUP, 0);
628 return;
629 }
630 if (ret > 0) {
631 if (x509_verify_potential_parent(ctx, candidate, cert)) {
632 is_root = !full_chain ||
633 x509_verify_cert_self_signed(candidate);
634 x509_verify_consider_candidate(ctx, cert,
635 cert_md, is_root, candidate, current_chain,
636 full_chain);
637 }
638 X509_free(candidate);
639 }
640 } else {
641 /* Check to see if we have a trusted root issuer. */
642 for (i = 0; i < sk_X509_num(ctx->roots); i++) {
643 candidate = sk_X509_value(ctx->roots, i);
644 if (x509_verify_potential_parent(ctx, candidate, cert)) {
645 is_root = !full_chain ||
646 x509_verify_cert_self_signed(candidate);
647 x509_verify_consider_candidate(ctx, cert,
648 cert_md, is_root, candidate, current_chain,
649 full_chain);
650 }
651 }
652 }
653
654 /* Check intermediates after checking roots */
655 if (ctx->intermediates != NULL) {
656 for (i = 0; i < sk_X509_num(ctx->intermediates); i++) {
657 candidate = sk_X509_value(ctx->intermediates, i);
658 if (x509_verify_potential_parent(ctx, candidate, cert)) {
659 x509_verify_consider_candidate(ctx, cert,
660 cert_md, 0, candidate, current_chain,
661 full_chain);
662 }
663 }
664 }
665
666 if (ctx->chains_count > count) {
667 if (ctx->xsc != NULL) {
668 ctx->xsc->error = X509_V_OK;
669 ctx->xsc->error_depth = depth;
670 ctx->xsc->current_cert = cert;
671 }
672 } else if (ctx->error_depth == depth) {
673 if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0, 0))
674 return;
675 }
676 }
677
678 static int
x509_verify_cert_hostname(struct x509_verify_ctx * ctx,X509 * cert,char * name)679 x509_verify_cert_hostname(struct x509_verify_ctx *ctx, X509 *cert, char *name)
680 {
681 char *candidate;
682 size_t len;
683
684 if (name == NULL) {
685 if (ctx->xsc != NULL) {
686 int ret;
687
688 if ((ret = x509_vfy_check_id(ctx->xsc)) == 0)
689 ctx->error = ctx->xsc->error;
690 return ret;
691 }
692 return 1;
693 }
694 if ((candidate = strdup(name)) == NULL) {
695 ctx->error = X509_V_ERR_OUT_OF_MEM;
696 goto err;
697 }
698 if ((len = strlen(candidate)) < 1) {
699 ctx->error = X509_V_ERR_UNSPECIFIED; /* XXX */
700 goto err;
701 }
702
703 /* IP addresses may be written in [ ]. */
704 if (candidate[0] == '[' && candidate[len - 1] == ']') {
705 candidate[len - 1] = '\0';
706 if (X509_check_ip_asc(cert, candidate + 1, 0) <= 0) {
707 ctx->error = X509_V_ERR_IP_ADDRESS_MISMATCH;
708 goto err;
709 }
710 } else {
711 int flags = 0;
712
713 if (ctx->xsc == NULL)
714 flags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
715
716 if (X509_check_host(cert, candidate, len, flags, NULL) <= 0) {
717 ctx->error = X509_V_ERR_HOSTNAME_MISMATCH;
718 goto err;
719 }
720 }
721 free(candidate);
722 return 1;
723 err:
724 free(candidate);
725 return x509_verify_cert_error(ctx, cert, 0, ctx->error, 0);
726 }
727
728 static int
x509_verify_set_check_time(struct x509_verify_ctx * ctx)729 x509_verify_set_check_time(struct x509_verify_ctx *ctx) {
730 if (ctx->xsc != NULL) {
731 if (ctx->xsc->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
732 ctx->check_time = &ctx->xsc->param->check_time;
733 return 1;
734 }
735 if (ctx->xsc->param->flags & X509_V_FLAG_NO_CHECK_TIME)
736 return 0;
737 }
738
739 ctx->check_time = NULL;
740 return 1;
741 }
742
743 int
x509_verify_asn1_time_to_tm(const ASN1_TIME * atime,struct tm * tm,int notafter)744 x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter)
745 {
746 int type;
747
748 type = ASN1_time_parse(atime->data, atime->length, tm, atime->type);
749 if (type == -1)
750 return 0;
751
752 /* RFC 5280 section 4.1.2.5 */
753 if (tm->tm_year < 150 && type != V_ASN1_UTCTIME)
754 return 0;
755 if (tm->tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME)
756 return 0;
757
758 if (notafter) {
759 /*
760 * If we are a completely broken operating system with a
761 * 32 bit time_t, and we have been told this is a notafter
762 * date, limit the date to a 32 bit representable value.
763 */
764 if (!ASN1_time_tm_clamp_notafter(tm))
765 return 0;
766 }
767
768 /*
769 * Defensively fail if the time string is not representable as
770 * a time_t. A time_t must be sane if you care about times after
771 * Jan 19 2038.
772 */
773 if (timegm(tm) == -1)
774 return 0;
775
776 return 1;
777 }
778
779 static int
x509_verify_cert_time(int is_notafter,const ASN1_TIME * cert_asn1,time_t * cmp_time,int * error)780 x509_verify_cert_time(int is_notafter, const ASN1_TIME *cert_asn1,
781 time_t *cmp_time, int *error)
782 {
783 struct tm cert_tm, when_tm;
784 time_t when;
785
786 if (cmp_time == NULL)
787 when = time(NULL);
788 else
789 when = *cmp_time;
790
791 if (!x509_verify_asn1_time_to_tm(cert_asn1, &cert_tm,
792 is_notafter)) {
793 *error = is_notafter ?
794 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD :
795 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
796 return 0;
797 }
798
799 if (gmtime_r(&when, &when_tm) == NULL) {
800 *error = X509_V_ERR_UNSPECIFIED;
801 return 0;
802 }
803
804 if (is_notafter) {
805 if (ASN1_time_tm_cmp(&cert_tm, &when_tm) == -1) {
806 *error = X509_V_ERR_CERT_HAS_EXPIRED;
807 return 0;
808 }
809 } else {
810 if (ASN1_time_tm_cmp(&cert_tm, &when_tm) == 1) {
811 *error = X509_V_ERR_CERT_NOT_YET_VALID;
812 return 0;
813 }
814 }
815
816 return 1;
817 }
818
819 static int
x509_verify_validate_constraints(X509 * cert,struct x509_verify_chain * current_chain,int * error)820 x509_verify_validate_constraints(X509 *cert,
821 struct x509_verify_chain *current_chain, int *error)
822 {
823 struct x509_constraints_names *excluded = NULL;
824 struct x509_constraints_names *permitted = NULL;
825 int err = X509_V_ERR_UNSPECIFIED;
826
827 if (current_chain == NULL)
828 return 1;
829
830 if (cert->nc != NULL) {
831 if ((permitted = x509_constraints_names_new(
832 X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) {
833 err = X509_V_ERR_OUT_OF_MEM;
834 goto err;
835 }
836 if ((excluded = x509_constraints_names_new(
837 X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) {
838 err = X509_V_ERR_OUT_OF_MEM;
839 goto err;
840 }
841 if (!x509_constraints_extract_constraints(cert,
842 permitted, excluded, &err))
843 goto err;
844 if (!x509_constraints_check(current_chain->names,
845 permitted, excluded, &err))
846 goto err;
847 x509_constraints_names_free(excluded);
848 x509_constraints_names_free(permitted);
849 }
850
851 return 1;
852 err:
853 *error = err;
854 x509_constraints_names_free(excluded);
855 x509_constraints_names_free(permitted);
856 return 0;
857 }
858
859 static int
x509_verify_cert_extensions(struct x509_verify_ctx * ctx,X509 * cert,int need_ca)860 x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca)
861 {
862 if (!x509_verify_cert_cache_extensions(cert)) {
863 ctx->error = X509_V_ERR_UNSPECIFIED;
864 return 0;
865 }
866
867 if (ctx->xsc != NULL)
868 return 1; /* legacy is checked after chain is built */
869
870 if (cert->ex_flags & EXFLAG_CRITICAL) {
871 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
872 return 0;
873 }
874 /* No we don't care about v1, netscape, and other ancient silliness */
875 if (need_ca && (!(cert->ex_flags & EXFLAG_BCONS) &&
876 (cert->ex_flags & EXFLAG_CA))) {
877 ctx->error = X509_V_ERR_INVALID_CA;
878 return 0;
879 }
880 if (ctx->purpose > 0 && X509_check_purpose(cert, ctx->purpose, need_ca)) {
881 ctx->error = X509_V_ERR_INVALID_PURPOSE;
882 return 0;
883 }
884
885 /* XXX support proxy certs later in new api */
886 if (ctx->xsc == NULL && cert->ex_flags & EXFLAG_PROXY) {
887 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
888 return 0;
889 }
890
891 return 1;
892 }
893
894 /* Validate that cert is a possible candidate to append to current_chain */
895 static int
x509_verify_cert_valid(struct x509_verify_ctx * ctx,X509 * cert,struct x509_verify_chain * current_chain)896 x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert,
897 struct x509_verify_chain *current_chain)
898 {
899 X509 *issuer_candidate;
900 int should_be_ca = current_chain != NULL;
901 size_t depth = 0;
902
903 if (current_chain != NULL)
904 depth = sk_X509_num(current_chain->certs);
905
906 if (!x509_verify_cert_extensions(ctx, cert, should_be_ca))
907 return 0;
908
909 if (should_be_ca) {
910 issuer_candidate = x509_verify_chain_last(current_chain);
911 if (issuer_candidate != NULL &&
912 !X509_check_issued(issuer_candidate, cert))
913 if (!x509_verify_cert_error(ctx, cert, depth,
914 X509_V_ERR_SUBJECT_ISSUER_MISMATCH, 0))
915 return 0;
916 }
917
918 if (x509_verify_set_check_time(ctx)) {
919 if (!x509_verify_cert_time(0, X509_get_notBefore(cert),
920 ctx->check_time, &ctx->error)) {
921 if (!x509_verify_cert_error(ctx, cert, depth,
922 ctx->error, 0))
923 return 0;
924 }
925
926 if (!x509_verify_cert_time(1, X509_get_notAfter(cert),
927 ctx->check_time, &ctx->error)) {
928 if (!x509_verify_cert_error(ctx, cert, depth,
929 ctx->error, 0))
930 return 0;
931 }
932 }
933
934 if (!x509_verify_validate_constraints(cert, current_chain,
935 &ctx->error) && !x509_verify_cert_error(ctx, cert, depth,
936 ctx->error, 0))
937 return 0;
938
939 return 1;
940 }
941
942 struct x509_verify_ctx *
x509_verify_ctx_new_from_xsc(X509_STORE_CTX * xsc)943 x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc)
944 {
945 struct x509_verify_ctx *ctx;
946 size_t max_depth;
947
948 if (xsc == NULL)
949 return NULL;
950
951 if ((ctx = x509_verify_ctx_new(NULL)) == NULL)
952 return NULL;
953
954 ctx->xsc = xsc;
955
956 if (xsc->untrusted &&
957 (ctx->intermediates = X509_chain_up_ref(xsc->untrusted)) == NULL)
958 goto err;
959
960 max_depth = X509_VERIFY_MAX_CHAIN_CERTS;
961 if (xsc->param->depth > 0 && xsc->param->depth < X509_VERIFY_MAX_CHAIN_CERTS)
962 max_depth = xsc->param->depth;
963 if (!x509_verify_ctx_set_max_depth(ctx, max_depth))
964 goto err;
965
966 return ctx;
967 err:
968 x509_verify_ctx_free(ctx);
969 return NULL;
970 }
971
972 /* Public API */
973
974 struct x509_verify_ctx *
x509_verify_ctx_new(STACK_OF (X509)* roots)975 x509_verify_ctx_new(STACK_OF(X509) *roots)
976 {
977 struct x509_verify_ctx *ctx;
978
979 if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL)
980 return NULL;
981
982 if (roots != NULL) {
983 if ((ctx->roots = X509_chain_up_ref(roots)) == NULL)
984 goto err;
985 } else {
986 if ((ctx->roots = sk_X509_new_null()) == NULL)
987 goto err;
988 }
989
990 ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS;
991 ctx->max_chains = X509_VERIFY_MAX_CHAINS;
992 ctx->max_sigs = X509_VERIFY_MAX_SIGCHECKS;
993
994 if ((ctx->chains = calloc(X509_VERIFY_MAX_CHAINS,
995 sizeof(*ctx->chains))) == NULL)
996 goto err;
997
998 return ctx;
999 err:
1000 x509_verify_ctx_free(ctx);
1001 return NULL;
1002 }
1003
1004 void
x509_verify_ctx_free(struct x509_verify_ctx * ctx)1005 x509_verify_ctx_free(struct x509_verify_ctx *ctx)
1006 {
1007 if (ctx == NULL)
1008 return;
1009 sk_X509_pop_free(ctx->roots, X509_free);
1010 x509_verify_ctx_clear(ctx);
1011 free(ctx);
1012 }
1013
1014 int
x509_verify_ctx_set_max_depth(struct x509_verify_ctx * ctx,size_t max)1015 x509_verify_ctx_set_max_depth(struct x509_verify_ctx *ctx, size_t max)
1016 {
1017 if (max < 1 || max > X509_VERIFY_MAX_CHAIN_CERTS)
1018 return 0;
1019 ctx->max_depth = max;
1020 return 1;
1021 }
1022
1023 int
x509_verify_ctx_set_max_chains(struct x509_verify_ctx * ctx,size_t max)1024 x509_verify_ctx_set_max_chains(struct x509_verify_ctx *ctx, size_t max)
1025 {
1026 if (max < 1 || max > X509_VERIFY_MAX_CHAINS)
1027 return 0;
1028 ctx->max_chains = max;
1029 return 1;
1030 }
1031
1032 int
x509_verify_ctx_set_max_signatures(struct x509_verify_ctx * ctx,size_t max)1033 x509_verify_ctx_set_max_signatures(struct x509_verify_ctx *ctx, size_t max)
1034 {
1035 if (max < 1 || max > 100000)
1036 return 0;
1037 ctx->max_sigs = max;
1038 return 1;
1039 }
1040
1041 int
x509_verify_ctx_set_purpose(struct x509_verify_ctx * ctx,int purpose)1042 x509_verify_ctx_set_purpose(struct x509_verify_ctx *ctx, int purpose)
1043 {
1044 if (purpose < X509_PURPOSE_MIN || purpose > X509_PURPOSE_MAX)
1045 return 0;
1046 ctx->purpose = purpose;
1047 return 1;
1048 }
1049
1050 int
x509_verify_ctx_set_intermediates(struct x509_verify_ctx * ctx,STACK_OF (X509)* intermediates)1051 x509_verify_ctx_set_intermediates(struct x509_verify_ctx *ctx,
1052 STACK_OF(X509) *intermediates)
1053 {
1054 if ((ctx->intermediates = X509_chain_up_ref(intermediates)) == NULL)
1055 return 0;
1056 return 1;
1057 }
1058
1059 const char *
x509_verify_ctx_error_string(struct x509_verify_ctx * ctx)1060 x509_verify_ctx_error_string(struct x509_verify_ctx *ctx)
1061 {
1062 return X509_verify_cert_error_string(ctx->error);
1063 }
1064
1065 size_t
x509_verify_ctx_error_depth(struct x509_verify_ctx * ctx)1066 x509_verify_ctx_error_depth(struct x509_verify_ctx *ctx)
1067 {
1068 return ctx->error_depth;
1069 }
1070
STACK_OF(X509)1071 STACK_OF(X509) *
1072 x509_verify_ctx_chain(struct x509_verify_ctx *ctx, size_t i)
1073 {
1074 if (i >= ctx->chains_count)
1075 return NULL;
1076 return ctx->chains[i]->certs;
1077 }
1078
1079 size_t
x509_verify(struct x509_verify_ctx * ctx,X509 * leaf,char * name)1080 x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
1081 {
1082 struct x509_verify_chain *current_chain;
1083 int retry_chain_build, full_chain = 0;
1084
1085 if (ctx->roots == NULL || ctx->max_depth == 0) {
1086 ctx->error = X509_V_ERR_INVALID_CALL;
1087 goto err;
1088 }
1089
1090 if (ctx->xsc != NULL) {
1091 if (leaf != NULL || name != NULL) {
1092 ctx->error = X509_V_ERR_INVALID_CALL;
1093 goto err;
1094 }
1095 leaf = ctx->xsc->cert;
1096
1097 /* XXX */
1098 full_chain = 1;
1099 if (ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
1100 full_chain = 0;
1101 /*
1102 * XXX
1103 * The legacy code expects the top level cert to be
1104 * there, even if we didn't find a chain. So put it
1105 * there, we will clobber it later if we find a valid
1106 * chain.
1107 */
1108 if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) {
1109 ctx->error = X509_V_ERR_OUT_OF_MEM;
1110 goto err;
1111 }
1112 if (!X509_up_ref(leaf)) {
1113 ctx->error = X509_V_ERR_OUT_OF_MEM;
1114 goto err;
1115 }
1116 if (!sk_X509_push(ctx->xsc->chain, leaf)) {
1117 X509_free(leaf);
1118 ctx->error = X509_V_ERR_OUT_OF_MEM;
1119 goto err;
1120 }
1121 ctx->xsc->error_depth = 0;
1122 ctx->xsc->current_cert = leaf;
1123 }
1124
1125 if (!x509_verify_cert_valid(ctx, leaf, NULL))
1126 goto err;
1127
1128 if (!x509_verify_cert_hostname(ctx, leaf, name))
1129 goto err;
1130
1131 if ((current_chain = x509_verify_chain_new()) == NULL) {
1132 ctx->error = X509_V_ERR_OUT_OF_MEM;
1133 goto err;
1134 }
1135 if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) {
1136 x509_verify_chain_free(current_chain);
1137 goto err;
1138 }
1139 do {
1140 retry_chain_build = 0;
1141 if (x509_verify_ctx_cert_is_root(ctx, leaf, full_chain)) {
1142 if (!x509_verify_ctx_add_chain(ctx, current_chain)) {
1143 x509_verify_chain_free(current_chain);
1144 goto err;
1145 }
1146 } else {
1147 x509_verify_build_chains(ctx, leaf, current_chain,
1148 full_chain);
1149 if (full_chain && ctx->chains_count == 0) {
1150 /*
1151 * Save the error state from the xsc
1152 * at this point to put back on the
1153 * xsc in case we do not find a chain
1154 * that is trusted but not a full
1155 * chain to a self signed root. This
1156 * is because the unvalidated chain is
1157 * used by the autochain batshittery
1158 * on failure and will be needed for
1159 * that.
1160 */
1161 if (!x509_verify_ctx_save_xsc_error(ctx)) {
1162 x509_verify_chain_free(current_chain);
1163 goto err;
1164 }
1165 full_chain = 0;
1166 retry_chain_build = 1;
1167 }
1168 }
1169 } while (retry_chain_build);
1170
1171 x509_verify_chain_free(current_chain);
1172
1173 /*
1174 * Do the new verifier style return, where we don't have an xsc
1175 * that allows a crazy callback to turn invalid things into valid.
1176 */
1177 if (ctx->xsc == NULL) {
1178 /*
1179 * Safety net:
1180 * We could not find a validated chain, and for some reason do not
1181 * have an error set.
1182 */
1183 if (ctx->chains_count == 0 && ctx->error == X509_V_OK)
1184 ctx->error = X509_V_ERR_UNSPECIFIED;
1185
1186 /*
1187 * If we are not using an xsc, and have no possibility for the
1188 * crazy OpenSSL callback API changing the results of
1189 * validation steps (because the callback can make validation
1190 * proceed in the presence of invalid certs), any chains we
1191 * have here are correctly built and verified.
1192 */
1193 if (ctx->chains_count > 0)
1194 ctx->error = X509_V_OK;
1195
1196 return ctx->chains_count;
1197 }
1198
1199 /*
1200 * Otherwise we are doing compatibility with an xsc, which means that we
1201 * will have one chain, which might actually be a bogus chain because
1202 * the callback told us to ignore errors and proceed to build an invalid
1203 * chain. Possible return values from this include returning 1 with an
1204 * invalid chain and a value of xsc->error != X509_V_OK (It's tradition
1205 * that makes it ok).
1206 */
1207
1208 if (ctx->chains_count > 0) {
1209 /*
1210 * The chain we have using an xsc might not be a verified chain
1211 * if the callback perverted things while we built it to ignore
1212 * failures and proceed with chain building. We put this chain
1213 * and the error associated with it on the xsc.
1214 */
1215 if (!x509_verify_ctx_set_xsc_chain(ctx, ctx->chains[0], 1, 1))
1216 goto err;
1217
1218 /*
1219 * Call the callback for completion up our built
1220 * chain. The callback could still tell us to
1221 * fail. Since this chain might exist as the result of
1222 * callback doing perversions, we could still return
1223 * "success" with something other than X509_V_OK set
1224 * as the error.
1225 */
1226 if (!x509_vfy_callback_indicate_completion(ctx->xsc))
1227 goto err;
1228 } else {
1229 /*
1230 * We did not find a chain. Bring back the failure
1231 * case we wanted to the xsc if we saved one. If we
1232 * did not we should have just the leaf on the xsc.
1233 */
1234 if (!x509_verify_ctx_restore_xsc_error(ctx))
1235 goto err;
1236
1237 /*
1238 * Safety net, ensure we have an error set in the
1239 * failing case.
1240 */
1241 if (ctx->xsc->error == X509_V_OK) {
1242 if (ctx->error == X509_V_OK)
1243 ctx->error = X509_V_ERR_UNSPECIFIED;
1244 ctx->xsc->error = ctx->error;
1245 }
1246
1247 /*
1248 * Let the callback override the return value
1249 * at depth 0 if it chooses to
1250 */
1251 return ctx->xsc->verify_cb(0, ctx->xsc);
1252 }
1253
1254 /* We only ever find one chain in compat mode with an xsc. */
1255 return 1;
1256
1257 err:
1258 if (ctx->error == X509_V_OK)
1259 ctx->error = X509_V_ERR_UNSPECIFIED;
1260
1261 if (ctx->xsc != NULL) {
1262 if (ctx->xsc->error == X509_V_OK)
1263 ctx->xsc->error = X509_V_ERR_UNSPECIFIED;
1264 ctx->error = ctx->xsc->error;
1265 }
1266
1267 return 0;
1268 }
1269
1270