1 /* $OpenBSD: ts_verify_ctx.c,v 1.11 2022/07/24 19:54:46 tb Exp $ */ 2 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL 3 * project 2003. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 #include <string.h> 60 61 #include <openssl/err.h> 62 #include <openssl/objects.h> 63 #include <openssl/ts.h> 64 65 #include "ts_local.h" 66 67 TS_VERIFY_CTX * 68 TS_VERIFY_CTX_new(void) 69 { 70 TS_VERIFY_CTX *ctx = calloc(1, sizeof(TS_VERIFY_CTX)); 71 72 if (!ctx) 73 TSerror(ERR_R_MALLOC_FAILURE); 74 75 return ctx; 76 } 77 78 void 79 TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx) 80 { 81 memset(ctx, 0, sizeof(TS_VERIFY_CTX)); 82 } 83 84 void 85 TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx) 86 { 87 if (!ctx) 88 return; 89 90 TS_VERIFY_CTX_cleanup(ctx); 91 free(ctx); 92 } 93 94 void 95 TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx) 96 { 97 if (!ctx) 98 return; 99 100 X509_STORE_free(ctx->store); 101 sk_X509_pop_free(ctx->certs, X509_free); 102 103 ASN1_OBJECT_free(ctx->policy); 104 105 X509_ALGOR_free(ctx->md_alg); 106 free(ctx->imprint); 107 108 BIO_free_all(ctx->data); 109 110 ASN1_INTEGER_free(ctx->nonce); 111 112 GENERAL_NAME_free(ctx->tsa_name); 113 114 TS_VERIFY_CTX_init(ctx); 115 } 116 117 /* 118 * XXX: The following accessors demonstrate the amount of care and thought that 119 * went into OpenSSL 1.1 API design and the review thereof: for whatever reason 120 * these functions return what was passed in. Correct memory management is left 121 * as an exercise for the reader... Unfortunately, careful consumers like 122 * openssl-ruby assume this behavior, so we're stuck with this insanity. The 123 * cherry on top is the TS_VERIFY_CTS_set_certs() [sic!] function that made it 124 * into the public API. 125 * 126 * Outstanding job, R$ and tjh, A+. 127 */ 128 129 int 130 TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags) 131 { 132 ctx->flags |= flags; 133 134 return ctx->flags; 135 } 136 137 int 138 TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags) 139 { 140 ctx->flags = flags; 141 142 return ctx->flags; 143 } 144 145 BIO * 146 TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio) 147 { 148 ctx->data = bio; 149 150 return ctx->data; 151 } 152 153 X509_STORE * 154 TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *store) 155 { 156 ctx->store = store; 157 158 return ctx->store; 159 } 160 161 STACK_OF(X509) * 162 TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs) 163 { 164 ctx->certs = certs; 165 166 return ctx->certs; 167 } 168 169 unsigned char * 170 TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, unsigned char *imprint, 171 long imprint_len) 172 { 173 free(ctx->imprint); 174 175 ctx->imprint = imprint; 176 ctx->imprint_len = imprint_len; 177 178 return ctx->imprint; 179 } 180 181 TS_VERIFY_CTX * 182 TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx) 183 { 184 TS_VERIFY_CTX *ret = ctx; 185 ASN1_OBJECT *policy; 186 TS_MSG_IMPRINT *imprint; 187 X509_ALGOR *md_alg; 188 ASN1_OCTET_STRING *msg; 189 const ASN1_INTEGER *nonce; 190 191 if (ret) 192 TS_VERIFY_CTX_cleanup(ret); 193 else if (!(ret = TS_VERIFY_CTX_new())) 194 return NULL; 195 196 /* Setting flags. */ 197 ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE); 198 199 /* Setting policy. */ 200 if ((policy = TS_REQ_get_policy_id(req)) != NULL) { 201 if (!(ret->policy = OBJ_dup(policy))) 202 goto err; 203 } else 204 ret->flags &= ~TS_VFY_POLICY; 205 206 /* Setting md_alg, imprint and imprint_len. */ 207 imprint = TS_REQ_get_msg_imprint(req); 208 md_alg = TS_MSG_IMPRINT_get_algo(imprint); 209 if (!(ret->md_alg = X509_ALGOR_dup(md_alg))) 210 goto err; 211 msg = TS_MSG_IMPRINT_get_msg(imprint); 212 ret->imprint_len = ASN1_STRING_length(msg); 213 if (!(ret->imprint = malloc(ret->imprint_len))) 214 goto err; 215 memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len); 216 217 /* Setting nonce. */ 218 if ((nonce = TS_REQ_get_nonce(req)) != NULL) { 219 if (!(ret->nonce = ASN1_INTEGER_dup(nonce))) 220 goto err; 221 } else 222 ret->flags &= ~TS_VFY_NONCE; 223 224 return ret; 225 226 err: 227 if (ctx) 228 TS_VERIFY_CTX_cleanup(ctx); 229 else 230 TS_VERIFY_CTX_free(ret); 231 return NULL; 232 } 233