1 /* $OpenBSD: x509_internal.h,v 1.19 2022/06/27 14:10:22 tb Exp $ */ 2 /* 3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 #ifndef HEADER_X509_INTERNAL_H 18 #define HEADER_X509_INTERNAL_H 19 20 /* Internal use only, not public API */ 21 #include <netinet/in.h> 22 23 #include <openssl/x509_verify.h> 24 25 #include "x509_lcl.h" 26 27 /* Hard limits on structure size and number of signature checks. */ 28 #define X509_VERIFY_MAX_CHAINS 8 /* Max validated chains */ 29 #define X509_VERIFY_MAX_CHAIN_CERTS 32 /* Max depth of a chain */ 30 #define X509_VERIFY_MAX_SIGCHECKS 256 /* Max signature checks */ 31 32 /* 33 * Limit the number of names and constraints we will check in a chain 34 * to avoid a hostile input DOS 35 */ 36 #define X509_VERIFY_MAX_CHAIN_NAMES 512 37 #define X509_VERIFY_MAX_CHAIN_CONSTRAINTS 512 38 39 /* 40 * Hold the parsed and validated result of names from a certificate. 41 * these typically come from a GENERALNAME, but we store the parsed 42 * and validated results, not the ASN1 bytes. 43 */ 44 struct x509_constraints_name { 45 int type; /* GEN_* types from GENERAL_NAME */ 46 char *name; /* Name to check */ 47 char *local; /* holds the local part of GEN_EMAIL */ 48 uint8_t *der; /* DER encoded value or NULL*/ 49 size_t der_len; 50 int af; /* INET and INET6 are supported */ 51 uint8_t address[32]; /* Must hold ipv6 + mask */ 52 }; 53 54 struct x509_constraints_names { 55 struct x509_constraints_name **names; 56 size_t names_count; 57 size_t names_len; 58 size_t names_max; 59 }; 60 61 struct x509_verify_chain { 62 STACK_OF(X509) *certs; /* Kept in chain order, includes leaf */ 63 int *cert_errors; /* Verify error for each cert in chain. */ 64 struct x509_constraints_names *names; /* All names from all certs */ 65 }; 66 67 struct x509_verify_ctx { 68 X509_STORE_CTX *xsc; 69 struct x509_verify_chain **chains; /* Validated chains */ 70 STACK_OF(X509) *saved_error_chain; 71 int saved_error; 72 int saved_error_depth; 73 size_t chains_count; 74 STACK_OF(X509) *roots; /* Trusted roots for this validation */ 75 STACK_OF(X509) *intermediates; /* Intermediates provided by peer */ 76 time_t *check_time; /* Time for validity checks */ 77 int purpose; /* Cert purpose we are validating */ 78 size_t max_chains; /* Max chains to return */ 79 size_t max_depth; /* Max chain depth for validation */ 80 size_t max_sigs; /* Max number of signature checks */ 81 size_t sig_checks; /* Number of signature checks done */ 82 size_t error_depth; /* Depth of last error seen */ 83 int error; /* Last error seen */ 84 }; 85 86 int ASN1_time_tm_clamp_notafter(struct tm *tm); 87 88 __BEGIN_HIDDEN_DECLS 89 90 int x509_vfy_check_id(X509_STORE_CTX *ctx); 91 int x509_vfy_check_revocation(X509_STORE_CTX *ctx); 92 int x509_vfy_check_policy(X509_STORE_CTX *ctx); 93 int x509_vfy_check_trust(X509_STORE_CTX *ctx); 94 int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx); 95 int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx); 96 void x509v3_cache_extensions(X509 *x); 97 X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x); 98 99 time_t x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter); 100 101 struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc); 102 103 void x509_constraints_name_clear(struct x509_constraints_name *name); 104 void x509_constraints_name_free(struct x509_constraints_name *name); 105 int x509_constraints_names_add(struct x509_constraints_names *names, 106 struct x509_constraints_name *name); 107 struct x509_constraints_names *x509_constraints_names_dup( 108 struct x509_constraints_names *names); 109 void x509_constraints_names_clear(struct x509_constraints_names *names); 110 struct x509_constraints_names *x509_constraints_names_new(size_t names_max); 111 int x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes, 112 size_t *len); 113 void x509_constraints_names_free(struct x509_constraints_names *names); 114 int x509_constraints_valid_host(uint8_t *name, size_t len); 115 int x509_constraints_valid_sandns(uint8_t *name, size_t len); 116 int x509_constraints_domain(char *domain, size_t dlen, char *constraint, 117 size_t len); 118 int x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, 119 struct x509_constraints_name *name); 120 int x509_constraints_valid_domain_constraint(uint8_t *constraint, 121 size_t len); 122 int x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostp); 123 int x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, 124 size_t len, int *error); 125 int x509_constraints_extract_names(struct x509_constraints_names *names, 126 X509 *cert, int include_cn, int *error); 127 int x509_constraints_extract_constraints(X509 *cert, 128 struct x509_constraints_names *permitted, 129 struct x509_constraints_names *excluded, int *error); 130 int x509_constraints_validate(GENERAL_NAME *constraint, 131 struct x509_constraints_name **out_name, int *error); 132 int x509_constraints_check(struct x509_constraints_names *names, 133 struct x509_constraints_names *permitted, 134 struct x509_constraints_names *excluded, int *error); 135 int x509_constraints_chain(STACK_OF(X509) *chain, int *error, 136 int *depth); 137 void x509_verify_cert_info_populate(X509 *cert); 138 int x509_vfy_check_security_level(X509_STORE_CTX *ctx); 139 140 __END_HIDDEN_DECLS 141 142 #endif 143