libcrypto/x509/x509_vpm.c

*a16560b1Stb/* $OpenBSD: x509_vpm.c,v 1.45 2024/03/29 04:50:11 tb Exp $ */
82a8dcafSdjm/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5650a0e1Sdjm * project 2004.
5650a0e1Sdjm */
5650a0e1Sdjm/* ====================================================================
5650a0e1Sdjm * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
5650a0e1Sdjm *
5650a0e1Sdjm * Redistribution and use in source and binary forms, with or without
5650a0e1Sdjm * modification, are permitted provided that the following conditions
5650a0e1Sdjm * are met:
5650a0e1Sdjm *
5650a0e1Sdjm * 1. Redistributions of source code must retain the above copyright
5650a0e1Sdjm *    notice, this list of conditions and the following disclaimer.
5650a0e1Sdjm *
5650a0e1Sdjm * 2. Redistributions in binary form must reproduce the above copyright
5650a0e1Sdjm *    notice, this list of conditions and the following disclaimer in
5650a0e1Sdjm *    the documentation and/or other materials provided with the
5650a0e1Sdjm *    distribution.
5650a0e1Sdjm *
5650a0e1Sdjm * 3. All advertising materials mentioning features or use of this
5650a0e1Sdjm *    software must display the following acknowledgment:
5650a0e1Sdjm *    "This product includes software developed by the OpenSSL Project
5650a0e1Sdjm *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
5650a0e1Sdjm *
5650a0e1Sdjm * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
5650a0e1Sdjm *    endorse or promote products derived from this software without
5650a0e1Sdjm *    prior written permission. For written permission, please contact
5650a0e1Sdjm *    licensing@OpenSSL.org.
5650a0e1Sdjm *
5650a0e1Sdjm * 5. Products derived from this software may not be called "OpenSSL"
5650a0e1Sdjm *    nor may "OpenSSL" appear in their names without prior written
5650a0e1Sdjm *    permission of the OpenSSL Project.
5650a0e1Sdjm *
5650a0e1Sdjm * 6. Redistributions of any form whatsoever must retain the following
5650a0e1Sdjm *    acknowledgment:
5650a0e1Sdjm *    "This product includes software developed by the OpenSSL Project
5650a0e1Sdjm *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
5650a0e1Sdjm *
5650a0e1Sdjm * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
5650a0e1Sdjm * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
5650a0e1Sdjm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
5650a0e1Sdjm * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
5650a0e1Sdjm * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
5650a0e1Sdjm * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
5650a0e1Sdjm * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
5650a0e1Sdjm * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
5650a0e1Sdjm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
5650a0e1Sdjm * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
5650a0e1Sdjm * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
5650a0e1Sdjm * OF THE POSSIBILITY OF SUCH DAMAGE.
5650a0e1Sdjm * ====================================================================
5650a0e1Sdjm *
5650a0e1Sdjm * This product includes cryptographic software written by Eric Young
5650a0e1Sdjm * (eay@cryptsoft.com).  This product includes software written by Tim
5650a0e1Sdjm * Hudson (tjh@cryptsoft.com).
5650a0e1Sdjm *
5650a0e1Sdjm */
5650a0e1Sdjm
5650a0e1Sdjm#include <stdio.h>
a8913c44Sjsing#include <string.h>
5650a0e1Sdjm
b6ab114eSjsing#include <openssl/buffer.h>
5650a0e1Sdjm#include <openssl/crypto.h>
e932005dStb#include <openssl/err.h>
5650a0e1Sdjm#include <openssl/lhash.h>
deda88cbSbeck#include <openssl/stack.h>
5650a0e1Sdjm#include <openssl/x509.h>
5650a0e1Sdjm#include <openssl/x509v3.h>
5650a0e1Sdjm
c9675a23Stb#include "x509_local.h"
deda88cbSbeck
5650a0e1Sdjm/* X509_VERIFY_PARAM functions */
5650a0e1Sdjm
47398500Sjsingint X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email,
47398500Sjsing    size_t emaillen);
47398500Sjsingint X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const unsigned char *ip,
47398500Sjsing    size_t iplen);
47398500Sjsing
deda88cbSbeck#define SET_HOST 0
deda88cbSbeck#define ADD_HOST 1
deda88cbSbeck
deda88cbSbeckstatic void
deda88cbSbeckstr_free(char *s)
deda88cbSbeck{
deda88cbSbeck	free(s);
deda88cbSbeck}
deda88cbSbeck
35600121Stbstatic STACK_OF(OPENSSL_STRING) *
35600121Stbsk_OPENSSL_STRING_deep_copy(const STACK_OF(OPENSSL_STRING) *sk)
deda88cbSbeck{
35600121Stb	STACK_OF(OPENSSL_STRING) *new;
35600121Stb	char *copy = NULL;
35600121Stb	int i;
deda88cbSbeck
35600121Stb	if ((new = sk_OPENSSL_STRING_new_null()) == NULL)
35600121Stb		goto err;
35600121Stb
35600121Stb	for (i = 0; i < sk_OPENSSL_STRING_num(sk); i++) {
35600121Stb		if ((copy = strdup(sk_OPENSSL_STRING_value(sk, i))) == NULL)
35600121Stb			goto err;
35600121Stb		if (sk_OPENSSL_STRING_push(new, copy) <= 0)
35600121Stb			goto err;
35600121Stb		copy = NULL;
35600121Stb	}
35600121Stb
35600121Stb	return new;
35600121Stb
35600121Stb err:
35600121Stb	sk_OPENSSL_STRING_pop_free(new, str_free);
35600121Stb	free(copy);
35600121Stb
deda88cbSbeck	return NULL;
deda88cbSbeck}
deda88cbSbeck
deda88cbSbeckstatic int
b6c35519Stbx509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
deda88cbSbeck    const char *name, size_t namelen)
deda88cbSbeck{
deda88cbSbeck	char *copy;
deda88cbSbeck
e9803435Sbeck	if (name != NULL && namelen == 0)
e9803435Sbeck		namelen = strlen(name);
deda88cbSbeck	/*
deda88cbSbeck	 * Refuse names with embedded NUL bytes.
deda88cbSbeck	 */
deda88cbSbeck	if (name && memchr(name, '\0', namelen))
deda88cbSbeck		return 0;
deda88cbSbeck
b6c35519Stb	if (mode == SET_HOST && vpm->hosts) {
b6c35519Stb		sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
b6c35519Stb		vpm->hosts = NULL;
deda88cbSbeck	}
deda88cbSbeck	if (name == NULL || namelen == 0)
deda88cbSbeck		return 1;
deda88cbSbeck	copy = strndup(name, namelen);
deda88cbSbeck	if (copy == NULL)
deda88cbSbeck		return 0;
deda88cbSbeck
b6c35519Stb	if (vpm->hosts == NULL &&
b6c35519Stb	    (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
deda88cbSbeck		free(copy);
deda88cbSbeck		return 0;
deda88cbSbeck	}
deda88cbSbeck
b6c35519Stb	if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
deda88cbSbeck		free(copy);
b6c35519Stb		if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
b6c35519Stb			sk_OPENSSL_STRING_free(vpm->hosts);
b6c35519Stb			vpm->hosts = NULL;
deda88cbSbeck		}
deda88cbSbeck		return 0;
deda88cbSbeck	}
deda88cbSbeck
deda88cbSbeck	return 1;
deda88cbSbeck}
deda88cbSbeck
15238b08Sjsingstatic void
15238b08Sjsingx509_verify_param_zero(X509_VERIFY_PARAM *param)
5650a0e1Sdjm{
5650a0e1Sdjm	if (!param)
5650a0e1Sdjm		return;
b6c35519Stb
4c6be9d1Stb	free(param->name);
5650a0e1Sdjm	param->name = NULL;
5650a0e1Sdjm	param->purpose = 0;
5650a0e1Sdjm	param->trust = 0;
f1535dc8Sdjm	/*param->inh_flags = X509_VP_FLAG_DEFAULT;*/
e2ee43e0Sdjm	param->inh_flags = 0;
d4b1ba33Stb	param->flags = 0;
5650a0e1Sdjm	param->depth = -1;
5650a0e1Sdjm	sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
5650a0e1Sdjm	param->policies = NULL;
b6c35519Stb	sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
b6c35519Stb	param->hosts = NULL;
b6c35519Stb	free(param->peername);
b6c35519Stb	param->peername = NULL;
b6c35519Stb	free(param->email);
b6c35519Stb	param->email = NULL;
b6c35519Stb	param->emaillen = 0;
b6c35519Stb	free(param->ip);
b6c35519Stb	param->ip = NULL;
b6c35519Stb	param->iplen = 0;
b6c35519Stb	param->poisoned = 0;
5650a0e1Sdjm}
5650a0e1Sdjm
15238b08SjsingX509_VERIFY_PARAM *
15238b08SjsingX509_VERIFY_PARAM_new(void)
5650a0e1Sdjm{
5650a0e1Sdjm	X509_VERIFY_PARAM *param;
b6c35519Stb
66415b63Stedu	param = calloc(1, sizeof(X509_VERIFY_PARAM));
deda88cbSbeck	if (param == NULL)
deda88cbSbeck		return NULL;
5650a0e1Sdjm	x509_verify_param_zero(param);
5650a0e1Sdjm	return param;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_new);
5650a0e1Sdjm
15238b08Sjsingvoid
15238b08SjsingX509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
5650a0e1Sdjm{
deda88cbSbeck	if (param == NULL)
deda88cbSbeck		return;
5650a0e1Sdjm	x509_verify_param_zero(param);
6f3a6cb1Sbeck	free(param);
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_free);
5650a0e1Sdjm
40007492Stb/*
40007492Stb * This function determines how parameters are "inherited" from one structure
5650a0e1Sdjm * to another. There are several different ways this can happen.
5650a0e1Sdjm *
5650a0e1Sdjm * 1. If a child structure needs to have its values initialized from a parent
5650a0e1Sdjm *    they are simply copied across. For example SSL_CTX copied to SSL.
5650a0e1Sdjm * 2. If the structure should take on values only if they are currently unset.
5650a0e1Sdjm *    For example the values in an SSL structure will take appropriate value
5650a0e1Sdjm *    for SSL servers or clients but only if the application has not set new
5650a0e1Sdjm *    ones.
5650a0e1Sdjm *
5650a0e1Sdjm * The "inh_flags" field determines how this function behaves.
5650a0e1Sdjm *
5650a0e1Sdjm * Normally any values which are set in the default are not copied from the
5650a0e1Sdjm * destination and verify flags are ORed together.
5650a0e1Sdjm *
5650a0e1Sdjm * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
5650a0e1Sdjm * to the destination. Effectively the values in "to" become default values
5650a0e1Sdjm * which will be used only if nothing new is set in "from".
5650a0e1Sdjm *
5650a0e1Sdjm * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
5650a0e1Sdjm * they are set or not. Flags is still Ored though.
5650a0e1Sdjm *
5650a0e1Sdjm * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
5650a0e1Sdjm * of ORed.
5650a0e1Sdjm *
5650a0e1Sdjm * If X509_VP_FLAG_LOCKED is set then no values are copied.
5650a0e1Sdjm *
5650a0e1Sdjm * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
5650a0e1Sdjm * after the next call.
5650a0e1Sdjm */
5650a0e1Sdjm
5650a0e1Sdjm/* Macro to test if a field should be copied from src to dest */
5650a0e1Sdjm#define test_x509_verify_param_copy(field, def) \
5650a0e1Sdjm	(to_overwrite || \
5650a0e1Sdjm		((src->field != def) && (to_default || (dest->field == def))))
5650a0e1Sdjm
5650a0e1Sdjm/* Macro to test and copy a field if necessary */
5650a0e1Sdjm#define x509_verify_param_copy(field, def) \
5650a0e1Sdjm	if (test_x509_verify_param_copy(field, def)) \
5650a0e1Sdjm		dest->field = src->field
5650a0e1Sdjm
15238b08Sjsingint
15238b08SjsingX509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src)
5650a0e1Sdjm{
5650a0e1Sdjm	unsigned long inh_flags;
5650a0e1Sdjm	int to_default, to_overwrite;
15238b08Sjsing
5650a0e1Sdjm	if (!src)
5650a0e1Sdjm		return 1;
5650a0e1Sdjm	inh_flags = dest->inh_flags | src->inh_flags;
5650a0e1Sdjm
5650a0e1Sdjm	if (inh_flags & X509_VP_FLAG_ONCE)
5650a0e1Sdjm		dest->inh_flags = 0;
5650a0e1Sdjm
5650a0e1Sdjm	if (inh_flags & X509_VP_FLAG_LOCKED)
5650a0e1Sdjm		return 1;
5650a0e1Sdjm
5650a0e1Sdjm	if (inh_flags & X509_VP_FLAG_DEFAULT)
5650a0e1Sdjm		to_default = 1;
5650a0e1Sdjm	else
5650a0e1Sdjm		to_default = 0;
5650a0e1Sdjm
5650a0e1Sdjm	if (inh_flags & X509_VP_FLAG_OVERWRITE)
5650a0e1Sdjm		to_overwrite = 1;
5650a0e1Sdjm	else
5650a0e1Sdjm		to_overwrite = 0;
5650a0e1Sdjm
5650a0e1Sdjm	x509_verify_param_copy(purpose, 0);
5650a0e1Sdjm	x509_verify_param_copy(trust, 0);
5650a0e1Sdjm	x509_verify_param_copy(depth, -1);
5650a0e1Sdjm
5650a0e1Sdjm	/* If overwrite or check time not set, copy across */
5650a0e1Sdjm
7609e5c6Stedu	if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
5650a0e1Sdjm		dest->check_time = src->check_time;
5650a0e1Sdjm		dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
5650a0e1Sdjm		/* Don't need to copy flag: that is done below */
5650a0e1Sdjm	}
5650a0e1Sdjm
5650a0e1Sdjm	if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
5650a0e1Sdjm		dest->flags = 0;
5650a0e1Sdjm
5650a0e1Sdjm	dest->flags |= src->flags;
5650a0e1Sdjm
7609e5c6Stedu	if (test_x509_verify_param_copy(policies, NULL)) {
5650a0e1Sdjm		if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies))
5650a0e1Sdjm			return 0;
5650a0e1Sdjm	}
5650a0e1Sdjm
b6c35519Stb	x509_verify_param_copy(hostflags, 0);
5c7ffd32Stb
b6c35519Stb	if (test_x509_verify_param_copy(hosts, NULL)) {
b6c35519Stb		if (dest->hosts) {
b6c35519Stb			sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
b6c35519Stb			dest->hosts = NULL;
deda88cbSbeck		}
b6c35519Stb		if (src->hosts) {
35600121Stb			dest->hosts = sk_OPENSSL_STRING_deep_copy(src->hosts);
b6c35519Stb			if (dest->hosts == NULL)
deda88cbSbeck				return 0;
deda88cbSbeck		}
deda88cbSbeck	}
deda88cbSbeck
b6c35519Stb	if (test_x509_verify_param_copy(email, NULL)) {
b6c35519Stb		if (!X509_VERIFY_PARAM_set1_email(dest, src->email,
b6c35519Stb		    src->emaillen))
deda88cbSbeck			return 0;
deda88cbSbeck	}
deda88cbSbeck
b6c35519Stb	if (test_x509_verify_param_copy(ip, NULL)) {
b6c35519Stb		if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
deda88cbSbeck			return 0;
deda88cbSbeck	}
deda88cbSbeck
5650a0e1Sdjm	return 1;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_inherit);
5650a0e1Sdjm
15238b08Sjsingint
15238b08SjsingX509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from)
5650a0e1Sdjm{
f1535dc8Sdjm	unsigned long save_flags = to->inh_flags;
f1535dc8Sdjm	int ret;
15238b08Sjsing
5650a0e1Sdjm	to->inh_flags |= X509_VP_FLAG_DEFAULT;
f1535dc8Sdjm	ret = X509_VERIFY_PARAM_inherit(to, from);
f1535dc8Sdjm	to->inh_flags = save_flags;
f1535dc8Sdjm	return ret;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set1);
5650a0e1Sdjm
deda88cbSbeckstatic int
2a5239c0Sbeckx509_param_set1_internal(char **pdest, size_t *pdestlen,  const char *src,
2a5239c0Sbeck    size_t srclen, int nonul)
deda88cbSbeck{
deda88cbSbeck	char *tmp;
2a5239c0Sbeck
2a5239c0Sbeck	if (src == NULL)
2a5239c0Sbeck		return 0;
2a5239c0Sbeck
deda88cbSbeck	if (srclen == 0) {
2a5239c0Sbeck		srclen = strlen(src);
2a5239c0Sbeck		if (srclen == 0)
2a5239c0Sbeck			return 0;
deda88cbSbeck		if ((tmp = strdup(src)) == NULL)
deda88cbSbeck			return 0;
deda88cbSbeck	} else {
2a5239c0Sbeck		if (nonul && memchr(src, '\0', srclen))
2a5239c0Sbeck			return 0;
deda88cbSbeck		if ((tmp = malloc(srclen)) == NULL)
deda88cbSbeck			return 0;
deda88cbSbeck		memcpy(tmp, src, srclen);
deda88cbSbeck	}
2a5239c0Sbeck
deda88cbSbeck	if (*pdest)
deda88cbSbeck		free(*pdest);
deda88cbSbeck	*pdest = tmp;
deda88cbSbeck	if (pdestlen)
deda88cbSbeck		*pdestlen = srclen;
deda88cbSbeck	return 1;
deda88cbSbeck}
deda88cbSbeck
15238b08Sjsingint
15238b08SjsingX509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
5650a0e1Sdjm{
6f3a6cb1Sbeck	free(param->name);
cfa3bb9dSmiod	param->name = NULL;
69442892Sbeck	if (name == NULL)
69442892Sbeck		return 1;
69442892Sbeck	param->name = strdup(name);
5650a0e1Sdjm	if (param->name)
5650a0e1Sdjm		return 1;
5650a0e1Sdjm	return 0;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_name);
5650a0e1Sdjm
15238b08Sjsingint
15238b08SjsingX509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
5650a0e1Sdjm{
5650a0e1Sdjm	param->flags |= flags;
5650a0e1Sdjm	return 1;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set_flags);
5650a0e1Sdjm
15238b08Sjsingint
15238b08SjsingX509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags)
5650a0e1Sdjm{
5650a0e1Sdjm	param->flags &= ~flags;
5650a0e1Sdjm	return 1;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_clear_flags);
5650a0e1Sdjm
15238b08Sjsingunsigned long
15238b08SjsingX509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
5650a0e1Sdjm{
5650a0e1Sdjm	return param->flags;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_get_flags);
5650a0e1Sdjm
15238b08Sjsingint
15238b08SjsingX509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
5650a0e1Sdjm{
e932005dStb	if (purpose < X509_PURPOSE_MIN || purpose > X509_PURPOSE_MAX) {
e932005dStb		X509V3error(X509V3_R_INVALID_PURPOSE);
e932005dStb		return 0;
e932005dStb	}
e932005dStb
e932005dStb	param->purpose = purpose;
e932005dStb	return 1;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set_purpose);
5650a0e1Sdjm
15238b08Sjsingint
15238b08SjsingX509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust)
5650a0e1Sdjm{
e932005dStb	if (trust < X509_TRUST_MIN || trust > X509_TRUST_MAX) {
e932005dStb		X509error(X509_R_INVALID_TRUST);
e932005dStb		return 0;
e932005dStb	}
e932005dStb
e932005dStb	param->trust = trust;
e932005dStb	return 1;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set_trust);
5650a0e1Sdjm
15238b08Sjsingvoid
15238b08SjsingX509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
5650a0e1Sdjm{
5650a0e1Sdjm	param->depth = depth;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set_depth);
5650a0e1Sdjm
15238b08Sjsingvoid
e84fde04StbX509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level)
e84fde04Stb{
e84fde04Stb	param->security_level = auth_level;
e84fde04Stb}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set_auth_level);
e84fde04Stb
6f34a740Stbtime_t
6f34a740StbX509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param)
6f34a740Stb{
6f34a740Stb	return param->check_time;
6f34a740Stb}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_get_time);
6f34a740Stb
e84fde04Stbvoid
15238b08SjsingX509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
5650a0e1Sdjm{
5650a0e1Sdjm	param->check_time = t;
5650a0e1Sdjm	param->flags |= X509_V_FLAG_USE_CHECK_TIME;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set_time);
5650a0e1Sdjm
15238b08Sjsingint
15238b08SjsingX509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy)
5650a0e1Sdjm{
6602a299Stb	if (param->policies == NULL)
5650a0e1Sdjm		param->policies = sk_ASN1_OBJECT_new_null();
6602a299Stb	if (param->policies == NULL)
5650a0e1Sdjm		return 0;
6602a299Stb	if (sk_ASN1_OBJECT_push(param->policies, policy) <= 0)
5650a0e1Sdjm		return 0;
5650a0e1Sdjm	return 1;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_add0_policy);
5650a0e1Sdjm
*a16560b1Stbstatic STACK_OF(ASN1_OBJECT) *
*a16560b1Stbsk_ASN1_OBJECT_deep_copy(const STACK_OF(ASN1_OBJECT) *sk)
*a16560b1Stb{
*a16560b1Stb	STACK_OF(ASN1_OBJECT) *objs;
*a16560b1Stb	ASN1_OBJECT *obj = NULL;
*a16560b1Stb	int i;
*a16560b1Stb
*a16560b1Stb	if ((objs = sk_ASN1_OBJECT_new_null()) == NULL)
*a16560b1Stb		goto err;
*a16560b1Stb
*a16560b1Stb	for (i = 0; i < sk_ASN1_OBJECT_num(sk); i++) {
*a16560b1Stb		if ((obj = OBJ_dup(sk_ASN1_OBJECT_value(sk, i))) == NULL)
*a16560b1Stb			goto err;
*a16560b1Stb		if (sk_ASN1_OBJECT_push(objs, obj) <= 0)
*a16560b1Stb			goto err;
*a16560b1Stb		obj = NULL;
*a16560b1Stb	}
*a16560b1Stb
*a16560b1Stb	return objs;
*a16560b1Stb
*a16560b1Stb err:
*a16560b1Stb	sk_ASN1_OBJECT_pop_free(objs, ASN1_OBJECT_free);
*a16560b1Stb	ASN1_OBJECT_free(obj);
*a16560b1Stb
*a16560b1Stb	return NULL;
*a16560b1Stb}
*a16560b1Stb
15238b08Sjsingint
15238b08SjsingX509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
5650a0e1Sdjm    STACK_OF(ASN1_OBJECT) *policies)
5650a0e1Sdjm{
*a16560b1Stb	if (param == NULL)
5650a0e1Sdjm		return 0;
*a16560b1Stb
5650a0e1Sdjm	sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
5650a0e1Sdjm	param->policies = NULL;
*a16560b1Stb
*a16560b1Stb	if (policies == NULL)
5650a0e1Sdjm		return 1;
5650a0e1Sdjm
*a16560b1Stb	if ((param->policies = sk_ASN1_OBJECT_deep_copy(policies)) == NULL)
5650a0e1Sdjm		return 0;
5650a0e1Sdjm
5650a0e1Sdjm	return 1;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_policies);
5650a0e1Sdjm
15238b08Sjsingint
deda88cbSbeckX509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
deda88cbSbeck    const char *name, size_t namelen)
deda88cbSbeck{
b6c35519Stb	if (x509_param_set_hosts_internal(param, SET_HOST, name, namelen))
2a5239c0Sbeck		return 1;
b6c35519Stb	param->poisoned = 1;
2a5239c0Sbeck	return 0;
deda88cbSbeck}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_host);
deda88cbSbeck
deda88cbSbeckint
deda88cbSbeckX509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
deda88cbSbeck    const char *name, size_t namelen)
deda88cbSbeck{
b6c35519Stb	if (x509_param_set_hosts_internal(param, ADD_HOST, name, namelen))
2a5239c0Sbeck		return 1;
b6c35519Stb	param->poisoned = 1;
2a5239c0Sbeck	return 0;
deda88cbSbeck}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_add1_host);
deda88cbSbeck
e51d4db3Stb/* Public API in OpenSSL - nothing seems to use this. */
e51d4db3Stbunsigned int
e51d4db3StbX509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param)
e51d4db3Stb{
b6c35519Stb	return param->hostflags;
e51d4db3Stb}
e51d4db3Stb
deda88cbSbeckvoid
deda88cbSbeckX509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags)
deda88cbSbeck{
b6c35519Stb	param->hostflags = flags;
deda88cbSbeck}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set_hostflags);
deda88cbSbeck
deda88cbSbeckchar *
deda88cbSbeckX509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
deda88cbSbeck{
b6c35519Stb	return param->peername;
deda88cbSbeck}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_peername);
deda88cbSbeck
deda88cbSbeckint
deda88cbSbeckX509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,  const char *email,
deda88cbSbeck    size_t emaillen)
deda88cbSbeck{
b6c35519Stb	if (x509_param_set1_internal(&param->email, &param->emaillen,
2a5239c0Sbeck	    email, emaillen, 1))
2a5239c0Sbeck		return 1;
b6c35519Stb	param->poisoned = 1;
2a5239c0Sbeck	return 0;
deda88cbSbeck}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_email);
deda88cbSbeck
deda88cbSbeckint
deda88cbSbeckX509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const unsigned char *ip,
deda88cbSbeck    size_t iplen)
deda88cbSbeck{
2a5239c0Sbeck	if (iplen != 4 && iplen != 16)
2a5239c0Sbeck		goto err;
b6c35519Stb	if (x509_param_set1_internal((char **)&param->ip, &param->iplen,
2a5239c0Sbeck		(char *)ip, iplen, 0))
2a5239c0Sbeck		return 1;
2a5239c0Sbeck err:
b6c35519Stb	param->poisoned = 1;
deda88cbSbeck	return 0;
deda88cbSbeck}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_ip);
deda88cbSbeck
deda88cbSbeckint
deda88cbSbeckX509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
deda88cbSbeck{
deda88cbSbeck	unsigned char ipout[16];
deda88cbSbeck	size_t iplen;
deda88cbSbeck
deda88cbSbeck	iplen = (size_t)a2i_ipadd(ipout, ipasc);
deda88cbSbeck	return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
deda88cbSbeck}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_ip_asc);
deda88cbSbeck
deda88cbSbeckint
15238b08SjsingX509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
5650a0e1Sdjm{
5650a0e1Sdjm	return param->depth;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_get_depth);
5650a0e1Sdjm
deda88cbSbeckconst char *
deda88cbSbeckX509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
deda88cbSbeck{
deda88cbSbeck	return param->name;
deda88cbSbeck}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_name);
deda88cbSbeck
deda88cbSbeck/*
deda88cbSbeck * Default verify parameters: these are used for various applications and can
deda88cbSbeck * be overridden by the user specified table.
5650a0e1Sdjm */
5650a0e1Sdjm
5650a0e1Sdjmstatic const X509_VERIFY_PARAM default_table[] = {
5650a0e1Sdjm	{
deda88cbSbeck		.name = "default",
a37b3debSjsing		.flags = X509_V_FLAG_TRUSTED_FIRST,
deda88cbSbeck		.depth = 100,
f69362f8Sbeck		.trust = 0,  /* XXX This is not the default trust value */
5650a0e1Sdjm	},
5650a0e1Sdjm	{
deda88cbSbeck		.name = "pkcs7",
deda88cbSbeck		.purpose = X509_PURPOSE_SMIME_SIGN,
deda88cbSbeck		.trust = X509_TRUST_EMAIL,
deda88cbSbeck		.depth = -1,
e2ee43e0Sdjm	},
e2ee43e0Sdjm	{
deda88cbSbeck		.name = "smime_sign",
deda88cbSbeck		.purpose = X509_PURPOSE_SMIME_SIGN,
deda88cbSbeck		.trust = X509_TRUST_EMAIL,
deda88cbSbeck		.depth =  -1,
5650a0e1Sdjm	},
5650a0e1Sdjm	{
deda88cbSbeck		.name = "ssl_client",
deda88cbSbeck		.purpose = X509_PURPOSE_SSL_CLIENT,
deda88cbSbeck		.trust = X509_TRUST_SSL_CLIENT,
deda88cbSbeck		.depth = -1,
5650a0e1Sdjm	},
5650a0e1Sdjm	{
deda88cbSbeck		.name = "ssl_server",
deda88cbSbeck		.purpose = X509_PURPOSE_SSL_SERVER,
deda88cbSbeck		.trust = X509_TRUST_SSL_SERVER,
deda88cbSbeck		.depth = -1,
7609e5c6Stedu	}
7609e5c6Stedu};
5650a0e1Sdjm
5650a0e1Sdjmstatic STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
5650a0e1Sdjm
15238b08Sjsingstatic int
15238b08Sjsingparam_cmp(const X509_VERIFY_PARAM * const *a,
5650a0e1Sdjm    const X509_VERIFY_PARAM * const *b)
5650a0e1Sdjm{
5650a0e1Sdjm	return strcmp((*a)->name, (*b)->name);
5650a0e1Sdjm}
5650a0e1Sdjm
15238b08Sjsingint
15238b08SjsingX509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
5650a0e1Sdjm{
5650a0e1Sdjm	X509_VERIFY_PARAM *ptmp;
7609e5c6Stedu	if (!param_table) {
5650a0e1Sdjm		param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
5650a0e1Sdjm		if (!param_table)
5650a0e1Sdjm			return 0;
7609e5c6Stedu	} else {
deda88cbSbeck		size_t idx;
deda88cbSbeck
deda88cbSbeck		if ((idx = sk_X509_VERIFY_PARAM_find(param_table, param))
deda88cbSbeck		    != -1) {
deda88cbSbeck			ptmp = sk_X509_VERIFY_PARAM_value(param_table,
deda88cbSbeck			    idx);
5650a0e1Sdjm			X509_VERIFY_PARAM_free(ptmp);
deda88cbSbeck			(void)sk_X509_VERIFY_PARAM_delete(param_table,
deda88cbSbeck			    idx);
5650a0e1Sdjm		}
5650a0e1Sdjm	}
5650a0e1Sdjm	if (!sk_X509_VERIFY_PARAM_push(param_table, param))
5650a0e1Sdjm		return 0;
5650a0e1Sdjm	return 1;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_add0_table);
5650a0e1Sdjm
deda88cbSbeckint
deda88cbSbeckX509_VERIFY_PARAM_get_count(void)
5650a0e1Sdjm{
deda88cbSbeck	int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
deda88cbSbeck	if (param_table)
deda88cbSbeck		num += sk_X509_VERIFY_PARAM_num(param_table);
deda88cbSbeck	return num;
deda88cbSbeck}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_get_count);
deda88cbSbeck
40007492Stbconst X509_VERIFY_PARAM *
40007492StbX509_VERIFY_PARAM_get0(int id)
deda88cbSbeck{
deda88cbSbeck	int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
deda88cbSbeck	if (id < num)
deda88cbSbeck		return default_table + id;
deda88cbSbeck	return sk_X509_VERIFY_PARAM_value(param_table, id - num);
deda88cbSbeck}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_get0);
deda88cbSbeck
40007492Stbconst X509_VERIFY_PARAM *
40007492StbX509_VERIFY_PARAM_lookup(const char *name)
deda88cbSbeck{
5650a0e1Sdjm	X509_VERIFY_PARAM pm;
deda88cbSbeck	unsigned int i, limit;
f1535dc8Sdjm
5650a0e1Sdjm	pm.name = (char *)name;
7609e5c6Stedu	if (param_table) {
deda88cbSbeck		size_t idx;
deda88cbSbeck		if ((idx = sk_X509_VERIFY_PARAM_find(param_table, &pm)) != -1)
5650a0e1Sdjm			return sk_X509_VERIFY_PARAM_value(param_table, idx);
5650a0e1Sdjm	}
deda88cbSbeck
deda88cbSbeck	limit = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
deda88cbSbeck	for (i = 0; i < limit; i++) {
deda88cbSbeck		if (strcmp(default_table[i].name, name) == 0) {
deda88cbSbeck			return &default_table[i];
deda88cbSbeck		}
deda88cbSbeck	}
deda88cbSbeck	return NULL;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_lookup);
5650a0e1Sdjm
15238b08Sjsingvoid
15238b08SjsingX509_VERIFY_PARAM_table_cleanup(void)
5650a0e1Sdjm{
5650a0e1Sdjm	if (param_table)
5650a0e1Sdjm		sk_X509_VERIFY_PARAM_pop_free(param_table,
5650a0e1Sdjm		    X509_VERIFY_PARAM_free);
5650a0e1Sdjm	param_table = NULL;
5650a0e1Sdjm}
cedac418StbLCRYPTO_ALIAS(X509_VERIFY_PARAM_table_cleanup);