/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
#include "ssl_local.h"
#include "ssl_cert_table.h"
#include "internal/thread_once.h"
+#ifndef OPENSSL_NO_POSIX_IO
+# include <sys/stat.h>
+# ifdef _WIN32
+# define stat _stat
+# endif
+# ifndef S_ISDIR
+# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
+# endif
+#endif
+
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
int op, int bits, int nid, void *other,
return ssl_x509_store_ctx_idx;
}
-CERT *ssl_cert_new(void)
+CERT *ssl_cert_new(size_t ssl_pkey_num)
{
- CERT *ret = OPENSSL_zalloc(sizeof(*ret));
+ CERT *ret = NULL;
- if (ret == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ /* Should never happen */
+ if (!ossl_assert(ssl_pkey_num >= SSL_PKEY_NUM))
+ return NULL;
+
+ ret = OPENSSL_zalloc(sizeof(*ret));
+ if (ret == NULL)
+ return NULL;
+
+ ret->ssl_pkey_num = ssl_pkey_num;
+ ret->pkeys = OPENSSL_zalloc(ret->ssl_pkey_num * sizeof(CERT_PKEY));
+ if (ret->pkeys == NULL) {
+ OPENSSL_free(ret);
return NULL;
}
ret->key = &(ret->pkeys[SSL_PKEY_RSA]);
- ret->references = 1;
ret->sec_cb = ssl_security_default_callback;
ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;
ret->sec_ex = NULL;
- ret->lock = CRYPTO_THREAD_lock_new();
- if (ret->lock == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ if (!CRYPTO_NEW_REF(&ret->references, 1)) {
+ OPENSSL_free(ret->pkeys);
OPENSSL_free(ret);
return NULL;
}
CERT *ssl_cert_dup(CERT *cert)
{
CERT *ret = OPENSSL_zalloc(sizeof(*ret));
- int i;
+ size_t i;
+#ifndef OPENSSL_NO_COMP_ALG
+ int j;
+#endif
- if (ret == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ if (ret == NULL)
+ return NULL;
+
+ ret->ssl_pkey_num = cert->ssl_pkey_num;
+ ret->pkeys = OPENSSL_zalloc(ret->ssl_pkey_num * sizeof(CERT_PKEY));
+ if (ret->pkeys == NULL) {
+ OPENSSL_free(ret);
return NULL;
}
- ret->references = 1;
ret->key = &ret->pkeys[cert->key - cert->pkeys];
- ret->lock = CRYPTO_THREAD_lock_new();
- if (ret->lock == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ if (!CRYPTO_NEW_REF(&ret->references, 1)) {
+ OPENSSL_free(ret->pkeys);
OPENSSL_free(ret);
return NULL;
}
ret->dh_tmp_cb = cert->dh_tmp_cb;
ret->dh_tmp_auto = cert->dh_tmp_auto;
- for (i = 0; i < SSL_PKEY_NUM; i++) {
+ for (i = 0; i < ret->ssl_pkey_num; i++) {
CERT_PKEY *cpk = cert->pkeys + i;
CERT_PKEY *rpk = ret->pkeys + i;
+
if (cpk->x509 != NULL) {
rpk->x509 = cpk->x509;
X509_up_ref(rpk->x509);
if (cpk->chain) {
rpk->chain = X509_chain_up_ref(cpk->chain);
if (!rpk->chain) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
goto err;
}
}
- if (cert->pkeys[i].serverinfo != NULL) {
+ if (cpk->serverinfo != NULL) {
/* Just copy everything. */
- ret->pkeys[i].serverinfo =
- OPENSSL_malloc(cert->pkeys[i].serverinfo_length);
- if (ret->pkeys[i].serverinfo == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ rpk->serverinfo = OPENSSL_memdup(cpk->serverinfo, cpk->serverinfo_length);
+ if (rpk->serverinfo == NULL)
goto err;
+ rpk->serverinfo_length = cpk->serverinfo_length;
+ }
+#ifndef OPENSSL_NO_COMP_ALG
+ for (j = TLSEXT_comp_cert_none; j < TLSEXT_comp_cert_limit; j++) {
+ if (cpk->comp_cert[j] != NULL) {
+ if (!OSSL_COMP_CERT_up_ref(cpk->comp_cert[j]))
+ goto err;
+ rpk->comp_cert[j] = cpk->comp_cert[j];
}
- ret->pkeys[i].serverinfo_length = cert->pkeys[i].serverinfo_length;
- memcpy(ret->pkeys[i].serverinfo,
- cert->pkeys[i].serverinfo, cert->pkeys[i].serverinfo_length);
}
+#endif
}
/* Configured sigalgs copied across */
void ssl_cert_clear_certs(CERT *c)
{
- int i;
+ size_t i;
+#ifndef OPENSSL_NO_COMP_ALG
+ int j;
+#endif
+
if (c == NULL)
return;
- for (i = 0; i < SSL_PKEY_NUM; i++) {
+ for (i = 0; i < c->ssl_pkey_num; i++) {
CERT_PKEY *cpk = c->pkeys + i;
X509_free(cpk->x509);
cpk->x509 = NULL;
OPENSSL_free(cpk->serverinfo);
cpk->serverinfo = NULL;
cpk->serverinfo_length = 0;
+#ifndef OPENSSL_NO_COMP_ALG
+ for (j = 0; j < TLSEXT_comp_cert_limit; j++) {
+ OSSL_COMP_CERT_free(cpk->comp_cert[j]);
+ cpk->comp_cert[j] = NULL;
+ cpk->cert_comp_used = 0;
+ }
+#endif
}
}
if (c == NULL)
return;
- CRYPTO_DOWN_REF(&c->references, &i, c->lock);
+ CRYPTO_DOWN_REF(&c->references, &i);
REF_PRINT_COUNT("CERT", c);
if (i > 0)
return;
#ifndef OPENSSL_NO_PSK
OPENSSL_free(c->psk_identity_hint);
#endif
- CRYPTO_THREAD_lock_free(c->lock);
+ OPENSSL_free(c->pkeys);
+ CRYPTO_FREE_REF(&c->references);
OPENSSL_free(c);
}
int ssl_cert_set1_chain(SSL_CONNECTION *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
{
STACK_OF(X509) *dchain;
+
if (!chain)
return ssl_cert_set0_chain(s, ctx, NULL);
dchain = X509_chain_up_ref(chain);
{
int r;
CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
+
if (!cpk)
return 0;
r = ssl_security_cert(s, ctx, x, 0, 0);
int ssl_cert_select_current(CERT *c, X509 *x)
{
- int i;
+ size_t i;
+
if (x == NULL)
return 0;
- for (i = 0; i < SSL_PKEY_NUM; i++) {
+ for (i = 0; i < c->ssl_pkey_num; i++) {
CERT_PKEY *cpk = c->pkeys + i;
if (cpk->x509 == x && cpk->privatekey) {
c->key = cpk;
}
}
- for (i = 0; i < SSL_PKEY_NUM; i++) {
+ for (i = 0; i < c->ssl_pkey_num; i++) {
CERT_PKEY *cpk = c->pkeys + i;
if (cpk->privatekey && cpk->x509 && !X509_cmp(cpk->x509, x)) {
c->key = cpk;
int ssl_cert_set_current(CERT *c, long op)
{
- int i, idx;
+ size_t i, idx;
+
if (!c)
return 0;
if (op == SSL_CERT_SET_FIRST)
idx = 0;
else if (op == SSL_CERT_SET_NEXT) {
- idx = (int)(c->key - c->pkeys + 1);
- if (idx >= SSL_PKEY_NUM)
+ idx = (size_t)(c->key - c->pkeys + 1);
+ if (idx >= c->ssl_pkey_num)
return 0;
} else
return 0;
- for (i = idx; i < SSL_PKEY_NUM; i++) {
+ for (i = idx; i < c->ssl_pkey_num; i++) {
CERT_PKEY *cpk = c->pkeys + i;
if (cpk->x509 && cpk->privatekey) {
c->key = cpk;
}
/*
- * Verify a certificate chain
+ * Verify a certificate chain/raw public key
* Return codes:
* 1: Verify success
* 0: Verify failure or error
* -1: Retry required
*/
-int ssl_verify_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk)
+static int ssl_verify_internal(SSL_CONNECTION *s, STACK_OF(X509) *sk, EVP_PKEY *rpk)
{
X509 *x;
int i = 0;
X509_VERIFY_PARAM *param;
SSL_CTX *sctx;
- if ((sk == NULL) || (sk_X509_num(sk) == 0))
+ /* Something must be passed in */
+ if ((sk == NULL || sk_X509_num(sk) == 0) && rpk == NULL)
+ return 0;
+
+ /* Only one can be set */
+ if (sk != NULL && rpk != NULL)
return 0;
sctx = SSL_CONNECTION_GET_CTX(s);
ctx = X509_STORE_CTX_new_ex(sctx->libctx, sctx->propq);
if (ctx == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
return 0;
}
- x = sk_X509_value(sk, 0);
- if (!X509_STORE_CTX_init(ctx, verify_store, x, sk)) {
- ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
- goto end;
+ if (sk != NULL) {
+ x = sk_X509_value(sk, 0);
+ if (!X509_STORE_CTX_init(ctx, verify_store, x, sk)) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
+ goto end;
+ }
+ } else {
+ if (!X509_STORE_CTX_init_rpk(ctx, verify_store, rpk)) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
+ goto end;
+ }
}
param = X509_STORE_CTX_get0_param(ctx);
/*
s->verify_result = X509_STORE_CTX_get_error(ctx);
OSSL_STACK_OF_X509_free(s->verified_chain);
s->verified_chain = NULL;
- if (X509_STORE_CTX_get0_chain(ctx) != NULL) {
+
+ if (sk != NULL && X509_STORE_CTX_get0_chain(ctx) != NULL) {
s->verified_chain = X509_STORE_CTX_get1_chain(ctx);
if (s->verified_chain == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
i = 0;
}
}
return i;
}
+/*
+ * Verify a raw public key
+ * Return codes:
+ * 1: Verify success
+ * 0: Verify failure or error
+ * -1: Retry required
+ */
+int ssl_verify_rpk(SSL_CONNECTION *s, EVP_PKEY *rpk)
+{
+ return ssl_verify_internal(s, NULL, rpk);
+}
+
+/*
+ * Verify a certificate chain
+ * Return codes:
+ * 1: Verify success
+ * 0: Verify failure or error
+ * -1: Retry required
+ */
+int ssl_verify_cert_chain(SSL_CONNECTION *s, STACK_OF(X509) *sk)
+{
+ return ssl_verify_internal(s, sk, NULL);
+}
+
static void set0_CA_list(STACK_OF(X509_NAME) **ca_list,
STACK_OF(X509_NAME) *name_list)
{
ret = sk_X509_NAME_new_reserve(NULL, num);
if (ret == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
return NULL;
}
for (i = 0; i < num; i++) {
name = X509_NAME_dup(sk_X509_NAME_value(sk, i));
if (name == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
sk_X509_NAME_pop_free(ret, X509_NAME_free);
return NULL;
}
LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp);
OSSL_LIB_CTX *prev_libctx = NULL;
- if ((name_hash == NULL) || (in == NULL)) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ if (name_hash == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
+ goto err;
+ }
+ if (in == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_BIO_LIB);
goto err;
}
x = X509_new_ex(libctx, propq);
if (x == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
goto err;
}
if (BIO_read_filename(in, file) <= 0)
if (ret == NULL) {
ret = sk_X509_NAME_new_null();
if (ret == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
goto err;
}
}
in = BIO_new(BIO_s_file());
if (in == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_BIO_LIB);
goto err;
}
while ((filename = OPENSSL_DIR_read(&d, dir))) {
char buf[1024];
int r;
+#ifndef OPENSSL_NO_POSIX_IO
+ struct stat st;
+#else
+ /* Cannot use stat so just skip current and parent directories */
+ if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0)
+ continue;
+#endif
if (strlen(dir) + strlen(filename) + 2 > sizeof(buf)) {
ERR_raise(ERR_LIB_SSL, SSL_R_PATH_TOO_LONG);
goto err;
r = BIO_snprintf(buf, sizeof(buf), "%s%s", dir, filename);
#else
r = BIO_snprintf(buf, sizeof(buf), "%s/%s", dir, filename);
+#endif
+#ifndef OPENSSL_NO_POSIX_IO
+ /* Skip subdirectories */
+ if (!stat(buf, &st) && S_ISDIR(st.st_mode))
+ continue;
#endif
if (r <= 0 || r >= (int)sizeof(buf))
goto err;
xs_ctx = X509_STORE_CTX_new_ex(real_ctx->libctx, real_ctx->propq);
if (xs_ctx == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_SSL, ERR_R_X509_LIB);
goto err;
}
if (!X509_STORE_CTX_init(xs_ctx, chain_store, cpk->x509, untrusted)) {
ctx->cert->sec_ex);
}
-int ssl_cert_lookup_by_nid(int nid, size_t *pidx)
+int ssl_cert_lookup_by_nid(int nid, size_t *pidx, SSL_CTX *ctx)
{
size_t i;
return 1;
}
}
-
+ for (i = 0; i < ctx->sigalg_list_len; i++) {
+ if (ctx->ssl_cert_info[i].nid == nid) {
+ *pidx = SSL_PKEY_NUM + i;
+ return 1;
+ }
+ }
return 0;
}
-const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx)
+SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx, SSL_CTX *ctx)
{
size_t i;
+ /* check classic pk types */
for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) {
- const SSL_CERT_LOOKUP *tmp_lu = &ssl_cert_info[i];
+ SSL_CERT_LOOKUP *tmp_lu = &ssl_cert_info[i];
if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->nid))
|| EVP_PKEY_is_a(pk, OBJ_nid2ln(tmp_lu->nid))) {
return tmp_lu;
}
}
+ /* check provider-loaded pk types */
+ for (i = 0; ctx->sigalg_list_len; i++) {
+ SSL_CERT_LOOKUP *tmp_lu = &(ctx->ssl_cert_info[i]);
+
+ if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->nid))
+ || EVP_PKEY_is_a(pk, OBJ_nid2ln(tmp_lu->nid))) {
+ if (pidx != NULL)
+ *pidx = SSL_PKEY_NUM + i;
+ return &ctx->ssl_cert_info[i];
+ }
+ }
return NULL;
}
-const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx)
+SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx, SSL_CTX *ctx)
{
- if (idx >= OSSL_NELEM(ssl_cert_info))
+ if (idx >= (OSSL_NELEM(ssl_cert_info) + ctx->sigalg_list_len))
return NULL;
+ else if (idx >= (OSSL_NELEM(ssl_cert_info)))
+ return &(ctx->ssl_cert_info[idx - SSL_PKEY_NUM]);
return &ssl_cert_info[idx];
}