X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=crypto%2Fx509%2Fx509_lu.c;h=fbb1497fe211efb718bcea3cca3cca1e6462c45b;hb=f6e7d014508b020818707d4b1544379e8b742e32;hp=18bfecb11ed2b2834a7e134fb72b2b397c5fb009;hpb=5c0a48655fc342086d4babb57fee8e052a7b2e2f;p=openssl.git diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 18bfecb11e..fbb1497fe2 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -60,16 +60,14 @@ #include "cryptlib.h" #include #include - -static STACK *x509_store_meth=NULL; -static STACK *x509_store_ctx_meth=NULL; +#include X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) { X509_LOOKUP *ret; - ret=(X509_LOOKUP *)Malloc(sizeof(X509_LOOKUP)); - if (ret == NULL) return(NULL); + ret=(X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP)); + if (ret == NULL) return NULL; ret->init=0; ret->skip=0; @@ -78,10 +76,10 @@ X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) ret->store_ctx=NULL; if ((method->new_item != NULL) && !method->new_item(ret)) { - Free(ret); - return(NULL); + OPENSSL_free(ret); + return NULL; } - return(ret); + return ret; } void X509_LOOKUP_free(X509_LOOKUP *ctx) @@ -90,44 +88,44 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx) if ( (ctx->method != NULL) && (ctx->method->free != NULL)) ctx->method->free(ctx); - Free(ctx); + OPENSSL_free(ctx); } int X509_LOOKUP_init(X509_LOOKUP *ctx) { - if (ctx->method == NULL) return(0); + if (ctx->method == NULL) return 0; if (ctx->method->init != NULL) - return(ctx->method->init(ctx)); + return ctx->method->init(ctx); else - return(1); + return 1; } int X509_LOOKUP_shutdown(X509_LOOKUP *ctx) { - if (ctx->method == NULL) return(0); + if (ctx->method == NULL) return 0; if (ctx->method->shutdown != NULL) - return(ctx->method->shutdown(ctx)); + return ctx->method->shutdown(ctx); else - return(1); + return 1; } int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret) { - if (ctx->method == NULL) return(-1); + if (ctx->method == NULL) return -1; if (ctx->method->ctrl != NULL) - return(ctx->method->ctrl(ctx,cmd,argc,argl,ret)); + return ctx->method->ctrl(ctx,cmd,argc,argl,ret); else - return(1); + return 1; } int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, X509_OBJECT *ret) { if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL)) - return(X509_LU_FAIL); - if (ctx->skip) return(0); - return(ctx->method->get_by_subject(ctx,type,name,ret)); + return X509_LU_FAIL; + if (ctx->skip) return 0; + return ctx->method->get_by_subject(ctx,type,name,ret); } int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name, @@ -135,79 +133,74 @@ int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name, { if ((ctx->method == NULL) || (ctx->method->get_by_issuer_serial == NULL)) - return(X509_LU_FAIL); - return(ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret)); + return X509_LU_FAIL; + return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret); } int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, unsigned char *bytes, int len, X509_OBJECT *ret) { if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL)) - return(X509_LU_FAIL); - return(ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret)); + return X509_LU_FAIL; + return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret); } int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len, X509_OBJECT *ret) { if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL)) - return(X509_LU_FAIL); - return(ctx->method->get_by_alias(ctx,type,str,len,ret)); + return X509_LU_FAIL; + return ctx->method->get_by_alias(ctx,type,str,len,ret); } -static unsigned long x509_object_hash(X509_OBJECT *a) - { - unsigned long h; - - switch (a->type) - { - case X509_LU_X509: - h=X509_NAME_hash(a->data.x509->cert_info->subject); - break; - case X509_LU_CRL: - h=X509_NAME_hash(a->data.crl->crl->issuer); - break; + +static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b) + { + int ret; + + ret=((*a)->type - (*b)->type); + if (ret) return ret; + switch ((*a)->type) + { + case X509_LU_X509: + ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509); + break; + case X509_LU_CRL: + ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl); + break; default: - abort(); + /* abort(); */ + return 0; } - return(h); - } - -static int x509_object_cmp(X509_OBJECT *a, X509_OBJECT *b) - { - int ret; - - ret=(a->type - b->type); - if (ret) return(ret); - switch (a->type) - { - case X509_LU_X509: - ret=X509_subject_name_cmp(a->data.x509,b->data.x509); - break; - case X509_LU_CRL: - ret=X509_CRL_cmp(a->data.crl,b->data.crl); - break; - default: - abort(); - } - return(ret); + return ret; } X509_STORE *X509_STORE_new(void) { X509_STORE *ret; - if ((ret=(X509_STORE *)Malloc(sizeof(X509_STORE))) == NULL) - return(NULL); - ret->certs=lh_new(x509_object_hash,x509_object_cmp); + if ((ret=(X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL) + return NULL; + ret->objs = sk_X509_OBJECT_new(x509_object_cmp); ret->cache=1; ret->get_cert_methods=sk_X509_LOOKUP_new_null(); - ret->verify=NULL; - ret->verify_cb=NULL; - memset(&ret->ex_data,0,sizeof(CRYPTO_EX_DATA)); + ret->verify=0; + ret->verify_cb=0; + + if ((ret->param = X509_VERIFY_PARAM_new()) == NULL) + return NULL; + + ret->get_issuer = 0; + ret->check_issued = 0; + ret->check_revocation = 0; + ret->get_crl = 0; + ret->check_crl = 0; + ret->cert_crl = 0; + ret->cleanup = 0; + + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data); ret->references=1; - ret->depth=0; - return(ret); + return ret; } static void cleanup(X509_OBJECT *a) @@ -221,9 +214,11 @@ static void cleanup(X509_OBJECT *a) X509_CRL_free(a->data.crl); } else - abort(); + { + /* abort(); */ + } - Free(a); + OPENSSL_free(a); } void X509_STORE_free(X509_STORE *vfy) @@ -232,7 +227,7 @@ void X509_STORE_free(X509_STORE *vfy) STACK_OF(X509_LOOKUP) *sk; X509_LOOKUP *lu; - if(vfy == NULL) + if (vfy == NULL) return; sk=vfy->get_cert_methods; @@ -243,11 +238,12 @@ void X509_STORE_free(X509_STORE *vfy) X509_LOOKUP_free(lu); } sk_X509_LOOKUP_free(sk); + sk_X509_OBJECT_pop_free(vfy->objs, cleanup); - CRYPTO_free_ex_data(x509_store_meth,(char *)vfy,&vfy->ex_data); - lh_doall(vfy->certs,cleanup); - lh_free(vfy->certs); - Free(vfy); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data); + if (vfy->param) + X509_VERIFY_PARAM_free(vfy->param); + OPENSSL_free(vfy); } X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) @@ -262,22 +258,22 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) lu=sk_X509_LOOKUP_value(sk,i); if (m == lu->method) { - return(lu); + return lu; } } /* a new one */ lu=X509_LOOKUP_new(m); if (lu == NULL) - return(NULL); + return NULL; else { lu->store_ctx=v; if (sk_X509_LOOKUP_push(v->get_cert_methods,lu)) - return(lu); + return lu; else { X509_LOOKUP_free(lu); - return(NULL); + return NULL; } } } @@ -290,7 +286,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, X509_OBJECT stmp,*tmp; int i,j; - tmp=X509_OBJECT_retrieve_by_subject(ctx->certs,type,name); + tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name); if (tmp == NULL) { @@ -301,7 +297,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, if (j < 0) { vs->current_method=j; - return(j); + return j; } else if (j) { @@ -311,7 +307,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, } vs->current_method=0; if (tmp == NULL) - return(0); + return 0; } /* if (ret->data.ptr != NULL) @@ -322,7 +318,74 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, X509_OBJECT_up_ref_count(ret); - return(1); + return 1; + } + +int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) + { + X509_OBJECT *obj; + int ret=1; + + if (x == NULL) return 0; + obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); + if (obj == NULL) + { + X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE); + return 0; + } + obj->type=X509_LU_X509; + obj->data.x509=x; + + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); + + X509_OBJECT_up_ref_count(obj); + + + if (X509_OBJECT_retrieve_match(ctx->objs, obj)) + { + X509_OBJECT_free_contents(obj); + OPENSSL_free(obj); + X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE); + ret=0; + } + else sk_X509_OBJECT_push(ctx->objs, obj); + + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + + return ret; + } + +int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) + { + X509_OBJECT *obj; + int ret=1; + + if (x == NULL) return 0; + obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); + if (obj == NULL) + { + X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE); + return 0; + } + obj->type=X509_LU_CRL; + obj->data.crl=x; + + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); + + X509_OBJECT_up_ref_count(obj); + + if (X509_OBJECT_retrieve_match(ctx->objs, obj)) + { + X509_OBJECT_free_contents(obj); + OPENSSL_free(obj); + X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE); + ret=0; + } + else sk_X509_OBJECT_push(ctx->objs, obj); + + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + + return ret; } void X509_OBJECT_up_ref_count(X509_OBJECT *a) @@ -351,10 +414,10 @@ void X509_OBJECT_free_contents(X509_OBJECT *a) } } -X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type, +int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name) { - X509_OBJECT stmp,*tmp; + X509_OBJECT stmp; X509 x509_s; X509_CINF cinf_s; X509_CRL crl_s; @@ -374,38 +437,142 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type, crl_info_s.issuer=name; break; default: - abort(); + /* abort(); */ + return -1; } - tmp=(X509_OBJECT *)lh_retrieve(h,(char *)&stmp); - return(tmp); + return sk_X509_OBJECT_find(h,&stmp); } -void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, - STACK_OF(X509) *chain) +X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type, + X509_NAME *name) +{ + int idx; + idx = X509_OBJECT_idx_by_subject(h, type, name); + if (idx==-1) return NULL; + return sk_X509_OBJECT_value(h, idx); +} + +X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x) +{ + int idx, i; + X509_OBJECT *obj; + idx = sk_X509_OBJECT_find(h, x); + if (idx == -1) return NULL; + if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL)) + return sk_X509_OBJECT_value(h, idx); + for (i = idx; i < sk_X509_OBJECT_num(h); i++) + { + obj = sk_X509_OBJECT_value(h, i); + if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x)) + return NULL; + if (x->type == X509_LU_X509) + { + if (!X509_cmp(obj->data.x509, x->data.x509)) + return obj; + } + else if (x->type == X509_LU_CRL) + { + if (!X509_CRL_match(obj->data.crl, x->data.crl)) + return obj; + } + else + return obj; + } + return NULL; +} + + +/* Try to get issuer certificate from store. Due to limitations + * of the API this can only retrieve a single certificate matching + * a given subject name. However it will fill the cache with all + * matching certificates, so we can examine the cache for all + * matches. + * + * Return values are: + * 1 lookup successful. + * 0 certificate not found. + * -1 some other error. + */ + + +int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) +{ + X509_NAME *xn; + X509_OBJECT obj, *pobj; + int i, ok, idx; + xn=X509_get_issuer_name(x); + ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj); + if (ok != X509_LU_X509) + { + if (ok == X509_LU_RETRY) + { + X509_OBJECT_free_contents(&obj); + X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY); + return -1; + } + else if (ok != X509_LU_FAIL) + { + X509_OBJECT_free_contents(&obj); + /* not good :-(, break anyway */ + return -1; + } + return 0; + } + /* If certificate matches all OK */ + if (ctx->check_issued(ctx, x, obj.data.x509)) + { + *issuer = obj.data.x509; + return 1; + } + X509_OBJECT_free_contents(&obj); + /* Else find index of first matching cert */ + idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn); + /* This shouldn't normally happen since we already have one match */ + if (idx == -1) return 0; + + /* Look through all matching certificates for a suitable issuer */ + for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) + { + pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i); + /* See if we've ran out of matches */ + if (pobj->type != X509_LU_X509) return 0; + if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) return 0; + if (ctx->check_issued(ctx, x, pobj->data.x509)) + { + *issuer = pobj->data.x509; + X509_OBJECT_up_ref_count(pobj); + return 1; + } + } + return 0; +} + +int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags) { - ctx->ctx=store; - ctx->current_method=0; - ctx->cert=x509; - ctx->untrusted=chain; - ctx->last_untrusted=0; - ctx->valid=0; - ctx->chain=NULL; - ctx->depth=9; - ctx->error=0; - ctx->current_cert=NULL; - memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); + return X509_VERIFY_PARAM_set_flags(ctx->param, flags); } -void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) +int X509_STORE_set_depth(X509_STORE *ctx, int depth) { - if (ctx->chain != NULL) - { - sk_X509_pop_free(ctx->chain,X509_free); - ctx->chain=NULL; - } - CRYPTO_free_ex_data(x509_store_ctx_meth,(char *)ctx,&(ctx->ex_data)); - memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); + X509_VERIFY_PARAM_set_depth(ctx->param, depth); + return 1; + } + +int X509_STORE_set_purpose(X509_STORE *ctx, int purpose) + { + return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose); + } + +int X509_STORE_set_trust(X509_STORE *ctx, int trust) + { + return X509_VERIFY_PARAM_set_trust(ctx->param, trust); + } + +int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) + { + return X509_VERIFY_PARAM_set1(ctx->param, param); } IMPLEMENT_STACK_OF(X509_LOOKUP) +IMPLEMENT_STACK_OF(X509_OBJECT)