Don't use expired certificates if possible.

[openssl.git] / crypto / x509 / x509_vfy.c

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index b7e3f6e996f6c575afef04f9316b43116fb2bae4..30fc974a2091f58e67820972b4cd1f6b5896dc7a 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -69,7 +69,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
-#include "vpm_int.h"
+#include "x509_lcl.h"
 
 /* CRL score values */
 
@@ -366,8 +366,11 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
        /* If explicitly rejected error */
        if (i == X509_TRUST_REJECTED)
                goto end;
-       /* If not explicitly trusted then indicate error */
-       if (i != X509_TRUST_TRUSTED)
+       /* If not explicitly trusted then indicate error unless it's
+        * a single self signed certificate in which case we've indicated
+        * an error already and set bad_chain == 1
+        */
+       if (i != X509_TRUST_TRUSTED && !bad_chain)
                {
                if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
                        {
@@ -466,14 +469,18 @@ end:
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
        int i;
-       X509 *issuer;
+       X509 *issuer, *rv = NULL;;
        for (i = 0; i < sk_X509_num(sk); i++)
                {
                issuer = sk_X509_value(sk, i);
                if (ctx->check_issued(ctx, x, issuer))
-                       return issuer;
+                       {
+                       rv = issuer;
+                       if (x509_check_cert_time(ctx, rv, 1))
+                               break;
+                       }
                }
-       return NULL;
+       return rv;
 }
 
 /* Given a possible certificate and issuer check them */
@@ -481,6 +488,8 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 {
        int ret;
+       if (x == issuer)
+               return cert_self_signed(x);
        ret = X509_check_issued(issuer, x);
        if (ret == X509_V_OK)
                {
@@ -739,7 +748,8 @@ static int check_id(X509_STORE_CTX *ctx)
        X509_VERIFY_PARAM *vpm = ctx->param;
        X509_VERIFY_PARAM_ID *id = vpm->id;
        X509 *x = ctx->cert;
-       if (id->host && !X509_check_host(x, id->host, id->hostlen, 0))
+       if (id->host && !X509_check_host(x, id->host, id->hostlen,
+                                        id->hostflags))
                {
                if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
                        return 0;
@@ -1688,7 +1698,7 @@ static int check_policy(X509_STORE_CTX *ctx)
        return 1;
        }
 
-static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
        {
        time_t *ptime;
        int i;
@@ -1701,6 +1711,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
        i=X509_cmp_time(X509_get_notBefore(x), ptime);
        if (i == 0)
                {
+               if (quiet)
+                       return 0;
                ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
                ctx->current_cert=x;
                if (!ctx->verify_cb(0, ctx))
@@ -1709,6 +1721,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
        if (i > 0)
                {
+               if (quiet)
+                       return 0;
                ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
                ctx->current_cert=x;
                if (!ctx->verify_cb(0, ctx))
@@ -1718,6 +1732,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
        i=X509_cmp_time(X509_get_notAfter(x), ptime);
        if (i == 0)
                {
+               if (quiet)
+                       return 0;
                ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
                ctx->current_cert=x;
                if (!ctx->verify_cb(0, ctx))
@@ -1726,6 +1742,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
        if (i < 0)
                {
+               if (quiet)
+                       return 0;
                ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
                ctx->current_cert=x;
                if (!ctx->verify_cb(0, ctx))
@@ -1753,7 +1771,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
                xs=xi;
        else
                {
-               if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN && n == 0)
+               if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
                        {
                        xs = xi;
                        goto check_cert;
@@ -1809,7 +1827,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
                xs->valid = 1;
 
                check_cert:
-               ok = check_cert_time(ctx, xs);
+               ok = x509_check_cert_time(ctx, xs, 0);
                if (!ok)
                        goto end;