static int internal_verify(X509_STORE_CTX *ctx);
const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
-static STACK *x509_store_ctx_method=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
static int x509_store_ctx_num=0;
#if 0
static int x509_store_num=1;
}
/* We have the chain complete: now we need to check its purpose */
- if(ctx->chain_purpose > 0) ok = check_chain_purpose(ctx);
+ if(ctx->purpose > 0) ok = check_chain_purpose(ctx);
if(!ok) goto end;
/* The chain extensions are OK: check trust */
- if(ctx->trust_purpose > 0) ok = check_trust(ctx);
+ if(ctx->trust > 0) ok = check_trust(ctx);
if(!ok) goto end;
/* Check all untrusted certificates */
for(i = 0; i < ctx->last_untrusted; i++) {
x = sk_X509_value(ctx->chain, i);
- if(!X509_check_purpose(x, ctx->chain_purpose, i)) {
+ if(!X509_check_purpose(x, ctx->purpose, i)) {
if(i) ctx->error = X509_V_ERR_INVALID_CA;
else ctx->error = X509_V_ERR_INVALID_PURPOSE;
ctx->error_depth = i;
/* For now just check the last certificate in the chain */
i = sk_X509_num(ctx->chain) - 1;
x = sk_X509_value(ctx->chain, i);
- ok = X509_check_trust(x, ctx->trust_purpose, 0);
+ ok = X509_check_trust(x, ctx->trust, 0);
if(ok == X509_TRUST_TRUSTED) return 1;
ctx->error_depth = sk_X509_num(ctx->chain) - 1;
ctx->current_cert = x;
}
if (X509_verify(xs,pkey) <= 0)
{
- EVP_PKEY_free(pkey);
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert=xs;
ok=(*cb)(0,ctx);
- if (!ok) goto end;
+ if (!ok)
+ {
+ EVP_PKEY_free(pkey);
+ goto end;
+ }
}
EVP_PKEY_free(pkey);
pkey=NULL;
return(ok);
}
-int X509_cmp_current_time(ASN1_UTCTIME *ctm)
+int X509_cmp_current_time(ASN1_TIME *ctm)
{
char *str;
- ASN1_UTCTIME atm;
+ ASN1_TIME atm;
time_t offset;
char buff1[24],buff2[24],*p;
int i,j;
p=buff1;
i=ctm->length;
str=(char *)ctm->data;
- if ((i < 11) || (i > 17)) return(0);
- memcpy(p,str,10);
- p+=10;
- str+=10;
+ if(ctm->type == V_ASN1_UTCTIME) {
+ if ((i < 11) || (i > 17)) return(0);
+ memcpy(p,str,10);
+ p+=10;
+ str+=10;
+ } else {
+ if(i < 13) return 0;
+ memcpy(p,str,12);
+ p+=12;
+ str+=12;
+ }
if ((*str == 'Z') || (*str == '-') || (*str == '+'))
{ *(p++)='0'; *(p++)='0'; }
- else { *(p++)= *(str++); *(p++)= *(str++); }
+ else
+ {
+ *(p++)= *(str++);
+ *(p++)= *(str++);
+ /* Skip any fractional seconds... */
+ if(*str == '.')
+ {
+ str++;
+ while((*str >= '0') && (*str <= '9')) str++;
+ }
+
+ }
*(p++)='Z';
*(p++)='\0';
if (*str == '-')
offset= -offset;
}
- atm.type=V_ASN1_UTCTIME;
+ atm.type=ctm->type;
atm.length=sizeof(buff2);
atm.data=(unsigned char *)buff2;
- X509_gmtime_adj(&atm,-offset);
+ X509_gmtime_adj(&atm,-offset*60);
- i=(buff1[0]-'0')*10+(buff1[1]-'0');
- if (i < 50) i+=100; /* cf. RFC 2459 */
- j=(buff2[0]-'0')*10+(buff2[1]-'0');
- if (j < 50) j+=100;
+ if(ctm->type == V_ASN1_UTCTIME)
+ {
+ i=(buff1[0]-'0')*10+(buff1[1]-'0');
+ if (i < 50) i+=100; /* cf. RFC 2459 */
+ j=(buff2[0]-'0')*10+(buff2[1]-'0');
+ if (j < 50) j+=100;
- if (i < j) return (-1);
- if (i > j) return (1);
+ if (i < j) return (-1);
+ if (i > j) return (1);
+ }
i=strcmp(buff1,buff2);
if (i == 0) /* wait a second then return younger :-) */
return(-1);
return(i);
}
-ASN1_UTCTIME *X509_gmtime_adj(ASN1_UTCTIME *s, long adj)
+ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
{
time_t t;
time(&t);
t+=adj;
- return(ASN1_UTCTIME_set(s,t));
+ if(!s) return ASN1_TIME_set(s, t);
+ if(s->type == V_ASN1_UTCTIME) return(ASN1_UTCTIME_set(s,t));
+ return ASN1_GENERALIZEDTIME_set(s, t);
}
int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
int ret=1;
if (x == NULL) return(0);
- obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
+ obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
if (obj == NULL)
{
X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
X509_OBJECT_up_ref_count(obj);
- r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
+ r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
if (r != NULL)
{ /* oops, put it back */
- lh_delete(ctx->certs,(char *)obj);
+ lh_delete(ctx->certs,obj);
X509_OBJECT_free_contents(obj);
- Free(obj);
- lh_insert(ctx->certs,(char *)r);
+ OPENSSL_free(obj);
+ lh_insert(ctx->certs,r);
X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
ret=0;
}
int ret=1;
if (x == NULL) return(0);
- obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
+ obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
if (obj == NULL)
{
X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
X509_OBJECT_up_ref_count(obj);
- r=(X509_OBJECT *)lh_insert(ctx->certs,(char *)obj);
+ r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
if (r != NULL)
{ /* oops, put it back */
- lh_delete(ctx->certs,(char *)obj);
+ lh_delete(ctx->certs,obj);
X509_OBJECT_free_contents(obj);
- Free(obj);
- lh_insert(ctx->certs,(char *)r);
+ OPENSSL_free(obj);
+ lh_insert(ctx->certs,r);
X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
ret=0;
}
return(ret);
}
-int X509_STORE_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
- int (*dup_func)(), void (*free_func)())
+int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
{
x509_store_ctx_num++;
return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
return(ctx->chain);
}
+STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
+ {
+ int i;
+ X509 *x;
+ STACK_OF(X509) *chain;
+ if(!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
+ for(i = 0; i < sk_X509_num(chain); i++) {
+ x = sk_X509_value(chain, i);
+ CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+ }
+ return(chain);
+ }
+
void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
{
ctx->cert=x;
ctx->untrusted=sk;
}
-int X509_STORE_CTX_chain_purpose(X509_STORE_CTX *ctx, int purpose)
+int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
{
- return X509_set_purpose_and_trust(purpose,
- &ctx->chain_purpose, &ctx->trust_purpose);
+ return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
}
-void X509_STORE_CTX_trust_purpose(X509_STORE_CTX *ctx, int purpose)
+int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
{
- ctx->trust_purpose = purpose;
+ return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
}
-int X509_set_purpose_and_trust(int id, int *purp, int *trust)
+/* This function is used to set the X509_STORE_CTX purpose and trust
+ * values. This is intended to be used when another structure has its
+ * own trust and purpose values which (if set) will be inherited by
+ * the ctx. If they aren't set then we will usually have a default
+ * purpose in mind which should then be used to set the trust value.
+ * An example of this is SSL use: an SSL structure will have its own
+ * purpose and trust settings which the application can set: if they
+ * aren't set then we use the default of SSL client/server.
+ */
+
+int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
+ int purpose, int trust)
{
- X509_PURPOSE *ptmp;
int idx;
- idx = X509_PURPOSE_get_by_id(id);
- if(idx == -1) {
- X509err(X509_F_X509_SET_PURPOSE_AND_TRUST,
- X509_R_UNKNOWN_TRUST_ID);
- return 0;
+ /* If purpose not set use default */
+ if(!purpose) purpose = def_purpose;
+ /* If we have a purpose then check it is valid */
+ if(purpose) {
+ X509_PURPOSE *ptmp;
+ idx = X509_PURPOSE_get_by_id(purpose);
+ if(idx == -1) {
+ X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
+ X509_R_UNKNOWN_PURPOSE_ID);
+ return 0;
+ }
+ ptmp = X509_PURPOSE_get0(idx);
+ if(ptmp->trust == X509_TRUST_DEFAULT) {
+ idx = X509_PURPOSE_get_by_id(def_purpose);
+ if(idx == -1) {
+ X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
+ X509_R_UNKNOWN_PURPOSE_ID);
+ return 0;
+ }
+ ptmp = X509_PURPOSE_get0(idx);
+ }
+ /* If trust not set then get from purpose default */
+ if(!trust) trust = ptmp->trust;
+ }
+ if(trust) {
+ idx = X509_TRUST_get_by_id(trust);
+ if(idx == -1) {
+ X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
+ X509_R_UNKNOWN_TRUST_ID);
+ return 0;
+ }
}
- ptmp = X509_PURPOSE_iget(idx);
- if(purp) *purp = id;
- if(trust) *trust = ptmp->trust_id;
+
+ if(purpose) ctx->purpose = purpose;
+ if(trust) ctx->trust = trust;
return 1;
}
+
IMPLEMENT_STACK_OF(X509)
IMPLEMENT_ASN1_SET_OF(X509)