/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
ret->dh_tmp = cert->dh_tmp;
EVP_PKEY_up_ref(ret->dh_tmp);
}
-#ifndef OPENSSL_NO_DH
+
ret->dh_tmp_cb = cert->dh_tmp_cb;
-#endif
ret->dh_tmp_auto = cert->dh_tmp_auto;
for (i = 0; i < SSL_PKEY_NUM; i++) {
cpk->x509 = NULL;
EVP_PKEY_free(cpk->privatekey);
cpk->privatekey = NULL;
- sk_X509_pop_free(cpk->chain, X509_free);
+ OSSL_STACK_OF_X509_free(cpk->chain);
cpk->chain = NULL;
OPENSSL_free(cpk->serverinfo);
cpk->serverinfo = NULL;
return 0;
}
}
- sk_X509_pop_free(cpk->chain, X509_free);
+ OSSL_STACK_OF_X509_free(cpk->chain);
cpk->chain = chain;
return 1;
}
if (!dchain)
return 0;
if (!ssl_cert_set0_chain(s, ctx, dchain)) {
- sk_X509_pop_free(dchain, X509_free);
+ OSSL_STACK_OF_X509_free(dchain);
return 0;
}
return 1;
c->cert_cb_arg = arg;
}
+/*
+ * Verify a certificate chain
+ * Return codes:
+ * 1: Verify success
+ * 0: Verify failure or error
+ * -1: Retry required
+ */
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
{
X509 *x;
if (s->verify_callback)
X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback);
- if (s->ctx->app_verify_callback != NULL)
+ if (s->ctx->app_verify_callback != NULL) {
i = s->ctx->app_verify_callback(ctx, s->ctx->app_verify_arg);
- else
+ } else {
i = X509_verify_cert(ctx);
+ /* We treat an error in the same way as a failure to verify */
+ if (i < 0)
+ i = 0;
+ }
s->verify_result = X509_STORE_CTX_get_error(ctx);
- sk_X509_pop_free(s->verified_chain, X509_free);
+ OSSL_STACK_OF_X509_free(s->verified_chain);
s->verified_chain = NULL;
if (X509_STORE_CTX_get0_chain(ctx) != NULL) {
s->verified_chain = X509_STORE_CTX_get1_chain(ctx);
static unsigned long xname_hash(const X509_NAME *a)
{
- return X509_NAME_hash((X509_NAME *)a);
+ /* This returns 0 also if SHA1 is not available */
+ return X509_NAME_hash_ex((X509_NAME *)a, NULL, NULL, NULL);
}
STACK_OF(X509_NAME) *SSL_load_client_CA_file_ex(const char *file,
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
- if (!BIO_read_filename(in, file))
+ if (BIO_read_filename(in, file) <= 0)
goto err;
/* Internally lh_X509_NAME_retrieve() needs the libctx to retrieve SHA1 */
goto err;
}
- if (!BIO_read_filename(in, file))
+ if (BIO_read_filename(in, file) <= 0)
goto err;
for (;;) {
untrusted = cpk->chain;
}
- xs_ctx = X509_STORE_CTX_new_ex(real_ctx->libctx, ctx->propq);
+ xs_ctx = X509_STORE_CTX_new_ex(real_ctx->libctx, real_ctx->propq);
if (xs_ctx == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
goto err;
rv = ssl_security_cert(s, ctx, x, 0, 0);
if (rv != 1) {
ERR_raise(ERR_LIB_SSL, rv);
- sk_X509_pop_free(chain, X509_free);
+ OSSL_STACK_OF_X509_free(chain);
rv = 0;
goto err;
}
}
- sk_X509_pop_free(cpk->chain, X509_free);
+ OSSL_STACK_OF_X509_free(cpk->chain);
cpk->chain = chain;
if (rv == 0)
rv = 1;
return 1;
}
-static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
- int op, int bits, int nid, void *other,
- void *ex)
+int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain)
+{
+ *pstore = (chain ? c->chain_store : c->verify_store);
+ return 1;
+}
+
+int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp)
{
- int level, minbits;
- static const int minbits_table[5] = { 80, 112, 128, 192, 256 };
- if (ctx)
+ int level;
+ /*
+ * note that there's a corresponding minbits_table
+ * in crypto/x509/x509_vfy.c that's used for checking the security level
+ * of RSA and DSA keys
+ */
+ static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 };
+
+ if (ctx != NULL)
level = SSL_CTX_get_security_level(ctx);
else
level = SSL_get_security_level(s);
- if (level <= 0) {
+ if (level > 5)
+ level = 5;
+ else if (level < 0)
+ level = 0;
+
+ if (levelp != NULL)
+ *levelp = level;
+
+ return minbits_table[level];
+}
+
+static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
+ int op, int bits, int nid, void *other,
+ void *ex)
+{
+ int level, minbits, pfs_mask;
+
+ minbits = ssl_get_security_level_bits(s, ctx, &level);
+
+ if (level == 0) {
/*
* No EDH keys weaker than 1024-bits even at level 0, otherwise,
* anything goes.
return 0;
return 1;
}
- if (level > 5)
- level = 5;
- minbits = minbits_table[level - 1];
switch (op) {
case SSL_SECOP_CIPHER_SUPPORTED:
case SSL_SECOP_CIPHER_SHARED:
/* SHA1 HMAC is 160 bits of security */
if (minbits > 160 && c->algorithm_mac & SSL_SHA1)
return 0;
- /* Level 2: no RC4 */
- if (level >= 2 && c->algorithm_enc == SSL_RC4)
- return 0;
/* Level 3: forward secure ciphersuites only */
+ pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK;
if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
- !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
+ !(c->algorithm_mkey & pfs_mask))
return 0;
break;
}