X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Focsp%2Focsp_vfy.c;h=809f7f41e13bbdd0f7de776fcaa7c2849167984d;hp=4fb00df3235f003066e778c29a4f36c8948590a8;hb=121738d1cbfffa704eef4073510f13b419e6f08d;hpb=a332635ea0ec7dab14d550c2f151bb4ea8c64f78 diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 4fb00df323..809f7f41e1 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -1,60 +1,10 @@ -/* ocsp_vfy.c */ /* - * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project - * 2000. - */ -/* ==================================================================== - * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). + * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ #include @@ -63,19 +13,17 @@ #include static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, - STACK_OF(X509) *certs, X509_STORE *st, - unsigned long flags); + STACK_OF(X509) *certs, unsigned long flags); static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); -static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, - unsigned long flags); +static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain); static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret); static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp); -static int ocsp_check_delegated(X509 *x, int flags); +static int ocsp_check_delegated(X509 *x); static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs, - X509_STORE *st, unsigned long flags); + unsigned long flags); /* Verify a basic response message */ @@ -85,24 +33,30 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509 *signer, *x; STACK_OF(X509) *chain = NULL; STACK_OF(X509) *untrusted = NULL; - X509_STORE_CTX ctx; - int i, ret = 0; - ret = ocsp_find_signer(&signer, bs, certs, st, flags); + X509_STORE_CTX *ctx = NULL; + int i, ret = ocsp_find_signer(&signer, bs, certs, flags); + if (!ret) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); goto end; } + ctx = X509_STORE_CTX_new(); + if (ctx == NULL) { + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); + goto f_err; + } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; - skey = X509_get_pubkey(signer); - if (skey) { - ret = OCSP_BASICRESP_verify(bs, skey, 0); - EVP_PKEY_free(skey); + skey = X509_get0_pubkey(signer); + if (skey == NULL) { + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY); + goto err; } - if (!skey || ret <= 0) { + ret = OCSP_BASICRESP_verify(bs, skey, 0); + if (ret <= 0) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); goto end; } @@ -116,25 +70,25 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, for (i = 0; i < sk_X509_num(certs); i++) { if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); - goto end; + goto f_err; } } + } else if (certs != NULL) { + untrusted = certs; } else { untrusted = bs->certs; } - init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted); + init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted); if (!init_res) { - ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); - goto end; + goto f_err; } - X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); - ret = X509_verify_cert(&ctx); - chain = X509_STORE_CTX_get1_chain(&ctx); - X509_STORE_CTX_cleanup(&ctx); + X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); + ret = X509_verify_cert(ctx); + chain = X509_STORE_CTX_get1_chain(ctx); if (ret <= 0) { - i = X509_STORE_CTX_get_error(&ctx); + i = X509_STORE_CTX_get_error(ctx); OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_CERTIFICATE_VERIFY_ERROR); ERR_add_error_data(2, "Verify error:", @@ -149,7 +103,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, * At this point we have a valid certificate chain need to verify it * against the OCSP issuer criteria. */ - ret = ocsp_check_issuer(bs, chain, flags); + ret = ocsp_check_issuer(bs, chain); /* If fatal error or valid match then finish */ if (ret != 0) @@ -165,21 +119,27 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, x = sk_X509_value(chain, sk_X509_num(chain) - 1); if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED); - goto end; + goto err; } ret = 1; } - end: + X509_STORE_CTX_free(ctx); sk_X509_pop_free(chain, X509_free); if (bs->certs && certs) sk_X509_free(untrusted); return ret; + + err: + ret = 0; + goto end; + f_err: + ret = -1; + goto end; } static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, - STACK_OF(X509) *certs, X509_STORE *st, - unsigned long flags) + STACK_OF(X509) *certs, unsigned long flags) { X509 *signer; OCSP_RESPID *rid = &bs->tbsResponseData.responderId; @@ -224,8 +184,7 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) return NULL; } -static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, - unsigned long flags) +static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain) { STACK_OF(OCSP_SINGLERESP) *sresp; X509 *signer, *sca; @@ -254,7 +213,7 @@ static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, return i; if (i) { /* We have a match, if extensions OK then success */ - if (ocsp_check_delegated(signer, flags)) + if (ocsp_check_delegated(signer)) return 1; return 0; } @@ -291,7 +250,7 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; /* Check to see if IDs match */ if (OCSP_id_issuer_cmp(cid, tmpid)) { - /* If algoritm mismatch let caller deal with it */ + /* If algorithm mismatch let caller deal with it */ if (OBJ_cmp(tmpid->hashAlgorithm.algorithm, cid->hashAlgorithm.algorithm)) return 2; @@ -324,16 +283,16 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, mdlen = EVP_MD_size(dgst); if (mdlen < 0) return -1; - if ((cid->issuerNameHash->length != mdlen) || - (cid->issuerKeyHash->length != mdlen)) + if ((cid->issuerNameHash.length != mdlen) || + (cid->issuerKeyHash.length != mdlen)) return 0; iname = X509_get_subject_name(cert); if (!X509_NAME_digest(iname, dgst, md, NULL)) return -1; - if (memcmp(md, cid->issuerNameHash->data, mdlen)) + if (memcmp(md, cid->issuerNameHash.data, mdlen)) return 0; X509_pubkey_digest(cert, dgst, md, NULL); - if (memcmp(md, cid->issuerKeyHash->data, mdlen)) + if (memcmp(md, cid->issuerKeyHash.data, mdlen)) return 0; return 1; @@ -353,7 +312,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, } -static int ocsp_check_delegated(X509 *x, int flags) +static int ocsp_check_delegated(X509 *x) { if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE) && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN)) @@ -374,68 +333,80 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509 *signer; X509_NAME *nm; GENERAL_NAME *gen; - int ret; - X509_STORE_CTX ctx; + int ret = 0; + X509_STORE_CTX *ctx = X509_STORE_CTX_new(); + + if (ctx == NULL) { + OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!req->optionalSignature) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED); - return 0; + goto err; } gen = req->tbsRequest.requestorName; if (!gen || gen->type != GEN_DIRNAME) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); - return 0; + goto err; } nm = gen->d.directoryName; - ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags); + ret = ocsp_req_find_signer(&signer, req, nm, certs, flags); if (ret <= 0) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); - return 0; + goto err; } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; - skey = X509_get_pubkey(signer); + skey = X509_get0_pubkey(signer); ret = OCSP_REQUEST_verify(req, skey); - EVP_PKEY_free(skey); if (ret <= 0) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE); - return 0; + goto err; } } if (!(flags & OCSP_NOVERIFY)) { int init_res; if (flags & OCSP_NOCHAIN) - init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL); + init_res = X509_STORE_CTX_init(ctx, store, signer, NULL); else - init_res = X509_STORE_CTX_init(&ctx, store, signer, + init_res = X509_STORE_CTX_init(ctx, store, signer, req->optionalSignature->certs); if (!init_res) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB); - return 0; + goto err; } - X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); - X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST); - ret = X509_verify_cert(&ctx); - X509_STORE_CTX_cleanup(&ctx); + X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); + X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST); + ret = X509_verify_cert(ctx); if (ret <= 0) { - ret = X509_STORE_CTX_get_error(&ctx); + ret = X509_STORE_CTX_get_error(ctx); OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_CERTIFICATE_VERIFY_ERROR); ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(ret)); - return 0; + goto err; } } - return 1; + ret = 1; + goto end; + +err: + ret = 0; +end: + X509_STORE_CTX_free(ctx); + return ret; + } static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs, - X509_STORE *st, unsigned long flags) + unsigned long flags) { X509 *signer; if (!(flags & OCSP_NOINTERN)) {