X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_cert.c;h=408404958efb3576599487c72ffb4171e621886e;hp=5a465e39425088c0638d9d862886869df8046a99;hb=64e54bf5c6657bf423d3ba463f31095d598d94e7;hpb=320a81277e402f393289ae7229b2320324321fb1;ds=sidebyside diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 5a465e3942..408404958e 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1,8 +1,8 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html @@ -15,15 +15,19 @@ #include "internal/o_dir.h" #include #include +#include #include #include #include #include #include "internal/refcount.h" -#include "ssl_locl.h" +#include "ssl_local.h" #include "ssl_cert_table.h" #include "internal/thread_once.h" +DEFINE_STACK_OF(X509) +DEFINE_STACK_OF(X509_NAME) + static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex); @@ -154,8 +158,6 @@ CERT *ssl_cert_dup(CERT *cert) ret->client_sigalgslen = cert->client_sigalgslen; } else ret->client_sigalgs = NULL; - /* Shared sigalgs also NULL */ - ret->shared_sigalgs = NULL; /* Copy any custom client certificate types */ if (cert->ctype) { ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len); @@ -225,6 +227,8 @@ void ssl_cert_free(CERT *c) { int i; + if (c == NULL) + return; CRYPTO_DOWN_REF(&c->references, &i, c->lock); REF_PRINT_COUNT("CERT", c); if (i > 0) @@ -238,7 +242,6 @@ void ssl_cert_free(CERT *c) ssl_cert_clear_certs(c); OPENSSL_free(c->conf_sigalgs); OPENSSL_free(c->client_sigalgs); - OPENSSL_free(c->shared_sigalgs); OPENSSL_free(c->ctype); X509_STORE_free(c->verify_store); X509_STORE_free(c->chain_store); @@ -253,11 +256,20 @@ void ssl_cert_free(CERT *c) int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain) { int i, r; - CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key; + CERT_PKEY *cpk = s != NULL ? s->cert->key : ctx->cert->key; + SSL_CTX *realctx = s != NULL ? s->ctx : ctx; + if (!cpk) return 0; for (i = 0; i < sk_X509_num(chain); i++) { - r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0); + X509 *x = sk_X509_value(chain, i); + + if (!X509v3_cache_extensions(x, realctx->libctx, realctx->propq)) { + SSLerr(0, ERR_LIB_X509); + return 0; + } + + r = ssl_security_cert(s, ctx, x, 0, 0); if (r != 1) { SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r); return 0; @@ -377,7 +389,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) else verify_store = s->ctx->cert_store; - ctx = X509_STORE_CTX_new(); + ctx = X509_STORE_CTX_new_with_libctx(s->ctx->libctx, s->ctx->propq); if (ctx == NULL) { SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE); return 0; @@ -499,29 +511,30 @@ const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s) void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) { - SSL_CTX_set0_CA_list(ctx, name_list); + set0_CA_list(&ctx->client_ca_names, name_list); } STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) { - return ctx->ca_names; + return ctx->client_ca_names; } void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) { - SSL_set0_CA_list(s, name_list); + set0_CA_list(&s->client_ca_names, name_list); } const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s) { - return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL; + return s->s3.tmp.peer_ca_names; } STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) { if (!s->server) - return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL; - return s->ca_names != NULL ? s->ca_names : s->ctx->ca_names; + return s->s3.tmp.peer_ca_names; + return s->client_ca_names != NULL ? s->client_ca_names + : s->ctx->client_ca_names; } static int add_ca_name(STACK_OF(X509_NAME) **sk, const X509 *x) @@ -543,24 +556,28 @@ static int add_ca_name(STACK_OF(X509_NAME) **sk, const X509 *x) return 1; } -int SSL_add1_CA_list(SSL *ssl, const X509 *x) +int SSL_add1_to_CA_list(SSL *ssl, const X509 *x) { return add_ca_name(&ssl->ca_names, x); } -int SSL_CTX_add1_CA_list(SSL_CTX *ctx, const X509 *x) +int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x) { return add_ca_name(&ctx->ca_names, x); } +/* + * The following two are older names are to be replaced with + * SSL(_CTX)_add1_to_CA_list + */ int SSL_add_client_CA(SSL *ssl, X509 *x) { - return add_ca_name(&ssl->ca_names, x); + return add_ca_name(&ssl->client_ca_names, x); } int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) { - return add_ca_name(&ctx->ca_names, x); + return add_ca_name(&ctx->client_ca_names, x); } static int xname_cmp(const X509_NAME *a, const X509_NAME *b) @@ -597,14 +614,6 @@ static unsigned long xname_hash(const X509_NAME *a) return X509_NAME_hash((X509_NAME *)a); } -/** - * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed; - * it doesn't really have anything to do with clients (except that a common use - * for a stack of CAs is to send it to the client). Actually, it doesn't have - * much to do with CAs, either, since it will load any old cert. - * \param file the file containing one or more certs. - * \return a ::STACK containing the certs. - */ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) { BIO *in = BIO_new(BIO_s_file()); @@ -662,15 +671,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) return ret; } -/** - * Add a file of certs to a stack. - * \param stack the stack to add to. - * \param file the file to add from. All certs in this file that are not - * already in the stack will be added. - * \return 1 for success, 0 for failure. Note that in the case of failure some - * certs may have been added to \c stack. - */ - int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *file) { @@ -721,17 +721,6 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, return ret; } -/** - * Add a directory of certs to a stack. - * \param stack the stack to append to. - * \param dir the directory to append from. All files in this directory will be - * examined as potential certs. Any that are acceptable to - * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be - * included. - * \return 1 for success, 0 for failure. Note that in the case of failure some - * certs may have been added to \c stack. - */ - int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir) { @@ -762,8 +751,9 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, } if (errno) { - SYSerr(SYS_F_OPENDIR, get_last_sys_error()); - ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')"); + ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(), + "calling OPENSSL_dir_read(%s)", + dir); SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB); goto err; } @@ -777,6 +767,71 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, return ret; } +static int add_uris_recursive(STACK_OF(X509_NAME) *stack, + const char *uri, int depth) +{ + int ok = 1; + OSSL_STORE_CTX *ctx = NULL; + X509 *x = NULL; + X509_NAME *xn = NULL; + + if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL) + goto err; + + while (!OSSL_STORE_eof(ctx) && !OSSL_STORE_error(ctx)) { + OSSL_STORE_INFO *info = OSSL_STORE_load(ctx); + int infotype = info == 0 ? 0 : OSSL_STORE_INFO_get_type(info); + + if (info == NULL) + continue; + + if (infotype == OSSL_STORE_INFO_NAME) { + /* + * This is an entry in the "directory" represented by the current + * uri. if |depth| allows, dive into it. + */ + if (depth > 0) + ok = add_uris_recursive(stack, OSSL_STORE_INFO_get0_NAME(info), + depth - 1); + } else if (infotype == OSSL_STORE_INFO_CERT) { + if ((x = OSSL_STORE_INFO_get0_CERT(info)) == NULL + || (xn = X509_get_subject_name(x)) == NULL + || (xn = X509_NAME_dup(xn)) == NULL) + goto err; + if (sk_X509_NAME_find(stack, xn) >= 0) { + /* Duplicate. */ + X509_NAME_free(xn); + } else if (!sk_X509_NAME_push(stack, xn)) { + X509_NAME_free(xn); + goto err; + } + } + + OSSL_STORE_INFO_free(info); + } + + ERR_clear_error(); + goto done; + + err: + ok = 0; + done: + OSSL_STORE_close(ctx); + + return ok; +} + +int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, + const char *store) +{ + int (*oldcmp) (const X509_NAME *const *a, const X509_NAME *const *b) + = sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp); + int ret = add_uris_recursive(stack, store, 1); + + (void)sk_X509_NAME_set_cmp_func(stack, oldcmp); + return ret; +} + /* Build a certificate chain for current certificate */ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags) { @@ -817,7 +872,10 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags) untrusted = cpk->chain; } - xs_ctx = X509_STORE_CTX_new(); + if (s == NULL) + xs_ctx = X509_STORE_CTX_new_with_libctx(ctx->libctx, ctx->propq); + else + xs_ctx = X509_STORE_CTX_new_with_libctx(s->ctx->libctx, s->ctx->propq); if (xs_ctx == NULL) { SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, ERR_R_MALLOC_FAILURE); goto err; @@ -945,7 +1003,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, if (level >= 2 && c->algorithm_enc == SSL_RC4) return 0; /* Level 3: forward secure ciphersuites only */ - if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))) + if (level >= 3 && c->min_tls != TLS1_3_VERSION && + !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))) return 0; break; } @@ -993,22 +1052,35 @@ int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other) ctx->cert->sec_ex); } -const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx) +int ssl_cert_lookup_by_nid(int nid, size_t *pidx) { - int nid = EVP_PKEY_id(pk); size_t i; - if (nid == NID_undef) - return NULL; - for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) { if (ssl_cert_info[i].nid == nid) { - if (pidx != NULL) - *pidx = i; - return &ssl_cert_info[i]; + *pidx = i; + return 1; } } - return NULL; + + return 0; +} + +const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx) +{ + int nid = EVP_PKEY_id(pk); + size_t tmpidx; + + if (nid == NID_undef) + return NULL; + + if (!ssl_cert_lookup_by_nid(nid, &tmpidx)) + return NULL; + + if (pidx != NULL) + *pidx = tmpidx; + + return &ssl_cert_info[tmpidx]; } const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx)