Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / d323f4b1e185b43f8d5e5a3b191d4bf0d5b65609 / . / ssl / ssl_cert.c
blob: 28a33c95ff8cab630a2adbca255c9d784f360fa3 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */
114
David Benjamin443a1f62015-09-04 15:05:05 -0400[diff] [blame]115#include <openssl/ssl.h>
116
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]117#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]118
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]119#include <openssl/bn.h>
David Benjamin676d1e72014-07-08 14:34:10 -0400[diff] [blame]120#include <openssl/buf.h>
David Benjamin680ca962015-06-18 12:37:23 -0400[diff] [blame]121#include <openssl/ec_key.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]122#include <openssl/dh.h>
123#include <openssl/err.h>
124#include <openssl/mem.h>
David Benjamin680ca962015-06-18 12:37:23 -0400[diff] [blame]125#include <openssl/x509.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]126#include <openssl/x509v3.h>
127
128#include "../crypto/dh/internal.h"
Adam Langley0da323a2015-05-15 12:49:30 -0700[diff] [blame]129#include "../crypto/internal.h"
David Benjamin2ee94aa2015-04-07 22:38:30 -0400[diff] [blame]130#include "internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]131
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]132
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]133int SSL_get_ex_data_X509_STORE_CTX_idx(void) {
David Benjaminaa585132015-06-29 23:36:17 -0400[diff] [blame]134 /* The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the
135 * reserved app_data slot. Before ex_data was introduced, app_data was used.
136 * Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|
137 * works. */
138 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]139}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]140
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]141CERT *ssl_cert_new(void) {
Brian Smith5ba06892016-02-07 09:36:04 -1000[diff] [blame]142 CERT *ret = OPENSSL_malloc(sizeof(CERT));
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]143 if (ret == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]144 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]145 return NULL;
146 }
147 memset(ret, 0, sizeof(CERT));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]148
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]149 return ret;
150}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]151
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]152CERT *ssl_cert_dup(CERT *cert) {
Brian Smith5ba06892016-02-07 09:36:04 -1000[diff] [blame]153 CERT *ret = OPENSSL_malloc(sizeof(CERT));
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]154 if (ret == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]155 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]156 return NULL;
157 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]158 memset(ret, 0, sizeof(CERT));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]159
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]160 ret->mask_k = cert->mask_k;
161 ret->mask_a = cert->mask_a;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]162
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]163 if (cert->dh_tmp != NULL) {
164 ret->dh_tmp = DHparams_dup(cert->dh_tmp);
165 if (ret->dh_tmp == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]166 OPENSSL_PUT_ERROR(SSL, ERR_R_DH_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]167 goto err;
168 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]169 }
170 ret->dh_tmp_cb = cert->dh_tmp_cb;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]171
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]172 if (cert->x509 != NULL) {
173 ret->x509 = X509_up_ref(cert->x509);
174 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]175
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]176 if (cert->privatekey != NULL) {
177 ret->privatekey = EVP_PKEY_up_ref(cert->privatekey);
178 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]179
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]180 if (cert->chain) {
181 ret->chain = X509_chain_up_ref(cert->chain);
182 if (!ret->chain) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]183 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]184 goto err;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]185 }
186 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]187
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]188 ret->cert_cb = cert->cert_cb;
189 ret->cert_cb_arg = cert->cert_cb_arg;
190
Adam Langleyd323f4b2016-03-01 15:58:14 -0800[diff] [blame^]191 if (cert->verify_store != NULL) {
192 X509_STORE_up_ref(cert->verify_store);
193 ret->verify_store = cert->verify_store;
194 }
195
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]196 return ret;
197
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]198err:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]199 ssl_cert_free(ret);
200 return NULL;
201}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]202
203/* Free up and clear all certificates and chains */
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]204void ssl_cert_clear_certs(CERT *cert) {
205 if (cert == NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]206 return;
207 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]208
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]209 X509_free(cert->x509);
210 cert->x509 = NULL;
211 EVP_PKEY_free(cert->privatekey);
212 cert->privatekey = NULL;
213 sk_X509_pop_free(cert->chain, X509_free);
214 cert->chain = NULL;
David Benjamin71d2e542015-07-06 00:30:25 -0400[diff] [blame]215 cert->key_method = NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]216}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]217
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]218void ssl_cert_free(CERT *c) {
219 if (c == NULL) {
220 return;
221 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]222
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]223 DH_free(c->dh_tmp);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]224
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]225 ssl_cert_clear_certs(c);
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]226 OPENSSL_free(c->peer_sigalgs);
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]227 OPENSSL_free(c->digest_nids);
Adam Langleyd323f4b2016-03-01 15:58:14 -0800[diff] [blame^]228 X509_STORE_free(c->verify_store);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]229
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]230 OPENSSL_free(c);
231}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]232
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]233int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) {
234 sk_X509_pop_free(cert->chain, X509_free);
235 cert->chain = chain;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]236 return 1;
237}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]238
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]239int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) {
David Benjamin60da0cd2015-05-03 15:21:28 -0400[diff] [blame]240 STACK_OF(X509) *dchain;
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]241 if (chain == NULL) {
242 return ssl_cert_set0_chain(cert, NULL);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]243 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]244
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]245 dchain = X509_chain_up_ref(chain);
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]246 if (dchain == NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]247 return 0;
248 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]249
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]250 if (!ssl_cert_set0_chain(cert, dchain)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]251 sk_X509_pop_free(dchain, X509_free);
252 return 0;
253 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]254
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]255 return 1;
256}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]257
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]258int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) {
259 if (cert->chain == NULL) {
260 cert->chain = sk_X509_new_null();
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]261 }
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]262 if (cert->chain == NULL || !sk_X509_push(cert->chain, x509)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]263 return 0;
264 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]265
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]266 return 1;
267}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]268
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]269int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509) {
270 if (!ssl_cert_add0_chain_cert(cert, x509)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]271 return 0;
272 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]273
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]274 X509_up_ref(x509);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]275 return 1;
276}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]277
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]278void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg) {
279 c->cert_cb = cb;
280 c->cert_cb_arg = arg;
281}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]282
David Benjamin306ece32015-09-17 13:46:22 -0400[diff] [blame]283int ssl_verify_cert_chain(SSL *ssl, STACK_OF(X509) *cert_chain) {
284 if (cert_chain == NULL || sk_X509_num(cert_chain) == 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]285 return 0;
286 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]287
Adam Langleyd323f4b2016-03-01 15:58:14 -0800[diff] [blame^]288 X509_STORE *verify_store = ssl->ctx->cert_store;
289 if (ssl->cert->verify_store != NULL) {
290 verify_store = ssl->cert->verify_store;
291 }
292
David Benjamin306ece32015-09-17 13:46:22 -0400[diff] [blame]293 X509 *leaf = sk_X509_value(cert_chain, 0);
294 int ret = 0;
295 X509_STORE_CTX ctx;
Adam Langleyd323f4b2016-03-01 15:58:14 -0800[diff] [blame^]296 if (!X509_STORE_CTX_init(&ctx, verify_store, leaf, cert_chain)) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]297 OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]298 return 0;
299 }
David Benjamin306ece32015-09-17 13:46:22 -0400[diff] [blame]300 if (!X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(),
301 ssl)) {
302 goto err;
303 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]304
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]305 /* We need to inherit the verify parameters. These can be determined by the
306 * context: if its a server it will verify SSL client certificates or vice
307 * versa. */
David Benjamin306ece32015-09-17 13:46:22 -0400[diff] [blame]308 X509_STORE_CTX_set_default(&ctx, ssl->server ? "ssl_client" : "ssl_server");
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]309
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]310 /* Anything non-default in "param" should overwrite anything in the ctx. */
David Benjamin306ece32015-09-17 13:46:22 -0400[diff] [blame]311 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), ssl->param);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]312
David Benjamin306ece32015-09-17 13:46:22 -0400[diff] [blame]313 if (ssl->verify_callback) {
314 X509_STORE_CTX_set_verify_cb(&ctx, ssl->verify_callback);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]315 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]316
David Benjamin306ece32015-09-17 13:46:22 -0400[diff] [blame]317 if (ssl->ctx->app_verify_callback != NULL) {
318 ret = ssl->ctx->app_verify_callback(&ctx, ssl->ctx->app_verify_arg);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]319 } else {
David Benjamin306ece32015-09-17 13:46:22 -0400[diff] [blame]320 ret = X509_verify_cert(&ctx);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]321 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]322
David Benjamin306ece32015-09-17 13:46:22 -0400[diff] [blame]323 ssl->verify_result = ctx.error;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]324
David Benjamin306ece32015-09-17 13:46:22 -0400[diff] [blame]325err:
326 X509_STORE_CTX_cleanup(&ctx);
327 return ret;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]328}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]329
David Benjamin60da0cd2015-05-03 15:21:28 -0400[diff] [blame]330static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,
331 STACK_OF(X509_NAME) *name_list) {
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]332 sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]333 *ca_list = name_list;
334}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]335
David Benjamin59937042015-09-19 13:04:22 -0400[diff] [blame]336STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list) {
337 STACK_OF(X509_NAME) *ret = sk_X509_NAME_new_null();
338 if (ret == NULL) {
339 return NULL;
340 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]341
David Benjamin59937042015-09-19 13:04:22 -0400[diff] [blame]342 size_t i;
343 for (i = 0; i < sk_X509_NAME_num(list); i++) {
344 X509_NAME *name = X509_NAME_dup(sk_X509_NAME_value(list, i));
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]345 if (name == NULL || !sk_X509_NAME_push(ret, name)) {
David Benjamin59937042015-09-19 13:04:22 -0400[diff] [blame]346 X509_NAME_free(name);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]347 sk_X509_NAME_pop_free(ret, X509_NAME_free);
348 return NULL;
349 }
350 }
351
352 return ret;
353}
354
David Benjamin59937042015-09-19 13:04:22 -0400[diff] [blame]355void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list) {
356 set_client_CA_list(&ssl->client_CA, name_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]357}
358
David Benjamin60da0cd2015-05-03 15:21:28 -0400[diff] [blame]359void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) {
David Benjamin59937042015-09-19 13:04:22 -0400[diff] [blame]360 set_client_CA_list(&ctx->client_CA, name_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]361}
362
David Benjamin60da0cd2015-05-03 15:21:28 -0400[diff] [blame]363STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]364 return ctx->client_CA;
365}
366
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]367STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {
368 /* For historical reasons, this function is used both to query configuration
369 * state on a server as well as handshake state on a client. However, whether
370 * |ssl| is a client or server is not known until explicitly configured with
371 * |SSL_set_connect_state|. If |handshake_func| is NULL, |ssl| is in an
372 * indeterminate mode and |ssl->server| is unset. */
373 if (ssl->handshake_func != NULL && !ssl->server) {
374 return ssl->s3->tmp.ca_names;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]375 }
David Benjamin1d128f32015-09-08 17:41:40 -0400[diff] [blame]376
377 if (ssl->client_CA != NULL) {
378 return ssl->client_CA;
379 }
380 return ssl->ctx->client_CA;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]381}
382
David Benjamin59937042015-09-19 13:04:22 -0400[diff] [blame]383static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x509) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]384 X509_NAME *name;
385
David Benjamin59937042015-09-19 13:04:22 -0400[diff] [blame]386 if (x509 == NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]387 return 0;
388 }
389 if (*sk == NULL) {
390 *sk = sk_X509_NAME_new_null();
391 if (*sk == NULL) {
392 return 0;
393 }
394 }
395
David Benjamin59937042015-09-19 13:04:22 -0400[diff] [blame]396 name = X509_NAME_dup(X509_get_subject_name(x509));
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]397 if (name == NULL) {
398 return 0;
399 }
400
401 if (!sk_X509_NAME_push(*sk, name)) {
402 X509_NAME_free(name);
403 return 0;
404 }
405
406 return 1;
407}
408
David Benjamin59937042015-09-19 13:04:22 -0400[diff] [blame]409int SSL_add_client_CA(SSL *ssl, X509 *x509) {
410 return add_client_CA(&ssl->client_CA, x509);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]411}
412
David Benjamin59937042015-09-19 13:04:22 -0400[diff] [blame]413int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) {
414 return add_client_CA(&ctx->client_CA, x509);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]415}
416
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]417/* Add a certificate to a BUF_MEM structure */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]418static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) {
419 int n;
420 uint8_t *p;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]421
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]422 n = i2d_X509(x, NULL);
423 if (!BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]424 OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]425 return 0;
426 }
427 p = (uint8_t *)&(buf->data[*l]);
428 l2n3(n, p);
429 i2d_X509(x, &p);
430 *l += n + 3;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]431
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]432 return 1;
433}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]434
Adam Langley24819752014-12-15 18:42:07 -0800[diff] [blame]435/* Add certificate chain to internal SSL BUF_MEM structure. */
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]436int ssl_add_cert_chain(SSL *ssl, unsigned long *l) {
437 CERT *cert = ssl->cert;
438 BUF_MEM *buf = ssl->init_buf;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]439 int no_chain = 0;
440 size_t i;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]441
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]442 X509 *x = cert->x509;
443 STACK_OF(X509) *chain = cert->chain;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]444
David Benjamin605641e2015-05-03 15:14:04 -0400[diff] [blame]445 if (x == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]446 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
David Benjamin605641e2015-05-03 15:14:04 -0400[diff] [blame]447 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]448 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]449
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]450 if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]451 no_chain = 1;
452 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]453
David Benjamin605641e2015-05-03 15:14:04 -0400[diff] [blame]454 if (no_chain) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]455 if (!ssl_add_cert_to_buf(buf, l, x)) {
456 return 0;
457 }
David Benjamin605641e2015-05-03 15:14:04 -0400[diff] [blame]458
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]459 for (i = 0; i < sk_X509_num(chain); i++) {
460 x = sk_X509_value(chain, i);
David Benjamin605641e2015-05-03 15:14:04 -0400[diff] [blame]461 if (!ssl_add_cert_to_buf(buf, l, x)) {
462 return 0;
463 }
464 }
465 } else {
466 X509_STORE_CTX xs_ctx;
467
David Benjamind27441a2015-08-09 11:05:17 -0400[diff] [blame]468 if (!X509_STORE_CTX_init(&xs_ctx, ssl->ctx->cert_store, x, NULL)) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]469 OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
David Benjamin605641e2015-05-03 15:14:04 -0400[diff] [blame]470 return 0;
471 }
472 X509_verify_cert(&xs_ctx);
473 /* Don't leave errors in the queue */
474 ERR_clear_error();
475 for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
476 x = sk_X509_value(xs_ctx.chain, i);
477
478 if (!ssl_add_cert_to_buf(buf, l, x)) {
479 X509_STORE_CTX_cleanup(&xs_ctx);
480 return 0;
481 }
482 }
483 X509_STORE_CTX_cleanup(&xs_ctx);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]484 }
485
486 return 1;
487}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]488
Adam Langleyd323f4b2016-03-01 15:58:14 -0800[diff] [blame^]489static int set_cert_store(X509_STORE **store_ptr, X509_STORE *new_store, int take_ref) {
490 X509_STORE_free(*store_ptr);
491 *store_ptr = new_store;
492
493 if (new_store != NULL && take_ref) {
494 X509_STORE_up_ref(new_store);
495 }
496
497 return 1;
498}
499
500int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {
501 return set_cert_store(&ctx->cert->verify_store, store, 0);
502}
503
504int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {
505 return set_cert_store(&ctx->cert->verify_store, store, 1);
506}
507
508int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store) {
509 return set_cert_store(&ssl->cert->verify_store, store, 0);
510}
511
512int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store) {
513 return set_cert_store(&ssl->cert->verify_store, store, 1);
514}
515
David Benjamin11c0f8e2015-07-06 00:18:15 -0400[diff] [blame]516int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {
517 return ssl_cert_set0_chain(ctx->cert, chain);
518}
519
520int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {
521 return ssl_cert_set1_chain(ctx->cert, chain);
522}
523
524int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) {
525 return ssl_cert_set0_chain(ssl->cert, chain);
526}
527
528int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) {
529 return ssl_cert_set1_chain(ssl->cert, chain);
530}
531
532int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) {
533 return ssl_cert_add0_chain_cert(ctx->cert, x509);
534}
535
536int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) {
537 return ssl_cert_add1_chain_cert(ctx->cert, x509);
538}
539
540int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509) {
541 return SSL_CTX_add0_chain_cert(ctx, x509);
542}
543
544int SSL_add0_chain_cert(SSL *ssl, X509 *x509) {
545 return ssl_cert_add0_chain_cert(ssl->cert, x509);
546}
547
548int SSL_add1_chain_cert(SSL *ssl, X509 *x509) {
549 return ssl_cert_add1_chain_cert(ssl->cert, x509);
550}
551
552int SSL_CTX_clear_chain_certs(SSL_CTX *ctx) {
553 return SSL_CTX_set0_chain(ctx, NULL);
554}
555
556int SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) {
557 return SSL_CTX_clear_chain_certs(ctx);
558}
559
560int SSL_clear_chain_certs(SSL *ssl) {
561 return SSL_set0_chain(ssl, NULL);
562}
563
564int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) {
565 *out_chain = ctx->cert->chain;
566 return 1;
567}
568
569int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx,
570 STACK_OF(X509) **out_chain) {
571 return SSL_CTX_get0_chain_certs(ctx, out_chain);
572}
573
574int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) {
575 *out_chain = ssl->cert->chain;
576 return 1;
577}