[openssl-commits] [openssl] master update

Viktor Dukhovni viktor at openssl.org
Sun Jan 3 22:22:20 UTC 2016


The branch master has been updated
       via  0e7abc903799a32d9d4eb34316cb72f1f4b28a52 (commit)
       via  d9b8b89bec4480de3a10bdaf9425db371c19145b (commit)
      from  63c6aa6b9311d2834cbfea2b6311d44be9075dd0 (commit)


- Log -----------------------------------------------------------------
commit 0e7abc903799a32d9d4eb34316cb72f1f4b28a52
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Tue Dec 29 13:16:47 2015 -0500

    Drop incorrect id == -1 case from X509_check_trust
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit d9b8b89bec4480de3a10bdaf9425db371c19145b
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Tue Dec 29 12:42:57 2015 -0500

    X509_verify_cert() cleanup
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_err.c     |   1 +
 crypto/x509/x509_trs.c     |   3 +-
 crypto/x509/x509_vfy.c     | 739 ++++++++++++++++++++++++---------------------
 include/openssl/x509.h     |   1 +
 include/openssl/x509_vfy.h |   4 +-
 5 files changed, 401 insertions(+), 347 deletions(-)

diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index 25f90ea..668af28 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -71,6 +71,7 @@
 
 static ERR_STRING_DATA X509_str_functs[] = {
     {ERR_FUNC(X509_F_ADD_CERT_DIR), "add_cert_dir"},
+    {ERR_FUNC(X509_F_BUILD_CHAIN), "build_chain"},
     {ERR_FUNC(X509_F_BY_FILE_CTRL), "by_file_ctrl"},
     {ERR_FUNC(X509_F_CHECK_POLICY), "check_policy"},
     {ERR_FUNC(X509_F_DIR_CTRL), "dir_ctrl"},
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 27ee475..8f2ff83 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -116,8 +116,7 @@ int X509_check_trust(X509 *x, int id, int flags)
 {
     X509_TRUST *pt;
     int idx;
-    if (id == -1)
-        return 1;
+
     /* We get this as a default value */
     if (id == 0) {
         int rv;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 3acb374..9b88031 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
+#include <limits.h>
 
 #include "internal/cryptlib.h"
 #include <openssl/crypto.h>
@@ -69,7 +70,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
-#include "internal/x509_int.h"
+#include <internal/x509_int.h>
 #include "x509_lcl.h"
 
 /* CRL score values */
@@ -110,13 +111,15 @@
 
 #define CRL_SCORE_TIME_DELTA    0x002
 
+static int build_chain(X509_STORE_CTX *ctx);
+static int verify_chain(X509_STORE_CTX *ctx);
 static int null_callback(int ok, X509_STORE_CTX *e);
 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
 static int check_chain_extensions(X509_STORE_CTX *ctx);
 static int check_name_constraints(X509_STORE_CTX *ctx);
 static int check_id(X509_STORE_CTX *ctx);
-static int check_trust(X509_STORE_CTX *ctx);
+static int check_trust(X509_STORE_CTX *ctx, int num_untrusted);
 static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
 static int check_policy(X509_STORE_CTX *ctx);
@@ -148,6 +151,11 @@ static int null_callback(int ok, X509_STORE_CTX *e)
 /* Return 1 is a certificate is self signed */
 static int cert_self_signed(X509 *x)
 {
+    /*
+     * FIXME: x509v3_cache_extensions() needs to detect more failures and not
+     * set EXFLAG_SET when that happens.  Especially, if the failures are
+     * parse errors, rather than memory pressure!
+     */
     X509_check_purpose(x, -1, 0);
     if (x->ex_flags & EXFLAG_SS)
         return 1;
@@ -180,19 +188,60 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
     return xtmp;
 }
 
+static int verify_chain(X509_STORE_CTX *ctx)
+{
+    int (*cb) (int xok, X509_STORE_CTX *xctx) = ctx->verify_cb;
+    int err;
+    int ok;
+
+    /*
+     * Before either returning with an error, or continuing with CRL checks,
+     * instantiate chain public key parameters.
+     */
+    if ((ok = build_chain(ctx)) == 0 ||
+        (ok = check_chain_extensions(ctx)) == 0 ||
+        (ok = check_name_constraints(ctx)) == 0 ||
+        (ok = check_id(ctx)) == 0 || 1)
+        X509_get_pubkey_parameters(NULL, ctx->chain);
+    if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0)
+        return ok;
+
+    err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
+                                  ctx->param->flags);
+    if (err != X509_V_OK) {
+        ctx->error = err;
+        ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
+        if ((ok = cb(0, ctx)) == 0)
+            return ok;
+    }
+
+    /* Verify chain signatures and expiration times */
+    ok = (ctx->verify != NULL) ? ctx->verify(ctx) : internal_verify(ctx);
+    if (!ok)
+        return ok;
+
+#ifndef OPENSSL_NO_RFC3779
+    /* RFC 3779 path validation, now that CRL check has been done */
+    if ((ok = v3_asid_validate_path(ctx)) == 0)
+        return ok;
+    if ((ok = v3_addr_validate_path(ctx)) == 0)
+        return ok;
+#endif
+
+    /* If we get this far evaluate policies */
+    if (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)
+        ok = ctx->check_policy(ctx);
+    return ok;
+}
+
 int X509_verify_cert(X509_STORE_CTX *ctx)
 {
-    X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
-    int bad_chain = 0;
-    X509_VERIFY_PARAM *param = ctx->param;
-    int depth, i, ok = 0;
-    int num, j, retry;
-    int (*cb) (int xok, X509_STORE_CTX *xctx);
-    STACK_OF(X509) *sktmp = NULL;
+
     if (ctx->cert == NULL) {
         X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
         return -1;
     }
+
     if (ctx->chain != NULL) {
         /*
          * This X509_STORE_CTX has already been used to verify a cert. We
@@ -202,8 +251,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         return -1;
     }
 
-    cb = ctx->verify_cb;
-
     /*
      * first we make sure the chain we are going to build is present and that
      * the first entry is in place
@@ -211,302 +258,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
     if (((ctx->chain = sk_X509_new_null()) == NULL) ||
         (!sk_X509_push(ctx->chain, ctx->cert))) {
         X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
-        goto end;
+        return -1;
     }
     X509_up_ref(ctx->cert);
-    ctx->last_untrusted = 1;
-
-    /* We use a temporary STACK so we can chop and hack at it */
-    if (ctx->untrusted != NULL
-        && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
-        X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
-        goto end;
-    }
-
-    num = sk_X509_num(ctx->chain);
-    x = sk_X509_value(ctx->chain, num - 1);
-    depth = param->depth;
-
-    for (;;) {
-        /* If we have enough, we break */
-        if (depth < num)
-            break;              /* FIXME: If this happens, we should take
-                                 * note of it and, if appropriate, use the
-                                 * X509_V_ERR_CERT_CHAIN_TOO_LONG error code
-                                 * later. */
-
-        /* If we are self signed, we break */
-        if (cert_self_signed(x))
-            break;
-        /*
-         * If asked see if we can find issuer in trusted store first
-         */
-        if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
-            ok = ctx->get_issuer(&xtmp, ctx, x);
-            if (ok < 0)
-                goto end;
-            /*
-             * If successful for now free up cert so it will be picked up
-             * again later.
-             */
-            if (ok > 0) {
-                X509_free(xtmp);
-                break;
-            }
-        }
-
-        /* If we were passed a cert chain, use it first */
-        if (ctx->untrusted != NULL) {
-            xtmp = find_issuer(ctx, sktmp, x);
-            if (xtmp != NULL) {
-                if (!sk_X509_push(ctx->chain, xtmp)) {
-                    X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
-                    goto end;
-                }
-                X509_up_ref(xtmp);
-                (void)sk_X509_delete_ptr(sktmp, xtmp);
-                ctx->last_untrusted++;
-                x = xtmp;
-                num++;
-                /*
-                 * reparse the full chain for the next one
-                 */
-                continue;
-            }
-        }
-        break;
-    }
-
-    /* Remember how many untrusted certs we have */
-    j = num;
-    /*
-     * at this point, chain should contain a list of untrusted certificates.
-     * We now need to add at least one trusted one, if possible, otherwise we
-     * complain.
-     */
-
-    do {
-        /*
-         * Examine last certificate in chain and see if it is self signed.
-         */
-        i = sk_X509_num(ctx->chain);
-        x = sk_X509_value(ctx->chain, i - 1);
-        if (cert_self_signed(x)) {
-            /* we have a self signed certificate */
-            if (sk_X509_num(ctx->chain) == 1) {
-                /*
-                 * We have a single self signed certificate: see if we can
-                 * find it in the store. We must have an exact match to avoid
-                 * possible impersonation.
-                 */
-                ok = ctx->get_issuer(&xtmp, ctx, x);
-                if ((ok <= 0) || X509_cmp(x, xtmp)) {
-                    ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
-                    ctx->current_cert = x;
-                    ctx->error_depth = i - 1;
-                    if (ok == 1)
-                        X509_free(xtmp);
-                    bad_chain = 1;
-                    ok = cb(0, ctx);
-                    if (!ok)
-                        goto end;
-                } else {
-                    /*
-                     * We have a match: replace certificate with store
-                     * version so we get any trust settings.
-                     */
-                    X509_free(x);
-                    x = xtmp;
-                    (void)sk_X509_set(ctx->chain, i - 1, x);
-                    ctx->last_untrusted = 0;
-                }
-            } else {
-                /*
-                 * extract and save self signed certificate for later use
-                 */
-                chain_ss = sk_X509_pop(ctx->chain);
-                ctx->last_untrusted--;
-                num--;
-                j--;
-                x = sk_X509_value(ctx->chain, num - 1);
-            }
-        }
-        /* We now lookup certs from the certificate store */
-        for (;;) {
-            /* If we have enough, we break */
-            if (depth < num)
-                break;
-            /* If we are self signed, we break */
-            if (cert_self_signed(x))
-                break;
-            ok = ctx->get_issuer(&xtmp, ctx, x);
-
-            if (ok < 0)
-                goto end;
-            if (ok == 0)
-                break;
-            x = xtmp;
-            if (!sk_X509_push(ctx->chain, x)) {
-                X509_free(xtmp);
-                X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
-                ok = 0;
-                goto done;
-            }
-            num++;
-        }
-
-        /* we now have our chain, lets check it... */
-        i = check_trust(ctx);
-
-        /* If explicitly rejected error */
-        if (i == X509_TRUST_REJECTED)
-            goto end;
-        /*
-         * If it's not explicitly trusted then check if there is an alternative
-         * chain that could be used. We only do this if we haven't already
-         * checked via TRUSTED_FIRST and the user hasn't switched off alternate
-         * chain checking
-         */
-        retry = 0;
-        if (i != X509_TRUST_TRUSTED
-            && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
-            && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
-            while (j-- > 1) {
-                STACK_OF(X509) *chtmp = ctx->chain;
-                xtmp2 = sk_X509_value(ctx->chain, j - 1);
-                /*
-                 * Temporarily set chain to NULL so we don't discount
-                 * duplicates: the same certificate could be an untrusted
-                 * CA found in the trusted store.
-                 */
-                ctx->chain = NULL;
-                ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
-                ctx->chain = chtmp;
-                if (ok < 0)
-                    goto end;
-                /* Check if we found an alternate chain */
-                if (ok > 0) {
-                    /*
-                     * Free up the found cert we'll add it again later
-                     */
-                    X509_free(xtmp);
-
-                    /*
-                     * Dump all the certs above this point - we've found an
-                     * alternate chain
-                     */
-                    while (num > j) {
-                        xtmp = sk_X509_pop(ctx->chain);
-                        X509_free(xtmp);
-                        num--;
-                    }
-                    ctx->last_untrusted = sk_X509_num(ctx->chain);
-                    retry = 1;
-                    break;
-                }
-            }
-        }
-    } while (retry);
-
-    /*
-     * If not explicitly trusted then indicate error unless it's a single
-     * self signed certificate in which case we've indicated an error already
-     * and set bad_chain == 1
-     */
-    if (i != X509_TRUST_TRUSTED && !bad_chain) {
-        if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
-            if (ctx->last_untrusted >= num)
-                ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
-            else
-                ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
-            ctx->current_cert = x;
-        } else {
-
-            sk_X509_push(ctx->chain, chain_ss);
-            num++;
-            ctx->last_untrusted = num;
-            ctx->current_cert = chain_ss;
-            ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
-            chain_ss = NULL;
-        }
-
-        ctx->error_depth = num - 1;
-        bad_chain = 1;
-        ok = cb(0, ctx);
-        if (!ok)
-            goto end;
-    }
-
-    /* We have the chain complete: now we need to check its purpose */
-    ok = check_chain_extensions(ctx);
-
-    if (!ok)
-        goto end;
-
-    /* Check name constraints */
-
-    ok = check_name_constraints(ctx);
-
-    if (!ok)
-        goto end;
-
-    ok = check_id(ctx);
-
-    if (!ok)
-        goto end;
-
-    /* We may as well copy down any DSA parameters that are required */
-    X509_get_pubkey_parameters(NULL, ctx->chain);
-
-    /*
-     * Check revocation status: we do this after copying parameters because
-     * they may be needed for CRL signature verification.
-     */
-
-    ok = ctx->check_revocation(ctx);
-    if (!ok)
-        goto end;
-
-    i = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
-                                ctx->param->flags);
-    if (i != X509_V_OK) {
-        ctx->error = i;
-        ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
-        ok = cb(0, ctx);
-        if (!ok)
-            goto end;
-    }
-
-    /* At this point, we have a chain and need to verify it */
-    if (ctx->verify != NULL)
-        ok = ctx->verify(ctx);
-    else
-        ok = internal_verify(ctx);
-    if (!ok)
-        goto end;
+    ctx->num_untrusted = 1;
 
-#ifndef OPENSSL_NO_RFC3779
-    /* RFC 3779 path validation, now that CRL check has been done */
-    ok = v3_asid_validate_path(ctx);
-    if (!ok)
-        goto end;
-    ok = v3_addr_validate_path(ctx);
-    if (!ok)
-        goto end;
-#endif
-
-    /* If we get this far evaluate policies */
-    if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
-        ok = ctx->check_policy(ctx);
-    if (ok)
-        goto done;
-
- end:
-    X509_get_pubkey_parameters(NULL, ctx->chain);
- done:
-    sk_X509_free(sktmp);
-    X509_free(chain_ss);
-    return ok;
+    return verify_chain(ctx);
 }
 
 /*
@@ -618,7 +375,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
     }
 
     /* Check all untrusted certificates */
-    for (i = 0; i < ctx->last_untrusted; i++) {
+    for (i = 0; i == 0 || i < ctx->num_untrusted; i++) {
         int ret;
         x = sk_X509_value(ctx->chain, i);
         if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
@@ -801,48 +558,66 @@ static int check_id(X509_STORE_CTX *ctx)
     return 1;
 }
 
-static int check_trust(X509_STORE_CTX *ctx)
+static int check_trust(X509_STORE_CTX *ctx, int num_untrusted)
 {
-    int i, ok;
+    int i, ok = 0;
     X509 *x = NULL;
-    int (*cb) (int xok, X509_STORE_CTX *xctx);
-    cb = ctx->verify_cb;
-    /* Check all trusted certificates in chain */
-    for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
+    X509 *mx;
+    int (*cb) (int xok, X509_STORE_CTX *xctx) = ctx->verify_cb;
+    int num = sk_X509_num(ctx->chain);
+    int trust;
+
+    /*
+     * Check trusted certificates in chain at depth num_untrusted and up.
+     * Note, that depths 0..num_untrusted-1 may also contain trusted
+     * certificates, but the caller is expected to have already checked those,
+     * and wants to incrementally check just any added since.
+     */
+    for (i = num_untrusted; i < num; i++) {
         x = sk_X509_value(ctx->chain, i);
-        ok = X509_check_trust(x, ctx->param->trust, 0);
+        trust = X509_check_trust(x, ctx->param->trust, 0);
         /* If explicitly trusted return trusted */
-        if (ok == X509_TRUST_TRUSTED)
-            return X509_TRUST_TRUSTED;
-        /*
-         * If explicitly rejected notify callback and reject if not
-         * overridden.
-         */
-        if (ok == X509_TRUST_REJECTED) {
-            ctx->error_depth = i;
-            ctx->current_cert = x;
-            ctx->error = X509_V_ERR_CERT_REJECTED;
-            ok = cb(0, ctx);
-            if (!ok)
-                return X509_TRUST_REJECTED;
-        }
+        if (trust == X509_TRUST_TRUSTED)
+            goto trusted;
+        if (trust == X509_TRUST_REJECTED)
+            goto rejected;
     }
+
     /*
-     * If we accept partial chains and have at least one trusted certificate
-     * return success.
+     * If we are looking at a trusted certificate, and accept partial chains,
+     * the chain is PKIX trusted.
      */
+    if (num_untrusted < num) {
+        if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
+            goto trusted;
+        return X509_TRUST_UNTRUSTED;
+    }
+
     if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
-        X509 *mx;
-        if (ctx->last_untrusted < sk_X509_num(ctx->chain))
-            return X509_TRUST_TRUSTED;
+        /*
+         * Last-resort call with no new trusted certificates, check the leaf
+         * for a direct trust store match.
+         */
         x = sk_X509_value(ctx->chain, 0);
         mx = lookup_cert_match(ctx, x);
-        if (mx) {
-            (void)sk_X509_set(ctx->chain, 0, mx);
-            X509_free(x);
-            ctx->last_untrusted = 0;
-            return X509_TRUST_TRUSTED;
+        if (!mx)
+            return X509_TRUST_UNTRUSTED;
+
+        /*
+         * Check explicit auxiliary trust/reject settings.  If none are set,
+         * we'll accept X509_TRUST_UNTRUSTED when not self-signed.
+         */
+        trust = X509_check_trust(mx, ctx->param->trust, 0);
+        if (trust == X509_TRUST_REJECTED) {
+            X509_free(mx);
+            goto rejected;
         }
+
+        /* Replace leaf with trusted match */
+        (void) sk_X509_set(ctx->chain, 0, mx);
+        X509_free(x);
+        ctx->num_untrusted = 0;
+        goto trusted;
     }
 
     /*
@@ -850,6 +625,18 @@ static int check_trust(X509_STORE_CTX *ctx)
      * standard (no issuer cert) etc errors to be indicated.
      */
     return X509_TRUST_UNTRUSTED;
+
+ rejected:
+    ctx->error_depth = i;
+    ctx->current_cert = x;
+    ctx->error = X509_V_ERR_CERT_REJECTED;
+    ok = cb(0, ctx);
+    if (!ok)
+        return X509_TRUST_REJECTED;
+    return X509_TRUST_UNTRUSTED;
+
+ trusted:
+    return X509_TRUST_TRUSTED;
 }
 
 static int check_revocation(X509_STORE_CTX *ctx)
@@ -1732,9 +1519,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
 
     cb = ctx->verify_cb;
 
-    n = sk_X509_num(ctx->chain);
-    ctx->error_depth = n - 1;
-    n--;
+    n = sk_X509_num(ctx->chain) - 1;
+    ctx->error_depth = n;
     xi = sk_X509_value(ctx->chain, n);
 
     if (ctx->check_issued(ctx, xi, xi))
@@ -1756,7 +1542,10 @@ static int internal_verify(X509_STORE_CTX *ctx)
         }
     }
 
-/*      ctx->error=0;  not needed */
+    /*
+     * Do not clear ctx->error=0, it must be "sticky", only the user's callback
+     * is allowed to reset errors (at its own peril).
+     */
     while (n >= 0) {
         ctx->error_depth = n;
 
@@ -2269,7 +2058,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
     ctx->cert = x509;
     ctx->untrusted = chain;
     ctx->crls = NULL;
-    ctx->last_untrusted = 0;
+    ctx->num_untrusted = 0;
     ctx->other_ctx = NULL;
     ctx->valid = 0;
     ctx->chain = NULL;
@@ -2380,7 +2169,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
     }
     return 1;
 
-err:
+ err:
     X509_STORE_CTX_cleanup(ctx);
     return 0;
 }
@@ -2447,7 +2236,7 @@ int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
 
 int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
 {
-    return ctx->last_untrusted;
+    return ctx->num_untrusted;
 }
 
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
@@ -2469,3 +2258,267 @@ void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
     X509_VERIFY_PARAM_free(ctx->param);
     ctx->param = param;
 }
+
+static int build_chain(X509_STORE_CTX *ctx)
+{
+    int (*cb) (int, X509_STORE_CTX *) = ctx->verify_cb;
+    int num = sk_X509_num(ctx->chain);
+    X509 *cert = sk_X509_value(ctx->chain, num - 1);
+    int ss = cert_self_signed(cert);
+    STACK_OF(X509) *sktmp = NULL;
+    unsigned int search;
+    int may_trusted = 1;
+    int may_alternate = 0;
+    int trust = X509_TRUST_UNTRUSTED;
+    int alt_untrusted = 0;
+    int depth;
+    int ok = 0;
+    int i;
+
+    /* Our chain starts with a single untrusted element. */
+    OPENSSL_assert(num == 1 && ctx->num_untrusted == num);
+
+#define S_DOUNTRUSTED      (1 << 0)     /* Search untrusted chain */
+#define S_DOTRUSTED        (1 << 1)     /* Search trusted store */
+#define S_DOALTERNATE      (1 << 2)     /* Retry with pruned alternate chain */
+    /*
+     * Set up search policy, untrusted if possible, trusted-first if enabled.
+     * If not trusted-first, and alternate chains are not disabled, try
+     * building an alternate chain if no luck with untrusted first.
+     */
+    search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0;
+    if (search == 0 || ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+        search |= S_DOTRUSTED;
+    else if (!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS))
+        may_alternate = 1;
+
+    /*
+     * Shallow-copy the stack of untrusted certificates (with TLS, this is
+     * typically the content of the peer's certificate message) so can make
+     * multiple passes over it, while free to remove elements as we go.
+     */
+    if (ctx->untrusted && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
+        X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
+
+    /*
+     * Still absurdly large, but arithmetically safe, a lower hard upper bound
+     * might be reasonable.
+     */
+    if (ctx->param->depth > INT_MAX/2)
+        ctx->param->depth = INT_MAX/2;
+
+    /*
+     * Try to Extend the chain until we reach an ultimately trusted issuer.
+     * Build chains up to one longer the limit, later fail if we hit the limit,
+     * with an X509_V_ERR_CERT_CHAIN_TOO_LONG error code.
+     */
+    depth = ctx->param->depth + 1;
+
+    while (search != 0) {
+        X509 *x;
+        X509 *xtmp = NULL;
+
+        /*
+         * Look in the trust store if enabled for first lookup, or we've run
+         * out of untrusted issuers and search here is not disabled.  When
+         * we exceed the depth limit, we simulate absence of a match.
+         */
+        if ((search & S_DOTRUSTED) != 0) {
+            STACK_OF(X509) *hide = ctx->chain;
+
+            i = num = sk_X509_num(ctx->chain);
+            if ((search & S_DOALTERNATE) != 0) {
+                /*
+                 * As high up the chain as we can, look for an alternative
+                 * trusted issuer of an untrusted certificate that currently
+                 * has an untrusted issuer.  We use the alt_untrusted variable
+                 * to track how far up the chain we find the first match.  It
+                 * is only if and when we find a match, that we prune the chain
+                 * and reset ctx->num_untrusted to the reduced count of
+                 * untrusted certificates.  While we're searching for such a
+                 * match (which may never be found), it is neither safe nor
+                 * wise to preemptively modify either the chain or
+                 * ctx->num_untrusted.
+                 *
+                 * Note, like ctx->num_untrusted, alt_untrusted is a count of
+                 * untrusted certificates, not a "depth".
+                 */
+                i = alt_untrusted;
+            }
+            x = sk_X509_value(ctx->chain, i-1);
+
+            /* Suppress duplicate suppression */
+            ctx->chain = NULL;
+            ok = (depth < num) ? 0 : ctx->get_issuer(&xtmp, ctx, x);
+            ctx->chain = hide;
+
+            if (ok < 0) {
+                trust = X509_TRUST_REJECTED;
+                search = 0;
+                continue;
+            }
+
+            if (ok > 0) {
+                /*
+                 * Alternative trusted issuer for a mid-chain untrusted cert?
+                 * Pop the untrusted cert's successors and retry.  We might now
+                 * be able to complete a valid chain via the trust store.  Note
+                 * that despite the current trust-store match we might still
+                 * fail complete the chain to a suitable trust-anchor, in which
+                 * case we may prune some more untrusted certificates and try
+                 * again.  Thus the S_DOALTERNATE bit may yet be turned on
+                 * again with an even shorter untrusted chain!
+                 */
+                if ((search & S_DOALTERNATE) != 0) {
+                    OPENSSL_assert(num > i && i > 0 && ss == 0);
+                    search &= ~S_DOALTERNATE;
+                    for (; num > i; --num)
+                        X509_free(sk_X509_pop(ctx->chain));
+                    ctx->num_untrusted = num;
+                }
+
+                /*
+                 * Self-signed untrusted certificates get replaced by their
+                 * trusted matching issuer.  Otherwise, grow the chain.
+                 */
+                if (ss == 0) {
+                    if (!sk_X509_push(ctx->chain, x = xtmp)) {
+                        X509_free(xtmp);
+                        X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
+                        trust = X509_TRUST_REJECTED;
+                        search = 0;
+                        continue;
+                    }
+                    ss = cert_self_signed(x);
+                } else if (num == ctx->num_untrusted) {
+                    /*
+                     * We have a self-signed certificate that has the same
+                     * subject name (and perhaps keyid and/or serial number) as
+                     * a trust-anchor.  We must have an exact match to avoid
+                     * possible impersonation via key substitution etc.
+                     */
+                    if (X509_cmp(x, xtmp) != 0) {
+                        /* Self-signed untrusted mimic. */
+                        X509_free(xtmp);
+                        ok = 0;
+                    } else {
+                        X509_free(x);
+                        ctx->num_untrusted = --num;
+                        (void) sk_X509_set(ctx->chain, num, x = xtmp);
+                    }
+                }
+
+                /*
+                 * We've added a new trusted certificate to the chain, recheck
+                 * trust.  If not done, and not self-signed look deeper.
+                 * Whether or not we're doing "trusted first", we no longer
+                 * look for untrusted certificates from the peer's chain.
+                 */
+                if (ok) {
+                    OPENSSL_assert(ctx->num_untrusted <= num);
+                    search &= ~S_DOUNTRUSTED;
+                    switch (trust = check_trust(ctx, num)) {
+                    case X509_TRUST_TRUSTED:
+                    case X509_TRUST_REJECTED:
+                        search = 0;
+                        continue;
+                    }
+                    if (ss == 0)
+                        continue;
+                }
+            }
+
+            /*
+             * No dispositive decision, and either self-signed or no match, if
+             * we were doing untrusted-first, and alt-chains are not disabled,
+             * do that, by repeatedly losing one untrusted element at a time,
+             * and trying to extend the shorted chain.
+             */
+            if ((search & S_DOUNTRUSTED) == 0) {
+                /* Continue search for a trusted issuer of a shorter chain? */
+                if ((search & S_DOALTERNATE) != 0 && --alt_untrusted > 0)
+                    continue;
+                /* Still no luck and no fallbacks left? */
+                if (!may_alternate || (search & S_DOALTERNATE) != 0 ||
+                    ctx->num_untrusted < 2)
+                    break;
+                /* Search for a trusted issuer of a shorter chain */
+                search |= S_DOALTERNATE;
+                alt_untrusted = ctx->num_untrusted - 1;
+                ss = 0;
+            }
+        }
+
+        /*
+         * Extend chain with peer-provided certificates
+         */
+        if ((search & S_DOUNTRUSTED) != 0) {
+            num = sk_X509_num(ctx->chain);
+            OPENSSL_assert(num == ctx->num_untrusted);
+            x = sk_X509_value(ctx->chain, num-1);
+            xtmp = (depth < num) ? NULL : find_issuer(ctx, sktmp, x);
+
+            /*
+             * Once we run out of untrusted issuers, we stop looking for more
+             * and start looking only in the trust store if enabled.
+             */
+            if (xtmp == NULL) {
+                search &= ~S_DOUNTRUSTED;
+                if (may_trusted)
+                    search |= S_DOTRUSTED;
+                continue;
+            }
+
+            if (!sk_X509_push(ctx->chain, x = xtmp)) {
+                X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
+                trust = X509_TRUST_REJECTED;
+                search = 0;
+                continue;
+            }
+            X509_up_ref(x);
+            ++ctx->num_untrusted;
+            ss = cert_self_signed(xtmp);
+
+            /*
+             * Not strictly necessary, but saves cycles looking at the same
+             * certificates over and over.
+             */
+            (void) sk_X509_delete_ptr(sktmp, x);
+        }
+    }
+    sk_X509_free(sktmp);
+
+    /*
+     * Last chance to make a trusted chain, check for direct leaf PKIX trust.
+     */
+    if (sk_X509_num(ctx->chain) <= depth) {
+        if (trust == X509_TRUST_UNTRUSTED &&
+            sk_X509_num(ctx->chain) == ctx->num_untrusted)
+            trust = check_trust(ctx, 1);
+    }
+
+    switch (trust) {
+    case X509_TRUST_TRUSTED:
+        return 1;
+    case X509_TRUST_REJECTED:
+        return 0;
+    case X509_TRUST_UNTRUSTED:
+    default:
+        num = sk_X509_num(ctx->chain);
+        ctx->current_cert = sk_X509_value(ctx->chain, num - 1);
+        ctx->error_depth = num-1;
+        if (num > depth)
+            ctx->error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+        else if (ss && sk_X509_num(ctx->chain) == 1)
+            ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+        else if (ss)
+            ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
+        else if (ctx->num_untrusted == num)
+            ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+        else
+            ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
+        return cb(0, ctx);
+    }
+}
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 167aae8..4133fc1 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -1070,6 +1070,7 @@ void ERR_load_X509_strings(void);
 
 /* Function codes. */
 # define X509_F_ADD_CERT_DIR                              100
+# define X509_F_BUILD_CHAIN                               106
 # define X509_F_BY_FILE_CTRL                              101
 # define X509_F_CHECK_POLICY                              145
 # define X509_F_DIR_CTRL                                  102
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index f949bd9..b78b59c 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -240,8 +240,8 @@ struct x509_store_ctx_st {      /* X509_STORE_CTX */
     /* The following is built up */
     /* if 0, rebuild chain */
     int valid;
-    /* index of last untrusted cert */
-    int last_untrusted;
+    /* number of untrusted certs */
+    int num_untrusted;
     /* chain of X509s - built up and trusted */
     STACK_OF(X509) *chain;
     /* Valid policy tree */


More information about the openssl-commits mailing list