Symaptic: os/ossrv/ssl/libcrypto/src/crypto/x509/x509

sl@0	1	/* crypto/x509/x509_vfy.c */
sl@0	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
sl@0	3	* All rights reserved.
sl@0	4	*
sl@0	5	* This package is an SSL implementation written
sl@0	6	* by Eric Young (eay@cryptsoft.com).
sl@0	7	* The implementation was written so as to conform with Netscapes SSL.
sl@0	8	*
sl@0	9	* This library is free for commercial and non-commercial use as long as
sl@0	10	* the following conditions are aheared to. The following conditions
sl@0	11	* apply to all code found in this distribution, be it the RC4, RSA,
sl@0	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
sl@0	13	* included with this distribution is covered by the same copyright terms
sl@0	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
sl@0	15	*
sl@0	16	* Copyright remains Eric Young's, and as such any Copyright notices in
sl@0	17	* the code are not to be removed.
sl@0	18	* If this package is used in a product, Eric Young should be given attribution
sl@0	19	* as the author of the parts of the library used.
sl@0	20	* This can be in the form of a textual message at program startup or
sl@0	21	* in documentation (online or textual) provided with the package.
sl@0	22	*
sl@0	23	* Redistribution and use in source and binary forms, with or without
sl@0	24	* modification, are permitted provided that the following conditions
sl@0	25	* are met:
sl@0	26	* 1. Redistributions of source code must retain the copyright
sl@0	27	* notice, this list of conditions and the following disclaimer.
sl@0	28	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	29	* notice, this list of conditions and the following disclaimer in the
sl@0	30	* documentation and/or other materials provided with the distribution.
sl@0	31	* 3. All advertising materials mentioning features or use of this software
sl@0	32	* must display the following acknowledgement:
sl@0	33	* "This product includes cryptographic software written by
sl@0	34	* Eric Young (eay@cryptsoft.com)"
sl@0	35	* The word 'cryptographic' can be left out if the rouines from the library
sl@0	36	* being used are not cryptographic related :-).
sl@0	37	* 4. If you include any Windows specific code (or a derivative thereof) from
sl@0	38	* the apps directory (application code) you must include an acknowledgement:
sl@0	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
sl@0	40	*
sl@0	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
sl@0	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
sl@0	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
sl@0	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
sl@0	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
sl@0	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
sl@0	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
sl@0	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
sl@0	51	* SUCH DAMAGE.
sl@0	52	*
sl@0	53	* The licence and distribution terms for any publically available version or
sl@0	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
sl@0	55	* copied and put under another distribution licence
sl@0	56	* [including the GNU Public Licence.]
sl@0	57	*/
sl@0	58
sl@0	59	#include <stdio.h>
sl@0	60	#include <time.h>
sl@0	61	#include <errno.h>
sl@0	62
sl@0	63	#include "cryptlib.h"
sl@0	64	#include <openssl/crypto.h>
sl@0	65	#include <openssl/lhash.h>
sl@0	66	#include <openssl/buffer.h>
sl@0	67	#include <openssl/evp.h>
sl@0	68	#include <openssl/asn1.h>
sl@0	69	#include <openssl/x509.h>
sl@0	70	#include <openssl/x509v3.h>
sl@0	71	#include <openssl/objects.h>
sl@0	72
sl@0	73	static int null_callback(int ok,X509_STORE_CTX *e);
sl@0	74	static int check_issued(X509_STORE_CTX ctx, X509 x, X509 *issuer);
sl@0	75	static X509 find_issuer(X509_STORE_CTX ctx, STACK_OF(X509) sk, X509 x);
sl@0	76	static int check_chain_extensions(X509_STORE_CTX *ctx);
sl@0	77	static int check_trust(X509_STORE_CTX *ctx);
sl@0	78	static int check_revocation(X509_STORE_CTX *ctx);
sl@0	79	static int check_cert(X509_STORE_CTX *ctx);
sl@0	80	static int check_policy(X509_STORE_CTX *ctx);
sl@0	81	static int internal_verify(X509_STORE_CTX *ctx);
sl@0	82	const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
sl@0	83
sl@0	84
sl@0	85	static int null_callback(int ok, X509_STORE_CTX *e)
sl@0	86	{
sl@0	87	return ok;
sl@0	88	}
sl@0	89
sl@0	90	#if 0
sl@0	91	static int x509_subject_cmp(X509 a, X509 b)
sl@0	92	{
sl@0	93	return X509_subject_name_cmp(a,b);
sl@0	94	}
sl@0	95	#endif
sl@0	96
sl@0	97	EXPORT_C int X509_verify_cert(X509_STORE_CTX *ctx)
sl@0	98	{
sl@0	99	X509 x,xtmp,*chain_ss=NULL;
sl@0	100	X509_NAME *xn;
sl@0	101	int bad_chain = 0;
sl@0	102	X509_VERIFY_PARAM *param = ctx->param;
sl@0	103	int depth,i,ok=0;
sl@0	104	int num;
sl@0	105	int (cb)(int xok,X509_STORE_CTX xctx);
sl@0	106	STACK_OF(X509) *sktmp=NULL;
sl@0	107	if (ctx->cert == NULL)
sl@0	108	{
sl@0	109	X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
sl@0	110	return -1;
sl@0	111	}
sl@0	112
sl@0	113	cb=ctx->verify_cb;
sl@0	114
sl@0	115	/* first we make sure the chain we are going to build is
sl@0	116	* present and that the first entry is in place */
sl@0	117	if (ctx->chain == NULL)
sl@0	118	{
sl@0	119	if ( ((ctx->chain=sk_X509_new_null()) == NULL) \|\|
sl@0	120	(!sk_X509_push(ctx->chain,ctx->cert)))
sl@0	121	{
sl@0	122	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
sl@0	123	goto end;
sl@0	124	}
sl@0	125	CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
sl@0	126	ctx->last_untrusted=1;
sl@0	127	}
sl@0	128
sl@0	129	/* We use a temporary STACK so we can chop and hack at it */
sl@0	130	if (ctx->untrusted != NULL
sl@0	131	&& (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
sl@0	132	{
sl@0	133	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
sl@0	134	goto end;
sl@0	135	}
sl@0	136
sl@0	137	num=sk_X509_num(ctx->chain);
sl@0	138	x=sk_X509_value(ctx->chain,num-1);
sl@0	139	depth=param->depth;
sl@0	140
sl@0	141
sl@0	142	for (;;)
sl@0	143	{
sl@0	144	/* If we have enough, we break */
sl@0	145	if (depth < num) break; /* FIXME: If this happens, we should take
sl@0	146	* note of it and, if appropriate, use the
sl@0	147	* X509_V_ERR_CERT_CHAIN_TOO_LONG error
sl@0	148	* code later.
sl@0	149	*/
sl@0	150
sl@0	151	/* If we are self signed, we break */
sl@0	152	xn=X509_get_issuer_name(x);
sl@0	153	if (ctx->check_issued(ctx, x,x)) break;
sl@0	154
sl@0	155	/* If we were passed a cert chain, use it first */
sl@0	156	if (ctx->untrusted != NULL)
sl@0	157	{
sl@0	158	xtmp=find_issuer(ctx, sktmp,x);
sl@0	159	if (xtmp != NULL)
sl@0	160	{
sl@0	161	if (!sk_X509_push(ctx->chain,xtmp))
sl@0	162	{
sl@0	163	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
sl@0	164	goto end;
sl@0	165	}
sl@0	166	CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
sl@0	167	(void)sk_X509_delete_ptr(sktmp,xtmp);
sl@0	168	ctx->last_untrusted++;
sl@0	169	x=xtmp;
sl@0	170	num++;
sl@0	171	/* reparse the full chain for
sl@0	172	* the next one */
sl@0	173	continue;
sl@0	174	}
sl@0	175	}
sl@0	176	break;
sl@0	177	}
sl@0	178
sl@0	179	/* at this point, chain should contain a list of untrusted
sl@0	180	* certificates. We now need to add at least one trusted one,
sl@0	181	* if possible, otherwise we complain. */
sl@0	182
sl@0	183	/* Examine last certificate in chain and see if it
sl@0	184	* is self signed.
sl@0	185	*/
sl@0	186
sl@0	187	i=sk_X509_num(ctx->chain);
sl@0	188	x=sk_X509_value(ctx->chain,i-1);
sl@0	189	xn = X509_get_subject_name(x);
sl@0	190	if (ctx->check_issued(ctx, x, x))
sl@0	191	{
sl@0	192	/* we have a self signed certificate */
sl@0	193	if (sk_X509_num(ctx->chain) == 1)
sl@0	194	{
sl@0	195	/* We have a single self signed certificate: see if
sl@0	196	* we can find it in the store. We must have an exact
sl@0	197	* match to avoid possible impersonation.
sl@0	198	*/
sl@0	199	ok = ctx->get_issuer(&xtmp, ctx, x);
sl@0	200	if ((ok <= 0) \|\| X509_cmp(x, xtmp))
sl@0	201	{
sl@0	202	ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
sl@0	203	ctx->current_cert=x;
sl@0	204	ctx->error_depth=i-1;
sl@0	205	if (ok == 1) X509_free(xtmp);
sl@0	206	bad_chain = 1;
sl@0	207	ok=cb(0,ctx);
sl@0	208	if (!ok) goto end;
sl@0	209	}
sl@0	210	else
sl@0	211	{
sl@0	212	/* We have a match: replace certificate with store version
sl@0	213	* so we get any trust settings.
sl@0	214	*/
sl@0	215	X509_free(x);
sl@0	216	x = xtmp;
sl@0	217	(void)sk_X509_set(ctx->chain, i - 1, x);
sl@0	218	ctx->last_untrusted=0;
sl@0	219	}
sl@0	220	}
sl@0	221	else
sl@0	222	{
sl@0	223	/* extract and save self signed certificate for later use */
sl@0	224	chain_ss=sk_X509_pop(ctx->chain);
sl@0	225	ctx->last_untrusted--;
sl@0	226	num--;
sl@0	227	x=sk_X509_value(ctx->chain,num-1);
sl@0	228	}
sl@0	229	}
sl@0	230
sl@0	231	/* We now lookup certs from the certificate store */
sl@0	232	for (;;)
sl@0	233	{
sl@0	234	/* If we have enough, we break */
sl@0	235	if (depth < num) break;
sl@0	236
sl@0	237	/* If we are self signed, we break */
sl@0	238	xn=X509_get_issuer_name(x);
sl@0	239	if (ctx->check_issued(ctx,x,x)) break;
sl@0	240
sl@0	241	ok = ctx->get_issuer(&xtmp, ctx, x);
sl@0	242
sl@0	243	if (ok < 0) return ok;
sl@0	244	if (ok == 0) break;
sl@0	245
sl@0	246	x = xtmp;
sl@0	247	if (!sk_X509_push(ctx->chain,x))
sl@0	248	{
sl@0	249	X509_free(xtmp);
sl@0	250	X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
sl@0	251	return 0;
sl@0	252	}
sl@0	253	num++;
sl@0	254	}
sl@0	255
sl@0	256	/* we now have our chain, lets check it... */
sl@0	257	xn=X509_get_issuer_name(x);
sl@0	258
sl@0	259	/* Is last certificate looked up self signed? */
sl@0	260	if (!ctx->check_issued(ctx,x,x))
sl@0	261	{
sl@0	262	if ((chain_ss == NULL) \|\| !ctx->check_issued(ctx, x, chain_ss))
sl@0	263	{
sl@0	264	if (ctx->last_untrusted >= num)
sl@0	265	ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
sl@0	266	else
sl@0	267	ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
sl@0	268	ctx->current_cert=x;
sl@0	269	}
sl@0	270	else
sl@0	271	{
sl@0	272
sl@0	273	sk_X509_push(ctx->chain,chain_ss);
sl@0	274	num++;
sl@0	275	ctx->last_untrusted=num;
sl@0	276	ctx->current_cert=chain_ss;
sl@0	277	ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
sl@0	278	chain_ss=NULL;
sl@0	279	}
sl@0	280
sl@0	281	ctx->error_depth=num-1;
sl@0	282	bad_chain = 1;
sl@0	283	ok=cb(0,ctx);
sl@0	284	if (!ok) goto end;
sl@0	285	}
sl@0	286
sl@0	287	/* We have the chain complete: now we need to check its purpose */
sl@0	288	ok = check_chain_extensions(ctx);
sl@0	289
sl@0	290	if (!ok) goto end;
sl@0	291
sl@0	292	/* The chain extensions are OK: check trust */
sl@0	293
sl@0	294	if (param->trust > 0) ok = check_trust(ctx);
sl@0	295
sl@0	296	if (!ok) goto end;
sl@0	297
sl@0	298	/* We may as well copy down any DSA parameters that are required */
sl@0	299	X509_get_pubkey_parameters(NULL,ctx->chain);
sl@0	300
sl@0	301	/* Check revocation status: we do this after copying parameters
sl@0	302	* because they may be needed for CRL signature verification.
sl@0	303	*/
sl@0	304
sl@0	305	ok = ctx->check_revocation(ctx);
sl@0	306	if(!ok) goto end;
sl@0	307
sl@0	308	/* At this point, we have a chain and need to verify it */
sl@0	309	if (ctx->verify != NULL)
sl@0	310	ok=ctx->verify(ctx);
sl@0	311	else
sl@0	312	ok=internal_verify(ctx);
sl@0	313	if(!ok) goto end;
sl@0	314
sl@0	315
sl@0	316	/* If we get this far evaluate policies */
sl@0	317	if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
sl@0	318	ok = ctx->check_policy(ctx);
sl@0	319	if(!ok) goto end;
sl@0	320	if (0)
sl@0	321	{
sl@0	322	end:
sl@0	323	X509_get_pubkey_parameters(NULL,ctx->chain);
sl@0	324	}
sl@0	325	if (sktmp != NULL) sk_X509_free(sktmp);
sl@0	326	if (chain_ss != NULL) X509_free(chain_ss);
sl@0	327	return ok;
sl@0	328	}
sl@0	329
sl@0	330
sl@0	331	/* Given a STACK_OF(X509) find the issuer of cert (if any)
sl@0	332	*/
sl@0	333
sl@0	334	static X509 find_issuer(X509_STORE_CTX ctx, STACK_OF(X509) sk, X509 x)
sl@0	335	{
sl@0	336	int i;
sl@0	337	X509 *issuer;
sl@0	338	for (i = 0; i < sk_X509_num(sk); i++)
sl@0	339	{
sl@0	340	issuer = sk_X509_value(sk, i);
sl@0	341	if (ctx->check_issued(ctx, x, issuer))
sl@0	342	return issuer;
sl@0	343	}
sl@0	344	return NULL;
sl@0	345	}
sl@0	346
sl@0	347	/* Given a possible certificate and issuer check them */
sl@0	348
sl@0	349	static int check_issued(X509_STORE_CTX ctx, X509 x, X509 *issuer)
sl@0	350	{
sl@0	351	int ret;
sl@0	352	ret = X509_check_issued(issuer, x);
sl@0	353	if (ret == X509_V_OK)
sl@0	354	return 1;
sl@0	355	/* If we haven't asked for issuer errors don't set ctx */
sl@0	356	if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
sl@0	357	return 0;
sl@0	358
sl@0	359	ctx->error = ret;
sl@0	360	ctx->current_cert = x;
sl@0	361	ctx->current_issuer = issuer;
sl@0	362	return ctx->verify_cb(0, ctx);
sl@0	363	return 0;
sl@0	364	}
sl@0	365
sl@0	366	/* Alternative lookup method: look from a STACK stored in other_ctx */
sl@0	367
sl@0	368	static int get_issuer_sk(X509 *issuer, X509_STORE_CTX ctx, X509 *x)
sl@0	369	{
sl@0	370	*issuer = find_issuer(ctx, ctx->other_ctx, x);
sl@0	371	if (*issuer)
sl@0	372	{
sl@0	373	CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
sl@0	374	return 1;
sl@0	375	}
sl@0	376	else
sl@0	377	return 0;
sl@0	378	}
sl@0	379
sl@0	380
sl@0	381	/* Check a certificate chains extensions for consistency
sl@0	382	* with the supplied purpose
sl@0	383	*/
sl@0	384
sl@0	385	static int check_chain_extensions(X509_STORE_CTX *ctx)
sl@0	386	{
sl@0	387	#ifdef OPENSSL_NO_CHAIN_VERIFY
sl@0	388	return 1;
sl@0	389	#else
sl@0	390	int i, ok=0, must_be_ca;
sl@0	391	X509 *x;
sl@0	392	int (cb)(int xok,X509_STORE_CTX xctx);
sl@0	393	int proxy_path_length = 0;
sl@0	394	int allow_proxy_certs =
sl@0	395	!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
sl@0	396	cb=ctx->verify_cb;
sl@0	397
sl@0	398	/* must_be_ca can have 1 of 3 values:
sl@0	399	-1: we accept both CA and non-CA certificates, to allow direct
sl@0	400	use of self-signed certificates (which are marked as CA).
sl@0	401	0: we only accept non-CA certificates. This is currently not
sl@0	402	used, but the possibility is present for future extensions.
sl@0	403	1: we only accept CA certificates. This is currently used for
sl@0	404	all certificates in the chain except the leaf certificate.
sl@0	405	*/
sl@0	406	must_be_ca = -1;
sl@0	407
sl@0	408	/* A hack to keep people who don't want to modify their software
sl@0	409	happy */
sl@0	410	if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
sl@0	411	allow_proxy_certs = 1;
sl@0	412
sl@0	413	/* Check all untrusted certificates */
sl@0	414	for (i = 0; i < ctx->last_untrusted; i++)
sl@0	415	{
sl@0	416	int ret;
sl@0	417	x = sk_X509_value(ctx->chain, i);
sl@0	418	if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
sl@0	419	&& (x->ex_flags & EXFLAG_CRITICAL))
sl@0	420	{
sl@0	421	ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
sl@0	422	ctx->error_depth = i;
sl@0	423	ctx->current_cert = x;
sl@0	424	ok=cb(0,ctx);
sl@0	425	if (!ok) goto end;
sl@0	426	}
sl@0	427	if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
sl@0	428	{
sl@0	429	ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
sl@0	430	ctx->error_depth = i;
sl@0	431	ctx->current_cert = x;
sl@0	432	ok=cb(0,ctx);
sl@0	433	if (!ok) goto end;
sl@0	434	}
sl@0	435	ret = X509_check_ca(x);
sl@0	436	switch(must_be_ca)
sl@0	437	{
sl@0	438	case -1:
sl@0	439	if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
sl@0	440	&& (ret != 1) && (ret != 0))
sl@0	441	{
sl@0	442	ret = 0;
sl@0	443	ctx->error = X509_V_ERR_INVALID_CA;
sl@0	444	}
sl@0	445	else
sl@0	446	ret = 1;
sl@0	447	break;
sl@0	448	case 0:
sl@0	449	if (ret != 0)
sl@0	450	{
sl@0	451	ret = 0;
sl@0	452	ctx->error = X509_V_ERR_INVALID_NON_CA;
sl@0	453	}
sl@0	454	else
sl@0	455	ret = 1;
sl@0	456	break;
sl@0	457	default:
sl@0	458	if ((ret == 0)
sl@0	459	\|\| ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
sl@0	460	&& (ret != 1)))
sl@0	461	{
sl@0	462	ret = 0;
sl@0	463	ctx->error = X509_V_ERR_INVALID_CA;
sl@0	464	}
sl@0	465	else
sl@0	466	ret = 1;
sl@0	467	break;
sl@0	468	}
sl@0	469	if (ret == 0)
sl@0	470	{
sl@0	471	ctx->error_depth = i;
sl@0	472	ctx->current_cert = x;
sl@0	473	ok=cb(0,ctx);
sl@0	474	if (!ok) goto end;
sl@0	475	}
sl@0	476	if (ctx->param->purpose > 0)
sl@0	477	{
sl@0	478	ret = X509_check_purpose(x, ctx->param->purpose,
sl@0	479	must_be_ca > 0);
sl@0	480	if ((ret == 0)
sl@0	481	\|\| ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
sl@0	482	&& (ret != 1)))
sl@0	483	{
sl@0	484	ctx->error = X509_V_ERR_INVALID_PURPOSE;
sl@0	485	ctx->error_depth = i;
sl@0	486	ctx->current_cert = x;
sl@0	487	ok=cb(0,ctx);
sl@0	488	if (!ok) goto end;
sl@0	489	}
sl@0	490	}
sl@0	491	/* Check pathlen */
sl@0	492	if ((i > 1) && (x->ex_pathlen != -1)
sl@0	493	&& (i > (x->ex_pathlen + proxy_path_length + 1)))
sl@0	494	{
sl@0	495	ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
sl@0	496	ctx->error_depth = i;
sl@0	497	ctx->current_cert = x;
sl@0	498	ok=cb(0,ctx);
sl@0	499	if (!ok) goto end;
sl@0	500	}
sl@0	501	/* If this certificate is a proxy certificate, the next
sl@0	502	certificate must be another proxy certificate or a EE
sl@0	503	certificate. If not, the next certificate must be a
sl@0	504	CA certificate. */
sl@0	505	if (x->ex_flags & EXFLAG_PROXY)
sl@0	506	{
sl@0	507	if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
sl@0	508	{
sl@0	509	ctx->error =
sl@0	510	X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
sl@0	511	ctx->error_depth = i;
sl@0	512	ctx->current_cert = x;
sl@0	513	ok=cb(0,ctx);
sl@0	514	if (!ok) goto end;
sl@0	515	}
sl@0	516	proxy_path_length++;
sl@0	517	must_be_ca = 0;
sl@0	518	}
sl@0	519	else
sl@0	520	must_be_ca = 1;
sl@0	521	}
sl@0	522	ok = 1;
sl@0	523	end:
sl@0	524	return ok;
sl@0	525	#endif
sl@0	526	}
sl@0	527
sl@0	528	static int check_trust(X509_STORE_CTX *ctx)
sl@0	529	{
sl@0	530	#ifdef OPENSSL_NO_CHAIN_VERIFY
sl@0	531	return 1;
sl@0	532	#else
sl@0	533	int i, ok;
sl@0	534	X509 *x;
sl@0	535	int (cb)(int xok,X509_STORE_CTX xctx);
sl@0	536	cb=ctx->verify_cb;
sl@0	537	/* For now just check the last certificate in the chain */
sl@0	538	i = sk_X509_num(ctx->chain) - 1;
sl@0	539	x = sk_X509_value(ctx->chain, i);
sl@0	540	ok = X509_check_trust(x, ctx->param->trust, 0);
sl@0	541	if (ok == X509_TRUST_TRUSTED)
sl@0	542	return 1;
sl@0	543	ctx->error_depth = i;
sl@0	544	ctx->current_cert = x;
sl@0	545	if (ok == X509_TRUST_REJECTED)
sl@0	546	ctx->error = X509_V_ERR_CERT_REJECTED;
sl@0	547	else
sl@0	548	ctx->error = X509_V_ERR_CERT_UNTRUSTED;
sl@0	549	ok = cb(0, ctx);
sl@0	550	return ok;
sl@0	551	#endif
sl@0	552	}
sl@0	553
sl@0	554	static int check_revocation(X509_STORE_CTX *ctx)
sl@0	555	{
sl@0	556	int i, last, ok;
sl@0	557	if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
sl@0	558	return 1;
sl@0	559	if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
sl@0	560	last = sk_X509_num(ctx->chain) - 1;
sl@0	561	else
sl@0	562	last = 0;
sl@0	563	for(i = 0; i <= last; i++)
sl@0	564	{
sl@0	565	ctx->error_depth = i;
sl@0	566	ok = check_cert(ctx);
sl@0	567	if (!ok) return ok;
sl@0	568	}
sl@0	569	return 1;
sl@0	570	}
sl@0	571
sl@0	572	static int check_cert(X509_STORE_CTX *ctx)
sl@0	573	{
sl@0	574	X509_CRL *crl = NULL;
sl@0	575	X509 *x;
sl@0	576	int ok, cnum;
sl@0	577	cnum = ctx->error_depth;
sl@0	578	x = sk_X509_value(ctx->chain, cnum);
sl@0	579	ctx->current_cert = x;
sl@0	580	/* Try to retrieve relevant CRL */
sl@0	581	ok = ctx->get_crl(ctx, &crl, x);
sl@0	582	/* If error looking up CRL, nothing we can do except
sl@0	583	* notify callback
sl@0	584	*/
sl@0	585	if(!ok)
sl@0	586	{
sl@0	587	ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
sl@0	588	ok = ctx->verify_cb(0, ctx);
sl@0	589	goto err;
sl@0	590	}
sl@0	591	ctx->current_crl = crl;
sl@0	592	ok = ctx->check_crl(ctx, crl);
sl@0	593	if (!ok) goto err;
sl@0	594	ok = ctx->cert_crl(ctx, crl, x);
sl@0	595	err:
sl@0	596	ctx->current_crl = NULL;
sl@0	597	X509_CRL_free(crl);
sl@0	598	return ok;
sl@0	599
sl@0	600	}
sl@0	601
sl@0	602	/* Check CRL times against values in X509_STORE_CTX */
sl@0	603
sl@0	604	static int check_crl_time(X509_STORE_CTX ctx, X509_CRL crl, int notify)
sl@0	605	{
sl@0	606	time_t *ptime;
sl@0	607	int i;
sl@0	608	ctx->current_crl = crl;
sl@0	609	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
sl@0	610	ptime = &ctx->param->check_time;
sl@0	611	else
sl@0	612	ptime = NULL;
sl@0	613
sl@0	614	i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
sl@0	615	if (i == 0)
sl@0	616	{
sl@0	617	ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
sl@0	618	if (!notify \|\| !ctx->verify_cb(0, ctx))
sl@0	619	return 0;
sl@0	620	}
sl@0	621
sl@0	622	if (i > 0)
sl@0	623	{
sl@0	624	ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
sl@0	625	if (!notify \|\| !ctx->verify_cb(0, ctx))
sl@0	626	return 0;
sl@0	627	}
sl@0	628
sl@0	629	if(X509_CRL_get_nextUpdate(crl))
sl@0	630	{
sl@0	631	i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
sl@0	632
sl@0	633	if (i == 0)
sl@0	634	{
sl@0	635	ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
sl@0	636	if (!notify \|\| !ctx->verify_cb(0, ctx))
sl@0	637	return 0;
sl@0	638	}
sl@0	639
sl@0	640	if (i < 0)
sl@0	641	{
sl@0	642	ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
sl@0	643	if (!notify \|\| !ctx->verify_cb(0, ctx))
sl@0	644	return 0;
sl@0	645	}
sl@0	646	}
sl@0	647
sl@0	648	ctx->current_crl = NULL;
sl@0	649
sl@0	650	return 1;
sl@0	651	}
sl@0	652
sl@0	653	/* Lookup CRLs from the supplied list. Look for matching isser name
sl@0	654	* and validity. If we can't find a valid CRL return the last one
sl@0	655	* with matching name. This gives more meaningful error codes. Otherwise
sl@0	656	* we'd get a CRL not found error if a CRL existed with matching name but
sl@0	657	* was invalid.
sl@0	658	*/
sl@0	659
sl@0	660	static int get_crl_sk(X509_STORE_CTX ctx, X509_CRL *pcrl,
sl@0	661	X509_NAME nm, STACK_OF(X509_CRL) crls)
sl@0	662	{
sl@0	663	int i;
sl@0	664	X509_CRL crl, best_crl = NULL;
sl@0	665	for (i = 0; i < sk_X509_CRL_num(crls); i++)
sl@0	666	{
sl@0	667	crl = sk_X509_CRL_value(crls, i);
sl@0	668	if (X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)))
sl@0	669	continue;
sl@0	670	if (check_crl_time(ctx, crl, 0))
sl@0	671	{
sl@0	672	*pcrl = crl;
sl@0	673	CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509);
sl@0	674	return 1;
sl@0	675	}
sl@0	676	best_crl = crl;
sl@0	677	}
sl@0	678	if (best_crl)
sl@0	679	{
sl@0	680	*pcrl = best_crl;
sl@0	681	CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509);
sl@0	682	}
sl@0	683
sl@0	684	return 0;
sl@0	685	}
sl@0	686
sl@0	687	/* Retrieve CRL corresponding to certificate: currently just a
sl@0	688	* subject lookup: maybe use AKID later...
sl@0	689	*/
sl@0	690	static int get_crl(X509_STORE_CTX ctx, X509_CRL pcrl, X509 x)
sl@0	691	{
sl@0	692	int ok;
sl@0	693	X509_CRL *crl = NULL;
sl@0	694	X509_OBJECT xobj;
sl@0	695	X509_NAME *nm;
sl@0	696	nm = X509_get_issuer_name(x);
sl@0	697	ok = get_crl_sk(ctx, &crl, nm, ctx->crls);
sl@0	698	if (ok)
sl@0	699	{
sl@0	700	*pcrl = crl;
sl@0	701	return 1;
sl@0	702	}
sl@0	703
sl@0	704	ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj);
sl@0	705
sl@0	706	if (!ok)
sl@0	707	{
sl@0	708	/* If we got a near match from get_crl_sk use that */
sl@0	709	if (crl)
sl@0	710	{
sl@0	711	*pcrl = crl;
sl@0	712	return 1;
sl@0	713	}
sl@0	714	return 0;
sl@0	715	}
sl@0	716
sl@0	717	*pcrl = xobj.data.crl;
sl@0	718	if (crl)
sl@0	719	X509_CRL_free(crl);
sl@0	720	return 1;
sl@0	721	}
sl@0	722
sl@0	723	/* Check CRL validity */
sl@0	724	static int check_crl(X509_STORE_CTX ctx, X509_CRL crl)
sl@0	725	{
sl@0	726	X509 *issuer = NULL;
sl@0	727	EVP_PKEY *ikey = NULL;
sl@0	728	int ok = 0, chnum, cnum;
sl@0	729	cnum = ctx->error_depth;
sl@0	730	chnum = sk_X509_num(ctx->chain) - 1;
sl@0	731	/* Find CRL issuer: if not last certificate then issuer
sl@0	732	* is next certificate in chain.
sl@0	733	*/
sl@0	734	if(cnum < chnum)
sl@0	735	issuer = sk_X509_value(ctx->chain, cnum + 1);
sl@0	736	else
sl@0	737	{
sl@0	738	issuer = sk_X509_value(ctx->chain, chnum);
sl@0	739	/* If not self signed, can't check signature */
sl@0	740	if(!ctx->check_issued(ctx, issuer, issuer))
sl@0	741	{
sl@0	742	ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
sl@0	743	ok = ctx->verify_cb(0, ctx);
sl@0	744	if(!ok) goto err;
sl@0	745	}
sl@0	746	}
sl@0	747
sl@0	748	if(issuer)
sl@0	749	{
sl@0	750	/* Check for cRLSign bit if keyUsage present */
sl@0	751	if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
sl@0	752	!(issuer->ex_kusage & KU_CRL_SIGN))
sl@0	753	{
sl@0	754	ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
sl@0	755	ok = ctx->verify_cb(0, ctx);
sl@0	756	if(!ok) goto err;
sl@0	757	}
sl@0	758
sl@0	759	/* Attempt to get issuer certificate public key */
sl@0	760	ikey = X509_get_pubkey(issuer);
sl@0	761
sl@0	762	if(!ikey)
sl@0	763	{
sl@0	764	ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
sl@0	765	ok = ctx->verify_cb(0, ctx);
sl@0	766	if (!ok) goto err;
sl@0	767	}
sl@0	768	else
sl@0	769	{
sl@0	770	/* Verify CRL signature */
sl@0	771	if(X509_CRL_verify(crl, ikey) <= 0)
sl@0	772	{
sl@0	773	ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
sl@0	774	ok = ctx->verify_cb(0, ctx);
sl@0	775	if (!ok) goto err;
sl@0	776	}
sl@0	777	}
sl@0	778	}
sl@0	779
sl@0	780	ok = check_crl_time(ctx, crl, 1);
sl@0	781	if (!ok)
sl@0	782	goto err;
sl@0	783
sl@0	784	ok = 1;
sl@0	785
sl@0	786	err:
sl@0	787	EVP_PKEY_free(ikey);
sl@0	788	return ok;
sl@0	789	}
sl@0	790
sl@0	791	/* Check certificate against CRL */
sl@0	792	static int cert_crl(X509_STORE_CTX ctx, X509_CRL crl, X509 *x)
sl@0	793	{
sl@0	794	int idx, ok;
sl@0	795	X509_REVOKED rtmp;
sl@0	796	STACK_OF(X509_EXTENSION) *exts;
sl@0	797	X509_EXTENSION *ext;
sl@0	798	/* Look for serial number of certificate in CRL */
sl@0	799	rtmp.serialNumber = X509_get_serialNumber(x);
sl@0	800	/* Sort revoked into serial number order if not already sorted.
sl@0	801	* Do this under a lock to avoid race condition.
sl@0	802	*/
sl@0	803	if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked))
sl@0	804	{
sl@0	805	CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
sl@0	806	sk_X509_REVOKED_sort(crl->crl->revoked);
sl@0	807	CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
sl@0	808	}
sl@0	809	idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
sl@0	810	/* If found assume revoked: want something cleverer than
sl@0	811	* this to handle entry extensions in V2 CRLs.
sl@0	812	*/
sl@0	813	if(idx >= 0)
sl@0	814	{
sl@0	815	ctx->error = X509_V_ERR_CERT_REVOKED;
sl@0	816	ok = ctx->verify_cb(0, ctx);
sl@0	817	if (!ok) return 0;
sl@0	818	}
sl@0	819
sl@0	820	if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
sl@0	821	return 1;
sl@0	822
sl@0	823	/* See if we have any critical CRL extensions: since we
sl@0	824	* currently don't handle any CRL extensions the CRL must be
sl@0	825	* rejected.
sl@0	826	* This code accesses the X509_CRL structure directly: applications
sl@0	827	* shouldn't do this.
sl@0	828	*/
sl@0	829
sl@0	830	exts = crl->crl->extensions;
sl@0	831
sl@0	832	for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
sl@0	833	{
sl@0	834	ext = sk_X509_EXTENSION_value(exts, idx);
sl@0	835	if (ext->critical > 0)
sl@0	836	{
sl@0	837	ctx->error =
sl@0	838	X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
sl@0	839	ok = ctx->verify_cb(0, ctx);
sl@0	840	if(!ok) return 0;
sl@0	841	break;
sl@0	842	}
sl@0	843	}
sl@0	844	return 1;
sl@0	845	}
sl@0	846
sl@0	847	static int check_policy(X509_STORE_CTX *ctx)
sl@0	848	{
sl@0	849	int ret;
sl@0	850	ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
sl@0	851	ctx->param->policies, ctx->param->flags);
sl@0	852	if (ret == 0)
sl@0	853	{
sl@0	854	X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
sl@0	855	return 0;
sl@0	856	}
sl@0	857	/* Invalid or inconsistent extensions */
sl@0	858	if (ret == -1)
sl@0	859	{
sl@0	860	/* Locate certificates with bad extensions and notify
sl@0	861	* callback.
sl@0	862	*/
sl@0	863	X509 *x;
sl@0	864	int i;
sl@0	865	for (i = 1; i < sk_X509_num(ctx->chain); i++)
sl@0	866	{
sl@0	867	x = sk_X509_value(ctx->chain, i);
sl@0	868	if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
sl@0	869	continue;
sl@0	870	ctx->current_cert = x;
sl@0	871	ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
sl@0	872	ret = ctx->verify_cb(0, ctx);
sl@0	873	}
sl@0	874	return 1;
sl@0	875	}
sl@0	876	if (ret == -2)
sl@0	877	{
sl@0	878	ctx->current_cert = NULL;
sl@0	879	ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
sl@0	880	return ctx->verify_cb(0, ctx);
sl@0	881	}
sl@0	882
sl@0	883	if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
sl@0	884	{
sl@0	885	ctx->current_cert = NULL;
sl@0	886	ctx->error = X509_V_OK;
sl@0	887	if (!ctx->verify_cb(2, ctx))
sl@0	888	return 0;
sl@0	889	}
sl@0	890
sl@0	891	return 1;
sl@0	892	}
sl@0	893
sl@0	894	static int check_cert_time(X509_STORE_CTX ctx, X509 x)
sl@0	895	{
sl@0	896	time_t *ptime;
sl@0	897	int i;
sl@0	898
sl@0	899	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
sl@0	900	ptime = &ctx->param->check_time;
sl@0	901	else
sl@0	902	ptime = NULL;
sl@0	903
sl@0	904	i=X509_cmp_time(X509_get_notBefore(x), ptime);
sl@0	905	if (i == 0)
sl@0	906	{
sl@0	907	ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
sl@0	908	ctx->current_cert=x;
sl@0	909	if (!ctx->verify_cb(0, ctx))
sl@0	910	return 0;
sl@0	911	}
sl@0	912
sl@0	913	if (i > 0)
sl@0	914	{
sl@0	915	ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
sl@0	916	ctx->current_cert=x;
sl@0	917	if (!ctx->verify_cb(0, ctx))
sl@0	918	return 0;
sl@0	919	}
sl@0	920
sl@0	921	i=X509_cmp_time(X509_get_notAfter(x), ptime);
sl@0	922	if (i == 0)
sl@0	923	{
sl@0	924	ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
sl@0	925	ctx->current_cert=x;
sl@0	926	if (!ctx->verify_cb(0, ctx))
sl@0	927	return 0;
sl@0	928	}
sl@0	929
sl@0	930	if (i < 0)
sl@0	931	{
sl@0	932	ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
sl@0	933	ctx->current_cert=x;
sl@0	934	if (!ctx->verify_cb(0, ctx))
sl@0	935	return 0;
sl@0	936	}
sl@0	937
sl@0	938	return 1;
sl@0	939	}
sl@0	940
sl@0	941	static int internal_verify(X509_STORE_CTX *ctx)
sl@0	942	{
sl@0	943	int ok=0,n;
sl@0	944	X509 xs,xi;
sl@0	945	EVP_PKEY *pkey=NULL;
sl@0	946	int (cb)(int xok,X509_STORE_CTX xctx);
sl@0	947
sl@0	948	cb=ctx->verify_cb;
sl@0	949
sl@0	950	n=sk_X509_num(ctx->chain);
sl@0	951	ctx->error_depth=n-1;
sl@0	952	n--;
sl@0	953	xi=sk_X509_value(ctx->chain,n);
sl@0	954
sl@0	955	if (ctx->check_issued(ctx, xi, xi))
sl@0	956	xs=xi;
sl@0	957	else
sl@0	958	{
sl@0	959	if (n <= 0)
sl@0	960	{
sl@0	961	ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
sl@0	962	ctx->current_cert=xi;
sl@0	963	ok=cb(0,ctx);
sl@0	964	goto end;
sl@0	965	}
sl@0	966	else
sl@0	967	{
sl@0	968	n--;
sl@0	969	ctx->error_depth=n;
sl@0	970	xs=sk_X509_value(ctx->chain,n);
sl@0	971	}
sl@0	972	}
sl@0	973
sl@0	974	/* ctx->error=0; not needed */
sl@0	975	while (n >= 0)
sl@0	976	{
sl@0	977	ctx->error_depth=n;
sl@0	978	if (!xs->valid)
sl@0	979	{
sl@0	980	if ((pkey=X509_get_pubkey(xi)) == NULL)
sl@0	981	{
sl@0	982	ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
sl@0	983	ctx->current_cert=xi;
sl@0	984	ok=(*cb)(0,ctx);
sl@0	985	if (!ok) goto end;
sl@0	986	}
sl@0	987	else if (X509_verify(xs,pkey) <= 0)
sl@0	988	/* XXX For the final trusted self-signed cert,
sl@0	989	* this is a waste of time. That check should
sl@0	990	* optional so that e.g. 'openssl x509' can be
sl@0	991	* used to detect invalid self-signatures, but
sl@0	992	* we don't verify again and again in SSL
sl@0	993	* handshakes and the like once the cert has
sl@0	994	* been declared trusted. */
sl@0	995	{
sl@0	996	ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
sl@0	997	ctx->current_cert=xs;
sl@0	998	ok=(*cb)(0,ctx);
sl@0	999	if (!ok)
sl@0	1000	{
sl@0	1001	EVP_PKEY_free(pkey);
sl@0	1002	goto end;
sl@0	1003	}
sl@0	1004	}
sl@0	1005	EVP_PKEY_free(pkey);
sl@0	1006	pkey=NULL;
sl@0	1007	}
sl@0	1008
sl@0	1009	xs->valid = 1;
sl@0	1010
sl@0	1011	ok = check_cert_time(ctx, xs);
sl@0	1012	if (!ok)
sl@0	1013	goto end;
sl@0	1014
sl@0	1015	/* The last error (if any) is still in the error value */
sl@0	1016	ctx->current_issuer=xi;
sl@0	1017	ctx->current_cert=xs;
sl@0	1018	ok=(*cb)(1,ctx);
sl@0	1019	if (!ok) goto end;
sl@0	1020
sl@0	1021	n--;
sl@0	1022	if (n >= 0)
sl@0	1023	{
sl@0	1024	xi=xs;
sl@0	1025	xs=sk_X509_value(ctx->chain,n);
sl@0	1026	}
sl@0	1027	}
sl@0	1028	ok=1;
sl@0	1029	end:
sl@0	1030	return ok;
sl@0	1031	}
sl@0	1032
sl@0	1033	EXPORT_C int X509_cmp_current_time(ASN1_TIME *ctm)
sl@0	1034	{
sl@0	1035	return X509_cmp_time(ctm, NULL);
sl@0	1036	}
sl@0	1037
sl@0	1038	EXPORT_C int X509_cmp_time(ASN1_TIME ctm, time_t cmp_time)
sl@0	1039	{
sl@0	1040	char *str;
sl@0	1041	ASN1_TIME atm;
sl@0	1042	long offset;
sl@0	1043	char buff1[24],buff2[24],*p;
sl@0	1044	int i,j;
sl@0	1045
sl@0	1046	p=buff1;
sl@0	1047	i=ctm->length;
sl@0	1048	str=(char *)ctm->data;
sl@0	1049	if (ctm->type == V_ASN1_UTCTIME)
sl@0	1050	{
sl@0	1051	if ((i < 11) \|\| (i > 17)) return 0;
sl@0	1052	memcpy(p,str,10);
sl@0	1053	p+=10;
sl@0	1054	str+=10;
sl@0	1055	}
sl@0	1056	else
sl@0	1057	{
sl@0	1058	if (i < 13) return 0;
sl@0	1059	memcpy(p,str,12);
sl@0	1060	p+=12;
sl@0	1061	str+=12;
sl@0	1062	}
sl@0	1063
sl@0	1064	if ((str == 'Z') \|\| (str == '-') \|\| (*str == '+'))
sl@0	1065	{ (p++)='0'; (p++)='0'; }
sl@0	1066	else
sl@0	1067	{
sl@0	1068	(p++)= (str++);
sl@0	1069	(p++)= (str++);
sl@0	1070	/* Skip any fractional seconds... */
sl@0	1071	if (*str == '.')
sl@0	1072	{
sl@0	1073	str++;
sl@0	1074	while ((str >= '0') && (str <= '9')) str++;
sl@0	1075	}
sl@0	1076
sl@0	1077	}
sl@0	1078	*(p++)='Z';
sl@0	1079	*(p++)='\0';
sl@0	1080
sl@0	1081	if (*str == 'Z')
sl@0	1082	offset=0;
sl@0	1083	else
sl@0	1084	{
sl@0	1085	if ((str != '+') && (str != '-'))
sl@0	1086	return 0;
sl@0	1087	offset=((str[1]-'0')10+(str[2]-'0'))60;
sl@0	1088	offset+=(str[3]-'0')*10+(str[4]-'0');
sl@0	1089	if (*str == '-')
sl@0	1090	offset= -offset;
sl@0	1091	}
sl@0	1092	atm.type=ctm->type;
sl@0	1093	atm.length=sizeof(buff2);
sl@0	1094	atm.data=(unsigned char *)buff2;
sl@0	1095
sl@0	1096	if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
sl@0	1097	return 0;
sl@0	1098
sl@0	1099	if (ctm->type == V_ASN1_UTCTIME)
sl@0	1100	{
sl@0	1101	i=(buff1[0]-'0')*10+(buff1[1]-'0');
sl@0	1102	if (i < 50) i+=100; /* cf. RFC 2459 */
sl@0	1103	j=(buff2[0]-'0')*10+(buff2[1]-'0');
sl@0	1104	if (j < 50) j+=100;
sl@0	1105
sl@0	1106	if (i < j) return -1;
sl@0	1107	if (i > j) return 1;
sl@0	1108	}
sl@0	1109	i=strcmp(buff1,buff2);
sl@0	1110	if (i == 0) /* wait a second then return younger :-) */
sl@0	1111	return -1;
sl@0	1112	else
sl@0	1113	return i;
sl@0	1114	}
sl@0	1115
sl@0	1116	EXPORT_C ASN1_TIME X509_gmtime_adj(ASN1_TIME s, long adj)
sl@0	1117	{
sl@0	1118	return X509_time_adj(s, adj, NULL);
sl@0	1119	}
sl@0	1120
sl@0	1121	EXPORT_C ASN1_TIME X509_time_adj(ASN1_TIME s, long adj, time_t *in_tm)
sl@0	1122	{
sl@0	1123	time_t t;
sl@0	1124	int type = -1;
sl@0	1125
sl@0	1126	if (in_tm) t = *in_tm;
sl@0	1127	else time(&t);
sl@0	1128
sl@0	1129	t+=adj;
sl@0	1130	if (s) type = s->type;
sl@0	1131	if (type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t);
sl@0	1132	if (type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_set(s, t);
sl@0	1133	return ASN1_TIME_set(s, t);
sl@0	1134	}
sl@0	1135
sl@0	1136	EXPORT_C int X509_get_pubkey_parameters(EVP_PKEY pkey, STACK_OF(X509) chain)
sl@0	1137	{
sl@0	1138	EVP_PKEY ktmp=NULL,ktmp2;
sl@0	1139	int i,j;
sl@0	1140
sl@0	1141	if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
sl@0	1142
sl@0	1143	for (i=0; i<sk_X509_num(chain); i++)
sl@0	1144	{
sl@0	1145	ktmp=X509_get_pubkey(sk_X509_value(chain,i));
sl@0	1146	if (ktmp == NULL)
sl@0	1147	{
sl@0	1148	X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
sl@0	1149	return 0;
sl@0	1150	}
sl@0	1151	if (!EVP_PKEY_missing_parameters(ktmp))
sl@0	1152	break;
sl@0	1153	else
sl@0	1154	{
sl@0	1155	EVP_PKEY_free(ktmp);
sl@0	1156	ktmp=NULL;
sl@0	1157	}
sl@0	1158	}
sl@0	1159	if (ktmp == NULL)
sl@0	1160	{
sl@0	1161	X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
sl@0	1162	return 0;
sl@0	1163	}
sl@0	1164
sl@0	1165	/* first, populate the other certs */
sl@0	1166	for (j=i-1; j >= 0; j--)
sl@0	1167	{
sl@0	1168	ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
sl@0	1169	EVP_PKEY_copy_parameters(ktmp2,ktmp);
sl@0	1170	EVP_PKEY_free(ktmp2);
sl@0	1171	}
sl@0	1172
sl@0	1173	if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
sl@0	1174	EVP_PKEY_free(ktmp);
sl@0	1175	return 1;
sl@0	1176	}
sl@0	1177
sl@0	1178	EXPORT_C int X509_STORE_CTX_get_ex_new_index(long argl, void argp, CRYPTO_EX_new new_func,
sl@0	1179	CRYPTO_EX_dup dup_func, CRYPTO_EX_free free_func)
sl@0	1180	{
sl@0	1181	/* This function is (usually) called only once, by
sl@0	1182	* SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
sl@0	1183	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
sl@0	1184	new_func, dup_func, free_func);
sl@0	1185	}
sl@0	1186
sl@0	1187	EXPORT_C int X509_STORE_CTX_set_ex_data(X509_STORE_CTX ctx, int idx, void data)
sl@0	1188	{
sl@0	1189	return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
sl@0	1190	}
sl@0	1191
sl@0	1192	EXPORT_C void X509_STORE_CTX_get_ex_data(X509_STORE_CTX ctx, int idx)
sl@0	1193	{
sl@0	1194	return CRYPTO_get_ex_data(&ctx->ex_data,idx);
sl@0	1195	}
sl@0	1196
sl@0	1197	EXPORT_C int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
sl@0	1198	{
sl@0	1199	return ctx->error;
sl@0	1200	}
sl@0	1201
sl@0	1202	EXPORT_C void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
sl@0	1203	{
sl@0	1204	ctx->error=err;
sl@0	1205	}
sl@0	1206
sl@0	1207	EXPORT_C int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
sl@0	1208	{
sl@0	1209	return ctx->error_depth;
sl@0	1210	}
sl@0	1211
sl@0	1212	EXPORT_C X509 X509_STORE_CTX_get_current_cert(X509_STORE_CTX ctx)
sl@0	1213	{
sl@0	1214	return ctx->current_cert;
sl@0	1215	}
sl@0	1216
sl@0	1217	EXPORT_C STACK_OF(X509) X509_STORE_CTX_get_chain(X509_STORE_CTX ctx)
sl@0	1218	{
sl@0	1219	return ctx->chain;
sl@0	1220	}
sl@0	1221
sl@0	1222	EXPORT_C STACK_OF(X509) X509_STORE_CTX_get1_chain(X509_STORE_CTX ctx)
sl@0	1223	{
sl@0	1224	int i;
sl@0	1225	X509 *x;
sl@0	1226	STACK_OF(X509) *chain;
sl@0	1227	if (!ctx->chain \|\| !(chain = sk_X509_dup(ctx->chain))) return NULL;
sl@0	1228	for (i = 0; i < sk_X509_num(chain); i++)
sl@0	1229	{
sl@0	1230	x = sk_X509_value(chain, i);
sl@0	1231	CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
sl@0	1232	}
sl@0	1233	return chain;
sl@0	1234	}
sl@0	1235
sl@0	1236	EXPORT_C void X509_STORE_CTX_set_cert(X509_STORE_CTX ctx, X509 x)
sl@0	1237	{
sl@0	1238	ctx->cert=x;
sl@0	1239	}
sl@0	1240
sl@0	1241	EXPORT_C void X509_STORE_CTX_set_chain(X509_STORE_CTX ctx, STACK_OF(X509) sk)
sl@0	1242	{
sl@0	1243	ctx->untrusted=sk;
sl@0	1244	}
sl@0	1245
sl@0	1246	EXPORT_C void X509_STORE_CTX_set0_crls(X509_STORE_CTX ctx, STACK_OF(X509_CRL) sk)
sl@0	1247	{
sl@0	1248	ctx->crls=sk;
sl@0	1249	}
sl@0	1250
sl@0	1251	EXPORT_C int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
sl@0	1252	{
sl@0	1253	return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
sl@0	1254	}
sl@0	1255
sl@0	1256	EXPORT_C int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
sl@0	1257	{
sl@0	1258	return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
sl@0	1259	}
sl@0	1260
sl@0	1261	/* This function is used to set the X509_STORE_CTX purpose and trust
sl@0	1262	* values. This is intended to be used when another structure has its
sl@0	1263	* own trust and purpose values which (if set) will be inherited by
sl@0	1264	* the ctx. If they aren't set then we will usually have a default
sl@0	1265	* purpose in mind which should then be used to set the trust value.
sl@0	1266	* An example of this is SSL use: an SSL structure will have its own
sl@0	1267	* purpose and trust settings which the application can set: if they
sl@0	1268	* aren't set then we use the default of SSL client/server.
sl@0	1269	*/
sl@0	1270
sl@0	1271	EXPORT_C int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
sl@0	1272	int purpose, int trust)
sl@0	1273	{
sl@0	1274	int idx;
sl@0	1275	/* If purpose not set use default */
sl@0	1276	if (!purpose) purpose = def_purpose;
sl@0	1277	/* If we have a purpose then check it is valid */
sl@0	1278	if (purpose)
sl@0	1279	{
sl@0	1280	X509_PURPOSE *ptmp;
sl@0	1281	idx = X509_PURPOSE_get_by_id(purpose);
sl@0	1282	if (idx == -1)
sl@0	1283	{
sl@0	1284	X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
sl@0	1285	X509_R_UNKNOWN_PURPOSE_ID);
sl@0	1286	return 0;
sl@0	1287	}
sl@0	1288	ptmp = X509_PURPOSE_get0(idx);
sl@0	1289	if (ptmp->trust == X509_TRUST_DEFAULT)
sl@0	1290	{
sl@0	1291	idx = X509_PURPOSE_get_by_id(def_purpose);
sl@0	1292	if (idx == -1)
sl@0	1293	{
sl@0	1294	X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
sl@0	1295	X509_R_UNKNOWN_PURPOSE_ID);
sl@0	1296	return 0;
sl@0	1297	}
sl@0	1298	ptmp = X509_PURPOSE_get0(idx);
sl@0	1299	}
sl@0	1300	/* If trust not set then get from purpose default */
sl@0	1301	if (!trust) trust = ptmp->trust;
sl@0	1302	}
sl@0	1303	if (trust)
sl@0	1304	{
sl@0	1305	idx = X509_TRUST_get_by_id(trust);
sl@0	1306	if (idx == -1)
sl@0	1307	{
sl@0	1308	X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
sl@0	1309	X509_R_UNKNOWN_TRUST_ID);
sl@0	1310	return 0;
sl@0	1311	}
sl@0	1312	}
sl@0	1313
sl@0	1314	if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
sl@0	1315	if (trust && !ctx->param->trust) ctx->param->trust = trust;
sl@0	1316	return 1;
sl@0	1317	}
sl@0	1318
sl@0	1319	EXPORT_C X509_STORE_CTX *X509_STORE_CTX_new(void)
sl@0	1320	{
sl@0	1321	X509_STORE_CTX *ctx;
sl@0	1322	ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
sl@0	1323	if (!ctx)
sl@0	1324	{
sl@0	1325	X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
sl@0	1326	return NULL;
sl@0	1327	}
sl@0	1328	memset(ctx, 0, sizeof(X509_STORE_CTX));
sl@0	1329	return ctx;
sl@0	1330	}
sl@0	1331
sl@0	1332	EXPORT_C void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
sl@0	1333	{
sl@0	1334	X509_STORE_CTX_cleanup(ctx);
sl@0	1335	OPENSSL_free(ctx);
sl@0	1336	}
sl@0	1337
sl@0	1338	EXPORT_C int X509_STORE_CTX_init(X509_STORE_CTX ctx, X509_STORE store, X509 *x509,
sl@0	1339	STACK_OF(X509) *chain)
sl@0	1340	{
sl@0	1341	int ret = 1;
sl@0	1342	ctx->ctx=store;
sl@0	1343	ctx->current_method=0;
sl@0	1344	ctx->cert=x509;
sl@0	1345	ctx->untrusted=chain;
sl@0	1346	ctx->crls = NULL;
sl@0	1347	ctx->last_untrusted=0;
sl@0	1348	ctx->other_ctx=NULL;
sl@0	1349	ctx->valid=0;
sl@0	1350	ctx->chain=NULL;
sl@0	1351	ctx->error=0;
sl@0	1352	ctx->explicit_policy=0;
sl@0	1353	ctx->error_depth=0;
sl@0	1354	ctx->current_cert=NULL;
sl@0	1355	ctx->current_issuer=NULL;
sl@0	1356	ctx->tree = NULL;
sl@0	1357
sl@0	1358	ctx->param = X509_VERIFY_PARAM_new();
sl@0	1359
sl@0	1360	if (!ctx->param)
sl@0	1361	{
sl@0	1362	X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
sl@0	1363	return 0;
sl@0	1364	}
sl@0	1365
sl@0	1366	/* Inherit callbacks and flags from X509_STORE if not set
sl@0	1367	* use defaults.
sl@0	1368	*/
sl@0	1369
sl@0	1370
sl@0	1371	if (store)
sl@0	1372	ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
sl@0	1373	else
sl@0	1374	ctx->param->flags \|= X509_VP_FLAG_DEFAULT\|X509_VP_FLAG_ONCE;
sl@0	1375
sl@0	1376	if (store)
sl@0	1377	{
sl@0	1378	ctx->verify_cb = store->verify_cb;
sl@0	1379	ctx->cleanup = store->cleanup;
sl@0	1380	}
sl@0	1381	else
sl@0	1382	ctx->cleanup = 0;
sl@0	1383
sl@0	1384	if (ret)
sl@0	1385	ret = X509_VERIFY_PARAM_inherit(ctx->param,
sl@0	1386	X509_VERIFY_PARAM_lookup("default"));
sl@0	1387
sl@0	1388	if (ret == 0)
sl@0	1389	{
sl@0	1390	X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
sl@0	1391	return 0;
sl@0	1392	}
sl@0	1393
sl@0	1394	if (store && store->check_issued)
sl@0	1395	ctx->check_issued = store->check_issued;
sl@0	1396	else
sl@0	1397	ctx->check_issued = check_issued;
sl@0	1398
sl@0	1399	if (store && store->get_issuer)
sl@0	1400	ctx->get_issuer = store->get_issuer;
sl@0	1401	else
sl@0	1402	ctx->get_issuer = X509_STORE_CTX_get1_issuer;
sl@0	1403
sl@0	1404	if (store && store->verify_cb)
sl@0	1405	ctx->verify_cb = store->verify_cb;
sl@0	1406	else
sl@0	1407	ctx->verify_cb = null_callback;
sl@0	1408
sl@0	1409	if (store && store->verify)
sl@0	1410	ctx->verify = store->verify;
sl@0	1411	else
sl@0	1412	ctx->verify = internal_verify;
sl@0	1413
sl@0	1414	if (store && store->check_revocation)
sl@0	1415	ctx->check_revocation = store->check_revocation;
sl@0	1416	else
sl@0	1417	ctx->check_revocation = check_revocation;
sl@0	1418
sl@0	1419	if (store && store->get_crl)
sl@0	1420	ctx->get_crl = store->get_crl;
sl@0	1421	else
sl@0	1422	ctx->get_crl = get_crl;
sl@0	1423
sl@0	1424	if (store && store->check_crl)
sl@0	1425	ctx->check_crl = store->check_crl;
sl@0	1426	else
sl@0	1427	ctx->check_crl = check_crl;
sl@0	1428
sl@0	1429	if (store && store->cert_crl)
sl@0	1430	ctx->cert_crl = store->cert_crl;
sl@0	1431	else
sl@0	1432	ctx->cert_crl = cert_crl;
sl@0	1433
sl@0	1434	ctx->check_policy = check_policy;
sl@0	1435
sl@0	1436
sl@0	1437	/* This memset() can't make any sense anyway, so it's removed. As
sl@0	1438	* X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
sl@0	1439	* corresponding "new" here and remove this bogus initialisation. */
sl@0	1440	/* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
sl@0	1441	if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
sl@0	1442	&(ctx->ex_data)))
sl@0	1443	{
sl@0	1444	OPENSSL_free(ctx);
sl@0	1445	X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
sl@0	1446	return 0;
sl@0	1447	}
sl@0	1448	return 1;
sl@0	1449	}
sl@0	1450
sl@0	1451	/* Set alternative lookup method: just a STACK of trusted certificates.
sl@0	1452	* This avoids X509_STORE nastiness where it isn't needed.
sl@0	1453	*/
sl@0	1454
sl@0	1455	EXPORT_C void X509_STORE_CTX_trusted_stack(X509_STORE_CTX ctx, STACK_OF(X509) sk)
sl@0	1456	{
sl@0	1457	ctx->other_ctx = sk;
sl@0	1458	ctx->get_issuer = get_issuer_sk;
sl@0	1459	}
sl@0	1460
sl@0	1461	EXPORT_C void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
sl@0	1462	{
sl@0	1463	if (ctx->cleanup) ctx->cleanup(ctx);
sl@0	1464	if (ctx->param != NULL)
sl@0	1465	{
sl@0	1466	X509_VERIFY_PARAM_free(ctx->param);
sl@0	1467	ctx->param=NULL;
sl@0	1468	}
sl@0	1469	if (ctx->tree != NULL)
sl@0	1470	{
sl@0	1471	X509_policy_tree_free(ctx->tree);
sl@0	1472	ctx->tree=NULL;
sl@0	1473	}
sl@0	1474	if (ctx->chain != NULL)
sl@0	1475	{
sl@0	1476	sk_X509_pop_free(ctx->chain,X509_free);
sl@0	1477	ctx->chain=NULL;
sl@0	1478	}
sl@0	1479	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
sl@0	1480	memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
sl@0	1481	}
sl@0	1482
sl@0	1483	EXPORT_C void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
sl@0	1484	{
sl@0	1485	X509_VERIFY_PARAM_set_depth(ctx->param, depth);
sl@0	1486	}
sl@0	1487
sl@0	1488	EXPORT_C void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
sl@0	1489	{
sl@0	1490	X509_VERIFY_PARAM_set_flags(ctx->param, flags);
sl@0	1491	}
sl@0	1492
sl@0	1493	EXPORT_C void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
sl@0	1494	{
sl@0	1495	X509_VERIFY_PARAM_set_time(ctx->param, t);
sl@0	1496	}
sl@0	1497
sl@0	1498	EXPORT_C void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
sl@0	1499	int (verify_cb)(int, X509_STORE_CTX ))
sl@0	1500	{
sl@0	1501	ctx->verify_cb=verify_cb;
sl@0	1502	}
sl@0	1503
sl@0	1504	EXPORT_C X509_POLICY_TREE X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX ctx)
sl@0	1505	{
sl@0	1506	return ctx->tree;
sl@0	1507	}
sl@0	1508
sl@0	1509	EXPORT_C int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
sl@0	1510	{
sl@0	1511	return ctx->explicit_policy;
sl@0	1512	}
sl@0	1513
sl@0	1514	EXPORT_C int X509_STORE_CTX_set_default(X509_STORE_CTX ctx, const char name)
sl@0	1515	{
sl@0	1516	const X509_VERIFY_PARAM *param;
sl@0	1517	param = X509_VERIFY_PARAM_lookup(name);
sl@0	1518	if (!param)
sl@0	1519	return 0;
sl@0	1520	return X509_VERIFY_PARAM_inherit(ctx->param, param);
sl@0	1521	}
sl@0	1522
sl@0	1523	EXPORT_C X509_VERIFY_PARAM X509_STORE_CTX_get0_param(X509_STORE_CTX ctx)
sl@0	1524	{
sl@0	1525	return ctx->param;
sl@0	1526	}
sl@0	1527
sl@0	1528	EXPORT_C void X509_STORE_CTX_set0_param(X509_STORE_CTX ctx, X509_VERIFY_PARAM param)
sl@0	1529	{
sl@0	1530	if (ctx->param)
sl@0	1531	X509_VERIFY_PARAM_free(ctx->param);
sl@0	1532	ctx->param = param;
sl@0	1533	}
sl@0	1534
sl@0	1535	IMPLEMENT_STACK_OF(X509)
sl@0	1536	IMPLEMENT_ASN1_SET_OF(X509)
sl@0	1537
sl@0	1538	IMPLEMENT_STACK_OF(X509_NAME)
sl@0	1539
sl@0	1540	IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
sl@0	1541	IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)

author	sl
	Tue, 10 Jun 2014 14:32:02 +0200
changeset 1	260cb5ec6c19
permissions	-rw-r--r--