Symaptic: os/ossrv/ssl/libcrypto/src/crypto/x509/x509

     1 /* x509_trs.c */

     2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL

     3  * project 1999.

     4  */

     5 /* ====================================================================

     6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.

     7  *

     8  * Redistribution and use in source and binary forms, with or without

     9  * modification, are permitted provided that the following conditions

    10  * are met:

    11  *

    12  * 1. Redistributions of source code must retain the above copyright

    13  *    notice, this list of conditions and the following disclaimer.

    14  *

    15  * 2. Redistributions in binary form must reproduce the above copyright

    16  *    notice, this list of conditions and the following disclaimer in

    17  *    the documentation and/or other materials provided with the

    18  *    distribution.

    19  *

    20  * 3. All advertising materials mentioning features or use of this

    21  *    software must display the following acknowledgment:

    22  *    "This product includes software developed by the OpenSSL Project

    23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

    24  *

    25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

    26  *    endorse or promote products derived from this software without

    27  *    prior written permission. For written permission, please contact

    28  *    licensing@OpenSSL.org.

    29  *

    30  * 5. Products derived from this software may not be called "OpenSSL"

    31  *    nor may "OpenSSL" appear in their names without prior written

    32  *    permission of the OpenSSL Project.

    33  *

    34  * 6. Redistributions of any form whatsoever must retain the following

    35  *    acknowledgment:

    36  *    "This product includes software developed by the OpenSSL Project

    37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

    38  *

    39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

    40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

    41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

    42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

    43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

    44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

    45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

    46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

    47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

    48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

    49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

    50  * OF THE POSSIBILITY OF SUCH DAMAGE.

    51  * ====================================================================

    52  *

    53  * This product includes cryptographic software written by Eric Young

    54  * (eay@cryptsoft.com).  This product includes software written by Tim

    55  * Hudson (tjh@cryptsoft.com).

    56  *

    57  */

    58  /*

    59  © Portions copyright (c) 2006 Nokia Corporation.  All rights reserved.

    60  */

    62 #include <stdio.h>

    63 #include "cryptlib.h"

    64 #include <openssl/x509v3.h>

    65 #if (defined(SYMBIAN) && (defined(__WINSCW__) || defined(__WINS__)))

    66 #include "libcrypto_wsd_macros.h"

    67 #include "libcrypto_wsd.h"

    68 #endif

    71 static int tr_cmp(const X509_TRUST * const *a,

    72 		const X509_TRUST * const *b);

    73 static void trtable_free(X509_TRUST *p);

    75 static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);

    76 static int trust_1oid(X509_TRUST *trust, X509 *x, int flags);

    77 static int trust_compat(X509_TRUST *trust, X509 *x, int flags);

    79 static int obj_trust(int id, X509 *x, int flags);

    80 static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;

    83 #ifndef EMULATOR

    84 /* WARNING: the following table should be kept in order of trust

    85  * and without any gaps so we can just subtract the minimum trust

    86  * value to get an index into the table

    87  */

    89 static X509_TRUST trstandard[] = {

    90 {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},

    91 {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},

    92 {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},

    93 {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},

    94 {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},

    95 {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},

    96 {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}

    97 };

    98 #else

    99 static const X509_TRUST trstandard[] = {

   100 {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},

   101 {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},

   102 {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},

   103 {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},

   104 {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},

   105 {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},

   106 {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}

   107 };

   108 #endif

   109 #define X509_TRUST_COUNT	(sizeof(trstandard)/sizeof(X509_TRUST))

   111 IMPLEMENT_STACK_OF(X509_TRUST)

   112 #ifndef EMULATOR

   113 static STACK_OF(X509_TRUST) *trtable = NULL;

   114 #else

   115 GET_STATIC_VAR_FROM_TLS(trtable,x509_trs,STACK_OF(X509_TRUST) *)

   116 #define trtable (*GET_WSD_VAR_NAME(trtable,x509_trs, s)())

   117 #endif

   119 static int tr_cmp(const X509_TRUST * const *a,

   120 		const X509_TRUST * const *b)

   121 {

   122 	return (*a)->trust - (*b)->trust;

   123 }

   125 EXPORT_C int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)

   126 {

   127 	int (*oldtrust)(int , X509 *, int);

   128 	oldtrust = default_trust;

   129 	default_trust = trust;

   130 	return oldtrust;

   131 }

   134 EXPORT_C int X509_check_trust(X509 *x, int id, int flags)

   135 {

   136 	X509_TRUST *pt;

   137 	int idx;

   138 	if(id == -1) return 1;

   139 	idx = X509_TRUST_get_by_id(id);

   140 	if(idx == -1) return default_trust(id, x, flags);

   141 	pt = X509_TRUST_get0(idx);

   142 	return pt->check_trust(pt, x, flags);

   143 }

   145 EXPORT_C int X509_TRUST_get_count(void)

   146 {

   147 	if(!trtable) return X509_TRUST_COUNT;

   148 	return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;

   149 }

   151 EXPORT_C X509_TRUST * X509_TRUST_get0(int idx)

   152 {

   153 	if(idx < 0) return NULL;

   154 	if(idx < (int)X509_TRUST_COUNT) return ((X509_TRUST *)trstandard + idx);

   155 	return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);

   156 }

   158 EXPORT_C int X509_TRUST_get_by_id(int id)

   159 {

   160 	X509_TRUST tmp;

   161 	int idx;

   162 	if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))

   163 				 return id - X509_TRUST_MIN;

   164 	tmp.trust = id;

   165 	if(!trtable) return -1;

   166 	idx = sk_X509_TRUST_find(trtable, &tmp);

   167 	if(idx == -1) return -1;

   168 	return idx + X509_TRUST_COUNT;

   169 }

   171 EXPORT_C int X509_TRUST_set(int *t, int trust)

   172 {

   173 	if(X509_TRUST_get_by_id(trust) == -1) {

   174 		X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);

   175 		return 0;

   176 	}

   177 	*t = trust;

   178 	return 1;

   179 }

   181 EXPORT_C int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),

   182 					char *name, int arg1, void *arg2)

   183 {

   184 	int idx;

   185 	X509_TRUST *trtmp;

   186 	/* This is set according to what we change: application can't set it */

   187 	flags &= ~X509_TRUST_DYNAMIC;

   188 	/* This will always be set for application modified trust entries */

   189 	flags |= X509_TRUST_DYNAMIC_NAME;

   190 	/* Get existing entry if any */

   191 	idx = X509_TRUST_get_by_id(id);

   192 	/* Need a new entry */

   193 	if(idx == -1) {

   194 		if(!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) {

   195 			X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);

   196 			return 0;

   197 		}

   198 		trtmp->flags = X509_TRUST_DYNAMIC;

   199 	} else trtmp = X509_TRUST_get0(idx);

   201 	/* OPENSSL_free existing name if dynamic */

   202 	if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) OPENSSL_free(trtmp->name);

   203 	/* dup supplied name */

   204 	if(!(trtmp->name = BUF_strdup(name))) {

   205 		X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);

   206 		return 0;

   207 	}

   208 	/* Keep the dynamic flag of existing entry */

   209 	trtmp->flags &= X509_TRUST_DYNAMIC;

   210 	/* Set all other flags */

   211 	trtmp->flags |= flags;

   213 	trtmp->trust = id;

   214 	trtmp->check_trust = ck;

   215 	trtmp->arg1 = arg1;

   216 	trtmp->arg2 = arg2;

   218 	/* If its a new entry manage the dynamic table */

   219 	if(idx == -1) {

   220 		if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {

   221 			X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);

   222 			return 0;

   223 		}

   224 		if (!sk_X509_TRUST_push(trtable, trtmp)) {

   225 			X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);

   226 			return 0;

   227 		}

   228 	}

   229 	return 1;

   230 }

   232 static void trtable_free(X509_TRUST *p)

   233 	{

   234 	if(!p) return;

   235 	if (p->flags & X509_TRUST_DYNAMIC)

   236 		{

   237 		if (p->flags & X509_TRUST_DYNAMIC_NAME)

   238 			OPENSSL_free(p->name);

   239 		OPENSSL_free(p);

   240 		}

   241 	}

   243 EXPORT_C void X509_TRUST_cleanup(void)

   244 {

   245 	unsigned int i;

   246 	for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free((X509_TRUST *)trstandard + i);

   247 	sk_X509_TRUST_pop_free(trtable, trtable_free);

   248 	trtable = NULL;

   249 }

   251 EXPORT_C int X509_TRUST_get_flags(X509_TRUST *xp)

   252 {

   253 	return xp->flags;

   254 }

   256 EXPORT_C char *X509_TRUST_get0_name(X509_TRUST *xp)

   257 {

   258 	return xp->name;

   259 }

   261 EXPORT_C int X509_TRUST_get_trust(X509_TRUST *xp)

   262 {

   263 	return xp->trust;

   264 }

   266 static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)

   267 {

   268 	if(x->aux && (x->aux->trust || x->aux->reject))

   269 		return obj_trust(trust->arg1, x, flags);

   270 	/* we don't have any trust settings: for compatibility

   271 	 * we return trusted if it is self signed

   272 	 */

   273 	return trust_compat(trust, x, flags);

   274 }

   276 static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)

   277 {

   278 	if(x->aux) return obj_trust(trust->arg1, x, flags);

   279 	return X509_TRUST_UNTRUSTED;

   280 }

   282 static int trust_compat(X509_TRUST *trust, X509 *x, int flags)

   283 {

   284 	X509_check_purpose(x, -1, 0);

   285 	if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED;

   286 	else return X509_TRUST_UNTRUSTED;

   287 }

   289 static int obj_trust(int id, X509 *x, int flags)

   290 {

   291 	ASN1_OBJECT *obj;

   292 	int i;

   293 	X509_CERT_AUX *ax;

   294 	ax = x->aux;

   295 	if(!ax) return X509_TRUST_UNTRUSTED;

   296 	if(ax->reject) {

   297 		for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {

   298 			obj = sk_ASN1_OBJECT_value(ax->reject, i);

   299 			if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED;

   300 		}

   301 	}

   302 	if(ax->trust) {

   303 		for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {

   304 			obj = sk_ASN1_OBJECT_value(ax->trust, i);

   305 			if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED;

   306 		}

   307 	}

   308 	return X509_TRUST_UNTRUSTED;

   309 }

author	sl
	Tue, 10 Jun 2014 14:32:02 +0200
changeset 1	260cb5ec6c19
permissions	-rw-r--r--