diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2019-12-23 17:37:17 +0100 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-07-01 11:14:54 +0200 |
| commit | 023697870bcd4372a142a606546253d719a81024 (patch) | |
| tree | 93c511280830104d1fb4a8319294560a81c7dd98 /crypto/x509/x509_vfy.c | |
| parent | ade08735f9d0ac85d611c5abee8a1df651bbca13 (diff) | |
Refactor (without semantic changes) crypto/x509/{v3_purp.c,x509_vfy.c}
This prepares some corrections and improves readability (coding style).
Among others, it adds the static function check_sig_alg_match() and
the internal functions x509_likely_issued() and x509_signing_allowed().
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)
Diffstat (limited to 'crypto/x509/x509_vfy.c')
| -rw-r--r-- | crypto/x509/x509_vfy.c | 55 |
1 files changed, 24 insertions, 31 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index ef149a2e28..a7541d8572 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -344,15 +344,9 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { int ret; - int ss; - - if (x == issuer) { - ss = cert_self_signed(ctx, x); - if (ss < 0) - return 0; - return ss; - } + if (x == issuer) + return cert_self_signed(ctx, x) == 1; ret = x509_check_issued_int(issuer, x, ctx->libctx, ctx->propq); if (ret == X509_V_OK) { int i; @@ -367,7 +361,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) return 1; for (i = 0; i < sk_X509_num(ctx->chain); i++) { ch = sk_X509_value(ctx->chain, i); - if (ch == issuer || !X509_cmp(ch, issuer)) { + if (ch == issuer || X509_cmp(ch, issuer) == 0) { ret = X509_V_ERR_PATH_LOOP; break; } @@ -1779,8 +1773,6 @@ static int internal_verify(X509_STORE_CTX *ctx) * is allowed to reset errors (at its own peril). */ while (n >= 0) { - EVP_PKEY *pkey; - /* * Skip signature check for self-signed certificates unless explicitly * asked for because it does not add any security and just wastes time. @@ -1788,9 +1780,12 @@ static int internal_verify(X509_STORE_CTX *ctx) * and its depth (rather than the depth of the subject). */ if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { + EVP_PKEY *pkey; + int issuer_depth = n + (xi == xs ? 0 : 1); + if ((pkey = X509_get0_pubkey(xi)) == NULL) { - if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, - X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) + if (!verify_cb_cert(ctx, xi, issuer_depth, + X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) return 0; } else if (X509_verify_ex(xs, pkey, ctx->libctx, ctx->propq) <= 0) { if (!verify_cb_cert(ctx, xs, n, @@ -2962,7 +2957,7 @@ static int build_chain(X509_STORE_CTX *ctx) SSL_DANE *dane = ctx->dane; int num = sk_X509_num(ctx->chain); X509 *cert = sk_X509_value(ctx->chain, num - 1); - int ss; + int self_signed = cert_self_signed(ctx, cert); STACK_OF(X509) *sktmp = NULL; unsigned int search; int may_trusted = 0; @@ -2980,9 +2975,8 @@ static int build_chain(X509_STORE_CTX *ctx) return 0; } - ss = cert_self_signed(ctx, cert); - if (ss < 0) { - X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR); + self_signed = cert_self_signed(ctx, cert); + if (self_signed < 0) { ctx->error = X509_V_ERR_UNSPECIFIED; return 0; } @@ -3122,7 +3116,7 @@ static int build_chain(X509_STORE_CTX *ctx) * certificate among the ones from the trust store. */ if ((search & S_DOALTERNATE) != 0) { - if (!ossl_assert(num > i && i > 0 && ss == 0)) { + if (!ossl_assert(num > i && i > 0 && !self_signed)) { X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR); X509_free(xtmp); trust = X509_TRUST_REJECTED; @@ -3150,7 +3144,7 @@ static int build_chain(X509_STORE_CTX *ctx) * Self-signed untrusted certificates get replaced by their * trusted matching issuer. Otherwise, grow the chain. */ - if (ss == 0) { + if (!self_signed) { if (!sk_X509_push(ctx->chain, x = xtmp)) { X509_free(xtmp); X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); @@ -3159,9 +3153,8 @@ static int build_chain(X509_STORE_CTX *ctx) search = 0; continue; } - ss = cert_self_signed(ctx, x); - if (ss < 0) { - X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR); + self_signed = cert_self_signed(ctx, x); + if (self_signed < 0) { ctx->error = X509_V_ERR_UNSPECIFIED; return 0; } @@ -3211,7 +3204,7 @@ static int build_chain(X509_STORE_CTX *ctx) search = 0; continue; } - if (ss == 0) + if (!self_signed) continue; } } @@ -3233,7 +3226,7 @@ static int build_chain(X509_STORE_CTX *ctx) /* Search for a trusted issuer of a shorter chain */ search |= S_DOALTERNATE; alt_untrusted = ctx->num_untrusted - 1; - ss = 0; + self_signed = 0; } } @@ -3255,7 +3248,8 @@ static int build_chain(X509_STORE_CTX *ctx) * Once we run out of untrusted issuers, we stop looking for more * and start looking only in the trust store if enabled. */ - xtmp = (ss || depth < num) ? NULL : find_issuer(ctx, sktmp, x); + xtmp = (self_signed || depth < num) ? NULL + : find_issuer(ctx, sktmp, x); if (xtmp == NULL) { search &= ~S_DOUNTRUSTED; if (may_trusted) @@ -3285,11 +3279,10 @@ static int build_chain(X509_STORE_CTX *ctx) x = xtmp; ++ctx->num_untrusted; - ss = cert_self_signed(ctx, xtmp); - if (ss < 0) { - X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR); - ctx->error = X509_V_ERR_UNSPECIFIED; + self_signed = cert_self_signed(ctx, xtmp); + if (self_signed < 0) { sk_X509_free(sktmp); + ctx->error = X509_V_ERR_UNSPECIFIED; return 0; } @@ -3333,10 +3326,10 @@ static int build_chain(X509_STORE_CTX *ctx) if (DANETLS_ENABLED(dane) && (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0)) return verify_cb_cert(ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH); - if (ss && sk_X509_num(ctx->chain) == 1) + if (self_signed && sk_X509_num(ctx->chain) == 1) return verify_cb_cert(ctx, NULL, num-1, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT); - if (ss) + if (self_signed) return verify_cb_cert(ctx, NULL, num-1, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN); if (ctx->num_untrusted < num) |