117 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
118 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
119 static int check_chain_extensions(X509_STORE_CTX *ctx);
120 static int check_name_constraints(X509_STORE_CTX *ctx);
121 static int check_id(X509_STORE_CTX *ctx);
122 static int check_trust(X509_STORE_CTX *ctx);
123 static int check_revocation(X509_STORE_CTX *ctx);
124 static int check_cert(X509_STORE_CTX *ctx);
125 static int check_policy(X509_STORE_CTX *ctx);
127 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
129 static int get_crl_delta(X509_STORE_CTX *ctx,
131 static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl,
134 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
138 static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
139 static int check_crl_chain(X509_STORE_CTX *ctx,
143 static int internal_verify(X509_STORE_CTX *ctx);
162 static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) in lookup_cert_match() argument
168 certs = ctx->lookup_certs(ctx, X509_get_subject_name(x)); in lookup_cert_match()
185 int X509_verify_cert(X509_STORE_CTX *ctx) in X509_verify_cert() argument
189 X509_VERIFY_PARAM *param = ctx->param; in X509_verify_cert()
194 if (ctx->cert == NULL) { in X509_verify_cert()
196 ctx->error = X509_V_ERR_INVALID_CALL; in X509_verify_cert()
199 if (ctx->chain != NULL) { in X509_verify_cert()
205 ctx->error = X509_V_ERR_INVALID_CALL; in X509_verify_cert()
209 cb = ctx->verify_cb; in X509_verify_cert()
215 ctx->chain = sk_X509_new_null(); in X509_verify_cert()
216 if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) { in X509_verify_cert()
218 ctx->error = X509_V_ERR_OUT_OF_MEM; in X509_verify_cert()
221 X509_up_ref(ctx->cert); in X509_verify_cert()
222 ctx->last_untrusted = 1; in X509_verify_cert()
226 if (ctx->untrusted != NULL in X509_verify_cert()
227 && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { in X509_verify_cert()
229 ctx->error = X509_V_ERR_OUT_OF_MEM; in X509_verify_cert()
233 if (ctx->ctx->additional_untrusted != NULL) { in X509_verify_cert()
238 ctx->error = X509_V_ERR_OUT_OF_MEM; in X509_verify_cert()
243 for (size_t k = 0; k < sk_X509_num(ctx->ctx->additional_untrusted); in X509_verify_cert()
246 sk_X509_value(ctx->ctx->additional_untrusted, in X509_verify_cert()
249 ctx->error = X509_V_ERR_OUT_OF_MEM; in X509_verify_cert()
255 num = sk_X509_num(ctx->chain); in X509_verify_cert()
256 x = sk_X509_value(ctx->chain, num - 1); in X509_verify_cert()
273 if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) { in X509_verify_cert()
274 ok = ctx->get_issuer(&xtmp, ctx, x); in X509_verify_cert()
276 ctx->error = X509_V_ERR_STORE_LOOKUP; in X509_verify_cert()
291 xtmp = find_issuer(ctx, sktmp, x); in X509_verify_cert()
293 if (!sk_X509_push(ctx->chain, xtmp)) { in X509_verify_cert()
295 ctx->error = X509_V_ERR_OUT_OF_MEM; in X509_verify_cert()
301 ctx->last_untrusted++; in X509_verify_cert()
325 i = sk_X509_num(ctx->chain); in X509_verify_cert()
326 x = sk_X509_value(ctx->chain, i - 1); in X509_verify_cert()
329 if (sk_X509_num(ctx->chain) == 1) { in X509_verify_cert()
335 ok = ctx->get_issuer(&xtmp, ctx, x); in X509_verify_cert()
337 ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; in X509_verify_cert()
338 ctx->current_cert = x; in X509_verify_cert()
339 ctx->error_depth = i - 1; in X509_verify_cert()
343 ok = cb(0, ctx); in X509_verify_cert()
353 (void)sk_X509_set(ctx->chain, i - 1, x); in X509_verify_cert()
354 ctx->last_untrusted = 0; in X509_verify_cert()
360 chain_ss = sk_X509_pop(ctx->chain); in X509_verify_cert()
361 ctx->last_untrusted--; in X509_verify_cert()
364 x = sk_X509_value(ctx->chain, num - 1); in X509_verify_cert()
375 ok = ctx->get_issuer(&xtmp, ctx, x); in X509_verify_cert()
378 ctx->error = X509_V_ERR_STORE_LOOKUP; in X509_verify_cert()
384 if (!sk_X509_push(ctx->chain, x)) { in X509_verify_cert()
387 ctx->error = X509_V_ERR_OUT_OF_MEM; in X509_verify_cert()
395 trust = check_trust(ctx); in X509_verify_cert()
410 && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) in X509_verify_cert()
411 && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { in X509_verify_cert()
413 xtmp2 = sk_X509_value(ctx->chain, j - 1); in X509_verify_cert()
414 ok = ctx->get_issuer(&xtmp, ctx, xtmp2); in X509_verify_cert()
429 xtmp = sk_X509_pop(ctx->chain); in X509_verify_cert()
433 ctx->last_untrusted = sk_X509_num(ctx->chain); in X509_verify_cert()
447 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { in X509_verify_cert()
448 if (ctx->last_untrusted >= num) in X509_verify_cert()
449 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; in X509_verify_cert()
451 ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; in X509_verify_cert()
452 ctx->current_cert = x; in X509_verify_cert()
455 sk_X509_push(ctx->chain, chain_ss); in X509_verify_cert()
457 ctx->last_untrusted = num; in X509_verify_cert()
458 ctx->current_cert = chain_ss; in X509_verify_cert()
459 ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; in X509_verify_cert()
463 ctx->error_depth = num - 1; in X509_verify_cert()
465 ok = cb(0, ctx); in X509_verify_cert()
471 ok = check_chain_extensions(ctx); in X509_verify_cert()
476 ok = check_id(ctx); in X509_verify_cert()
486 ok = ctx->check_revocation(ctx); in X509_verify_cert()
490 int err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain, in X509_verify_cert()
491 ctx->param->flags); in X509_verify_cert()
493 ctx->error = err; in X509_verify_cert()
494 ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth); in X509_verify_cert()
495 ok = cb(0, ctx); in X509_verify_cert()
501 if (ctx->verify != NULL) in X509_verify_cert()
502 ok = ctx->verify(ctx); in X509_verify_cert()
504 ok = internal_verify(ctx); in X509_verify_cert()
510 ok = check_name_constraints(ctx); in X509_verify_cert()
515 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) in X509_verify_cert()
516 ok = ctx->check_policy(ctx); in X509_verify_cert()
525 if (ok <= 0 && ctx->error == X509_V_OK) in X509_verify_cert()
526 ctx->error = X509_V_ERR_UNSPECIFIED; in X509_verify_cert()
534 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) in find_issuer() argument
540 if (ctx->check_issued(ctx, x, issuer)) in find_issuer()
548 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) in check_issued() argument
555 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) in check_issued()
558 ctx->error = ret; in check_issued()
559 ctx->current_cert = x; in check_issued()
560 ctx->current_issuer = issuer; in check_issued()
561 return ctx->verify_cb(0, ctx); in check_issued()
566 static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) in get_issuer_sk() argument
568 *issuer = find_issuer(ctx, ctx->other_ctx, x); in get_issuer_sk()
581 static int check_chain_extensions(X509_STORE_CTX *ctx) in check_chain_extensions() argument
589 cb = ctx->verify_cb; in check_chain_extensions()
600 if (ctx->parent) { in check_chain_extensions()
605 ! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); in check_chain_extensions()
606 purpose = ctx->param->purpose; in check_chain_extensions()
612 for (i = 0; i < ctx->last_untrusted; i++) { in check_chain_extensions()
614 x = sk_X509_value(ctx->chain, i); in check_chain_extensions()
615 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) in check_chain_extensions()
617 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; in check_chain_extensions()
618 ctx->error_depth = i; in check_chain_extensions()
619 ctx->current_cert = x; in check_chain_extensions()
620 ok = cb(0, ctx); in check_chain_extensions()
625 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; in check_chain_extensions()
626 ctx->error_depth = i; in check_chain_extensions()
627 ctx->current_cert = x; in check_chain_extensions()
628 ok = cb(0, ctx); in check_chain_extensions()
640 ctx->error = X509_V_ERR_INVALID_NON_CA; in check_chain_extensions()
647 ctx->error = X509_V_ERR_INVALID_CA; in check_chain_extensions()
657 ctx->error_depth = i; in check_chain_extensions()
658 ctx->current_cert = x; in check_chain_extensions()
659 ok = cb(0, ctx); in check_chain_extensions()
663 if (ctx->param->purpose > 0) { in check_chain_extensions()
667 ctx->error = X509_V_ERR_INVALID_PURPOSE; in check_chain_extensions()
668 ctx->error_depth = i; in check_chain_extensions()
669 ctx->current_cert = x; in check_chain_extensions()
670 ok = cb(0, ctx); in check_chain_extensions()
679 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; in check_chain_extensions()
680 ctx->error_depth = i; in check_chain_extensions()
681 ctx->current_cert = x; in check_chain_extensions()
682 ok = cb(0, ctx); in check_chain_extensions()
696 ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; in check_chain_extensions()
697 ctx->error_depth = i; in check_chain_extensions()
698 ctx->current_cert = x; in check_chain_extensions()
699 ok = cb(0, ctx); in check_chain_extensions()
741 static int check_name_constraints(X509_STORE_CTX *ctx) in check_name_constraints() argument
746 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { in check_name_constraints()
747 X509 *x = sk_X509_value(ctx->chain, i); in check_name_constraints()
757 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) { in check_name_constraints()
758 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; in check_name_constraints()
766 ctx->error = rv; in check_name_constraints()
769 ctx->error = rv; in check_name_constraints()
770 ctx->error_depth = i; in check_name_constraints()
771 ctx->current_cert = x; in check_name_constraints()
772 if (!ctx->verify_cb(0, ctx)) in check_name_constraints()
790 X509 *leaf = sk_X509_value(ctx->chain, 0); in check_name_constraints()
797 ctx->error = rv; in check_name_constraints()
800 ctx->error = rv; in check_name_constraints()
801 ctx->error_depth = i; in check_name_constraints()
802 ctx->current_cert = leaf; in check_name_constraints()
803 if (!ctx->verify_cb(0, ctx)) in check_name_constraints()
812 static int check_id_error(X509_STORE_CTX *ctx, int errcode) in check_id_error() argument
814 ctx->error = errcode; in check_id_error()
815 ctx->current_cert = ctx->cert; in check_id_error()
816 ctx->error_depth = 0; in check_id_error()
817 return ctx->verify_cb(0, ctx); in check_id_error()
839 static int check_id(X509_STORE_CTX *ctx) in check_id() argument
841 X509_VERIFY_PARAM *vpm = ctx->param; in check_id()
843 X509 *x = ctx->cert; in check_id()
845 if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL)) in check_id()
849 if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) in check_id()
853 if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) in check_id()
857 if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) in check_id()
863 static int check_trust(X509_STORE_CTX *ctx) in check_trust() argument
869 cb = ctx->verify_cb; in check_trust()
871 for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) { in check_trust()
872 x = sk_X509_value(ctx->chain, i); in check_trust()
873 ok = X509_check_trust(x, ctx->param->trust, 0); in check_trust()
882 ctx->error_depth = i; in check_trust()
883 ctx->current_cert = x; in check_trust()
884 ctx->error = X509_V_ERR_CERT_REJECTED; in check_trust()
885 ok = cb(0, ctx); in check_trust()
894 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { in check_trust()
896 if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain)) in check_trust()
898 x = sk_X509_value(ctx->chain, 0); in check_trust()
899 mx = lookup_cert_match(ctx, x); in check_trust()
901 (void)sk_X509_set(ctx->chain, 0, mx); in check_trust()
903 ctx->last_untrusted = 0; in check_trust()
915 static int check_revocation(X509_STORE_CTX *ctx) in check_revocation() argument
918 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) in check_revocation()
920 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) in check_revocation()
921 last = sk_X509_num(ctx->chain) - 1; in check_revocation()
924 if (ctx->parent) in check_revocation()
929 ctx->error_depth = i; in check_revocation()
930 ok = check_cert(ctx); in check_revocation()
937 static int check_cert(X509_STORE_CTX *ctx) in check_cert() argument
943 cnum = ctx->error_depth; in check_cert()
944 x = sk_X509_value(ctx->chain, cnum); in check_cert()
945 ctx->current_cert = x; in check_cert()
946 ctx->current_issuer = NULL; in check_cert()
947 ctx->current_crl_score = 0; in check_cert()
948 ctx->current_reasons = 0; in check_cert()
949 while (ctx->current_reasons != CRLDP_ALL_REASONS) { in check_cert()
950 last_reasons = ctx->current_reasons; in check_cert()
952 if (ctx->get_crl) in check_cert()
953 ok = ctx->get_crl(ctx, &crl, x); in check_cert()
955 ok = get_crl_delta(ctx, &crl, &dcrl, x); in check_cert()
960 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; in check_cert()
961 ok = ctx->verify_cb(0, ctx); in check_cert()
964 ctx->current_crl = crl; in check_cert()
965 ok = ctx->check_crl(ctx, crl); in check_cert()
970 ok = ctx->check_crl(ctx, dcrl); in check_cert()
973 ok = ctx->cert_crl(ctx, dcrl, x); in check_cert()
981 ok = ctx->cert_crl(ctx, crl, x); in check_cert()
994 if (last_reasons == ctx->current_reasons) { in check_cert()
995 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; in check_cert()
996 ok = ctx->verify_cb(0, ctx); in check_cert()
1004 ctx->current_crl = NULL; in check_cert()
1011 static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) in check_crl_time() argument
1016 ctx->current_crl = crl; in check_crl_time()
1017 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) in check_crl_time()
1018 ptime = &ctx->param->check_time; in check_crl_time()
1026 ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; in check_crl_time()
1027 if (!ctx->verify_cb(0, ctx)) in check_crl_time()
1034 ctx->error = X509_V_ERR_CRL_NOT_YET_VALID; in check_crl_time()
1035 if (!ctx->verify_cb(0, ctx)) in check_crl_time()
1045 ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; in check_crl_time()
1046 if (!ctx->verify_cb(0, ctx)) in check_crl_time()
1050 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { in check_crl_time()
1053 ctx->error = X509_V_ERR_CRL_HAS_EXPIRED; in check_crl_time()
1054 if (!ctx->verify_cb(0, ctx)) in check_crl_time()
1060 ctx->current_crl = NULL; in check_crl_time()
1065 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, in get_crl_sk() argument
1072 X509 *x = ctx->current_cert; in get_crl_sk()
1079 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); in get_crl_sk()
1113 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); in get_crl_sk()
1194 static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, in get_delta_sk() argument
1199 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) in get_delta_sk()
1201 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) in get_delta_sk()
1206 if (check_crl_time(ctx, delta, 0)) in get_delta_sk()
1224 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, in get_crl_score() argument
1237 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) { in get_crl_score()
1259 if (check_crl_time(ctx, crl, 0)) in get_crl_score()
1263 crl_akid_check(ctx, crl, pissuer, &crl_score); in get_crl_score()
1286 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, in crl_akid_check() argument
1291 int cidx = ctx->error_depth; in crl_akid_check()
1294 if ((size_t)cidx != sk_X509_num(ctx->chain) - 1) in crl_akid_check()
1297 crl_issuer = sk_X509_value(ctx->chain, cidx); in crl_akid_check()
1307 for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) { in crl_akid_check()
1308 crl_issuer = sk_X509_value(ctx->chain, cidx); in crl_akid_check()
1320 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) in crl_akid_check()
1327 for (i = 0; i < sk_X509_num(ctx->untrusted); i++) { in crl_akid_check()
1328 crl_issuer = sk_X509_value(ctx->untrusted, i); in crl_akid_check()
1338 for (i = 0; i < sk_X509_num(ctx->ctx->additional_untrusted); i++) { in crl_akid_check()
1339 crl_issuer = sk_X509_value(ctx->ctx->additional_untrusted, i); in crl_akid_check()
1357 static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) in check_crl_path() argument
1362 if (ctx->parent) in check_crl_path()
1364 if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted)) in check_crl_path()
1367 crl_ctx.crls = ctx->crls; in check_crl_path()
1369 X509_STORE_CTX_set0_param(&crl_ctx, ctx->param); in check_crl_path()
1371 crl_ctx.parent = ctx; in check_crl_path()
1372 crl_ctx.verify_cb = ctx->verify_cb; in check_crl_path()
1382 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); in check_crl_path()
1397 static int check_crl_chain(X509_STORE_CTX *ctx, in check_crl_chain() argument
1527 static int get_crl_delta(X509_STORE_CTX *ctx, in get_crl_delta() argument
1537 reasons = ctx->current_reasons; in get_crl_delta()
1538 ok = get_crl_sk(ctx, &crl, &dcrl, in get_crl_delta()
1539 &issuer, &crl_score, &reasons, ctx->crls); in get_crl_delta()
1546 skcrl = ctx->lookup_crls(ctx, nm); in get_crl_delta()
1552 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); in get_crl_delta()
1560 ctx->current_issuer = issuer; in get_crl_delta()
1561 ctx->current_crl_score = crl_score; in get_crl_delta()
1562 ctx->current_reasons = reasons; in get_crl_delta()
1572 static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) in check_crl() argument
1577 cnum = ctx->error_depth; in check_crl()
1578 chnum = sk_X509_num(ctx->chain) - 1; in check_crl()
1580 if (ctx->current_issuer) in check_crl()
1581 issuer = ctx->current_issuer; in check_crl()
1588 issuer = sk_X509_value(ctx->chain, cnum + 1); in check_crl()
1590 issuer = sk_X509_value(ctx->chain, chnum); in check_crl()
1592 if (!ctx->check_issued(ctx, issuer, issuer)) { in check_crl()
1593 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; in check_crl()
1594 ok = ctx->verify_cb(0, ctx); in check_crl()
1608 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; in check_crl()
1609 ok = ctx->verify_cb(0, ctx); in check_crl()
1614 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { in check_crl()
1615 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; in check_crl()
1616 ok = ctx->verify_cb(0, ctx); in check_crl()
1621 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { in check_crl()
1622 if (check_crl_path(ctx, ctx->current_issuer) <= 0) { in check_crl()
1623 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; in check_crl()
1624 ok = ctx->verify_cb(0, ctx); in check_crl()
1631 ctx->error = X509_V_ERR_INVALID_EXTENSION; in check_crl()
1632 ok = ctx->verify_cb(0, ctx); in check_crl()
1639 if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { in check_crl()
1640 ok = check_crl_time(ctx, crl, 1); in check_crl()
1649 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; in check_crl()
1650 ok = ctx->verify_cb(0, ctx); in check_crl()
1655 rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags); in check_crl()
1657 ctx->error = rv; in check_crl()
1658 ok = ctx->verify_cb(0, ctx); in check_crl()
1664 ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE; in check_crl()
1665 ok = ctx->verify_cb(0, ctx); in check_crl()
1680 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) in cert_crl() argument
1690 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) in cert_crl()
1692 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; in cert_crl()
1693 ok = ctx->verify_cb(0, ctx); in cert_crl()
1704 ctx->error = X509_V_ERR_CERT_REVOKED; in cert_crl()
1705 ok = ctx->verify_cb(0, ctx); in cert_crl()
1713 static int check_policy(X509_STORE_CTX *ctx) in check_policy() argument
1716 if (ctx->parent) in check_policy()
1718 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, in check_policy()
1719 ctx->param->policies, ctx->param->flags); in check_policy()
1722 ctx->error = X509_V_ERR_OUT_OF_MEM; in check_policy()
1732 for (i = 1; i < sk_X509_num(ctx->chain); i++) { in check_policy()
1733 x = sk_X509_value(ctx->chain, i); in check_policy()
1736 ctx->current_cert = x; in check_policy()
1737 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; in check_policy()
1738 if (!ctx->verify_cb(0, ctx)) in check_policy()
1744 ctx->current_cert = NULL; in check_policy()
1745 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; in check_policy()
1746 return ctx->verify_cb(0, ctx); in check_policy()
1749 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { in check_policy()
1750 ctx->current_cert = NULL; in check_policy()
1757 if (!ctx->verify_cb(2, ctx)) in check_policy()
1764 static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) in check_cert_time() argument
1769 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) in check_cert_time()
1770 ptime = &ctx->param->check_time; in check_cert_time()
1776 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; in check_cert_time()
1777 ctx->current_cert = x; in check_cert_time()
1778 if (!ctx->verify_cb(0, ctx)) in check_cert_time()
1783 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID; in check_cert_time()
1784 ctx->current_cert = x; in check_cert_time()
1785 if (!ctx->verify_cb(0, ctx)) in check_cert_time()
1791 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; in check_cert_time()
1792 ctx->current_cert = x; in check_cert_time()
1793 if (!ctx->verify_cb(0, ctx)) in check_cert_time()
1798 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED; in check_cert_time()
1799 ctx->current_cert = x; in check_cert_time()
1800 if (!ctx->verify_cb(0, ctx)) in check_cert_time()
1807 static int internal_verify(X509_STORE_CTX *ctx) in internal_verify() argument
1814 cb = ctx->verify_cb; in internal_verify()
1816 n = sk_X509_num(ctx->chain); in internal_verify()
1817 ctx->error_depth = n - 1; in internal_verify()
1819 xi = sk_X509_value(ctx->chain, n); in internal_verify()
1821 if (ctx->check_issued(ctx, xi, xi)) in internal_verify()
1824 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { in internal_verify()
1829 ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; in internal_verify()
1830 ctx->current_cert = xi; in internal_verify()
1831 ok = cb(0, ctx); in internal_verify()
1835 ctx->error_depth = n; in internal_verify()
1836 xs = sk_X509_value(ctx->chain, n); in internal_verify()
1842 ctx->error_depth = n; in internal_verify()
1849 if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { in internal_verify()
1851 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; in internal_verify()
1852 ctx->current_cert = xi; in internal_verify()
1853 ok = (*cb) (0, ctx); in internal_verify()
1857 ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; in internal_verify()
1858 ctx->current_cert = xs; in internal_verify()
1859 ok = (*cb) (0, ctx); in internal_verify()
1870 ok = check_cert_time(ctx, xs); in internal_verify()
1875 ctx->current_issuer = xi; in internal_verify()
1876 ctx->current_cert = xs; in internal_verify()
1877 ok = (*cb) (1, ctx); in internal_verify()
1884 xs = sk_X509_value(ctx->chain, n); in internal_verify()
2117 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) in X509_STORE_CTX_set_ex_data() argument
2119 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); in X509_STORE_CTX_set_ex_data()
2122 void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) in X509_STORE_CTX_get_ex_data() argument
2124 return CRYPTO_get_ex_data(&ctx->ex_data, idx); in X509_STORE_CTX_get_ex_data()
2127 int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) in X509_STORE_CTX_get_error() argument
2129 return ctx->error; in X509_STORE_CTX_get_error()
2132 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) in X509_STORE_CTX_set_error() argument
2134 ctx->error = err; in X509_STORE_CTX_set_error()
2137 int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) in X509_STORE_CTX_get_error_depth() argument
2139 return ctx->error_depth; in X509_STORE_CTX_get_error_depth()
2142 X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) in X509_STORE_CTX_get_current_cert() argument
2144 return ctx->current_cert; in X509_STORE_CTX_get_current_cert()
2147 STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) in STACK_OF()
2149 return ctx->chain; in STACK_OF()
2152 STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) in STACK_OF()
2154 if (!ctx->chain) in STACK_OF()
2156 return X509_chain_up_ref(ctx->chain); in STACK_OF()
2159 X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) in X509_STORE_CTX_get0_current_issuer() argument
2161 return ctx->current_issuer; in X509_STORE_CTX_get0_current_issuer()
2164 X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) in X509_STORE_CTX_get0_current_crl() argument
2166 return ctx->current_crl; in X509_STORE_CTX_get0_current_crl()
2169 X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) in X509_STORE_CTX_get0_parent_ctx() argument
2171 return ctx->parent; in X509_STORE_CTX_get0_parent_ctx()
2174 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) in X509_STORE_CTX_set_cert() argument
2176 ctx->cert = x; in X509_STORE_CTX_set_cert()
2179 void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) in X509_STORE_CTX_set_chain() argument
2181 ctx->untrusted = sk; in X509_STORE_CTX_set_chain()
2184 STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) in STACK_OF()
2186 return ctx->untrusted; in STACK_OF()
2189 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) in X509_STORE_CTX_set0_crls() argument
2191 ctx->crls = sk; in X509_STORE_CTX_set0_crls()
2194 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) in X509_STORE_CTX_set_purpose() argument
2196 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); in X509_STORE_CTX_set_purpose()
2199 int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) in X509_STORE_CTX_set_trust() argument
2201 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); in X509_STORE_CTX_set_trust()
2215 int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, in X509_STORE_CTX_purpose_inherit() argument
2251 if (purpose && !ctx->param->purpose) in X509_STORE_CTX_purpose_inherit()
2252 ctx->param->purpose = purpose; in X509_STORE_CTX_purpose_inherit()
2253 if (trust && !ctx->param->trust) in X509_STORE_CTX_purpose_inherit()
2254 ctx->param->trust = trust; in X509_STORE_CTX_purpose_inherit()
2260 X509_STORE_CTX *ctx; in X509_STORE_CTX_new() local
2261 ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); in X509_STORE_CTX_new()
2262 if (!ctx) { in X509_STORE_CTX_new()
2266 X509_STORE_CTX_zero(ctx); in X509_STORE_CTX_new()
2267 return ctx; in X509_STORE_CTX_new()
2270 void X509_STORE_CTX_zero(X509_STORE_CTX *ctx) in X509_STORE_CTX_zero() argument
2272 OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX)); in X509_STORE_CTX_zero()
2275 void X509_STORE_CTX_free(X509_STORE_CTX *ctx) in X509_STORE_CTX_free() argument
2277 if (ctx == NULL) { in X509_STORE_CTX_free()
2280 X509_STORE_CTX_cleanup(ctx); in X509_STORE_CTX_free()
2281 OPENSSL_free(ctx); in X509_STORE_CTX_free()
2284 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, in X509_STORE_CTX_init() argument
2289 X509_STORE_CTX_zero(ctx); in X509_STORE_CTX_init()
2290 ctx->ctx = store; in X509_STORE_CTX_init()
2291 ctx->cert = x509; in X509_STORE_CTX_init()
2292 ctx->untrusted = chain; in X509_STORE_CTX_init()
2294 CRYPTO_new_ex_data(&ctx->ex_data); in X509_STORE_CTX_init()
2296 ctx->param = X509_VERIFY_PARAM_new(); in X509_STORE_CTX_init()
2297 if (!ctx->param) in X509_STORE_CTX_init()
2305 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); in X509_STORE_CTX_init()
2307 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE; in X509_STORE_CTX_init()
2310 ctx->verify_cb = store->verify_cb; in X509_STORE_CTX_init()
2311 ctx->cleanup = store->cleanup; in X509_STORE_CTX_init()
2313 ctx->cleanup = 0; in X509_STORE_CTX_init()
2316 ret = X509_VERIFY_PARAM_inherit(ctx->param, in X509_STORE_CTX_init()
2323 ctx->check_issued = store->check_issued; in X509_STORE_CTX_init()
2325 ctx->check_issued = check_issued; in X509_STORE_CTX_init()
2328 ctx->get_issuer = store->get_issuer; in X509_STORE_CTX_init()
2330 ctx->get_issuer = X509_STORE_CTX_get1_issuer; in X509_STORE_CTX_init()
2333 ctx->verify_cb = store->verify_cb; in X509_STORE_CTX_init()
2335 ctx->verify_cb = null_callback; in X509_STORE_CTX_init()
2338 ctx->verify = store->verify; in X509_STORE_CTX_init()
2340 ctx->verify = internal_verify; in X509_STORE_CTX_init()
2343 ctx->check_revocation = store->check_revocation; in X509_STORE_CTX_init()
2345 ctx->check_revocation = check_revocation; in X509_STORE_CTX_init()
2348 ctx->get_crl = store->get_crl; in X509_STORE_CTX_init()
2350 ctx->get_crl = NULL; in X509_STORE_CTX_init()
2353 ctx->check_crl = store->check_crl; in X509_STORE_CTX_init()
2355 ctx->check_crl = check_crl; in X509_STORE_CTX_init()
2358 ctx->cert_crl = store->cert_crl; in X509_STORE_CTX_init()
2360 ctx->cert_crl = cert_crl; in X509_STORE_CTX_init()
2363 ctx->lookup_certs = store->lookup_certs; in X509_STORE_CTX_init()
2365 ctx->lookup_certs = X509_STORE_get1_certs; in X509_STORE_CTX_init()
2368 ctx->lookup_crls = store->lookup_crls; in X509_STORE_CTX_init()
2370 ctx->lookup_crls = X509_STORE_get1_crls; in X509_STORE_CTX_init()
2372 ctx->check_policy = check_policy; in X509_STORE_CTX_init()
2377 CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data); in X509_STORE_CTX_init()
2378 if (ctx->param != NULL) { in X509_STORE_CTX_init()
2379 X509_VERIFY_PARAM_free(ctx->param); in X509_STORE_CTX_init()
2382 OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX)); in X509_STORE_CTX_init()
2392 void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) in X509_STORE_CTX_trusted_stack() argument
2394 ctx->other_ctx = sk; in X509_STORE_CTX_trusted_stack()
2395 ctx->get_issuer = get_issuer_sk; in X509_STORE_CTX_trusted_stack()
2398 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) in X509_STORE_CTX_cleanup() argument
2402 if (ctx->cleanup != NULL) { in X509_STORE_CTX_cleanup()
2403 ctx->cleanup(ctx); in X509_STORE_CTX_cleanup()
2404 ctx->cleanup = NULL; in X509_STORE_CTX_cleanup()
2406 if (ctx->param != NULL) { in X509_STORE_CTX_cleanup()
2407 if (ctx->parent == NULL) in X509_STORE_CTX_cleanup()
2408 X509_VERIFY_PARAM_free(ctx->param); in X509_STORE_CTX_cleanup()
2409 ctx->param = NULL; in X509_STORE_CTX_cleanup()
2411 if (ctx->tree != NULL) { in X509_STORE_CTX_cleanup()
2412 X509_policy_tree_free(ctx->tree); in X509_STORE_CTX_cleanup()
2413 ctx->tree = NULL; in X509_STORE_CTX_cleanup()
2415 if (ctx->chain != NULL) { in X509_STORE_CTX_cleanup()
2416 sk_X509_pop_free(ctx->chain, X509_free); in X509_STORE_CTX_cleanup()
2417 ctx->chain = NULL; in X509_STORE_CTX_cleanup()
2419 CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data)); in X509_STORE_CTX_cleanup()
2420 OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA)); in X509_STORE_CTX_cleanup()
2423 void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) in X509_STORE_CTX_set_depth() argument
2425 X509_VERIFY_PARAM_set_depth(ctx->param, depth); in X509_STORE_CTX_set_depth()
2428 void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) in X509_STORE_CTX_set_flags() argument
2430 X509_VERIFY_PARAM_set_flags(ctx->param, flags); in X509_STORE_CTX_set_flags()
2433 void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, in X509_STORE_CTX_set_time() argument
2436 X509_VERIFY_PARAM_set_time(ctx->param, t); in X509_STORE_CTX_set_time()
2439 X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) in X509_STORE_CTX_get0_cert() argument
2441 return ctx->cert; in X509_STORE_CTX_get0_cert()
2444 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, in X509_STORE_CTX_set_verify_cb() argument
2447 ctx->verify_cb = verify_cb; in X509_STORE_CTX_set_verify_cb()
2450 X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) in X509_STORE_CTX_get0_policy_tree() argument
2452 return ctx->tree; in X509_STORE_CTX_get0_policy_tree()
2455 int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) in X509_STORE_CTX_get_explicit_policy() argument
2457 return ctx->explicit_policy; in X509_STORE_CTX_get_explicit_policy()
2460 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) in X509_STORE_CTX_set_default() argument
2466 return X509_VERIFY_PARAM_inherit(ctx->param, param); in X509_STORE_CTX_set_default()
2469 X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) in X509_STORE_CTX_get0_param() argument
2471 return ctx->param; in X509_STORE_CTX_get0_param()
2474 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) in X509_STORE_CTX_set0_param() argument
2476 if (ctx->param) in X509_STORE_CTX_set0_param()
2477 X509_VERIFY_PARAM_free(ctx->param); in X509_STORE_CTX_set0_param()
2478 ctx->param = param; in X509_STORE_CTX_set0_param()