1 /* crypto/x509/x509_lu.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.] */
57
58 #include <openssl/err.h>
59 #include <openssl/lhash.h>
60 #include <openssl/mem.h>
61 #include <openssl/x509.h>
62 #include <openssl/x509v3.h>
63
64
X509_LOOKUP_new(X509_LOOKUP_METHOD * method)65 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
66 {
67 X509_LOOKUP *ret;
68
69 ret=(X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP));
70 if (ret == NULL) return NULL;
71
72 ret->init=0;
73 ret->skip=0;
74 ret->method=method;
75 ret->method_data=NULL;
76 ret->store_ctx=NULL;
77 if ((method->new_item != NULL) && !method->new_item(ret))
78 {
79 OPENSSL_free(ret);
80 return NULL;
81 }
82 return ret;
83 }
84
X509_LOOKUP_free(X509_LOOKUP * ctx)85 void X509_LOOKUP_free(X509_LOOKUP *ctx)
86 {
87 if (ctx == NULL) return;
88 if ( (ctx->method != NULL) &&
89 (ctx->method->free != NULL))
90 (*ctx->method->free)(ctx);
91 OPENSSL_free(ctx);
92 }
93
X509_LOOKUP_init(X509_LOOKUP * ctx)94 int X509_LOOKUP_init(X509_LOOKUP *ctx)
95 {
96 if (ctx->method == NULL) return 0;
97 if (ctx->method->init != NULL)
98 return ctx->method->init(ctx);
99 else
100 return 1;
101 }
102
X509_LOOKUP_shutdown(X509_LOOKUP * ctx)103 int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
104 {
105 if (ctx->method == NULL) return 0;
106 if (ctx->method->shutdown != NULL)
107 return ctx->method->shutdown(ctx);
108 else
109 return 1;
110 }
111
X509_LOOKUP_ctrl(X509_LOOKUP * ctx,int cmd,const char * argc,long argl,char ** ret)112 int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
113 char **ret)
114 {
115 if (ctx->method == NULL) return -1;
116 if (ctx->method->ctrl != NULL)
117 return ctx->method->ctrl(ctx,cmd,argc,argl,ret);
118 else
119 return 1;
120 }
121
X509_LOOKUP_by_subject(X509_LOOKUP * ctx,int type,X509_NAME * name,X509_OBJECT * ret)122 int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
123 X509_OBJECT *ret)
124 {
125 if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
126 return X509_LU_FAIL;
127 if (ctx->skip) return 0;
128 return ctx->method->get_by_subject(ctx,type,name,ret);
129 }
130
X509_LOOKUP_by_issuer_serial(X509_LOOKUP * ctx,int type,X509_NAME * name,ASN1_INTEGER * serial,X509_OBJECT * ret)131 int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
132 ASN1_INTEGER *serial, X509_OBJECT *ret)
133 {
134 if ((ctx->method == NULL) ||
135 (ctx->method->get_by_issuer_serial == NULL))
136 return X509_LU_FAIL;
137 return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);
138 }
139
X509_LOOKUP_by_fingerprint(X509_LOOKUP * ctx,int type,unsigned char * bytes,int len,X509_OBJECT * ret)140 int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
141 unsigned char *bytes, int len, X509_OBJECT *ret)
142 {
143 if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
144 return X509_LU_FAIL;
145 return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);
146 }
147
X509_LOOKUP_by_alias(X509_LOOKUP * ctx,int type,char * str,int len,X509_OBJECT * ret)148 int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
149 X509_OBJECT *ret)
150 {
151 if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
152 return X509_LU_FAIL;
153 return ctx->method->get_by_alias(ctx,type,str,len,ret);
154 }
155
156
x509_object_cmp(const X509_OBJECT ** a,const X509_OBJECT ** b)157 static int x509_object_cmp(const X509_OBJECT **a, const X509_OBJECT **b)
158 {
159 int ret;
160
161 ret=((*a)->type - (*b)->type);
162 if (ret) return ret;
163 switch ((*a)->type)
164 {
165 case X509_LU_X509:
166 ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
167 break;
168 case X509_LU_CRL:
169 ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl);
170 break;
171 default:
172 /* abort(); */
173 return 0;
174 }
175 return ret;
176 }
177
X509_STORE_new(void)178 X509_STORE *X509_STORE_new(void)
179 {
180 X509_STORE *ret;
181
182 if ((ret=(X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL)
183 return NULL;
184 memset(ret, 0, sizeof(*ret));
185 ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
186 ret->cache = 1;
187 ret->get_cert_methods = sk_X509_LOOKUP_new_null();
188
189 if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)
190 goto err;
191
192 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
193 goto err;
194
195 ret->references = 1;
196 return ret;
197 err:
198 if (ret)
199 {
200 if (ret->param)
201 X509_VERIFY_PARAM_free(ret->param);
202 if (ret->get_cert_methods)
203 sk_X509_LOOKUP_free(ret->get_cert_methods);
204 if (ret->objs)
205 sk_X509_OBJECT_free(ret->objs);
206 OPENSSL_free(ret);
207 }
208 return NULL;
209 }
210
cleanup(X509_OBJECT * a)211 static void cleanup(X509_OBJECT *a)
212 {
213 if (a->type == X509_LU_X509)
214 {
215 X509_free(a->data.x509);
216 }
217 else if (a->type == X509_LU_CRL)
218 {
219 X509_CRL_free(a->data.crl);
220 }
221 else
222 {
223 /* abort(); */
224 }
225
226 OPENSSL_free(a);
227 }
228
X509_STORE_free(X509_STORE * vfy)229 void X509_STORE_free(X509_STORE *vfy)
230 {
231 int i;
232 size_t j;
233 STACK_OF(X509_LOOKUP) *sk;
234 X509_LOOKUP *lu;
235
236 if (vfy == NULL)
237 return;
238
239 i=CRYPTO_add(&vfy->references,-1,CRYPTO_LOCK_X509_STORE);
240 #ifdef REF_PRINT
241 REF_PRINT("X509_STORE",vfy);
242 #endif
243 if (i > 0) return;
244 #ifdef REF_CHECK
245 if (i < 0)
246 {
247 fprintf(stderr,"X509_STORE_free, bad reference count\n");
248 abort(); /* ok */
249 }
250 #endif
251
252 sk=vfy->get_cert_methods;
253 for (j=0; j<sk_X509_LOOKUP_num(sk); j++)
254 {
255 lu=sk_X509_LOOKUP_value(sk,j);
256 X509_LOOKUP_shutdown(lu);
257 X509_LOOKUP_free(lu);
258 }
259 sk_X509_LOOKUP_free(sk);
260 sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
261
262 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
263 if (vfy->param)
264 X509_VERIFY_PARAM_free(vfy->param);
265 OPENSSL_free(vfy);
266 }
267
X509_STORE_add_lookup(X509_STORE * v,X509_LOOKUP_METHOD * m)268 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
269 {
270 size_t i;
271 STACK_OF(X509_LOOKUP) *sk;
272 X509_LOOKUP *lu;
273
274 sk=v->get_cert_methods;
275 for (i=0; i<sk_X509_LOOKUP_num(sk); i++)
276 {
277 lu=sk_X509_LOOKUP_value(sk,i);
278 if (m == lu->method)
279 {
280 return lu;
281 }
282 }
283 /* a new one */
284 lu=X509_LOOKUP_new(m);
285 if (lu == NULL)
286 return NULL;
287 else
288 {
289 lu->store_ctx=v;
290 if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
291 return lu;
292 else
293 {
294 X509_LOOKUP_free(lu);
295 return NULL;
296 }
297 }
298 }
299
X509_STORE_get_by_subject(X509_STORE_CTX * vs,int type,X509_NAME * name,X509_OBJECT * ret)300 int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
301 X509_OBJECT *ret)
302 {
303 X509_STORE *ctx=vs->ctx;
304 X509_LOOKUP *lu;
305 X509_OBJECT stmp,*tmp;
306 int i,j;
307
308 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
309 tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
310 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
311
312 if (tmp == NULL || type == X509_LU_CRL)
313 {
314 for (i=vs->current_method; i<(int)sk_X509_LOOKUP_num(ctx->get_cert_methods); i++)
315 {
316 lu=sk_X509_LOOKUP_value(ctx->get_cert_methods,i);
317 j=X509_LOOKUP_by_subject(lu,type,name,&stmp);
318 if (j < 0)
319 {
320 vs->current_method=j;
321 return j;
322 }
323 else if (j)
324 {
325 tmp= &stmp;
326 break;
327 }
328 }
329 vs->current_method=0;
330 if (tmp == NULL)
331 return 0;
332 }
333
334 /* if (ret->data.ptr != NULL)
335 X509_OBJECT_free_contents(ret); */
336
337 ret->type=tmp->type;
338 ret->data.ptr=tmp->data.ptr;
339
340 X509_OBJECT_up_ref_count(ret);
341
342 return 1;
343 }
344
X509_STORE_add_cert(X509_STORE * ctx,X509 * x)345 int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
346 {
347 X509_OBJECT *obj;
348 int ret=1;
349
350 if (x == NULL) return 0;
351 obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
352 if (obj == NULL)
353 {
354 OPENSSL_PUT_ERROR(X509, X509_STORE_add_cert, ERR_R_MALLOC_FAILURE);
355 return 0;
356 }
357 obj->type=X509_LU_X509;
358 obj->data.x509=x;
359
360 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
361
362 X509_OBJECT_up_ref_count(obj);
363
364 if (X509_OBJECT_retrieve_match(ctx->objs, obj))
365 {
366 X509_OBJECT_free_contents(obj);
367 OPENSSL_free(obj);
368 OPENSSL_PUT_ERROR(X509, X509_STORE_add_cert, X509_R_CERT_ALREADY_IN_HASH_TABLE);
369 ret=0;
370 }
371 else sk_X509_OBJECT_push(ctx->objs, obj);
372
373 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
374
375 return ret;
376 }
377
X509_STORE_add_crl(X509_STORE * ctx,X509_CRL * x)378 int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
379 {
380 X509_OBJECT *obj;
381 int ret=1;
382
383 if (x == NULL) return 0;
384 obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
385 if (obj == NULL)
386 {
387 OPENSSL_PUT_ERROR(X509, X509_STORE_add_crl, ERR_R_MALLOC_FAILURE);
388 return 0;
389 }
390 obj->type=X509_LU_CRL;
391 obj->data.crl=x;
392
393 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
394
395 X509_OBJECT_up_ref_count(obj);
396
397 if (X509_OBJECT_retrieve_match(ctx->objs, obj))
398 {
399 X509_OBJECT_free_contents(obj);
400 OPENSSL_free(obj);
401 OPENSSL_PUT_ERROR(X509, X509_STORE_add_crl, X509_R_CERT_ALREADY_IN_HASH_TABLE);
402 ret=0;
403 }
404 else sk_X509_OBJECT_push(ctx->objs, obj);
405
406 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
407
408 return ret;
409 }
410
X509_OBJECT_up_ref_count(X509_OBJECT * a)411 void X509_OBJECT_up_ref_count(X509_OBJECT *a)
412 {
413 switch (a->type)
414 {
415 case X509_LU_X509:
416 X509_up_ref(a->data.x509);
417 break;
418 case X509_LU_CRL:
419 CRYPTO_add(&a->data.crl->references,1,CRYPTO_LOCK_X509_CRL);
420 break;
421 }
422 }
423
X509_OBJECT_free_contents(X509_OBJECT * a)424 void X509_OBJECT_free_contents(X509_OBJECT *a)
425 {
426 switch (a->type)
427 {
428 case X509_LU_X509:
429 X509_free(a->data.x509);
430 break;
431 case X509_LU_CRL:
432 X509_CRL_free(a->data.crl);
433 break;
434 }
435 }
436
x509_object_idx_cnt(STACK_OF (X509_OBJECT)* h,int type,X509_NAME * name,int * pnmatch)437 static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
438 X509_NAME *name, int *pnmatch)
439 {
440 X509_OBJECT stmp;
441 X509 x509_s;
442 X509_CINF cinf_s;
443 X509_CRL crl_s;
444 X509_CRL_INFO crl_info_s;
445 size_t idx;
446
447 stmp.type=type;
448 switch (type)
449 {
450 case X509_LU_X509:
451 stmp.data.x509= &x509_s;
452 x509_s.cert_info= &cinf_s;
453 cinf_s.subject=name;
454 break;
455 case X509_LU_CRL:
456 stmp.data.crl= &crl_s;
457 crl_s.crl= &crl_info_s;
458 crl_info_s.issuer=name;
459 break;
460 default:
461 /* abort(); */
462 return -1;
463 }
464
465 idx = -1;
466 if (sk_X509_OBJECT_find(h, &idx, &stmp) && pnmatch)
467 {
468 int tidx;
469 const X509_OBJECT *tobj, *pstmp;
470 *pnmatch = 1;
471 pstmp = &stmp;
472 for (tidx = idx + 1; tidx < (int)sk_X509_OBJECT_num(h); tidx++)
473 {
474 tobj = sk_X509_OBJECT_value(h, tidx);
475 if (x509_object_cmp(&tobj, &pstmp))
476 break;
477 (*pnmatch)++;
478 }
479 }
480
481 return idx;
482 }
483
484
X509_OBJECT_idx_by_subject(STACK_OF (X509_OBJECT)* h,int type,X509_NAME * name)485 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
486 X509_NAME *name)
487 {
488 return x509_object_idx_cnt(h, type, name, NULL);
489 }
490
X509_OBJECT_retrieve_by_subject(STACK_OF (X509_OBJECT)* h,int type,X509_NAME * name)491 X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
492 X509_NAME *name)
493 {
494 int idx;
495 idx = X509_OBJECT_idx_by_subject(h, type, name);
496 if (idx==-1) return NULL;
497 return sk_X509_OBJECT_value(h, idx);
498 }
499
STACK_OF(X509)500 STACK_OF(X509)* X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
501 {
502 int i, idx, cnt;
503 STACK_OF(X509) *sk;
504 X509 *x;
505 X509_OBJECT *obj;
506 sk = sk_X509_new_null();
507 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
508 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
509 if (idx < 0)
510 {
511 /* Nothing found in cache: do lookup to possibly add new
512 * objects to cache
513 */
514 X509_OBJECT xobj;
515 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
516 if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj))
517 {
518 sk_X509_free(sk);
519 return NULL;
520 }
521 X509_OBJECT_free_contents(&xobj);
522 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
523 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_X509,nm, &cnt);
524 if (idx < 0)
525 {
526 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
527 sk_X509_free(sk);
528 return NULL;
529 }
530 }
531 for (i = 0; i < cnt; i++, idx++)
532 {
533 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
534 x = obj->data.x509;
535 if (!sk_X509_push(sk, X509_up_ref(x)))
536 {
537 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
538 X509_free(x);
539 sk_X509_pop_free(sk, X509_free);
540 return NULL;
541 }
542 }
543 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
544 return sk;
545
546 }
547
STACK_OF(X509_CRL)548 STACK_OF(X509_CRL)* X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
549 {
550 int i, idx, cnt;
551 STACK_OF(X509_CRL) *sk;
552 X509_CRL *x;
553 X509_OBJECT *obj, xobj;
554 sk = sk_X509_CRL_new_null();
555 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
556 /* Check cache first */
557 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
558
559 /* Always do lookup to possibly add new CRLs to cache
560 */
561 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
562 if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj))
563 {
564 sk_X509_CRL_free(sk);
565 return NULL;
566 }
567 X509_OBJECT_free_contents(&xobj);
568 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
569 idx = x509_object_idx_cnt(ctx->ctx->objs,X509_LU_CRL, nm, &cnt);
570 if (idx < 0)
571 {
572 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
573 sk_X509_CRL_free(sk);
574 return NULL;
575 }
576
577 for (i = 0; i < cnt; i++, idx++)
578 {
579 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
580 x = obj->data.crl;
581 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
582 if (!sk_X509_CRL_push(sk, x))
583 {
584 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
585 X509_CRL_free(x);
586 sk_X509_CRL_pop_free(sk, X509_CRL_free);
587 return NULL;
588 }
589 }
590 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
591 return sk;
592 }
593
X509_OBJECT_retrieve_match(STACK_OF (X509_OBJECT)* h,X509_OBJECT * x)594 X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
595 {
596 size_t idx, i;
597 X509_OBJECT *obj;
598
599 if (!sk_X509_OBJECT_find(h, &idx, x)) {
600 return NULL;
601 }
602 if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
603 return sk_X509_OBJECT_value(h, idx);
604 for (i = idx; i < sk_X509_OBJECT_num(h); i++)
605 {
606 obj = sk_X509_OBJECT_value(h, i);
607 if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
608 return NULL;
609 if (x->type == X509_LU_X509)
610 {
611 if (!X509_cmp(obj->data.x509, x->data.x509))
612 return obj;
613 }
614 else if (x->type == X509_LU_CRL)
615 {
616 if (!X509_CRL_match(obj->data.crl, x->data.crl))
617 return obj;
618 }
619 else
620 return obj;
621 }
622 return NULL;
623 }
624
625
626 /* Try to get issuer certificate from store. Due to limitations
627 * of the API this can only retrieve a single certificate matching
628 * a given subject name. However it will fill the cache with all
629 * matching certificates, so we can examine the cache for all
630 * matches.
631 *
632 * Return values are:
633 * 1 lookup successful.
634 * 0 certificate not found.
635 * -1 some other error.
636 */
X509_STORE_CTX_get1_issuer(X509 ** issuer,X509_STORE_CTX * ctx,X509 * x)637 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
638 {
639 X509_NAME *xn;
640 X509_OBJECT obj, *pobj;
641 int ok, idx, ret;
642 size_t i;
643 xn=X509_get_issuer_name(x);
644 ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
645 if (ok != X509_LU_X509)
646 {
647 if (ok == X509_LU_RETRY)
648 {
649 X509_OBJECT_free_contents(&obj);
650 OPENSSL_PUT_ERROR(X509, X509_STORE_CTX_get1_issuer, X509_R_SHOULD_RETRY);
651 return -1;
652 }
653 else if (ok != X509_LU_FAIL)
654 {
655 X509_OBJECT_free_contents(&obj);
656 /* not good :-(, break anyway */
657 return -1;
658 }
659 return 0;
660 }
661 /* If certificate matches all OK */
662 if (ctx->check_issued(ctx, x, obj.data.x509))
663 {
664 *issuer = obj.data.x509;
665 return 1;
666 }
667 X509_OBJECT_free_contents(&obj);
668
669 /* Else find index of first cert accepted by 'check_issued' */
670 ret = 0;
671 CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
672 idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
673 if (idx != -1) /* should be true as we've had at least one match */
674 {
675 /* Look through all matching certs for suitable issuer */
676 for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
677 {
678 pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
679 /* See if we've run past the matches */
680 if (pobj->type != X509_LU_X509)
681 break;
682 if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
683 break;
684 if (ctx->check_issued(ctx, x, pobj->data.x509))
685 {
686 *issuer = pobj->data.x509;
687 X509_OBJECT_up_ref_count(pobj);
688 ret = 1;
689 break;
690 }
691 }
692 }
693 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
694 return ret;
695 }
696
X509_STORE_set_flags(X509_STORE * ctx,unsigned long flags)697 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
698 {
699 return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
700 }
701
X509_STORE_set_depth(X509_STORE * ctx,int depth)702 int X509_STORE_set_depth(X509_STORE *ctx, int depth)
703 {
704 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
705 return 1;
706 }
707
X509_STORE_set_purpose(X509_STORE * ctx,int purpose)708 int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
709 {
710 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
711 }
712
X509_STORE_set_trust(X509_STORE * ctx,int trust)713 int X509_STORE_set_trust(X509_STORE *ctx, int trust)
714 {
715 return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
716 }
717
X509_STORE_set1_param(X509_STORE * ctx,X509_VERIFY_PARAM * param)718 int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
719 {
720 return X509_VERIFY_PARAM_set1(ctx->param, param);
721 }
722
X509_STORE_set_verify_cb(X509_STORE * ctx,int (* verify_cb)(int,X509_STORE_CTX *))723 void X509_STORE_set_verify_cb(X509_STORE *ctx,
724 int (*verify_cb)(int, X509_STORE_CTX *))
725 {
726 ctx->verify_cb = verify_cb;
727 }
728
X509_STORE_set_lookup_crls_cb(X509_STORE * ctx,STACK_OF (X509_CRL)* (* cb)(X509_STORE_CTX * ctx,X509_NAME * nm))729 void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx,
730 STACK_OF(X509_CRL)* (*cb)(X509_STORE_CTX *ctx, X509_NAME *nm))
731 {
732 ctx->lookup_crls = cb;
733 }
734
X509_STORE_CTX_get0_store(X509_STORE_CTX * ctx)735 X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx)
736 {
737 return ctx->ctx;
738 }
739