aboutsummaryrefslogtreecommitdiff
path: root/crypto/x509/x509_vpm.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/x509/x509_vpm.c')
-rw-r--r--crypto/x509/x509_vpm.c157
1 files changed, 100 insertions, 57 deletions
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 535f169a29e7..0f62e331f68c 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -1,7 +1,7 @@
/*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2025 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -44,7 +44,8 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
*/
if (namelen == 0 || name == NULL)
namelen = name ? strlen(name) : 0;
- else if (name && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen))
+ else if (name != NULL
+ && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen) != NULL)
return 0;
if (namelen > 0 && name[namelen - 1] == '\0')
--namelen;
@@ -78,14 +79,13 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
return 1;
}
-
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
{
X509_VERIFY_PARAM *param;
param = OPENSSL_zalloc(sizeof(*param));
if (param == NULL) {
- X509err(X509_F_X509_VERIFY_PARAM_NEW, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
return NULL;
}
param->trust = X509_TRUST_DEFAULT;
@@ -142,39 +142,32 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
/* Macro to test if a field should be copied from src to dest */
#define test_x509_verify_param_copy(field, def) \
- (to_overwrite || \
- ((src->field != def) && (to_default || (dest->field == def))))
+ (to_overwrite || (src->field != def && (to_default || dest->field == def)))
/* Macro to test and copy a field if necessary */
#define x509_verify_param_copy(field, def) \
- if (test_x509_verify_param_copy(field, def)) \
- dest->field = src->field
+ if (test_x509_verify_param_copy(field, def)) \
+ dest->field = src->field;
int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
const X509_VERIFY_PARAM *src)
{
unsigned long inh_flags;
int to_default, to_overwrite;
- if (!src)
+
+ if (src == NULL)
return 1;
inh_flags = dest->inh_flags | src->inh_flags;
- if (inh_flags & X509_VP_FLAG_ONCE)
+ if ((inh_flags & X509_VP_FLAG_ONCE) != 0)
dest->inh_flags = 0;
- if (inh_flags & X509_VP_FLAG_LOCKED)
+ if ((inh_flags & X509_VP_FLAG_LOCKED) != 0)
return 1;
- if (inh_flags & X509_VP_FLAG_DEFAULT)
- to_default = 1;
- else
- to_default = 0;
-
- if (inh_flags & X509_VP_FLAG_OVERWRITE)
- to_overwrite = 1;
- else
- to_overwrite = 0;
+ to_default = (inh_flags & X509_VP_FLAG_DEFAULT) != 0;
+ to_overwrite = (inh_flags & X509_VP_FLAG_OVERWRITE) != 0;
x509_verify_param_copy(purpose, 0);
x509_verify_param_copy(trust, X509_TRUST_DEFAULT);
@@ -183,13 +176,13 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
/* If overwrite or check time not set, copy across */
- if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
+ if (to_overwrite || (dest->flags & X509_V_FLAG_USE_CHECK_TIME) == 0) {
dest->check_time = src->check_time;
dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
/* Don't need to copy flag: that is done below */
}
- if (inh_flags & X509_VP_FLAG_RESET_FLAGS)
+ if ((inh_flags & X509_VP_FLAG_RESET_FLAGS) != 0)
dest->flags = 0;
dest->flags |= src->flags;
@@ -204,7 +197,7 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
if (test_x509_verify_param_copy(hosts, NULL)) {
sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
dest->hosts = NULL;
- if (src->hosts) {
+ if (src->hosts != NULL) {
dest->hosts =
sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
if (dest->hosts == NULL)
@@ -228,8 +221,14 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
const X509_VERIFY_PARAM *from)
{
- unsigned long save_flags = to->inh_flags;
+ unsigned long save_flags;
int ret;
+
+ if (to == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+ save_flags = to->inh_flags;
to->inh_flags |= X509_VP_FLAG_DEFAULT;
ret = X509_VERIFY_PARAM_inherit(to, from);
to->inh_flags = save_flags;
@@ -239,14 +238,17 @@ int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
static int int_x509_param_set1(char **pdest, size_t *pdestlen,
const char *src, size_t srclen)
{
- void *tmp;
- if (src) {
+ char *tmp;
+
+ if (src != NULL) {
if (srclen == 0)
srclen = strlen(src);
- tmp = OPENSSL_memdup(src, srclen);
+ tmp = OPENSSL_malloc(srclen + 1);
if (tmp == NULL)
return 0;
+ memcpy(tmp, src, srclen);
+ tmp[srclen] = '\0'; /* enforce NUL termination */
} else {
tmp = NULL;
srclen = 0;
@@ -262,15 +264,13 @@ int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
{
OPENSSL_free(param->name);
param->name = OPENSSL_strdup(name);
- if (param->name)
- return 1;
- return 0;
+ return param->name != NULL;
}
int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
{
param->flags |= flags;
- if (flags & X509_V_FLAG_POLICY_MASK)
+ if ((flags & X509_V_FLAG_POLICY_MASK) != 0)
param->flags |= X509_V_FLAG_POLICY_CHECK;
return 1;
}
@@ -282,7 +282,7 @@ int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
return 1;
}
-unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
+unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param)
{
return param->flags;
}
@@ -332,12 +332,13 @@ void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
ASN1_OBJECT *policy)
{
- if (!param->policies) {
+ if (param->policies == NULL) {
param->policies = sk_ASN1_OBJECT_new_null();
- if (!param->policies)
+ if (param->policies == NULL)
return 0;
}
- if (!sk_ASN1_OBJECT_push(param->policies, policy))
+
+ if (sk_ASN1_OBJECT_push(param->policies, policy) <= 0)
return 0;
return 1;
}
@@ -348,23 +349,25 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
int i;
ASN1_OBJECT *oid, *doid;
- if (!param)
+ if (param == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return 0;
+ }
sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
- if (!policies) {
+ if (policies == NULL) {
param->policies = NULL;
return 1;
}
param->policies = sk_ASN1_OBJECT_new_null();
- if (!param->policies)
+ if (param->policies == NULL)
return 0;
for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
oid = sk_ASN1_OBJECT_value(policies, i);
doid = OBJ_dup(oid);
- if (!doid)
+ if (doid == NULL)
return 0;
if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
ASN1_OBJECT_free(doid);
@@ -375,6 +378,11 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
return 1;
}
+char *X509_VERIFY_PARAM_get0_host(X509_VERIFY_PARAM *param, int idx)
+{
+ return sk_OPENSSL_STRING_value(param->hosts, idx);
+}
+
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
const char *name, size_t namelen)
{
@@ -398,7 +406,7 @@ unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param)
return param->hostflags;
}
-char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
+char *X509_VERIFY_PARAM_get0_peername(const X509_VERIFY_PARAM *param)
{
return param->peername;
}
@@ -417,10 +425,15 @@ void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *to,
OPENSSL_free(to->peername);
to->peername = peername;
}
- if (from)
+ if (from != NULL)
from->peername = NULL;
}
+char *X509_VERIFY_PARAM_get0_email(X509_VERIFY_PARAM *param)
+{
+ return param->email;
+}
+
int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
const char *email, size_t emaillen)
{
@@ -428,11 +441,33 @@ int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
email, emaillen);
}
+static unsigned char
+*int_X509_VERIFY_PARAM_get0_ip(X509_VERIFY_PARAM *param, size_t *plen)
+{
+ if (param == NULL || param->ip == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
+ return NULL;
+ }
+ if (plen != NULL)
+ *plen = param->iplen;
+ return param->ip;
+}
+
+char *X509_VERIFY_PARAM_get1_ip_asc(X509_VERIFY_PARAM *param)
+{
+ size_t iplen;
+ unsigned char *ip = int_X509_VERIFY_PARAM_get0_ip(param, &iplen);
+
+ return ip == NULL ? NULL : ossl_ipaddr_to_asc(ip, iplen);
+}
+
int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
const unsigned char *ip, size_t iplen)
{
- if (iplen != 0 && iplen != 4 && iplen != 16)
+ if (iplen != 0 && iplen != 4 && iplen != 16) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT);
return 0;
+ }
return int_x509_param_set1((char **)&param->ip, &param->iplen,
(char *)ip, iplen);
}
@@ -440,9 +475,8 @@ int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
{
unsigned char ipout[16];
- size_t iplen;
+ size_t iplen = (size_t)ossl_a2i_ipadd(ipout, ipasc);
- iplen = (size_t)a2i_ipadd(ipout, ipasc);
if (iplen == 0)
return 0;
return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
@@ -474,8 +508,8 @@ const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
static const X509_VERIFY_PARAM default_table[] = {
{
"default", /* X509 default parameters */
- 0, /* Check time */
- 0, /* internal flags */
+ 0, /* check time to use */
+ 0, /* inheritance flags */
X509_V_FLAG_TRUSTED_FIRST, /* flags */
0, /* purpose */
0, /* trust */
@@ -485,8 +519,8 @@ static const X509_VERIFY_PARAM default_table[] = {
vpm_empty_id},
{
"pkcs7", /* S/MIME sign parameters */
- 0, /* Check time */
- 0, /* internal flags */
+ 0, /* check time to use */
+ 0, /* inheritance flags */
0, /* flags */
X509_PURPOSE_SMIME_SIGN, /* purpose */
X509_TRUST_EMAIL, /* trust */
@@ -496,8 +530,8 @@ static const X509_VERIFY_PARAM default_table[] = {
vpm_empty_id},
{
"smime_sign", /* S/MIME sign parameters */
- 0, /* Check time */
- 0, /* internal flags */
+ 0, /* check time to use */
+ 0, /* inheritance flags */
0, /* flags */
X509_PURPOSE_SMIME_SIGN, /* purpose */
X509_TRUST_EMAIL, /* trust */
@@ -507,8 +541,8 @@ static const X509_VERIFY_PARAM default_table[] = {
vpm_empty_id},
{
"ssl_client", /* SSL/TLS client parameters */
- 0, /* Check time */
- 0, /* internal flags */
+ 0, /* check time to use */
+ 0, /* inheritance flags */
0, /* flags */
X509_PURPOSE_SSL_CLIENT, /* purpose */
X509_TRUST_SSL_CLIENT, /* trust */
@@ -518,8 +552,8 @@ static const X509_VERIFY_PARAM default_table[] = {
vpm_empty_id},
{
"ssl_server", /* SSL/TLS server parameters */
- 0, /* Check time */
- 0, /* internal flags */
+ 0, /* check time to use */
+ 0, /* inheritance flags */
0, /* flags */
X509_PURPOSE_SSL_SERVER, /* purpose */
X509_TRUST_SSL_SERVER, /* trust */
@@ -549,6 +583,7 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
{
int idx;
X509_VERIFY_PARAM *ptmp;
+
if (param_table == NULL) {
param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
if (param_table == NULL)
@@ -560,7 +595,8 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
X509_VERIFY_PARAM_free(ptmp);
}
}
- if (!sk_X509_VERIFY_PARAM_push(param_table, param))
+
+ if (sk_X509_VERIFY_PARAM_push(param_table, param) <= 0)
return 0;
return 1;
}
@@ -568,7 +604,8 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
int X509_VERIFY_PARAM_get_count(void)
{
int num = OSSL_NELEM(default_table);
- if (param_table)
+
+ if (param_table != NULL)
num += sk_X509_VERIFY_PARAM_num(param_table);
return num;
}
@@ -576,6 +613,12 @@ int X509_VERIFY_PARAM_get_count(void)
const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
{
int num = OSSL_NELEM(default_table);
+
+ if (id < 0) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT);
+ return NULL;
+ }
+
if (id < num)
return default_table + id;
return sk_X509_VERIFY_PARAM_value(param_table, id - num);
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-20 11:51:06 +0000