author | Miod Vallat <miod@cvs.openbsd.org> | 2014-07-11 12:52:42 +0000 |
---|---|---|
committer | Miod Vallat <miod@cvs.openbsd.org> | 2014-07-11 12:52:42 +0000 |
commit | d246221a1881cce80c71acb6090f9f38a2bb78ff (patch) | |
tree | eb4630697fd9d846479666f5d4780d57e20d7e6f | |
parent | da4dd7c473160af5399f503b233bc09e00e1f6c9 (diff) |
When looking for the issuer of a certificate, if the current candidate is
expired or not valid yet, continue looking; only return an expired certificate
if no valid certificates have been found.
OpenSSL PR #3359 via OpenSSL trunk.
-rw-r--r-- | lib/libcrypto/x509/x509_lcl.h | 59 | ||||
-rw-r--r-- | lib/libcrypto/x509/x509_lu.c | 23 | ||||
-rw-r--r-- | lib/libcrypto/x509/x509_vfy.c | 28 |
3 files changed, 97 insertions, 13 deletions
diff --git a/lib/libcrypto/x509/x509_lcl.h b/lib/libcrypto/x509/x509_lcl.h
new file mode 100644
index 00000000000..b16df78ad7c
--- /dev/null
+++ b/lib/libcrypto/x509/x509_lcl.h
@@ -0,0 +1,59 @@
+/* x509_lcl.h */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2013.
+ */
+/* ====================================================================
+ * Copyright (c) 2013 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
diff --git a/lib/libcrypto/x509/x509_lu.c b/lib/libcrypto/x509/x509_lu.c
index 8d3e4f4dce0..b522c88c251 100644
--- a/lib/libcrypto/x509/x509_lu.c
+++ b/lib/libcrypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lu.c,v 1.16 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.17 2014/07/11 12:52:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,6 +62,7 @@
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "x509_lcl.h"
 
 X509_LOOKUP *
 X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
@@ -632,6 +633,8 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 X509_NAME *xn;
 X509_OBJECT obj, *pobj;
 int i, ok, idx, ret;
+
+ *issuer = NULL;
 xn = X509_get_issuer_name(x);
 ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj);
 if (ok != X509_LU_X509) {
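Review bot: The new private header declares `x509_check_cert_time` without saying what `quiet` does, and a reader of the header alone cannot tell that a zero return in quiet mode leaves `ctx->error` and `ctx->current_cert` untouched and never calls `verify_cb`. A comment above the prototype would close that gap, e.g. `/* Check x's validity period against ctx's verification time. With quiet set, return 0 on any failure without touching ctx->error, ctx->current_cert or calling verify_cb. */`. The header also has no include guard and relies on the including file having already pulled in <openssl/x509.h> for X509_STORE_CTX and X509; both includers in this commit do, so a guard is optional, but stating that precondition in the same comment would spare the next includer a surprise.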
@@ -649,8 +652,10 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 }
 /* If certificate matches all OK */
 if (ctx->check_issued(ctx, x, obj.data.x509)) {
- *issuer = obj.data.x509;
- return 1;
+ if (x509_check_cert_time(ctx, obj.data.x509, 1)) {
+ *issuer = obj.data.x509;
+ return 1;
+ }
 }
 X509_OBJECT_free_contents(&obj);
 
@@ -670,13 +675,21 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 break;
 if (ctx->check_issued(ctx, x, pobj->data.x509)) {
 *issuer = pobj->data.x509;
- X509_OBJECT_up_ref_count(pobj);
 ret = 1;
- break;
+ /*
+ * If times check, exit with match,
+ * otherwise keep looking. Leave last
+ * match in issuer so we return nearest
+ * match if no certificate time is OK.
+ */
+ if (x509_check_cert_time(ctx, *issuer, 1))
+ break;
 }
 }
 }
 CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+ if (*issuer)
+ CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
 return ret;
 }
 
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index f7feb85f360..9d7a7d12289 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.33 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.34 2014/07/11 12:52:41 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -73,6 +73,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "x509_lcl.h"
 
 /* CRL score values */
 
@@ -408,14 +409,17 @@ static X509 *
 find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
 int i;
- X509 *issuer;
+ X509 *issuer, *rv = NULL;
 
 for (i = 0; i < sk_X509_num(sk); i++) {
 issuer = sk_X509_value(sk, i);
- if (ctx->check_issued(ctx, x, issuer))
- return issuer;
+ if (ctx->check_issued(ctx, x, issuer)) {
+ rv = issuer;
+ if (x509_check_cert_time(ctx, rv, 1))
+ break;
+ }
 }
- return NULL;
+ return rv;
 }
 
 /* Given a possible certificate and issuer check them */
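Review bot: In the -670 hunk the reference on `*issuer` is taken after `CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE)`, whereas the removed `X509_OBJECT_up_ref_count(pobj)` ran while the store was still locked, so a pointer copied out of the store's object list is now pinned only after the lock protecting that list has been dropped. I am not aware of anything in this tree that removes objects from a live store, so the window looks theoretical today, but swapping the order so the two added lines `if (*issuer) CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);` precede `CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);` costs nothing and keeps the invariant that nothing obtained from the store escapes unreferenced. The new comment says the function returns the "nearest match" when no candidate's time is OK, but the loop keeps the last `check_issued` match in store order, not the one closest in time; saying "the last match" would describe the contract accurately, and it is worth noting there that a return of 1 no longer implies a currently valid issuer, so callers must still run their own time check (internal_verify does). The enclosing function starts before this hunk.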
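Review bot: `find_issuer` now returns the last `check_issued` match when no candidate passes `x509_check_cert_time`, so a non-NULL result no longer means the issuer is currently valid, and nothing in the hunk says so; the old single-return body was self-explanatory, the new one is not. A comment above the function would record the new contract, e.g. `/* Return the first issuer of x in sk whose validity period covers the verification time. If none does, return the last candidate that issued x so the caller's own time check reports the problem, or NULL if nothing in sk issued x. */`. As a matter of taste, `issuer` is now only a loop temporary; assigning `rv = sk_X509_value(sk, i)` and testing `rv` directly would drop one local.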
@@ -1492,8 +1496,8 @@ check_policy(X509_STORE_CTX *ctx)
 return 1;
 }
 
-static int
-check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+int
+x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 {
 time_t *ptime;
 int i;
@@ -1505,6 +1509,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
 i = X509_cmp_time(X509_get_notBefore(x), ptime);
 if (i == 0) {
+ if (quiet)
+ return 0;
 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
 ctx->current_cert = x;
 if (!ctx->verify_cb(0, ctx))
@@ -1512,6 +1518,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 }
 
 if (i > 0) {
+ if (quiet)
+ return 0;
 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
 ctx->current_cert = x;
 if (!ctx->verify_cb(0, ctx))
@@ -1520,6 +1528,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 
 i = X509_cmp_time(X509_get_notAfter(x), ptime);
 if (i == 0) {
+ if (quiet)
+ return 0;
 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
 ctx->current_cert = x;
 if (!ctx->verify_cb(0, ctx))
@@ -1527,6 +1537,8 @@ check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 }
 
 if (i < 0) {
+ if (quiet)
+ return 0;
 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
 ctx->current_cert = x;
 if (!ctx->verify_cb(0, ctx))
@@ -1597,7 +1609,7 @@ internal_verify(X509_STORE_CTX *ctx)
 xs->valid = 1;
- ok = check_cert_time(ctx, xs);
+ ok = x509_check_cert_time(ctx, xs, 0);
 if (!ok) goto end; |
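Review bot: `x509_check_cert_time` becomes a non-static, header-exported function with a new `quiet` flag, yet the definition carries no comment describing the two modes, and the identical `if (quiet) return 0;` pair is repeated in the -1505, -1512, -1520 and -1527 hunks. A header comment such as `/* quiet: return 0 on any time problem without setting ctx->error or ctx->current_cert and without invoking verify_cb; used when probing candidate issuers, where the caller only needs a yes/no answer. */` would make the contract explicit for both callers. Worth stating in that comment is that in quiet mode a malformed notBefore/notAfter (X509_cmp_time returning 0) is indistinguishable from an out-of-range one, so a candidate with an unparsable date is passed over in favour of a valid issuer but may still come back as the last match; that seems acceptable because the non-quiet pass in internal_verify then reports the precise error. The function body continues outside these hunks.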