diff options
Diffstat (limited to 'lib/x509/verify-high.c')
-rw-r--r-- | lib/x509/verify-high.c | 434 |
1 files changed, 247 insertions, 187 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 5d29929e7d..7b8b270d69 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -62,7 +62,7 @@ struct gnutls_x509_trust_list_iter { unsigned int ca_index; #ifdef ENABLE_PKCS11 - gnutls_pkcs11_obj_t* pkcs11_list; + gnutls_pkcs11_obj_t *pkcs11_list; unsigned int pkcs11_index; unsigned int pkcs11_size; #endif @@ -70,19 +70,18 @@ struct gnutls_x509_trust_list_iter { #define DEFAULT_SIZE 127 -static bool -cert_eq(const void *cert1, const void *cert2) +static bool cert_eq(const void *cert1, const void *cert2) { const gnutls_x509_crt_t c1 = (const gnutls_x509_crt_t)cert1; const gnutls_x509_crt_t c2 = (const gnutls_x509_crt_t)cert2; return gnutls_x509_crt_equals(c1, c2); } -static size_t -cert_hashcode(const void *cert) +static size_t cert_hashcode(const void *cert) { const gnutls_x509_crt_t c = (const gnutls_x509_crt_t)cert; - return hash_pjw_bare(c->raw_dn.data, c->raw_dn.size) % DEFAULT_MAX_VERIFY_DEPTH; + return hash_pjw_bare(c->raw_dn.data, + c->raw_dn.size) % DEFAULT_MAX_VERIFY_DEPTH; } /** @@ -98,16 +97,14 @@ cert_hashcode(const void *cert) * Since: 3.0.0 **/ int -gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list, - unsigned int size) +gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list, unsigned int size) { gnutls_x509_trust_list_t tmp; *list = NULL; FAIL_IF_LIB_ERROR; - tmp = - gnutls_calloc(1, sizeof(struct gnutls_x509_trust_list_st)); + tmp = gnutls_calloc(1, sizeof(struct gnutls_x509_trust_list_st)); if (!tmp) return GNUTLS_E_MEMORY_ERROR; @@ -141,8 +138,7 @@ gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list, * Since: 3.0.0 **/ void -gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, - unsigned int all) +gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, unsigned int all) { unsigned int i, j; @@ -168,20 +164,17 @@ gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, } gnutls_free(list->node[i].trusted_cas); - if (all) { for (j = 0; j < list->node[i].crl_size; j++) { - gnutls_x509_crl_deinit(list->node[i]. - crls[j]); + gnutls_x509_crl_deinit(list->node[i].crls[j]); } } gnutls_free(list->node[i].crls); if (all) { for (j = 0; j < list->node[i].named_cert_size; j++) { - gnutls_x509_crt_deinit(list->node[i]. - named_certs[j]. - cert); + gnutls_x509_crt_deinit(list->node[i].named_certs + [j].cert); } } gnutls_free(list->node[i].named_certs); @@ -194,8 +187,7 @@ gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, } static int -add_new_ca_to_rdn_seq(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t ca) +add_new_ca_to_rdn_seq(gnutls_x509_trust_list_t list, gnutls_x509_crt_t ca) { gnutls_datum_t tmp; size_t newsize; @@ -214,9 +206,7 @@ add_new_ca_to_rdn_seq(gnutls_x509_trust_list_t list, return GNUTLS_E_SHORT_MEMORY_BUFFER; } - newdata = - gnutls_realloc_fast(list->x509_rdn_sequence.data, - newsize); + newdata = gnutls_realloc_fast(list->x509_rdn_sequence.data, newsize); if (newdata == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; @@ -239,17 +229,16 @@ add_new_ca_to_rdn_seq(gnutls_x509_trust_list_t list, * pkcs11 trust modules when the GNUTLS_TL_GET_COPY flag isn't * given. It is not thread safe. */ static int -trust_list_add_compat(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert) +trust_list_add_compat(gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert) { if (unlikely(INT_ADD_OVERFLOW(list->keep_certs_size, 1))) { return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); } list->keep_certs = - _gnutls_reallocarray_fast(list->keep_certs, - list->keep_certs_size + 1, - sizeof(list->keep_certs[0])); + _gnutls_reallocarray_fast(list->keep_certs, + list->keep_certs_size + 1, + sizeof(list->keep_certs[0])); if (list->keep_certs == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; @@ -303,17 +292,26 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, for (i = 0; i < clist_size; i++) { exists = 0; hash = - hash_pjw_bare(clist[i]->raw_dn.data, - clist[i]->raw_dn.size); + hash_pjw_bare(clist[i]->raw_dn.data, clist[i]->raw_dn.size); hash %= list->size; /* avoid duplicates */ - if (flags & GNUTLS_TL_NO_DUPLICATES || flags & GNUTLS_TL_NO_DUPLICATE_KEY) { - for (j=0;j<list->node[hash].trusted_ca_size;j++) { + if (flags & GNUTLS_TL_NO_DUPLICATES + || flags & GNUTLS_TL_NO_DUPLICATE_KEY) { + for (j = 0; j < list->node[hash].trusted_ca_size; j++) { if (flags & GNUTLS_TL_NO_DUPLICATES) - ret = gnutls_x509_crt_equals(list->node[hash].trusted_cas[j], clist[i]); + ret = + gnutls_x509_crt_equals(list->node + [hash].trusted_cas + [j], + clist[i]); else - ret = _gnutls_check_if_same_key(list->node[hash].trusted_cas[j], clist[i], 1); + ret = + _gnutls_check_if_same_key(list->node + [hash].trusted_cas + [j], + clist[i], + 1); if (ret != 0) { exists = 1; break; @@ -321,21 +319,27 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, } if (exists != 0) { - gnutls_x509_crt_deinit(list->node[hash].trusted_cas[j]); + gnutls_x509_crt_deinit(list-> + node[hash].trusted_cas + [j]); list->node[hash].trusted_cas[j] = clist[i]; continue; } } - if (unlikely(INT_ADD_OVERFLOW(list->node[hash].trusted_ca_size, 1))) { + if (unlikely + (INT_ADD_OVERFLOW(list->node[hash].trusted_ca_size, 1))) { gnutls_assert(); return i; } list->node[hash].trusted_cas = - _gnutls_reallocarray_fast(list->node[hash].trusted_cas, - list->node[hash].trusted_ca_size + 1, - sizeof(list->node[hash].trusted_cas[0])); + _gnutls_reallocarray_fast(list->node[hash].trusted_cas, + list->node[hash].trusted_ca_size + + 1, + sizeof(list-> + node[hash].trusted_cas + [0])); if (list->node[hash].trusted_cas == NULL) { gnutls_assert(); return i; @@ -347,21 +351,21 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, gnutls_assert(); if (gnutls_x509_crt_get_dn2(clist[i], &dn) >= 0) { _gnutls_audit_log(NULL, - "There was a non-CA certificate in the trusted list: %s.\n", - dn.data); + "There was a non-CA certificate in the trusted list: %s.\n", + dn.data); gnutls_free(dn.data); } } - list->node[hash].trusted_cas[list->node[hash]. - trusted_ca_size] = clist[i]; + list->node[hash].trusted_cas[list->node[hash].trusted_ca_size] = + clist[i]; list->node[hash].trusted_ca_size++; if (flags & GNUTLS_TL_USE_IN_TLS) { ret = add_new_ca_to_rdn_seq(list, clist[i]); if (ret < 0) { gnutls_assert(); - return i+1; + return i + 1; } } } @@ -370,15 +374,15 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, } static int -advance_iter(gnutls_x509_trust_list_t list, - gnutls_x509_trust_list_iter_t iter) +advance_iter(gnutls_x509_trust_list_t list, gnutls_x509_trust_list_iter_t iter) { if (iter->node_index < list->size) { ++iter->ca_index; /* skip entries */ while (iter->node_index < list->size && - iter->ca_index >= list->node[iter->node_index].trusted_ca_size) { + iter->ca_index >= + list->node[iter->node_index].trusted_ca_size) { ++iter->node_index; iter->ca_index = 0; } @@ -390,8 +394,18 @@ advance_iter(gnutls_x509_trust_list_t list, #ifdef ENABLE_PKCS11 if (list->pkcs11_token != NULL) { if (iter->pkcs11_list == NULL) { - int ret = gnutls_pkcs11_obj_list_import_url2(&iter->pkcs11_list, &iter->pkcs11_size, - list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0); + int ret = + gnutls_pkcs11_obj_list_import_url2 + (&iter->pkcs11_list, + &iter->pkcs11_size, + list->pkcs11_token, + (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE + | + GNUTLS_PKCS11_OBJ_FLAG_CRT + | + GNUTLS_PKCS11_OBJ_FLAG_MARK_CA + | GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), + 0); if (ret < 0) return gnutls_assert_val(ret); @@ -434,14 +448,15 @@ advance_iter(gnutls_x509_trust_list_t list, **/ int gnutls_x509_trust_list_iter_get_ca(gnutls_x509_trust_list_t list, - gnutls_x509_trust_list_iter_t *iter, - gnutls_x509_crt_t *crt) + gnutls_x509_trust_list_iter_t * iter, + gnutls_x509_crt_t * crt) { int ret; /* initialize iterator */ if (*iter == NULL) { - *iter = gnutls_malloc(sizeof (struct gnutls_x509_trust_list_iter)); + *iter = + gnutls_malloc(sizeof(struct gnutls_x509_trust_list_iter)); if (*iter == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); @@ -473,19 +488,25 @@ gnutls_x509_trust_list_iter_get_ca(gnutls_x509_trust_list_t list, if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_x509_crt_cpy(*crt, list->node[(*iter)->node_index].trusted_cas[(*iter)->ca_index]); + ret = + _gnutls_x509_crt_cpy(*crt, + list->node[(*iter)-> + node_index].trusted_cas[(*iter)->ca_index]); if (ret < 0) { gnutls_x509_crt_deinit(*crt); return gnutls_assert_val(ret); } } #ifdef ENABLE_PKCS11 - else if ( (*iter)->pkcs11_index < (*iter)->pkcs11_size) { + else if ((*iter)->pkcs11_index < (*iter)->pkcs11_size) { ret = gnutls_x509_crt_init(crt); if (ret < 0) return gnutls_assert_val(ret); - ret = gnutls_x509_crt_import_pkcs11(*crt, (*iter)->pkcs11_list[(*iter)->pkcs11_index]); + ret = + gnutls_x509_crt_import_pkcs11(*crt, + (*iter)-> + pkcs11_list[(*iter)->pkcs11_index]); if (ret < 0) { gnutls_x509_crt_deinit(*crt); return gnutls_assert_val(ret); @@ -508,7 +529,7 @@ gnutls_x509_trust_list_iter_get_ca(gnutls_x509_trust_list_t list, * certificate that we read and when this function is called again we * report GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE to our caller. */ ret = advance_iter(list, *iter); - if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { gnutls_x509_crt_deinit(*crt); *crt = NULL; @@ -545,8 +566,8 @@ void gnutls_x509_trust_list_iter_deinit(gnutls_x509_trust_list_iter_t iter) static gnutls_x509_crt_t crt_cpy(gnutls_x509_crt_t src) { -gnutls_x509_crt_t dst; -int ret; + gnutls_x509_crt_t dst; + int ret; ret = gnutls_x509_crt_init(&dst); if (ret < 0) { @@ -594,21 +615,18 @@ gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list, for (i = 0; i < clist_size; i++) { hash = - hash_pjw_bare(clist[i]->raw_dn.data, - clist[i]->raw_dn.size); + hash_pjw_bare(clist[i]->raw_dn.data, clist[i]->raw_dn.size); hash %= list->size; for (j = 0; j < list->node[hash].trusted_ca_size; j++) { if (gnutls_x509_crt_equals - (clist[i], - list->node[hash].trusted_cas[j]) != 0) { + (clist[i], list->node[hash].trusted_cas[j]) != 0) { gnutls_x509_crt_deinit(list->node[hash]. trusted_cas[j]); list->node[hash].trusted_cas[j] = list->node[hash].trusted_cas[list-> - node - [hash]. + node[hash]. trusted_ca_size - 1]; list->node[hash].trusted_ca_size--; @@ -626,9 +644,9 @@ gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list, * ensure that a server certificate will also get rejected. */ list->distrusted = - _gnutls_reallocarray_fast(list->distrusted, - list->distrusted_size + 1, - sizeof(list->distrusted[0])); + _gnutls_reallocarray_fast(list->distrusted, + list->distrusted_size + 1, + sizeof(list->distrusted[0])); if (list->distrusted == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); @@ -679,8 +697,7 @@ gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list, return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); hash = - hash_pjw_bare(cert->raw_issuer_dn.data, - cert->raw_issuer_dn.size); + hash_pjw_bare(cert->raw_issuer_dn.data, cert->raw_issuer_dn.size); hash %= list->size; if (unlikely(INT_ADD_OVERFLOW(list->node[hash].named_cert_size, 1))) { @@ -688,20 +705,19 @@ gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list, } list->node[hash].named_certs = - _gnutls_reallocarray_fast(list->node[hash].named_certs, - list->node[hash].named_cert_size + 1, - sizeof(list->node[hash].named_certs[0])); + _gnutls_reallocarray_fast(list->node[hash].named_certs, + list->node[hash].named_cert_size + 1, + sizeof(list->node[hash].named_certs[0])); if (list->node[hash].named_certs == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - list->node[hash].named_certs[list->node[hash].named_cert_size]. - cert = cert; + list->node[hash].named_certs[list->node[hash].named_cert_size].cert = + cert; memcpy(list->node[hash]. named_certs[list->node[hash].named_cert_size].name, name, name_size); list->node[hash].named_certs[list->node[hash]. - named_cert_size].name_size = - name_size; + named_cert_size].name_size = name_size; list->node[hash].named_cert_size++; @@ -763,18 +779,19 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, ret = gnutls_x509_crl_verify(crl_list[i], - list->node[hash]. - trusted_cas, + list->node[hash].trusted_cas, list->node[hash]. trusted_ca_size, - verification_flags, - &vret); + verification_flags, &vret); if (ret < 0 || vret != 0) { - _gnutls_debug_log("CRL verification failed, not adding it\n"); + _gnutls_debug_log + ("CRL verification failed, not adding it\n"); if (flags & GNUTLS_TL_NO_DUPLICATES) gnutls_x509_crl_deinit(crl_list[i]); if (flags & GNUTLS_TL_FAIL_ON_INVALID_CRL) - return gnutls_assert_val(GNUTLS_E_CRL_VERIFICATION_ERROR); + return + gnutls_assert_val + (GNUTLS_E_CRL_VERIFICATION_ERROR); continue; } } @@ -782,18 +799,28 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, /* If the CRL added overrides a previous one, then overwrite * the old one */ if (flags & GNUTLS_TL_NO_DUPLICATES) { - for (x=0;x<list->node[hash].crl_size;x++) { - if (crl_list[i]->raw_issuer_dn.size == list->node[hash].crls[x]->raw_issuer_dn.size && - memcmp(crl_list[i]->raw_issuer_dn.data, list->node[hash].crls[x]->raw_issuer_dn.data, crl_list[i]->raw_issuer_dn.size) == 0) { - if (gnutls_x509_crl_get_this_update(crl_list[i]) >= - gnutls_x509_crl_get_this_update(list->node[hash].crls[x])) { - - gnutls_x509_crl_deinit(list->node[hash].crls[x]); - list->node[hash].crls[x] = crl_list[i]; + for (x = 0; x < list->node[hash].crl_size; x++) { + if (crl_list[i]->raw_issuer_dn.size == + list->node[hash].crls[x]->raw_issuer_dn.size + && memcmp(crl_list[i]->raw_issuer_dn.data, + list->node[hash]. + crls[x]->raw_issuer_dn.data, + crl_list[i]-> + raw_issuer_dn.size) == 0) { + if (gnutls_x509_crl_get_this_update + (crl_list[i]) >= + gnutls_x509_crl_get_this_update + (list->node[hash].crls[x])) { + + gnutls_x509_crl_deinit + (list->node[hash].crls[x]); + list->node[hash].crls[x] = + crl_list[i]; goto next; } else { /* The new is older, discard it */ - gnutls_x509_crl_deinit(crl_list[i]); + gnutls_x509_crl_deinit(crl_list + [i]); goto next; } } @@ -814,9 +841,7 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, } list->node[hash].crls = tmp; - - list->node[hash].crls[list->node[hash].crl_size] = - crl_list[i]; + list->node[hash].crls[list->node[hash].crl_size] = crl_list[i]; list->node[hash].crl_size++; next: @@ -896,7 +921,7 @@ static int shorten_clist(gnutls_x509_trust_list_t list, static int retrieve_issuers(gnutls_x509_trust_list_t list, gnutls_x509_crt_t subject, - gnutls_x509_crt_t *certificate_list, + gnutls_x509_crt_t * certificate_list, unsigned int clist_size_max) { gnutls_x509_crt_t *issuers; @@ -959,8 +984,7 @@ int _gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list, size_t hash; hash = - hash_pjw_bare(cert->raw_issuer_dn.data, - cert->raw_issuer_dn.size); + hash_pjw_bare(cert->raw_issuer_dn.data, cert->raw_issuer_dn.size); hash %= list->size; for (i = 0; i < list->node[hash].trusted_ca_size; i++) { @@ -970,7 +994,8 @@ int _gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list, trusted_cas[i]); if (ret != 0) { if (flags & GNUTLS_TL_GET_COPY) { - *issuer = crt_cpy(list->node[hash].trusted_cas[i]); + *issuer = + crt_cpy(list->node[hash].trusted_cas[i]); } else { *issuer = list->node[hash].trusted_cas[i]; } @@ -983,10 +1008,9 @@ int _gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list, static int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, - const gnutls_datum_t *dn, - const gnutls_datum_t *spki, - gnutls_x509_crt_t * issuer, - unsigned int flags) + const gnutls_datum_t * dn, + const gnutls_datum_t * spki, + gnutls_x509_crt_t * issuer, unsigned int flags) { int ret; unsigned int i, j; @@ -995,24 +1019,32 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, size_t tmp_size; if (dn) { - hash = - hash_pjw_bare(dn->data, - dn->size); + hash = hash_pjw_bare(dn->data, dn->size); hash %= list->size; for (i = 0; i < list->node[hash].trusted_ca_size; i++) { - ret = _gnutls_x509_compare_raw_dn(dn, &list->node[hash].trusted_cas[i]->raw_dn); + ret = + _gnutls_x509_compare_raw_dn(dn, + &list-> + node[hash].trusted_cas + [i]->raw_dn); if (ret != 0) { if (spki && spki->size > 0) { tmp_size = sizeof(tmp); - ret = gnutls_x509_crt_get_subject_key_id(list->node[hash].trusted_cas[i], tmp, &tmp_size, NULL); + ret = + gnutls_x509_crt_get_subject_key_id + (list->node[hash].trusted_cas[i], + tmp, &tmp_size, NULL); if (ret < 0) continue; - if (spki->size != tmp_size || memcmp(spki->data, tmp, spki->size) != 0) + if (spki->size != tmp_size + || memcmp(spki->data, tmp, + spki->size) != 0) continue; } - *issuer = crt_cpy(list->node[hash].trusted_cas[i]); + *issuer = + crt_cpy(list->node[hash].trusted_cas[i]); return 0; } } @@ -1022,11 +1054,15 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, for (j = 0; j < list->node[i].trusted_ca_size; j++) { tmp_size = sizeof(tmp); - ret = gnutls_x509_crt_get_subject_key_id(list->node[i].trusted_cas[j], tmp, &tmp_size, NULL); + ret = + gnutls_x509_crt_get_subject_key_id + (list->node[i].trusted_cas[j], tmp, + &tmp_size, NULL); if (ret < 0) continue; - if (spki->size != tmp_size || memcmp(spki->data, tmp, spki->size) != 0) + if (spki->size != tmp_size + || memcmp(spki->data, tmp, spki->size) != 0) continue; *issuer = crt_cpy(list->node[i].trusted_cas[j]); @@ -1074,10 +1110,12 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, #ifdef ENABLE_PKCS11 if (ret < 0 && list->pkcs11_token) { gnutls_x509_crt_t crt; - gnutls_datum_t der = {NULL, 0}; + gnutls_datum_t der = { NULL, 0 }; /* use the token for verification */ - ret = gnutls_pkcs11_get_raw_issuer(list->pkcs11_token, cert, &der, - GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); + ret = + gnutls_pkcs11_get_raw_issuer(list->pkcs11_token, cert, &der, + GNUTLS_X509_FMT_DER, + GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); if (ret < 0) { gnutls_assert(); return ret; @@ -1132,9 +1170,9 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, * Since: 3.4.0 **/ int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, - const gnutls_datum_t *dn, - gnutls_x509_crt_t *issuer, - unsigned int flags) + const gnutls_datum_t * dn, + gnutls_x509_crt_t * issuer, + unsigned int flags) { int ret; @@ -1146,10 +1184,13 @@ int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, #ifdef ENABLE_PKCS11 if (ret < 0 && list->pkcs11_token) { gnutls_x509_crt_t crt; - gnutls_datum_t der = {NULL, 0}; + gnutls_datum_t der = { NULL, 0 }; /* use the token for verification */ - ret = gnutls_pkcs11_get_raw_issuer_by_dn(list->pkcs11_token, dn, &der, - GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); + ret = + gnutls_pkcs11_get_raw_issuer_by_dn(list->pkcs11_token, dn, + &der, + GNUTLS_X509_FMT_DER, + GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); if (ret < 0) { gnutls_assert(); return ret; @@ -1191,11 +1232,15 @@ int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, * * Since: 3.4.2 **/ -int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t list, - const gnutls_datum_t *dn, - const gnutls_datum_t *spki, - gnutls_x509_crt_t *issuer, - unsigned int flags) +int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t + list, + const gnutls_datum_t * + dn, + const gnutls_datum_t * + spki, + gnutls_x509_crt_t * + issuer, + unsigned int flags) { int ret; @@ -1207,10 +1252,12 @@ int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t #ifdef ENABLE_PKCS11 if (ret < 0 && list->pkcs11_token) { gnutls_x509_crt_t crt; - gnutls_datum_t der = {NULL, 0}; + gnutls_datum_t der = { NULL, 0 }; /* use the token for verification */ - ret = gnutls_pkcs11_get_raw_issuer_by_subject_key_id(list->pkcs11_token, dn, spki, &der, - GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); + ret = + gnutls_pkcs11_get_raw_issuer_by_subject_key_id + (list->pkcs11_token, dn, spki, &der, GNUTLS_X509_FMT_DER, + GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE); if (ret < 0) { gnutls_assert(); return ret; @@ -1237,17 +1284,20 @@ int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t } static -int check_if_in_blocklist(gnutls_x509_crt_t * cert_list, unsigned int cert_list_size, - gnutls_x509_crt_t * blocklist, unsigned int blocklist_size) +int check_if_in_blocklist(gnutls_x509_crt_t * cert_list, + unsigned int cert_list_size, + gnutls_x509_crt_t * blocklist, + unsigned int blocklist_size) { -unsigned i, j; + unsigned i, j; if (blocklist_size == 0) return 0; - for (i=0;i<cert_list_size;i++) { - for (j=0;j<blocklist_size;j++) { - if (gnutls_x509_crt_equals(cert_list[i], blocklist[j]) != 0) { + for (i = 0; i < cert_list_size; i++) { + for (j = 0; j < blocklist_size; j++) { + if (gnutls_x509_crt_equals(cert_list[i], blocklist[j]) + != 0) { return 1; } } @@ -1284,8 +1334,9 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, unsigned int *voutput, gnutls_verify_output_function func) { - return gnutls_x509_trust_list_verify_crt2(list, cert_list, cert_list_size, - NULL, 0, flags, voutput, func); + return gnutls_x509_trust_list_verify_crt2(list, cert_list, + cert_list_size, NULL, 0, + flags, voutput, func); } #define LAST_DN cert_list[cert_list_size-1]->raw_dn @@ -1349,7 +1400,7 @@ int gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, gnutls_x509_crt_t * cert_list, unsigned int cert_list_size, - gnutls_typed_vdata_st *data, + gnutls_typed_vdata_st * data, unsigned int elements, unsigned int flags, unsigned int *voutput, @@ -1365,20 +1416,22 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, unsigned hostname_size = 0; unsigned have_set_name = 0; unsigned saved_output; - gnutls_datum_t ip = {NULL, 0}; + gnutls_datum_t ip = { NULL, 0 }; gl_list_t records; if (cert_list == NULL || cert_list_size < 1) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - for (i=0;i<elements;i++) { + for (i = 0; i < elements; i++) { if (data[i].type == GNUTLS_DT_DNS_HOSTNAME) { - hostname = (void*)data[i].data; + hostname = (void *)data[i].data; if (data[i].size > 0) { hostname_size = data[i].size; } - if (have_set_name != 0) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + if (have_set_name != 0) + return + gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); have_set_name = 1; } else if (data[i].type == GNUTLS_DT_IP_ADDRESS) { if (data[i].size > 0) { @@ -1386,26 +1439,33 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, ip.size = data[i].size; } - if (have_set_name != 0) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + if (have_set_name != 0) + return + gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); have_set_name = 1; } else if (data[i].type == GNUTLS_DT_RFC822NAME) { - email = (void*)data[i].data; + email = (void *)data[i].data; - if (have_set_name != 0) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + if (have_set_name != 0) + return + gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); have_set_name = 1; } else if (data[i].type == GNUTLS_DT_KEY_PURPOSE_OID) { - purpose = (void*)data[i].data; + purpose = (void *)data[i].data; } } - if (hostname) { /* shortcut using the named certs - if any */ + if (hostname) { /* shortcut using the named certs - if any */ unsigned vtmp = 0; if (hostname_size == 0) hostname_size = strlen(hostname); ret = gnutls_x509_trust_list_verify_named_crt(list, - cert_list[0], hostname, hostname_size, - flags, &vtmp, func); + cert_list[0], + hostname, + hostname_size, + flags, &vtmp, + func); if (ret == 0 && vtmp == 0) { *voutput = vtmp; return 0; @@ -1415,12 +1475,14 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t)); cert_list = sorted; - records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false); + records = + gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, + NULL, false); if (records == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); for (i = 0; i < cert_list_size && - cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { + cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH;) { unsigned int sorted_size = 1; unsigned int j; gnutls_x509_crt_t issuer; @@ -1461,7 +1523,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, if (gnutls_x509_trust_list_get_issuer(list, cert_list[i - 1], &issuer, - GNUTLS_TL_GET_COPY) == 0) { + GNUTLS_TL_GET_COPY) == + 0) { gnutls_x509_crt_deinit(issuer); cert_list_size = i; break; @@ -1479,8 +1542,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, cert_list[i - 1], &retrieved[retrieved_size], DEFAULT_MAX_VERIFY_DEPTH - - MAX(retrieved_size, - cert_list_size)); + MAX(retrieved_size, cert_list_size)); if (ret < 0) { break; } else if (ret > 0) { @@ -1507,14 +1569,12 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); hash = - hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn. - data, - cert_list[cert_list_size - - 1]->raw_issuer_dn.size); + hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.data, + cert_list[cert_list_size - 1]->raw_issuer_dn.size); hash %= list->size; ret = check_if_in_blocklist(cert_list, cert_list_size, - list->distrusted, list->distrusted_size); + list->distrusted, list->distrusted_size); if (ret != 0) { *voutput = 0; *voutput |= GNUTLS_CERT_REVOKED; @@ -1531,18 +1591,19 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, saved_output = *voutput; if (SIGNER_OLD_OR_UNKNOWN(*voutput) && - (LAST_DN.size != LAST_IDN.size || - memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0)) { + (LAST_DN.size != LAST_IDN.size || + memcmp(LAST_DN.data, LAST_IDN.data, LAST_IDN.size) != 0)) { /* if we couldn't find the issuer, try to see if the last * certificate is in the trusted list and try to verify against * (if it is not self signed) */ hash = - hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn. - data, cert_list[cert_list_size - 1]->raw_dn.size); + hash_pjw_bare(cert_list[cert_list_size - 1]->raw_dn.data, + cert_list[cert_list_size - 1]->raw_dn.size); hash %= list->size; - _gnutls_debug_log("issuer in verification was not found or insecure; trying against trust list\n"); + _gnutls_debug_log + ("issuer in verification was not found or insecure; trying against trust list\n"); *voutput = _gnutls_verify_crt_status(list, cert_list, cert_list_size, @@ -1562,10 +1623,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, if (SIGNER_OLD_OR_UNKNOWN(*voutput) && list->pkcs11_token) { /* use the token for verification */ - *voutput = _gnutls_pkcs11_verify_crt_status(list, list->pkcs11_token, - cert_list, cert_list_size, - purpose, - flags, func); + *voutput = + _gnutls_pkcs11_verify_crt_status(list, list->pkcs11_token, + cert_list, cert_list_size, + purpose, flags, func); if (*voutput != 0) { if (SIGNER_WAS_KNOWN(saved_output)) *voutput = saved_output; @@ -1579,34 +1640,39 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, ret = _gnutls_check_key_purpose(cert_list[0], purpose, 0); if (ret != 1) { gnutls_assert(); - *voutput |= GNUTLS_CERT_PURPOSE_MISMATCH|GNUTLS_CERT_INVALID; + *voutput |= + GNUTLS_CERT_PURPOSE_MISMATCH | GNUTLS_CERT_INVALID; } } if (hostname) { ret = - gnutls_x509_crt_check_hostname2(cert_list[0], hostname, flags); + gnutls_x509_crt_check_hostname2(cert_list[0], hostname, + flags); if (ret == 0) { gnutls_assert(); - *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID; + *voutput |= + GNUTLS_CERT_UNEXPECTED_OWNER | GNUTLS_CERT_INVALID; } } if (ip.data) { ret = - gnutls_x509_crt_check_ip(cert_list[0], ip.data, ip.size, flags); + gnutls_x509_crt_check_ip(cert_list[0], ip.data, ip.size, + flags); if (ret == 0) { gnutls_assert(); - *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID; + *voutput |= + GNUTLS_CERT_UNEXPECTED_OWNER | GNUTLS_CERT_INVALID; } } if (email) { - ret = - gnutls_x509_crt_check_email(cert_list[0], email, 0); + ret = gnutls_x509_crt_check_email(cert_list[0], email, 0); if (ret == 0) { gnutls_assert(); - *voutput |= GNUTLS_CERT_UNEXPECTED_OWNER|GNUTLS_CERT_INVALID; + *voutput |= + GNUTLS_CERT_UNEXPECTED_OWNER | GNUTLS_CERT_INVALID; } } @@ -1624,8 +1690,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, _gnutls_x509_crt_check_revocation(cert_list [cert_list_size - 1], list->node[hash].crls, - list->node[hash].crl_size, - func); + list->node[hash].crl_size, func); if (ret == 1) { /* revoked */ *voutput |= GNUTLS_CERT_REVOKED; *voutput |= GNUTLS_CERT_INVALID; @@ -1640,8 +1705,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, hash %= list->size; ret = _gnutls_x509_crt_check_revocation(cert_list[i], - list->node[hash]. - crls, + list->node[hash].crls, list->node[hash]. crl_size, func); if (ret < 0) { @@ -1701,14 +1765,12 @@ gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list, unsigned int i; size_t hash; - hash = - hash_pjw_bare(cert->raw_issuer_dn.data, - cert->raw_issuer_dn.size); + hash_pjw_bare(cert->raw_issuer_dn.data, cert->raw_issuer_dn.size); hash %= list->size; ret = check_if_in_blocklist(&cert, 1, - list->distrusted, list->distrusted_size); + list->distrusted, list->distrusted_size); if (ret != 0) { *voutput = 0; *voutput |= GNUTLS_CERT_REVOKED; @@ -1751,8 +1813,7 @@ gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list, /* return 1 if @cert is in @list, 0 if not */ int -_gnutls_trustlist_inlist(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert) +_gnutls_trustlist_inlist(gnutls_x509_trust_list_t list, gnutls_x509_crt_t cert) { int ret; unsigned int i; @@ -1764,8 +1825,7 @@ _gnutls_trustlist_inlist(gnutls_x509_trust_list_t list, for (i = 0; i < list->node[hash].trusted_ca_size; i++) { ret = gnutls_x509_crt_equals(cert, - list->node[hash]. - trusted_cas[i]); + list->node[hash].trusted_cas[i]); if (ret != 0) return 1; } |