Loading CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,11 @@ Changes between 0.9.8k and 1.0 [xx XXX xxxx] *) Update verify callback code in apps/s_cb.c and apps/verify.c, it needlessly dereferenced structures, used obsolete functions and didn't handle all updated verify codes correctly. [Steve Henson] *) Delete MD2 from algorithm tables. This follows the recommendation in several standards that it is not used in new applications due to several cryptographic weaknesses. The algorithm is also disabled in Loading apps/s_cb.c +22 −8 Original line number Diff line number Diff line Loading @@ -127,7 +127,6 @@ int verify_return_error=0; int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { char buf[256]; X509 *err_cert; int err,depth; Loading @@ -135,8 +134,15 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) err= X509_STORE_CTX_get_error(ctx); depth= X509_STORE_CTX_get_error_depth(ctx); X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf); BIO_printf(bio_err,"depth=%d %s\n",depth,buf); BIO_printf(bio_err,"depth=%d ",depth); if (err_cert) { X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), 0, XN_FLAG_ONELINE); BIO_puts(bio_err, "\n"); } else BIO_puts(bio_err, "<no cert>\n"); if (!ok) { BIO_printf(bio_err,"verify error:num=%d:%s\n",err, Loading 
@@ -153,25 +159,33 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG; } } switch (ctx->error) switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf); BIO_printf(bio_err,"issuer= %s\n",buf); BIO_puts(bio_err,"issuer= "); X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), 0, XN_FLAG_ONELINE); BIO_puts(bio_err, "\n"); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: BIO_printf(bio_err,"notBefore="); ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert)); BIO_printf(bio_err,"\n"); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: BIO_printf(bio_err,"notAfter="); ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert)); BIO_printf(bio_err,"\n"); break; case X509_V_ERR_NO_EXPLICIT_POLICY: policies_print(bio_err, ctx); break; } if (err == X509_V_OK && ok == 2) policies_print(bio_err, ctx); BIO_printf(bio_err,"verify return:%d\n",ok); return(ok); } Loading apps/verify.c +35 −28 Original line number Diff line number Diff line Loading 
@@ -326,42 +326,49 @@ end: static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) { char buf[256]; int cert_error = X509_STORE_CTX_get_error(ctx); X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); if (!ok) { if (ctx->current_cert) if (current_cert) { X509_NAME_oneline( X509_get_subject_name(ctx->current_cert),buf, sizeof buf); printf("%s\n",buf); } printf("error %d at %d depth lookup:%s\n",ctx->error, ctx->error_depth, X509_verify_cert_error_string(ctx->error)); if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1; X509_NAME_print_ex_fp(stdout, X509_get_subject_name(current_cert), 0, XN_FLAG_ONELINE); printf("\n"); } printf("error %d at %d depth lookup:%s\n",cert_error, X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(cert_error)); switch(cert_error) { case X509_V_ERR_NO_EXPLICIT_POLICY: policies_print(NULL, ctx); case X509_V_ERR_CERT_HAS_EXPIRED: /* since we are just checking the certificates, it is * ok if they are self signed. But we should still warn * the user. 
*/ if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: /* Continue after extension errors too */ if (ctx->error == X509_V_ERR_INVALID_CA) ok=1; if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1; if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1; if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1; if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1; if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1; if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1; if (ctx->error == X509_V_ERR_NO_EXPLICIT_POLICY) policies_print(NULL, ctx); case X509_V_ERR_INVALID_CA: case X509_V_ERR_INVALID_NON_CA: case X509_V_ERR_PATH_LENGTH_EXCEEDED: case X509_V_ERR_INVALID_PURPOSE: case X509_V_ERR_CRL_HAS_EXPIRED: case X509_V_ERR_CRL_NOT_YET_VALID: case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: ok = 1; } return ok; } if ((ctx->error == X509_V_OK) && (ok == 2)) if (cert_error == X509_V_OK && ok == 2) policies_print(NULL, ctx); if (!v_verbose) ERR_clear_error(); Loading Loading
CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,11 @@ Changes between 0.9.8k and 1.0 [xx XXX xxxx] *) Update verify callback code in apps/s_cb.c and apps/verify.c, it needlessly dereferenced structures, used obsolete functions and didn't handle all updated verify codes correctly. [Steve Henson] *) Delete MD2 from algorithm tables. This follows the recommendation in several standards that it is not used in new applications due to several cryptographic weaknesses. The algorithm is also disabled in Loading
apps/s_cb.c +22 −8 Original line number Diff line number Diff line Loading @@ -127,7 +127,6 @@ int verify_return_error=0; int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { char buf[256]; X509 *err_cert; int err,depth; Loading @@ -135,8 +134,15 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) err= X509_STORE_CTX_get_error(ctx); depth= X509_STORE_CTX_get_error_depth(ctx); X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf); BIO_printf(bio_err,"depth=%d %s\n",depth,buf); BIO_printf(bio_err,"depth=%d ",depth); if (err_cert) { X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), 0, XN_FLAG_ONELINE); BIO_puts(bio_err, "\n"); } else BIO_puts(bio_err, "<no cert>\n"); if (!ok) { BIO_printf(bio_err,"verify error:num=%d:%s\n",err, Loading @@ -153,25 +159,33 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG; } } switch (ctx->error) switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf); BIO_printf(bio_err,"issuer= %s\n",buf); BIO_puts(bio_err,"issuer= "); X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), 0, XN_FLAG_ONELINE); BIO_puts(bio_err, "\n"); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: BIO_printf(bio_err,"notBefore="); ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert)); BIO_printf(bio_err,"\n"); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: BIO_printf(bio_err,"notAfter="); ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert)); BIO_printf(bio_err,"\n"); break; case X509_V_ERR_NO_EXPLICIT_POLICY: policies_print(bio_err, ctx); break; } if (err == X509_V_OK && ok == 2) policies_print(bio_err, ctx); BIO_printf(bio_err,"verify return:%d\n",ok); return(ok); } Loading
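Review bot: The rewritten switch cases in the last hunk pass `err_cert` to `X509_get_issuer_name`, `X509_get_notBefore` and `X509_get_notAfter` without the NULL check that the first hunk adds for the subject print (`if (err_cert) { ... } else BIO_puts(bio_err, "<no cert>\n");`). The assignment of `err_cert` sits in the collapsed part of the function, so whether a NULL current cert can reach those error codes cannot be confirmed here; either guard each case, e.g. `if (err_cert) X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), 0, XN_FLAG_ONELINE);`, or record the invariant with a comment such as `/* err_cert is non-NULL for every error code handled below */`. As a style point, the braced `if` paired with an unbraced `else` in the first hunk is worth bracing both ways. verify_callback's body continues outside the visible hunks, and this section is rendered once more earlier on the page.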
apps/verify.c +35 −28 Original line number Diff line number Diff line Loading 
@@ -326,42 +326,49 @@ end: static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) { char buf[256]; int cert_error = X509_STORE_CTX_get_error(ctx); X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); if (!ok) { if (ctx->current_cert) if (current_cert) { X509_NAME_oneline( X509_get_subject_name(ctx->current_cert),buf, sizeof buf); printf("%s\n",buf); } printf("error %d at %d depth lookup:%s\n",ctx->error, ctx->error_depth, X509_verify_cert_error_string(ctx->error)); if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1; X509_NAME_print_ex_fp(stdout, X509_get_subject_name(current_cert), 0, XN_FLAG_ONELINE); printf("\n"); } printf("error %d at %d depth lookup:%s\n",cert_error, X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(cert_error)); switch(cert_error) { case X509_V_ERR_NO_EXPLICIT_POLICY: policies_print(NULL, ctx); case X509_V_ERR_CERT_HAS_EXPIRED: /* since we are just checking the certificates, it is * ok if they are self signed. But we should still warn * the user. 
*/ if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: /* Continue after extension errors too */ if (ctx->error == X509_V_ERR_INVALID_CA) ok=1; if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1; if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1; if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1; if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1; if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1; if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1; if (ctx->error == X509_V_ERR_NO_EXPLICIT_POLICY) policies_print(NULL, ctx); case X509_V_ERR_INVALID_CA: case X509_V_ERR_INVALID_NON_CA: case X509_V_ERR_PATH_LENGTH_EXCEEDED: case X509_V_ERR_INVALID_PURPOSE: case X509_V_ERR_CRL_HAS_EXPIRED: case X509_V_ERR_CRL_NOT_YET_VALID: case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: ok = 1; } return ok; } if ((ctx->error == X509_V_OK) && (ok == 2)) if (cert_error == X509_V_OK && ok == 2) policies_print(NULL, ctx); if (!v_verbose) ERR_clear_error(); Loading
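Review bot: The new `switch(cert_error)` falls through from `policies_print(NULL, ctx)` under `X509_V_ERR_NO_EXPLICIT_POLICY` into the run of labels ending in `ok = 1`, which is an unmarked behaviour change: the removed code printed the policies for that error but left `ok` unchanged, so the callback now accepts a chain on a missing explicit policy. If that is intended, mark it and say why, e.g. `/* fallthrough: a missing explicit policy is non-fatal for this check */`; otherwise a `break;` after `policies_print(NULL, ctx);` restores the old result. The comments about self-signed certificates and extension errors now sit between bare case labels, where a reader cannot tell which labels they qualify; one comment above the switch listing why these codes are downgraded to ok=1 would be clearer. If the `char buf[256]` declaration at the top of cb survived the change, it is no longer used once `X509_NAME_oneline` is replaced by `X509_NAME_print_ex_fp` and should be dropped. cb's body continues outside the hunk, and this section is rendered once more earlier on the page.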