File: | src/lib/libcrypto/ts/ts_rsp_verify.c |
Warning: | line 665, column 12 Use of memory allocated with size zero |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: ts_rsp_verify.c,v 1.30 2023/07/07 07:25:21 beck Exp $ */ | |||
2 | /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL | |||
3 | * project 2002. | |||
4 | */ | |||
5 | /* ==================================================================== | |||
6 | * Copyright (c) 2006 The OpenSSL Project. All rights reserved. | |||
7 | * | |||
8 | * Redistribution and use in source and binary forms, with or without | |||
9 | * modification, are permitted provided that the following conditions | |||
10 | * are met: | |||
11 | * | |||
12 | * 1. Redistributions of source code must retain the above copyright | |||
13 | * notice, this list of conditions and the following disclaimer. | |||
14 | * | |||
15 | * 2. Redistributions in binary form must reproduce the above copyright | |||
16 | * notice, this list of conditions and the following disclaimer in | |||
17 | * the documentation and/or other materials provided with the | |||
18 | * distribution. | |||
19 | * | |||
20 | * 3. All advertising materials mentioning features or use of this | |||
21 | * software must display the following acknowledgment: | |||
22 | * "This product includes software developed by the OpenSSL Project | |||
23 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | |||
24 | * | |||
25 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |||
26 | * endorse or promote products derived from this software without | |||
27 | * prior written permission. For written permission, please contact | |||
28 | * licensing@OpenSSL.org. | |||
29 | * | |||
30 | * 5. Products derived from this software may not be called "OpenSSL" | |||
31 | * nor may "OpenSSL" appear in their names without prior written | |||
32 | * permission of the OpenSSL Project. | |||
33 | * | |||
34 | * 6. Redistributions of any form whatsoever must retain the following | |||
35 | * acknowledgment: | |||
36 | * "This product includes software developed by the OpenSSL Project | |||
37 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | |||
38 | * | |||
39 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |||
40 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |||
41 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |||
42 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |||
43 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |||
44 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |||
45 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |||
46 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||
47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |||
48 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |||
49 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |||
50 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |||
51 | * ==================================================================== | |||
52 | * | |||
53 | * This product includes cryptographic software written by Eric Young | |||
54 | * (eay@cryptsoft.com). This product includes software written by Tim | |||
55 | * Hudson (tjh@cryptsoft.com). | |||
56 | * | |||
57 | */ | |||
58 | ||||
59 | #include <stdio.h> | |||
60 | #include <string.h> | |||
61 | ||||
62 | #include <openssl/err.h> | |||
63 | #include <openssl/objects.h> | |||
64 | #include <openssl/pkcs7.h> | |||
65 | #include <openssl/ts.h> | |||
66 | ||||
67 | #include "evp_local.h" | |||
68 | #include "ts_local.h" | |||
69 | #include "x509_local.h" | |||
70 | ||||
71 | /* Private function declarations. */ | |||
72 | ||||
73 | static int TS_verify_cert(X509_STORE *store, STACK_OF(X509)struct stack_st_X509 *untrusted, | |||
74 | X509 *signer, STACK_OF(X509)struct stack_st_X509 **chain); | |||
75 | static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509)struct stack_st_X509 *chain); | |||
76 | static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si); | |||
77 | static int TS_find_cert(STACK_OF(ESS_CERT_ID)struct stack_st_ESS_CERT_ID *cert_ids, X509 *cert); | |||
78 | static ESS_SIGNING_CERT_V2 *ESS_get_signing_cert_v2(PKCS7_SIGNER_INFO *si); | |||
79 | static int TS_find_cert_v2(STACK_OF(ESS_CERT_ID_V2)struct stack_st_ESS_CERT_ID_V2 *cert_ids, X509 *cert); | |||
80 | static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert); | |||
81 | static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, | |||
82 | PKCS7 *token, TS_TST_INFO *tst_info); | |||
83 | static int TS_check_status_info(TS_RESP *response); | |||
84 | static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING)struct stack_st_ASN1_UTF8STRING *text); | |||
85 | static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info); | |||
86 | static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, | |||
87 | X509_ALGOR **md_alg, | |||
88 | unsigned char **imprint, unsigned *imprint_len); | |||
89 | static int TS_check_imprints(X509_ALGOR *algor_a, | |||
90 | unsigned char *imprint_a, unsigned len_a, | |||
91 | TS_TST_INFO *tst_info); | |||
92 | static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info); | |||
93 | static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer); | |||
94 | static int TS_find_name(STACK_OF(GENERAL_NAME)struct stack_st_GENERAL_NAME *gen_names, GENERAL_NAME *name); | |||
95 | ||||
96 | /* | |||
97 | * Local mapping between response codes and descriptions. | |||
98 | * Don't forget to change TS_STATUS_BUF_SIZE when modifying | |||
99 | * the elements of this array. | |||
100 | */ | |||
101 | static const char *TS_status_text[] = { | |||
102 | "granted", | |||
103 | "grantedWithMods", | |||
104 | "rejection", | |||
105 | "waiting", | |||
106 | "revocationWarning", | |||
107 | "revocationNotification" | |||
108 | }; | |||
109 | ||||
110 | #define TS_STATUS_TEXT_SIZE(sizeof(TS_status_text)/sizeof(*TS_status_text)) (sizeof(TS_status_text)/sizeof(*TS_status_text)) | |||
111 | ||||
112 | /* | |||
113 | * This must be greater or equal to the sum of the strings in TS_status_text | |||
114 | * plus the number of its elements. | |||
115 | */ | |||
116 | #define TS_STATUS_BUF_SIZE256 256 | |||
117 | ||||
118 | static struct { | |||
119 | int code; | |||
120 | const char *text; | |||
121 | } TS_failure_info[] = { | |||
122 | { TS_INFO_BAD_ALG0, "badAlg" }, | |||
123 | { TS_INFO_BAD_REQUEST2, "badRequest" }, | |||
124 | { TS_INFO_BAD_DATA_FORMAT5, "badDataFormat" }, | |||
125 | { TS_INFO_TIME_NOT_AVAILABLE14, "timeNotAvailable" }, | |||
126 | { TS_INFO_UNACCEPTED_POLICY15, "unacceptedPolicy" }, | |||
127 | { TS_INFO_UNACCEPTED_EXTENSION16, "unacceptedExtension" }, | |||
128 | { TS_INFO_ADD_INFO_NOT_AVAILABLE17, "addInfoNotAvailable" }, | |||
129 | { TS_INFO_SYSTEM_FAILURE25, "systemFailure" } | |||
130 | }; | |||
131 | ||||
132 | #define TS_FAILURE_INFO_SIZE(sizeof(TS_failure_info) / sizeof(*TS_failure_info)) (sizeof(TS_failure_info) / \ | |||
133 | sizeof(*TS_failure_info)) | |||
134 | ||||
135 | /* Functions for verifying a signed TS_TST_INFO structure. */ | |||
136 | ||||
137 | /* | |||
138 | * This function carries out the following tasks: | |||
139 | * - Checks if there is one and only one signer. | |||
140 | * - Search for the signing certificate in 'certs' and in the response. | |||
141 | * - Check the extended key usage and key usage fields of the signer | |||
142 | * certificate (done by the path validation). | |||
143 | * - Build and validate the certificate path. | |||
144 | * - Check if the certificate path meets the requirements of the | |||
145 | * SigningCertificate ESS signed attribute. | |||
146 | * - Verify the signature value. | |||
147 | * - Returns the signer certificate in 'signer', if 'signer' is not NULL. | |||
148 | */ | |||
149 | int | |||
150 | TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509)struct stack_st_X509 *certs, | |||
151 | X509_STORE *store, X509 **signer_out) | |||
152 | { | |||
153 | STACK_OF(PKCS7_SIGNER_INFO)struct stack_st_PKCS7_SIGNER_INFO *sinfos = NULL((void *)0); | |||
154 | PKCS7_SIGNER_INFO *si; | |||
155 | STACK_OF(X509)struct stack_st_X509 *signers = NULL((void *)0); | |||
156 | X509 *signer; | |||
157 | STACK_OF(X509)struct stack_st_X509 *chain = NULL((void *)0); | |||
158 | char buf[4096]; | |||
159 | int i, j = 0, ret = 0; | |||
160 | BIO *p7bio = NULL((void *)0); | |||
161 | ||||
162 | /* Some sanity checks first. */ | |||
163 | if (!token) { | |||
164 | TSerror(TS_R_INVALID_NULL_POINTER)ERR_put_error(47,(0xfff),(102),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,164); | |||
165 | goto err; | |||
166 | } | |||
167 | ||||
168 | /* Check for the correct content type */ | |||
169 | if (!PKCS7_type_is_signed(token)(OBJ_obj2nid((token)->type) == 22)) { | |||
170 | TSerror(TS_R_WRONG_CONTENT_TYPE)ERR_put_error(47,(0xfff),(114),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,170); | |||
171 | goto err; | |||
172 | } | |||
173 | ||||
174 | /* Check if there is one and only one signer. */ | |||
175 | sinfos = PKCS7_get_signer_info(token); | |||
176 | if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos)sk_num(((_STACK*) (1 ? (sinfos) : (struct stack_st_PKCS7_SIGNER_INFO *)0))) != 1) { | |||
177 | TSerror(TS_R_THERE_MUST_BE_ONE_SIGNER)ERR_put_error(47,(0xfff),(110),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,177); | |||
178 | goto err; | |||
179 | } | |||
180 | si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0)((PKCS7_SIGNER_INFO *)sk_value(((_STACK*) (1 ? (sinfos) : (struct stack_st_PKCS7_SIGNER_INFO*)0)), (0))); | |||
181 | ||||
182 | /* Check for no content: no data to verify signature. */ | |||
183 | if (PKCS7_get_detached(token)PKCS7_ctrl(token,2,0,((void *)0))) { | |||
184 | TSerror(TS_R_NO_CONTENT)ERR_put_error(47,(0xfff),(106),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,184); | |||
185 | goto err; | |||
186 | } | |||
187 | ||||
188 | /* Get hold of the signer certificate, search only internal | |||
189 | certificates if it was requested. */ | |||
190 | signers = PKCS7_get0_signers(token, certs, 0); | |||
191 | if (!signers || sk_X509_num(signers)sk_num(((_STACK*) (1 ? (signers) : (struct stack_st_X509*)0)) ) != 1) | |||
192 | goto err; | |||
193 | signer = sk_X509_value(signers, 0)((X509 *)sk_value(((_STACK*) (1 ? (signers) : (struct stack_st_X509 *)0)), (0))); | |||
194 | ||||
195 | /* Now verify the certificate. */ | |||
196 | if (!TS_verify_cert(store, certs, signer, &chain)) | |||
197 | goto err; | |||
198 | ||||
199 | /* Check if the signer certificate is consistent with the | |||
200 | ESS extension. */ | |||
201 | if (!TS_check_signing_certs(si, chain)) | |||
202 | goto err; | |||
203 | ||||
204 | /* Creating the message digest. */ | |||
205 | p7bio = PKCS7_dataInit(token, NULL((void *)0)); | |||
206 | ||||
207 | /* We now have to 'read' from p7bio to calculate digests etc. */ | |||
208 | while ((i = BIO_read(p7bio, buf, sizeof(buf))) > 0) | |||
209 | ; | |||
210 | ||||
211 | /* Verifying the signature. */ | |||
212 | j = PKCS7_signatureVerify(p7bio, token, si, signer); | |||
213 | if (j <= 0) { | |||
214 | TSerror(TS_R_SIGNATURE_FAILURE)ERR_put_error(47,(0xfff),(109),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,214); | |||
215 | goto err; | |||
216 | } | |||
217 | ||||
218 | /* Return the signer certificate if needed. */ | |||
219 | if (signer_out) { | |||
220 | *signer_out = signer; | |||
221 | CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509)CRYPTO_add_lock(&signer->references,1,3,((void *)0),0); | |||
222 | } | |||
223 | ||||
224 | ret = 1; | |||
225 | ||||
226 | err: | |||
227 | BIO_free_all(p7bio); | |||
228 | sk_X509_pop_free(chain, X509_free)sk_pop_free(((_STACK*) (1 ? (chain) : (struct stack_st_X509*) 0)), ((void (*)(void *)) ((1 ? (X509_free) : (void (*)(X509 * ))0)))); | |||
229 | sk_X509_free(signers)sk_free(((_STACK*) (1 ? (signers) : (struct stack_st_X509*)0) )); | |||
230 | ||||
231 | return ret; | |||
232 | } | |||
233 | LCRYPTO_ALIAS(TS_RESP_verify_signature)asm(""); | |||
234 | ||||
235 | /* | |||
236 | * The certificate chain is returned in chain. Caller is responsible for | |||
237 | * freeing the vector. | |||
238 | */ | |||
239 | static int | |||
240 | TS_verify_cert(X509_STORE *store, STACK_OF(X509)struct stack_st_X509 *untrusted, X509 *signer, | |||
241 | STACK_OF(X509)struct stack_st_X509 **chain) | |||
242 | { | |||
243 | X509_STORE_CTX cert_ctx; | |||
244 | int i; | |||
245 | int ret = 0; | |||
246 | ||||
247 | /* chain is an out argument. */ | |||
248 | *chain = NULL((void *)0); | |||
249 | if (X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted) == 0) { | |||
250 | TSerror(ERR_R_X509_LIB)ERR_put_error(47,(0xfff),(11),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,250); | |||
251 | goto err; | |||
252 | } | |||
253 | if (X509_STORE_CTX_set_purpose(&cert_ctx, | |||
254 | X509_PURPOSE_TIMESTAMP_SIGN9) == 0) | |||
255 | goto err; | |||
256 | i = X509_verify_cert(&cert_ctx); | |||
257 | if (i <= 0) { | |||
258 | int j = X509_STORE_CTX_get_error(&cert_ctx); | |||
259 | ||||
260 | TSerror(TS_R_CERTIFICATE_VERIFY_ERROR)ERR_put_error(47,(0xfff),(100),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,260); | |||
261 | ERR_asprintf_error_data("Verify error:%s", | |||
262 | X509_verify_cert_error_string(j)); | |||
263 | goto err; | |||
264 | } else { | |||
265 | /* Get a copy of the certificate chain. */ | |||
266 | *chain = X509_STORE_CTX_get1_chain(&cert_ctx); | |||
267 | ret = 1; | |||
268 | } | |||
269 | ||||
270 | err: | |||
271 | X509_STORE_CTX_cleanup(&cert_ctx); | |||
272 | ||||
273 | return ret; | |||
274 | } | |||
275 | ||||
276 | static int | |||
277 | TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509)struct stack_st_X509 *chain) | |||
278 | { | |||
279 | ESS_SIGNING_CERT *ss = NULL((void *)0); | |||
280 | STACK_OF(ESS_CERT_ID)struct stack_st_ESS_CERT_ID *cert_ids; | |||
281 | ESS_SIGNING_CERT_V2 *ssv2 = NULL((void *)0); | |||
282 | STACK_OF(ESS_CERT_ID_V2)struct stack_st_ESS_CERT_ID_V2 *cert_ids_v2; | |||
283 | X509 *cert; | |||
284 | int i = 0; | |||
285 | int ret = 0; | |||
286 | ||||
287 | if ((ss = ESS_get_signing_cert(si)) != NULL((void *)0)) { | |||
288 | cert_ids = ss->cert_ids; | |||
289 | /* The signer certificate must be the first in cert_ids. */ | |||
290 | cert = sk_X509_value(chain, 0)((X509 *)sk_value(((_STACK*) (1 ? (chain) : (struct stack_st_X509 *)0)), (0))); | |||
291 | ||||
292 | if (TS_find_cert(cert_ids, cert) != 0) | |||
293 | goto err; | |||
294 | ||||
295 | /* | |||
296 | * Check the other certificates of the chain if there are more | |||
297 | * than one certificate ids in cert_ids. | |||
298 | */ | |||
299 | if (sk_ESS_CERT_ID_num(cert_ids)sk_num(((_STACK*) (1 ? (cert_ids) : (struct stack_st_ESS_CERT_ID *)0))) > 1) { | |||
300 | /* All the certificates of the chain must be in cert_ids. */ | |||
301 | for (i = 1; i < sk_X509_num(chain)sk_num(((_STACK*) (1 ? (chain) : (struct stack_st_X509*)0))); i++) { | |||
302 | cert = sk_X509_value(chain, i)((X509 *)sk_value(((_STACK*) (1 ? (chain) : (struct stack_st_X509 *)0)), (i))); | |||
303 | ||||
304 | if (TS_find_cert(cert_ids, cert) < 0) | |||
305 | goto err; | |||
306 | } | |||
307 | } | |||
308 | } | |||
309 | ||||
310 | if ((ssv2 = ESS_get_signing_cert_v2(si)) != NULL((void *)0)) { | |||
311 | cert_ids_v2 = ssv2->cert_ids; | |||
312 | /* The signer certificate must be the first in cert_ids_v2. */ | |||
313 | cert = sk_X509_value(chain, 0)((X509 *)sk_value(((_STACK*) (1 ? (chain) : (struct stack_st_X509 *)0)), (0))); | |||
314 | ||||
315 | if (TS_find_cert_v2(cert_ids_v2, cert) != 0) | |||
316 | goto err; | |||
317 | ||||
318 | /* | |||
319 | * Check the other certificates of the chain if there are more | |||
320 | * than one certificate ids in cert_ids_v2. | |||
321 | */ | |||
322 | if (sk_ESS_CERT_ID_V2_num(cert_ids_v2)sk_num(((_STACK*) (1 ? (cert_ids_v2) : (struct stack_st_ESS_CERT_ID_V2 *)0))) > 1) { | |||
323 | /* All the certificates of the chain must be in cert_ids_v2. */ | |||
324 | for (i = 1; i < sk_X509_num(chain)sk_num(((_STACK*) (1 ? (chain) : (struct stack_st_X509*)0))); i++) { | |||
325 | cert = sk_X509_value(chain, i)((X509 *)sk_value(((_STACK*) (1 ? (chain) : (struct stack_st_X509 *)0)), (i))); | |||
326 | ||||
327 | if (TS_find_cert_v2(cert_ids_v2, cert) < 0) | |||
328 | goto err; | |||
329 | } | |||
330 | } | |||
331 | } | |||
332 | ||||
333 | ret = 1; | |||
334 | ||||
335 | err: | |||
336 | if (!ret) | |||
337 | TSerror(TS_R_ESS_SIGNING_CERTIFICATE_ERROR)ERR_put_error(47,(0xfff),(101),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,337); | |||
338 | ESS_SIGNING_CERT_free(ss); | |||
339 | ESS_SIGNING_CERT_V2_free(ssv2); | |||
340 | return ret; | |||
341 | } | |||
342 | ||||
343 | static ESS_SIGNING_CERT * | |||
344 | ESS_get_signing_cert(PKCS7_SIGNER_INFO *si) | |||
345 | { | |||
346 | ASN1_TYPE *attr; | |||
347 | const unsigned char *p; | |||
348 | ||||
349 | attr = PKCS7_get_signed_attribute(si, | |||
350 | NID_id_smime_aa_signingCertificate223); | |||
351 | if (!attr) | |||
352 | return NULL((void *)0); | |||
353 | if (attr->type != V_ASN1_SEQUENCE16) | |||
354 | return NULL((void *)0); | |||
355 | p = attr->value.sequence->data; | |||
356 | return d2i_ESS_SIGNING_CERT(NULL((void *)0), &p, attr->value.sequence->length); | |||
357 | } | |||
358 | ||||
359 | static ESS_SIGNING_CERT_V2 * | |||
360 | ESS_get_signing_cert_v2(PKCS7_SIGNER_INFO *si) | |||
361 | { | |||
362 | ASN1_TYPE *attr; | |||
363 | const unsigned char *p; | |||
364 | ||||
365 | attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV21023); | |||
366 | if (attr == NULL((void *)0)) | |||
367 | return NULL((void *)0); | |||
368 | p = attr->value.sequence->data; | |||
369 | return d2i_ESS_SIGNING_CERT_V2(NULL((void *)0), &p, attr->value.sequence->length); | |||
370 | } | |||
371 | ||||
372 | /* Returns < 0 if certificate is not found, certificate index otherwise. */ | |||
373 | static int | |||
374 | TS_find_cert(STACK_OF(ESS_CERT_ID)struct stack_st_ESS_CERT_ID *cert_ids, X509 *cert) | |||
375 | { | |||
376 | int i; | |||
377 | unsigned char cert_hash[TS_HASH_LEN20]; | |||
378 | ||||
379 | if (!cert_ids || !cert) | |||
380 | return -1; | |||
381 | ||||
382 | if (!X509_digest(cert, TS_HASH_EVPEVP_sha1(), cert_hash, NULL((void *)0))) | |||
383 | return -1; | |||
384 | ||||
385 | /* Recompute SHA1 hash of certificate if necessary (side effect). */ | |||
386 | if (X509_check_purpose(cert, -1, 0) == -1) | |||
387 | return -1; | |||
388 | ||||
389 | /* Look for cert in the cert_ids vector. */ | |||
390 | for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids)sk_num(((_STACK*) (1 ? (cert_ids) : (struct stack_st_ESS_CERT_ID *)0))); ++i) { | |||
391 | ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i)((ESS_CERT_ID *)sk_value(((_STACK*) (1 ? (cert_ids) : (struct stack_st_ESS_CERT_ID*)0)), (i))); | |||
392 | ||||
393 | /* Check the SHA-1 hash first. */ | |||
394 | if (cid->hash->length == TS_HASH_LEN20 && !memcmp(cid->hash->data, | |||
395 | cert_hash, TS_HASH_LEN20)) { | |||
396 | /* Check the issuer/serial as well if specified. */ | |||
397 | ESS_ISSUER_SERIAL *is = cid->issuer_serial; | |||
398 | ||||
399 | if (is == NULL((void *)0) || TS_issuer_serial_cmp(is, cert) == 0) | |||
400 | return i; | |||
401 | } | |||
402 | } | |||
403 | ||||
404 | return -1; | |||
405 | } | |||
406 | ||||
407 | /* Returns < 0 if certificate is not found, certificate index otherwise. */ | |||
408 | static int | |||
409 | TS_find_cert_v2(STACK_OF(ESS_CERT_ID_V2)struct stack_st_ESS_CERT_ID_V2 *cert_ids, X509 *cert) | |||
410 | { | |||
411 | int i; | |||
412 | unsigned char cert_digest[EVP_MAX_MD_SIZE64]; | |||
413 | unsigned int len; | |||
414 | ||||
415 | /* Look for cert in the cert_ids vector. */ | |||
416 | for (i = 0; i < sk_ESS_CERT_ID_V2_num(cert_ids)sk_num(((_STACK*) (1 ? (cert_ids) : (struct stack_st_ESS_CERT_ID_V2 *)0))); ++i) { | |||
417 | ESS_CERT_ID_V2 *cid = sk_ESS_CERT_ID_V2_value(cert_ids, i)((ESS_CERT_ID_V2 *)sk_value(((_STACK*) (1 ? (cert_ids) : (struct stack_st_ESS_CERT_ID_V2*)0)), (i))); | |||
418 | const EVP_MD *md = EVP_sha256(); | |||
419 | ||||
420 | if (cid->hash_alg != NULL((void *)0)) | |||
421 | md = EVP_get_digestbyobj(cid->hash_alg->algorithm)EVP_get_digestbyname(OBJ_nid2sn(OBJ_obj2nid(cid->hash_alg-> algorithm))); | |||
422 | if (md == NULL((void *)0)) | |||
423 | return -1; | |||
424 | ||||
425 | if (!X509_digest(cert, md, cert_digest, &len)) | |||
426 | return -1; | |||
427 | ||||
428 | if ((unsigned int)cid->hash->length != len) | |||
429 | return -1; | |||
430 | ||||
431 | if (memcmp(cid->hash->data, cert_digest, cid->hash->length) == 0) { | |||
432 | ESS_ISSUER_SERIAL *is = cid->issuer_serial; | |||
433 | ||||
434 | if (is == NULL((void *)0) || TS_issuer_serial_cmp(is, cert) == 0) | |||
435 | return i; | |||
436 | } | |||
437 | } | |||
438 | ||||
439 | return -1; | |||
440 | } | |||
441 | ||||
442 | static int | |||
443 | TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert) | |||
444 | { | |||
445 | GENERAL_NAME *issuer; | |||
446 | ||||
447 | if (is == NULL((void *)0) || cert == NULL((void *)0) || sk_GENERAL_NAME_num(is->issuer)sk_num(((_STACK*) (1 ? (is->issuer) : (struct stack_st_GENERAL_NAME *)0))) != 1) | |||
448 | return -1; | |||
449 | ||||
450 | /* Check the issuer first. It must be a directory name. */ | |||
451 | issuer = sk_GENERAL_NAME_value(is->issuer, 0)((GENERAL_NAME *)sk_value(((_STACK*) (1 ? (is->issuer) : ( struct stack_st_GENERAL_NAME*)0)), (0))); | |||
452 | if (issuer->type != GEN_DIRNAME4 || | |||
453 | X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert))) | |||
454 | return -1; | |||
455 | ||||
456 | /* Check the serial number, too. */ | |||
457 | if (ASN1_INTEGER_cmp(is->serial, X509_get_serialNumber(cert))) | |||
458 | return -1; | |||
459 | ||||
460 | return 0; | |||
461 | } | |||
462 | ||||
463 | /* | |||
464 | * Verifies whether 'response' contains a valid response with regards | |||
465 | * to the settings of the context: | |||
466 | * - Gives an error message if the TS_TST_INFO is not present. | |||
467 | * - Calls _TS_RESP_verify_token to verify the token content. | |||
468 | */ | |||
469 | int | |||
470 | TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response) | |||
471 | { | |||
472 | PKCS7 *token = TS_RESP_get_token(response); | |||
473 | TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); | |||
474 | int ret = 0; | |||
475 | ||||
476 | /* Check if we have a successful TS_TST_INFO object in place. */ | |||
477 | if (!TS_check_status_info(response)) | |||
| ||||
478 | goto err; | |||
479 | ||||
480 | /* Check the contents of the time stamp token. */ | |||
481 | if (!int_TS_RESP_verify_token(ctx, token, tst_info)) | |||
482 | goto err; | |||
483 | ||||
484 | ret = 1; | |||
485 | ||||
486 | err: | |||
487 | return ret; | |||
488 | } | |||
489 | LCRYPTO_ALIAS(TS_RESP_verify_response)asm(""); | |||
490 | ||||
491 | /* | |||
492 | * Tries to extract a TS_TST_INFO structure from the PKCS7 token and | |||
493 | * calls the internal int_TS_RESP_verify_token function for verifying it. | |||
494 | */ | |||
495 | int | |||
496 | TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token) | |||
497 | { | |||
498 | TS_TST_INFO *tst_info = PKCS7_to_TS_TST_INFO(token); | |||
499 | int ret = 0; | |||
500 | ||||
501 | if (tst_info) { | |||
502 | ret = int_TS_RESP_verify_token(ctx, token, tst_info); | |||
503 | TS_TST_INFO_free(tst_info); | |||
504 | } | |||
505 | return ret; | |||
506 | } | |||
507 | LCRYPTO_ALIAS(TS_RESP_verify_token)asm(""); | |||
508 | ||||
509 | /* | |||
510 | * Verifies whether the 'token' contains a valid time stamp token | |||
511 | * with regards to the settings of the context. Only those checks are | |||
512 | * carried out that are specified in the context: | |||
513 | * - Verifies the signature of the TS_TST_INFO. | |||
514 | * - Checks the version number of the response. | |||
515 | * - Check if the requested and returned policies math. | |||
516 | * - Check if the message imprints are the same. | |||
517 | * - Check if the nonces are the same. | |||
518 | * - Check if the TSA name matches the signer. | |||
519 | * - Check if the TSA name is the expected TSA. | |||
520 | */ | |||
521 | static int | |||
522 | int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token, | |||
523 | TS_TST_INFO *tst_info) | |||
524 | { | |||
525 | X509 *signer = NULL((void *)0); | |||
526 | GENERAL_NAME *tsa_name = TS_TST_INFO_get_tsa(tst_info); | |||
527 | X509_ALGOR *md_alg = NULL((void *)0); | |||
528 | unsigned char *imprint = NULL((void *)0); | |||
529 | unsigned imprint_len = 0; | |||
530 | int ret = 0; | |||
531 | ||||
532 | /* Verify the signature. */ | |||
533 | if ((ctx->flags & TS_VFY_SIGNATURE(1u << 0)) && | |||
534 | !TS_RESP_verify_signature(token, ctx->certs, ctx->store, &signer)) | |||
535 | goto err; | |||
536 | ||||
537 | /* Check version number of response. */ | |||
538 | if ((ctx->flags & TS_VFY_VERSION(1u << 1)) && | |||
539 | TS_TST_INFO_get_version(tst_info) != 1) { | |||
540 | TSerror(TS_R_UNSUPPORTED_VERSION)ERR_put_error(47,(0xfff),(113),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,540); | |||
541 | goto err; | |||
542 | } | |||
543 | ||||
544 | /* Check policies. */ | |||
545 | if ((ctx->flags & TS_VFY_POLICY(1u << 2)) && | |||
546 | !TS_check_policy(ctx->policy, tst_info)) | |||
547 | goto err; | |||
548 | ||||
549 | /* Check message imprints. */ | |||
550 | if ((ctx->flags & TS_VFY_IMPRINT(1u << 3)) && | |||
551 | !TS_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len, | |||
552 | tst_info)) | |||
553 | goto err; | |||
554 | ||||
555 | /* Compute and check message imprints. */ | |||
556 | if ((ctx->flags & TS_VFY_DATA(1u << 4)) && | |||
557 | (!TS_compute_imprint(ctx->data, tst_info, | |||
558 | &md_alg, &imprint, &imprint_len) || | |||
559 | !TS_check_imprints(md_alg, imprint, imprint_len, tst_info))) | |||
560 | goto err; | |||
561 | ||||
562 | /* Check nonces. */ | |||
563 | if ((ctx->flags & TS_VFY_NONCE(1u << 5)) && | |||
564 | !TS_check_nonces(ctx->nonce, tst_info)) | |||
565 | goto err; | |||
566 | ||||
567 | /* Check whether TSA name and signer certificate match. */ | |||
568 | if ((ctx->flags & TS_VFY_SIGNER(1u << 6)) && | |||
569 | tsa_name && !TS_check_signer_name(tsa_name, signer)) { | |||
570 | TSerror(TS_R_TSA_NAME_MISMATCH)ERR_put_error(47,(0xfff),(111),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,570); | |||
571 | goto err; | |||
572 | } | |||
573 | ||||
574 | /* Check whether the TSA is the expected one. */ | |||
575 | if ((ctx->flags & TS_VFY_TSA_NAME(1u << 7)) && | |||
576 | !TS_check_signer_name(ctx->tsa_name, signer)) { | |||
577 | TSerror(TS_R_TSA_UNTRUSTED)ERR_put_error(47,(0xfff),(112),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,577); | |||
578 | goto err; | |||
579 | } | |||
580 | ||||
581 | ret = 1; | |||
582 | ||||
583 | err: | |||
584 | X509_free(signer); | |||
585 | X509_ALGOR_free(md_alg); | |||
586 | free(imprint); | |||
587 | return ret; | |||
588 | } | |||
589 | ||||
590 | static int | |||
591 | TS_check_status_info(TS_RESP *response) | |||
592 | { | |||
593 | TS_STATUS_INFO *info = TS_RESP_get_status_info(response); | |||
594 | long status = ASN1_INTEGER_get(info->status); | |||
595 | const char *status_text = NULL((void *)0); | |||
596 | char *embedded_status_text = NULL((void *)0); | |||
597 | char failure_text[TS_STATUS_BUF_SIZE256] = ""; | |||
598 | ||||
599 | /* Check if everything went fine. */ | |||
600 | if (status == 0 || status == 1) | |||
601 | return 1; | |||
602 | ||||
603 | /* There was an error, get the description in status_text. */ | |||
604 | if (0 <= status && status < (long)TS_STATUS_TEXT_SIZE(sizeof(TS_status_text)/sizeof(*TS_status_text))) | |||
605 | status_text = TS_status_text[status]; | |||
606 | else | |||
607 | status_text = "unknown code"; | |||
608 | ||||
609 | /* Set the embedded_status_text to the returned description. */ | |||
610 | if (sk_ASN1_UTF8STRING_num(info->text)sk_num(((_STACK*) (1 ? (info->text) : (struct stack_st_ASN1_UTF8STRING *)0))) > 0 && | |||
611 | !(embedded_status_text = TS_get_status_text(info->text))) | |||
612 | return 0; | |||
613 | ||||
614 | /* Filling in failure_text with the failure information. */ | |||
615 | if (info->failure_info) { | |||
616 | int i; | |||
617 | int first = 1; | |||
618 | for (i = 0; i < (int)TS_FAILURE_INFO_SIZE(sizeof(TS_failure_info) / sizeof(*TS_failure_info)); ++i) { | |||
619 | if (ASN1_BIT_STRING_get_bit(info->failure_info, | |||
620 | TS_failure_info[i].code)) { | |||
621 | if (!first) | |||
622 | strlcat(failure_text, ",", | |||
623 | TS_STATUS_BUF_SIZE256); | |||
624 | else | |||
625 | first = 0; | |||
626 | strlcat(failure_text, TS_failure_info[i].text, | |||
627 | TS_STATUS_BUF_SIZE256); | |||
628 | } | |||
629 | } | |||
630 | } | |||
631 | if (failure_text[0] == '\0') | |||
632 | strlcpy(failure_text, "unspecified", TS_STATUS_BUF_SIZE256); | |||
633 | ||||
634 | /* Making up the error string. */ | |||
635 | TSerror(TS_R_NO_TIME_STAMP_TOKEN)ERR_put_error(47,(0xfff),(107),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,635); | |||
636 | ERR_asprintf_error_data | |||
637 | ("status code: %s, status text: %s, failure codes: %s", | |||
638 | status_text, | |||
639 | embedded_status_text ? embedded_status_text : "unspecified", | |||
640 | failure_text); | |||
641 | free(embedded_status_text); | |||
642 | ||||
643 | return 0; | |||
644 | } | |||
645 | ||||
646 | static char * | |||
647 | TS_get_status_text(STACK_OF(ASN1_UTF8STRING)struct stack_st_ASN1_UTF8STRING *text) | |||
648 | { | |||
649 | int i; | |||
650 | unsigned int length = 0; | |||
651 | char *result = NULL((void *)0); | |||
652 | ||||
653 | /* Determine length first. */ | |||
654 | for (i = 0; i < sk_ASN1_UTF8STRING_num(text)sk_num(((_STACK*) (1 ? (text) : (struct stack_st_ASN1_UTF8STRING *)0))); ++i) { | |||
655 | ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i)((ASN1_UTF8STRING *)sk_value(((_STACK*) (1 ? (text) : (struct stack_st_ASN1_UTF8STRING*)0)), (i))); | |||
656 | length += ASN1_STRING_length(current); | |||
657 | length += 1; /* separator character */ | |||
658 | } | |||
659 | /* Allocate memory (closing '\0' included). */ | |||
660 | if (!(result = malloc(length))) { | |||
661 | TSerror(ERR_R_MALLOC_FAILURE)ERR_put_error(47,(0xfff),((1|64)),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,661); | |||
662 | return NULL((void *)0); | |||
663 | } | |||
664 | /* Concatenate the descriptions. */ | |||
665 | result[0] = '\0'; | |||
| ||||
666 | for (i = 0; i < sk_ASN1_UTF8STRING_num(text)sk_num(((_STACK*) (1 ? (text) : (struct stack_st_ASN1_UTF8STRING *)0))); ++i) { | |||
667 | ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i)((ASN1_UTF8STRING *)sk_value(((_STACK*) (1 ? (text) : (struct stack_st_ASN1_UTF8STRING*)0)), (i))); | |||
668 | if (i > 0) | |||
669 | strlcat(result, "/", length); | |||
670 | strlcat(result, (const char *)ASN1_STRING_data(current), length); | |||
671 | } | |||
672 | return result; | |||
673 | } | |||
674 | ||||
675 | static int | |||
676 | TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info) | |||
677 | { | |||
678 | ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info); | |||
679 | ||||
680 | if (OBJ_cmp(req_oid, resp_oid) != 0) { | |||
681 | TSerror(TS_R_POLICY_MISMATCH)ERR_put_error(47,(0xfff),(108),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,681); | |||
682 | return 0; | |||
683 | } | |||
684 | ||||
685 | return 1; | |||
686 | } | |||
687 | ||||
688 | static int | |||
689 | TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **out_md_alg, | |||
690 | unsigned char **out_imprint, unsigned int *out_imprint_len) | |||
691 | { | |||
692 | TS_MSG_IMPRINT *msg_imprint; | |||
693 | X509_ALGOR *md_alg_resp; | |||
694 | X509_ALGOR *md_alg = NULL((void *)0); | |||
695 | unsigned char *imprint = NULL((void *)0); | |||
696 | unsigned int imprint_len = 0; | |||
697 | const EVP_MD *md; | |||
698 | EVP_MD_CTX md_ctx; | |||
699 | unsigned char buffer[4096]; | |||
700 | int length; | |||
701 | ||||
702 | *out_md_alg = NULL((void *)0); | |||
703 | *out_imprint = NULL((void *)0); | |||
704 | *out_imprint_len = 0; | |||
705 | ||||
706 | /* Retrieve the MD algorithm of the response. */ | |||
707 | msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info); | |||
708 | md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint); | |||
709 | if ((md_alg = X509_ALGOR_dup(md_alg_resp)) == NULL((void *)0)) | |||
710 | goto err; | |||
711 | ||||
712 | /* Getting the MD object. */ | |||
713 | if ((md = EVP_get_digestbyobj((md_alg)->algorithm)EVP_get_digestbyname(OBJ_nid2sn(OBJ_obj2nid((md_alg)->algorithm )))) == NULL((void *)0)) { | |||
714 | TSerror(TS_R_UNSUPPORTED_MD_ALGORITHM)ERR_put_error(47,(0xfff),(126),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,714); | |||
715 | goto err; | |||
716 | } | |||
717 | ||||
718 | /* Compute message digest. */ | |||
719 | if ((length = EVP_MD_size(md)) < 0) | |||
720 | goto err; | |||
721 | imprint_len = length; | |||
722 | if ((imprint = malloc(imprint_len)) == NULL((void *)0)) { | |||
723 | TSerror(ERR_R_MALLOC_FAILURE)ERR_put_error(47,(0xfff),((1|64)),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,723); | |||
724 | goto err; | |||
725 | } | |||
726 | ||||
727 | if (!EVP_DigestInit(&md_ctx, md)) | |||
728 | goto err; | |||
729 | while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0) { | |||
730 | if (!EVP_DigestUpdate(&md_ctx, buffer, length)) | |||
731 | goto err; | |||
732 | } | |||
733 | if (!EVP_DigestFinal(&md_ctx, imprint, NULL((void *)0))) | |||
734 | goto err; | |||
735 | ||||
736 | *out_md_alg = md_alg; | |||
737 | md_alg = NULL((void *)0); | |||
738 | *out_imprint = imprint; | |||
739 | imprint = NULL((void *)0); | |||
740 | *out_imprint_len = imprint_len; | |||
741 | ||||
742 | return 1; | |||
743 | ||||
744 | err: | |||
745 | X509_ALGOR_free(md_alg); | |||
746 | free(imprint); | |||
747 | return 0; | |||
748 | } | |||
749 | ||||
750 | static int | |||
751 | TS_check_imprints(X509_ALGOR *algor_a, unsigned char *imprint_a, unsigned len_a, | |||
752 | TS_TST_INFO *tst_info) | |||
753 | { | |||
754 | TS_MSG_IMPRINT *b = TS_TST_INFO_get_msg_imprint(tst_info); | |||
755 | X509_ALGOR *algor_b = TS_MSG_IMPRINT_get_algo(b); | |||
756 | int ret = 0; | |||
757 | ||||
758 | /* algor_a is optional. */ | |||
759 | if (algor_a) { | |||
760 | /* Compare algorithm OIDs. */ | |||
761 | if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm)) | |||
762 | goto err; | |||
763 | ||||
764 | /* The parameter must be NULL in both. */ | |||
765 | if ((algor_a->parameter && | |||
766 | ASN1_TYPE_get(algor_a->parameter) != V_ASN1_NULL5) || | |||
767 | (algor_b->parameter && | |||
768 | ASN1_TYPE_get(algor_b->parameter) != V_ASN1_NULL5)) | |||
769 | goto err; | |||
770 | } | |||
771 | ||||
772 | /* Compare octet strings. */ | |||
773 | ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) && | |||
774 | memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0; | |||
775 | ||||
776 | err: | |||
777 | if (!ret) | |||
778 | TSerror(TS_R_MESSAGE_IMPRINT_MISMATCH)ERR_put_error(47,(0xfff),(103),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,778); | |||
779 | return ret; | |||
780 | } | |||
781 | ||||
782 | static int | |||
783 | TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info) | |||
784 | { | |||
785 | const ASN1_INTEGER *b = TS_TST_INFO_get_nonce(tst_info); | |||
786 | ||||
787 | /* Error if nonce is missing. */ | |||
788 | if (!b) { | |||
789 | TSerror(TS_R_NONCE_NOT_RETURNED)ERR_put_error(47,(0xfff),(105),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,789); | |||
790 | return 0; | |||
791 | } | |||
792 | ||||
793 | /* No error if a nonce is returned without being requested. */ | |||
794 | if (ASN1_INTEGER_cmp(a, b) != 0) { | |||
795 | TSerror(TS_R_NONCE_MISMATCH)ERR_put_error(47,(0xfff),(104),"/usr/src/lib/libcrypto/ts/ts_rsp_verify.c" ,795); | |||
796 | return 0; | |||
797 | } | |||
798 | ||||
799 | return 1; | |||
800 | } | |||
801 | ||||
802 | /* Check if the specified TSA name matches either the subject | |||
803 | or one of the subject alternative names of the TSA certificate. */ | |||
804 | static int | |||
805 | TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer) | |||
806 | { | |||
807 | STACK_OF(GENERAL_NAME)struct stack_st_GENERAL_NAME *gen_names = NULL((void *)0); | |||
808 | int idx = -1; | |||
809 | int found = 0; | |||
810 | ||||
811 | if (signer == NULL((void *)0)) | |||
812 | return 0; | |||
813 | ||||
814 | /* Check the subject name first. */ | |||
815 | if (tsa_name->type == GEN_DIRNAME4 && | |||
816 | X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer))X509_NAME_cmp((tsa_name->d.dirn),(X509_get_subject_name(signer ))) == 0) | |||
817 | return 1; | |||
818 | ||||
819 | /* Check all the alternative names. */ | |||
820 | gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name85, | |||
821 | NULL((void *)0), &idx); | |||
822 | while (gen_names != NULL((void *)0) && | |||
823 | !(found = (TS_find_name(gen_names, tsa_name) >= 0))) { | |||
824 | /* Get the next subject alternative name, | |||
825 | although there should be no more than one. */ | |||
826 | GENERAL_NAMES_free(gen_names); | |||
827 | gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name85, | |||
828 | NULL((void *)0), &idx); | |||
829 | } | |||
830 | if (gen_names) | |||
831 | GENERAL_NAMES_free(gen_names); | |||
832 | ||||
833 | return found; | |||
834 | } | |||
835 | ||||
836 | /* Returns 1 if name is in gen_names, 0 otherwise. */ | |||
837 | static int | |||
838 | TS_find_name(STACK_OF(GENERAL_NAME)struct stack_st_GENERAL_NAME *gen_names, GENERAL_NAME *name) | |||
839 | { | |||
840 | int i, found; | |||
841 | for (i = 0, found = 0; !found && i < sk_GENERAL_NAME_num(gen_names)sk_num(((_STACK*) (1 ? (gen_names) : (struct stack_st_GENERAL_NAME *)0))); | |||
842 | ++i) { | |||
843 | GENERAL_NAME *current = sk_GENERAL_NAME_value(gen_names, i)((GENERAL_NAME *)sk_value(((_STACK*) (1 ? (gen_names) : (struct stack_st_GENERAL_NAME*)0)), (i))); | |||
844 | found = GENERAL_NAME_cmp(current, name) == 0; | |||
845 | } | |||
846 | return found ? i - 1 : -1; | |||
847 | } |