vendor/libressl: upgrade from 3.1.4 to 3.2.2

[dragonfly.git] / crypto / libressl / crypto / x509 / x509_internal.h

/* $OpenBSD: x509_internal.h,v 1.3 2020/09/15 11:55:14 beck Exp $ */
/*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
#ifndef HEADER_X509_INTERNAL_H
#define HEADER_X509_INTERNAL_H

/* Internal use only, not public API */
#include <netinet/in.h>

#include <openssl/x509_verify.h>

/* Hard limits on structure size and number of signature checks. */
#define X509_VERIFY_MAX_CHAINS          8       /* Max validated chains */
#define X509_VERIFY_MAX_CHAIN_CERTS     32      /* Max depth of a chain */
#define X509_VERIFY_MAX_SIGCHECKS       256     /* Max signature checks */

/*
 * Limit the number of names and constraints we will check in a chain
 * to avoid a hostile input DOS
 */
#define X509_VERIFY_MAX_CHAIN_NAMES             512
#define X509_VERIFY_MAX_CHAIN_CONSTRAINTS       512

/*
 * Hold the parsed and validated result of names from a certificate.
 * these typically come from a GENERALNAME, but we store the parsed
 * and validated results, not the ASN1 bytes.
 */
struct x509_constraints_name {
        int type;                       /* GEN_* types from GENERAL_NAME */
        char *name;                     /* Name to check */
        char *local;                    /* holds the local part of GEN_EMAIL */
        uint8_t *der;                   /* DER encoded value or NULL*/
        size_t der_len;
        int af;                         /* INET and INET6 are supported */
        uint8_t address[32];            /* Must hold ipv6 + mask */
};

struct x509_constraints_names {
        struct x509_constraints_name **names;
        size_t names_len;
        size_t names_count;
};

struct x509_verify_chain {
        STACK_OF(X509) *certs;          /* Kept in chain order, includes leaf */
        struct x509_constraints_names *names;   /* All names from all certs */
};

struct x509_verify_ctx {
        X509_STORE_CTX *xsc;
        struct x509_verify_chain **chains;      /* Validated chains */
        size_t chains_count;
        STACK_OF(X509) *roots;          /* Trusted roots for this validation */
        STACK_OF(X509) *intermediates;  /* Intermediates provided by peer */
        time_t *check_time;             /* Time for validity checks */
        int purpose;                    /* Cert purpose we are validating */
        size_t max_chains;              /* Max chains to return */
        size_t max_depth;               /* Max chain depth for validation */
        size_t max_sigs;                /* Max number of signature checks */
        size_t sig_checks;              /* Number of signature checks done */
        size_t error_depth;             /* Depth of last error seen */
        int error;                      /* Last error seen */
};

int ASN1_time_tm_clamp_notafter(struct tm *tm);

__BEGIN_HIDDEN_DECLS

int x509_vfy_check_id(X509_STORE_CTX *ctx);
int x509_vfy_check_revocation(X509_STORE_CTX *ctx);
int x509_vfy_check_policy(X509_STORE_CTX *ctx);
int x509_vfy_check_trust(X509_STORE_CTX *ctx);
int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
void x509v3_cache_extensions(X509 *x);

int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm,
    int notafter);

struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc,
    STACK_OF(X509) *roots);

void x509_constraints_name_clear(struct x509_constraints_name *name);
int x509_constraints_names_add(struct x509_constraints_names *names,
    struct x509_constraints_name *name);
struct x509_constraints_names *x509_constraints_names_dup(
    struct x509_constraints_names *names);
void x509_constraints_names_clear(struct x509_constraints_names *names);
struct x509_constraints_names *x509_constraints_names_new(void);
void x509_constraints_names_free(struct x509_constraints_names *names);
int x509_constraints_valid_host(uint8_t *name, size_t len);
int x509_constraints_valid_sandns(uint8_t *name, size_t len);
int x509_constraints_domain(char *domain, size_t dlen, char *constraint,
    size_t len);
int x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
    struct x509_constraints_name *name);
int x509_constraints_valid_domain_constraint(uint8_t *constraint,
    size_t len);
int x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostp);
int x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint,
    size_t len, int *error);
int x509_constraints_extract_names(struct x509_constraints_names *names,
    X509 *cert, int include_cn, int *error);
int x509_constraints_extract_constraints(X509 *cert,
    struct x509_constraints_names *permitted,
    struct x509_constraints_names *excluded, int *error);
int x509_constraints_check(struct x509_constraints_names *names,
    struct x509_constraints_names *permitted,
    struct x509_constraints_names *excluded, int *error);
int x509_constraints_chain(STACK_OF(X509) *chain, int *error,
    int *depth);

__END_HIDDEN_DECLS

#endif