GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: sbin/isakmpd/x509.c Lines: 0 590 0.0 %
Date: 2017-11-07 Branches: 0 415 0.0 %

Line Branch Exec Source
1
/* $OpenBSD: x509.c,v 1.118 2015/01/16 06:39:59 deraadt Exp $	 */
2
/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $	 */
3
4
/*
5
 * Copyright (c) 1998, 1999 Niels Provos.  All rights reserved.
6
 * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist.  All rights reserved.
7
 * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis.  All rights reserved.
8
 *
9
 * Redistribution and use in source and binary forms, with or without
10
 * modification, are permitted provided that the following conditions
11
 * are met:
12
 * 1. Redistributions of source code must retain the above copyright
13
 *    notice, this list of conditions and the following disclaimer.
14
 * 2. Redistributions in binary form must reproduce the above copyright
15
 *    notice, this list of conditions and the following disclaimer in the
16
 *    documentation and/or other materials provided with the distribution.
17
 *
18
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
 */
29
30
/*
31
 * This code was written under funding by Ericsson Radio Systems.
32
 */
33
34
#include <sys/types.h>
35
#include <sys/stat.h>
36
#include <dirent.h>
37
#include <errno.h>
38
#include <fcntl.h>
39
#include <stdio.h>
40
#include <stdlib.h>
41
#include <string.h>
42
#include <unistd.h>
43
#include <limits.h>
44
45
#include <regex.h>
46
#include <keynote.h>
47
48
#include "cert.h"
49
#include "conf.h"
50
#include "exchange.h"
51
#include "hash.h"
52
#include "ike_auth.h"
53
#include "ipsec.h"
54
#include "log.h"
55
#include "dh.h"
56
#include "monitor.h"
57
#include "policy.h"
58
#include "sa.h"
59
#include "util.h"
60
#include "x509.h"
61
62
static u_int16_t x509_hash(u_int8_t *, size_t);
63
static void	 x509_hash_init(void);
64
static X509	*x509_hash_find(u_int8_t *, size_t);
65
static int	 x509_hash_enter(X509 *);
66
67
/*
68
 * X509_STOREs do not support subjectAltNames, so we have to build
69
 * our own hash table.
70
 */
71
72
/*
73
 * XXX Actually this store is not really useful, we never use it as we have
74
 * our own hash table.  It also gets collisions if we have several certificates
75
 * only differing in subjectAltName.
76
 */
77
static X509_STORE *x509_certs = 0;
78
static X509_STORE *x509_cas = 0;
79
80
static int n_x509_cas = 0;
81
82
/* Initial number of bits used as hash.  */
83
#define INITIAL_BUCKET_BITS 6
84
85
struct x509_hash {
86
	LIST_ENTRY(x509_hash) link;
87
88
	X509		*cert;
89
};
90
91
static LIST_HEAD(x509_list, x509_hash) *x509_tab = 0;
92
93
/* Works both as a maximum index and a mask.  */
94
static int	bucket_mask;
95
96
/*
97
 * Given an X509 certificate, create a KeyNote assertion where
98
 * Issuer/Subject -> Authorizer/Licensees.
99
 * XXX RSA-specific.
100
 */
101
int
102
x509_generate_kn(int id, X509 *cert)
103
{
104
	static const char fmt[] = "Authorizer: \"rsa-hex:%s\"\nLicensees: \"rsa-hex:%s"
105
		    "\"\nConditions: %s >= \"%s\" && %s <= \"%s\";\n";
106
	char	*ikey = NULL, *skey = NULL, *buf = NULL;
107
	char	isname[256], subname[256];
108
	static const char fmt2[] = "Authorizer: \"DN:%s\"\nLicensees: \"DN:%s\"\n"
109
		    "Conditions: %s >= \"%s\" && %s <= \"%s\";\n";
110
	X509_NAME *issuer, *subject;
111
	struct keynote_deckey dc;
112
	X509_STORE_CTX csc;
113
	X509_OBJECT obj;
114
	X509	*icert;
115
	RSA	*key = NULL;
116
	time_t	tt;
117
	char	before[15], after[15], *timecomp, *timecomp2;
118
	ASN1_TIME *tm;
119
	int	i;
120
121
	LOG_DBG((LOG_POLICY, 90,
122
	    "x509_generate_kn: generating KeyNote policy for certificate %p",
123
	    cert));
124
125
	issuer = X509_get_issuer_name(cert);
126
	subject = X509_get_subject_name(cert);
127
128
	/* Missing or self-signed, ignore cert but don't report failure.  */
129
	if (!issuer || !subject || !X509_name_cmp(issuer, subject))
130
		return 1;
131
132
	if (!x509_cert_get_key(cert, &key)) {
133
		LOG_DBG((LOG_POLICY, 30,
134
		    "x509_generate_kn: failed to get public key from cert"));
135
		return 0;
136
	}
137
	dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA;
138
	dc.dec_key = key;
139
	ikey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX,
140
	    KEYNOTE_PUBLIC_KEY);
141
	if (keynote_errno == ERROR_MEMORY) {
142
		log_print("x509_generate_kn: failed to get memory for "
143
		    "public key");
144
		LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get "
145
		    "subject key"));
146
		goto fail;
147
	}
148
	if (!ikey) {
149
		LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get "
150
		    "subject key"));
151
		goto fail;
152
	}
153
154
	RSA_free(key);
155
	key = NULL;
156
157
	/* Now find issuer's certificate so we can get the public key.  */
158
	X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
159
	if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) !=
160
	    X509_LU_X509) {
161
		X509_STORE_CTX_cleanup(&csc);
162
		X509_STORE_CTX_init(&csc, x509_certs, cert, NULL);
163
		if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj)
164
		    != X509_LU_X509) {
165
			X509_STORE_CTX_cleanup(&csc);
166
			LOG_DBG((LOG_POLICY, 30,
167
			    "x509_generate_kn: no certificate found for "
168
			    "issuer"));
169
			goto fail;
170
		}
171
	}
172
	X509_STORE_CTX_cleanup(&csc);
173
	icert = obj.data.x509;
174
175
	if (icert == NULL) {
176
		LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: "
177
		    "missing certificates, cannot construct X509 chain"));
178
		goto fail;
179
	}
180
	if (!x509_cert_get_key(icert, &key)) {
181
		LOG_DBG((LOG_POLICY, 30,
182
		    "x509_generate_kn: failed to get public key from cert"));
183
		goto fail;
184
	}
185
	X509_OBJECT_free_contents(&obj);
186
187
	dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA;
188
	dc.dec_key = key;
189
	skey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX,
190
	    KEYNOTE_PUBLIC_KEY);
191
	if (keynote_errno == ERROR_MEMORY) {
192
		log_error("x509_generate_kn: failed to get memory for public "
193
		    "key");
194
		LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer "
195
		    "key"));
196
		goto fail;
197
	}
198
	if (!skey) {
199
		LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer "
200
		    "key"));
201
		goto fail;
202
	}
203
204
	RSA_free(key);
205
	key = NULL;
206
207
	if (((tm = X509_get_notBefore(cert)) == NULL) ||
208
	    (tm->type != V_ASN1_UTCTIME &&
209
		tm->type != V_ASN1_GENERALIZEDTIME)) {
210
		tt = time(0);
211
		strftime(before, 14, "%Y%m%d%H%M%S", localtime(&tt));
212
		timecomp = "LocalTimeOfDay";
213
	} else {
214
		if (tm->data[tm->length - 1] == 'Z') {
215
			timecomp = "GMTTimeOfDay";
216
			i = tm->length - 2;
217
		} else {
218
			timecomp = "LocalTimeOfDay";
219
			i = tm->length - 1;
220
		}
221
222
		for (; i >= 0; i--) {
223
			if (tm->data[i] < '0' || tm->data[i] > '9') {
224
				LOG_DBG((LOG_POLICY, 30,
225
				    "x509_generate_kn: invalid data in "
226
				    "NotValidBefore time field"));
227
				goto fail;
228
			}
229
		}
230
231
		if (tm->type == V_ASN1_UTCTIME) {
232
			if ((tm->length < 10) || (tm->length > 13)) {
233
				LOG_DBG((LOG_POLICY, 30,
234
				    "x509_generate_kn: invalid length "
235
				    "of NotValidBefore time field (%d)",
236
				    tm->length));
237
				goto fail;
238
			}
239
			/* Validity checks.  */
240
			if ((tm->data[2] != '0' && tm->data[2] != '1') ||
241
			    (tm->data[2] == '0' && tm->data[3] == '0') ||
242
			    (tm->data[2] == '1' && tm->data[3] > '2') ||
243
			    (tm->data[4] > '3') ||
244
			    (tm->data[4] == '0' && tm->data[5] == '0') ||
245
			    (tm->data[4] == '3' && tm->data[5] > '1') ||
246
			    (tm->data[6] > '2') ||
247
			    (tm->data[6] == '2' && tm->data[7] > '3') ||
248
			    (tm->data[8] > '5')) {
249
				LOG_DBG((LOG_POLICY, 30,
250
				    "x509_generate_kn: invalid value in "
251
				    "NotValidBefore time field"));
252
				goto fail;
253
			}
254
			/* Stupid UTC tricks.  */
255
			if (tm->data[0] < '5')
256
				snprintf(before, sizeof before, "20%s",
257
				    tm->data);
258
			else
259
				snprintf(before, sizeof before, "19%s",
260
				    tm->data);
261
		} else {	/* V_ASN1_GENERICTIME */
262
			if ((tm->length < 12) || (tm->length > 15)) {
263
				LOG_DBG((LOG_POLICY, 30,
264
				    "x509_generate_kn: invalid length of "
265
				    "NotValidBefore time field (%d)",
266
				    tm->length));
267
				goto fail;
268
			}
269
			/* Validity checks.  */
270
			if ((tm->data[4] != '0' && tm->data[4] != '1') ||
271
			    (tm->data[4] == '0' && tm->data[5] == '0') ||
272
			    (tm->data[4] == '1' && tm->data[5] > '2') ||
273
			    (tm->data[6] > '3') ||
274
			    (tm->data[6] == '0' && tm->data[7] == '0') ||
275
			    (tm->data[6] == '3' && tm->data[7] > '1') ||
276
			    (tm->data[8] > '2') ||
277
			    (tm->data[8] == '2' && tm->data[9] > '3') ||
278
			    (tm->data[10] > '5')) {
279
				LOG_DBG((LOG_POLICY, 30,
280
				    "x509_generate_kn: invalid value in "
281
				    "NotValidBefore time field"));
282
				goto fail;
283
			}
284
			snprintf(before, sizeof before, "%s", tm->data);
285
		}
286
287
		/* Fix missing seconds.  */
288
		if (tm->length < 12) {
289
			before[12] = '0';
290
			before[13] = '0';
291
		}
292
		/* This will overwrite trailing 'Z'.  */
293
		before[14] = '\0';
294
	}
295
296
	tm = X509_get_notAfter(cert);
297
	if (tm == NULL ||
298
	    (tm->type != V_ASN1_UTCTIME &&
299
		tm->type != V_ASN1_GENERALIZEDTIME)) {
300
		tt = time(0);
301
		strftime(after, 14, "%Y%m%d%H%M%S", localtime(&tt));
302
		timecomp2 = "LocalTimeOfDay";
303
	} else {
304
		if (tm->data[tm->length - 1] == 'Z') {
305
			timecomp2 = "GMTTimeOfDay";
306
			i = tm->length - 2;
307
		} else {
308
			timecomp2 = "LocalTimeOfDay";
309
			i = tm->length - 1;
310
		}
311
312
		for (; i >= 0; i--) {
313
			if (tm->data[i] < '0' || tm->data[i] > '9') {
314
				LOG_DBG((LOG_POLICY, 30,
315
				    "x509_generate_kn: invalid data in "
316
				    "NotValidAfter time field"));
317
				goto fail;
318
			}
319
		}
320
321
		if (tm->type == V_ASN1_UTCTIME) {
322
			if ((tm->length < 10) || (tm->length > 13)) {
323
				LOG_DBG((LOG_POLICY, 30,
324
				    "x509_generate_kn: invalid length of "
325
				    "NotValidAfter time field (%d)",
326
				    tm->length));
327
				goto fail;
328
			}
329
			/* Validity checks. */
330
			if ((tm->data[2] != '0' && tm->data[2] != '1') ||
331
			    (tm->data[2] == '0' && tm->data[3] == '0') ||
332
			    (tm->data[2] == '1' && tm->data[3] > '2') ||
333
			    (tm->data[4] > '3') ||
334
			    (tm->data[4] == '0' && tm->data[5] == '0') ||
335
			    (tm->data[4] == '3' && tm->data[5] > '1') ||
336
			    (tm->data[6] > '2') ||
337
			    (tm->data[6] == '2' && tm->data[7] > '3') ||
338
			    (tm->data[8] > '5')) {
339
				LOG_DBG((LOG_POLICY, 30,
340
				    "x509_generate_kn: invalid value in "
341
				    "NotValidAfter time field"));
342
				goto fail;
343
			}
344
			/* Stupid UTC tricks.  */
345
			if (tm->data[0] < '5')
346
				snprintf(after, sizeof after, "20%s",
347
				    tm->data);
348
			else
349
				snprintf(after, sizeof after, "19%s",
350
				    tm->data);
351
		} else {	/* V_ASN1_GENERICTIME */
352
			if ((tm->length < 12) || (tm->length > 15)) {
353
				LOG_DBG((LOG_POLICY, 30,
354
				    "x509_generate_kn: invalid length of "
355
				    "NotValidAfter time field (%d)",
356
				    tm->length));
357
				goto fail;
358
			}
359
			/* Validity checks.  */
360
			if ((tm->data[4] != '0' && tm->data[4] != '1') ||
361
			    (tm->data[4] == '0' && tm->data[5] == '0') ||
362
			    (tm->data[4] == '1' && tm->data[5] > '2') ||
363
			    (tm->data[6] > '3') ||
364
			    (tm->data[6] == '0' && tm->data[7] == '0') ||
365
			    (tm->data[6] == '3' && tm->data[7] > '1') ||
366
			    (tm->data[8] > '2') ||
367
			    (tm->data[8] == '2' && tm->data[9] > '3') ||
368
			    (tm->data[10] > '5')) {
369
				LOG_DBG((LOG_POLICY, 30,
370
				    "x509_generate_kn: invalid value in "
371
				    "NotValidAfter time field"));
372
				goto fail;
373
			}
374
			snprintf(after, sizeof after, "%s", tm->data);
375
		}
376
377
		/* Fix missing seconds.  */
378
		if (tm->length < 12) {
379
			after[12] = '0';
380
			after[13] = '0';
381
		}
382
		after[14] = '\0';	/* This will overwrite trailing 'Z' */
383
	}
384
385
	if (asprintf(&buf, fmt, skey, ikey, timecomp, before, timecomp2,
386
	    after) == -1) {
387
		log_error("x509_generate_kn: "
388
		    "failed to allocate memory for KeyNote credential");
389
		goto fail;
390
	}
391
392
	free(ikey);
393
	ikey = NULL;
394
	free(skey);
395
	skey = NULL;
396
397
	if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) {
398
		LOG_DBG((LOG_POLICY, 30,
399
		    "x509_generate_kn: failed to add new KeyNote credential"));
400
		goto fail;
401
	}
402
	/* We could print the assertion here, but log_print() truncates...  */
403
	LOG_DBG((LOG_POLICY, 60, "x509_generate_kn: added credential"));
404
405
	free(buf);
406
	buf = NULL;
407
408
	if (!X509_NAME_oneline(issuer, isname, 256)) {
409
		LOG_DBG((LOG_POLICY, 50,
410
		    "x509_generate_kn: "
411
		    "X509_NAME_oneline (issuer, ...) failed"));
412
		goto fail;
413
	}
414
	if (!X509_NAME_oneline(subject, subname, 256)) {
415
		LOG_DBG((LOG_POLICY, 50,
416
		    "x509_generate_kn: "
417
		    "X509_NAME_oneline (subject, ...) failed"));
418
		goto fail;
419
	}
420
	if (asprintf(&buf, fmt2, isname, subname, timecomp, before,
421
	    timecomp2, after) == -1) {
422
		log_error("x509_generate_kn: malloc failed");
423
		return 0;
424
	}
425
426
	if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) {
427
		LOG_DBG((LOG_POLICY, 30,
428
		    "x509_generate_kn: failed to add new KeyNote credential"));
429
		goto fail;
430
	}
431
	LOG_DBG((LOG_POLICY, 80, "x509_generate_kn: added credential:\n%s",
432
	    buf));
433
434
	free(buf);
435
	return 1;
436
437
fail:
438
	free(buf);
439
	free(skey);
440
	free(ikey);
441
	if (key)
442
		RSA_free(key);
443
444
	return 0;
445
}
446
447
static u_int16_t
448
x509_hash(u_int8_t *id, size_t len)
449
{
450
	u_int16_t bucket = 0;
451
	size_t	i;
452
453
	/* XXX We might resize if we are crossing a certain threshold.  */
454
	for (i = 4; i < (len & ~1); i += 2) {
455
		/* Doing it this way avoids alignment problems.  */
456
		bucket ^= (id[i] + 1) * (id[i + 1] + 257);
457
	}
458
	/* Hash in the last character of odd length IDs too.  */
459
	if (i < len)
460
		bucket ^= (id[i] + 1) * (id[i] + 257);
461
462
	bucket &= bucket_mask;
463
	return bucket;
464
}
465
466
static void
467
x509_hash_init(void)
468
{
469
	struct x509_hash *certh;
470
	int	i;
471
472
	bucket_mask = (1 << INITIAL_BUCKET_BITS) - 1;
473
474
	/* If reinitializing, free existing entries.  */
475
	if (x509_tab) {
476
		for (i = 0; i <= bucket_mask; i++)
477
			for (certh = LIST_FIRST(&x509_tab[i]); certh;
478
			    certh = LIST_FIRST(&x509_tab[i])) {
479
				LIST_REMOVE(certh, link);
480
				free(certh);
481
			}
482
		free(x509_tab);
483
	}
484
	x509_tab = calloc(bucket_mask + 1, sizeof(struct x509_list));
485
	if (!x509_tab)
486
		log_fatal("x509_hash_init: malloc (%lu) failed",
487
		    (bucket_mask + 1) *
488
		    (unsigned long)sizeof(struct x509_list));
489
	for (i = 0; i <= bucket_mask; i++) {
490
		LIST_INIT(&x509_tab[i]);
491
	}
492
}
493
494
/* Lookup a certificate by an ID blob.  */
495
static X509 *
496
x509_hash_find(u_int8_t *id, size_t len)
497
{
498
	struct x509_hash *cert;
499
	u_int8_t	**cid;
500
	u_int32_t	*clen;
501
	int	n, i, id_found;
502
503
	for (cert = LIST_FIRST(&x509_tab[x509_hash(id, len)]); cert;
504
	    cert = LIST_NEXT(cert, link)) {
505
		if (!x509_cert_get_subjects(cert->cert, &n, &cid, &clen))
506
			continue;
507
508
		id_found = 0;
509
		for (i = 0; i < n; i++) {
510
			LOG_DBG_BUF((LOG_CRYPTO, 70, "cert_cmp", id, len));
511
			LOG_DBG_BUF((LOG_CRYPTO, 70, "cert_cmp", cid[i],
512
			    clen[i]));
513
			/*
514
			 * XXX This identity predicate needs to be
515
			 * understood.
516
			 */
517
			if (clen[i] == len && id[0] == cid[i][0] &&
518
			    memcmp(id + 4, cid[i] + 4, len - 4) == 0) {
519
				id_found++;
520
				break;
521
			}
522
		}
523
		cert_free_subjects(n, cid, clen);
524
		if (!id_found)
525
			continue;
526
527
		LOG_DBG((LOG_CRYPTO, 70, "x509_hash_find: return X509 %p",
528
		    cert->cert));
529
		return cert->cert;
530
	}
531
532
	LOG_DBG((LOG_CRYPTO, 70,
533
	    "x509_hash_find: no certificate matched query"));
534
	return 0;
535
}
536
537
static int
538
x509_hash_enter(X509 *cert)
539
{
540
	u_int16_t	bucket = 0;
541
	u_int8_t	**id;
542
	u_int32_t	*len;
543
	struct x509_hash *certh;
544
	int	n, i;
545
546
	if (!x509_cert_get_subjects(cert, &n, &id, &len)) {
547
		log_print("x509_hash_enter: cannot retrieve subjects");
548
		return 0;
549
	}
550
	for (i = 0; i < n; i++) {
551
		certh = calloc(1, sizeof *certh);
552
		if (!certh) {
553
			cert_free_subjects(n, id, len);
554
			log_error("x509_hash_enter: calloc (1, %lu) failed",
555
			    (unsigned long)sizeof *certh);
556
			return 0;
557
		}
558
		certh->cert = cert;
559
560
		bucket = x509_hash(id[i], len[i]);
561
562
		LIST_INSERT_HEAD(&x509_tab[bucket], certh, link);
563
		LOG_DBG((LOG_CRYPTO, 70,
564
		    "x509_hash_enter: cert %p added to bucket %d",
565
		    cert, bucket));
566
	}
567
	cert_free_subjects(n, id, len);
568
569
	return 1;
570
}
571
572
/* X509 Certificate Handling functions.  */
573
574
int
575
x509_read_from_dir(X509_STORE *ctx, char *name, int hash, int *pcount)
576
{
577
	FILE		*certfp;
578
	X509		*cert;
579
	struct stat	sb;
580
	char		fullname[PATH_MAX];
581
	char		file[PATH_MAX];
582
	int		fd;
583
584
	if (strlen(name) >= sizeof fullname - 1) {
585
		log_print("x509_read_from_dir: directory name too long");
586
		return 0;
587
	}
588
	LOG_DBG((LOG_CRYPTO, 40, "x509_read_from_dir: reading certs from %s",
589
	    name));
590
591
	if (monitor_req_readdir(name) == -1) {
592
		LOG_DBG((LOG_CRYPTO, 10,
593
		    "x509_read_from_dir: opendir (\"%s\") failed: %s",
594
		    name, strerror(errno)));
595
		return 0;
596
	}
597
598
	while ((fd = monitor_readdir(file, sizeof file)) != -1) {
599
		LOG_DBG((LOG_CRYPTO, 60,
600
		    "x509_read_from_dir: reading certificate %s",
601
		    file));
602
603
		if (fstat(fd, &sb) == -1) {
604
			log_error("x509_read_from_dir: fstat failed");
605
			close(fd);
606
			continue;
607
		}
608
609
		if (!S_ISREG(sb.st_mode)) {
610
			close(fd);
611
			continue;
612
		}
613
614
		if ((certfp = fdopen(fd, "r")) == NULL) {
615
			log_error("x509_read_from_dir: fdopen failed");
616
			close(fd);
617
			continue;
618
		}
619
620
#if SSLEAY_VERSION_NUMBER >= 0x00904100L
621
		cert = PEM_read_X509(certfp, NULL, NULL, NULL);
622
#else
623
		cert = PEM_read_X509(certfp, NULL, NULL);
624
#endif
625
		fclose(certfp);
626
627
		if (cert == NULL) {
628
			log_print("x509_read_from_dir: PEM_read_X509 "
629
			    "failed for %s", file);
630
			continue;
631
		}
632
633
		if (pcount != NULL)
634
			(*pcount)++;
635
636
		if (!X509_STORE_add_cert(ctx, cert)) {
637
			/*
638
			 * This is actually expected if we have several
639
			 * certificates only differing in subjectAltName,
640
			 * which is not an something that is strange.
641
			 * Consider multi-homed machines.
642
			*/
643
			LOG_DBG((LOG_CRYPTO, 50,
644
			    "x509_read_from_dir: X509_STORE_add_cert failed "
645
			    "for %s", file));
646
		}
647
		if (hash)
648
			if (!x509_hash_enter(cert))
649
				log_print("x509_read_from_dir: "
650
				    "x509_hash_enter (%s) failed",
651
				    file);
652
	}
653
654
	return 1;
655
}
656
657
/* XXX share code with x509_read_from_dir() ?  */
658
int
659
x509_read_crls_from_dir(X509_STORE *ctx, char *name)
660
{
661
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
662
	FILE		*crlfp;
663
	X509_CRL	*crl;
664
	struct stat	sb;
665
	char		fullname[PATH_MAX];
666
	char		file[PATH_MAX];
667
	int		fd, off, size;
668
669
	if (strlen(name) >= sizeof fullname - 1) {
670
		log_print("x509_read_crls_from_dir: directory name too long");
671
		return 0;
672
	}
673
	LOG_DBG((LOG_CRYPTO, 40, "x509_read_crls_from_dir: reading CRLs "
674
	    "from %s", name));
675
676
	if (monitor_req_readdir(name) == -1) {
677
		LOG_DBG((LOG_CRYPTO, 10, "x509_read_crls_from_dir: opendir "
678
		    "(\"%s\") failed: %s", name, strerror(errno)));
679
		return 0;
680
	}
681
	strlcpy(fullname, name, sizeof fullname);
682
	off = strlen(fullname);
683
	size = sizeof fullname - off;
684
685
	while ((fd = monitor_readdir(file, sizeof file)) != -1) {
686
		LOG_DBG((LOG_CRYPTO, 60, "x509_read_crls_from_dir: reading "
687
		    "CRL %s", file));
688
689
		if (fstat(fd, &sb) == -1) {
690
			log_error("x509_read_crls_from_dir: fstat failed");
691
			close(fd);
692
			continue;
693
		}
694
695
		if (!S_ISREG(sb.st_mode)) {
696
			close(fd);
697
			continue;
698
		}
699
700
		if ((crlfp = fdopen(fd, "r")) == NULL) {
701
			log_error("x509_read_crls_from_dir: fdopen failed");
702
			close(fd);
703
			continue;
704
		}
705
706
		crl = PEM_read_X509_CRL(crlfp, NULL, NULL, NULL);
707
708
		fclose(crlfp);
709
710
		if (crl == NULL) {
711
			log_print("x509_read_crls_from_dir: "
712
			    "PEM_read_X509_CRL failed for %s",
713
			    file);
714
			continue;
715
		}
716
		if (!X509_STORE_add_crl(ctx, crl)) {
717
			LOG_DBG((LOG_CRYPTO, 50, "x509_read_crls_from_dir: "
718
			    "X509_STORE_add_crl failed for %s", file));
719
			continue;
720
		}
721
		/*
722
		 * XXX This is to make x509_cert_validate set this (and
723
		 * XXX another) flag when validating certificates. Currently,
724
		 * XXX OpenSSL defaults to reject an otherwise valid
725
		 * XXX certificate (chain) if these flags are set but there
726
		 * XXX are no CRLs to check. The current workaround is to only
727
		 * XXX set the flags if we actually loaded some CRL data.
728
		 */
729
		X509_STORE_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
730
	}
731
732
#endif				/* OPENSSL_VERSION_NUMBER >= 0x00907000L */
733
734
	return 1;
735
}
736
737
/* Initialize our databases and load our own certificates.  */
738
int
739
x509_cert_init(void)
740
{
741
	char	*dirname;
742
743
	x509_hash_init();
744
745
	/* Process CA certificates we will trust.  */
746
	dirname = conf_get_str("X509-certificates", "CA-directory");
747
	if (!dirname) {
748
		log_print("x509_cert_init: no CA-directory");
749
		return 0;
750
	}
751
	/* Free if already initialized.  */
752
	if (x509_cas)
753
		X509_STORE_free(x509_cas);
754
755
	x509_cas = X509_STORE_new();
756
	if (!x509_cas) {
757
		log_print("x509_cert_init: creating new X509_STORE failed");
758
		return 0;
759
	}
760
	if (!x509_read_from_dir(x509_cas, dirname, 0, &n_x509_cas)) {
761
		log_print("x509_cert_init: x509_read_from_dir failed");
762
		return 0;
763
	}
764
	/* Process client certificates we will accept.  */
765
	dirname = conf_get_str("X509-certificates", "Cert-directory");
766
	if (!dirname) {
767
		log_print("x509_cert_init: no Cert-directory");
768
		return 0;
769
	}
770
	/* Free if already initialized.  */
771
	if (x509_certs)
772
		X509_STORE_free(x509_certs);
773
774
	x509_certs = X509_STORE_new();
775
	if (!x509_certs) {
776
		log_print("x509_cert_init: creating new X509_STORE failed");
777
		return 0;
778
	}
779
	if (!x509_read_from_dir(x509_certs, dirname, 1, NULL)) {
780
		log_print("x509_cert_init: x509_read_from_dir failed");
781
		return 0;
782
	}
783
	return 1;
784
}
785
786
int
787
x509_crl_init(void)
788
{
789
	/*
790
	 * XXX I'm not sure if the method to use CRLs in certificate validation
791
	 * is valid for OpenSSL versions prior to 0.9.7. For now, simply do not
792
	 * support it.
793
	 */
794
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
795
	char	*dirname;
796
	dirname = conf_get_str("X509-certificates", "CRL-directory");
797
	if (!dirname) {
798
		log_print("x509_crl_init: no CRL-directory");
799
		return 0;
800
	}
801
	if (!x509_read_crls_from_dir(x509_cas, dirname)) {
802
		LOG_DBG((LOG_MISC, 10,
803
		    "x509_crl_init: x509_read_crls_from_dir failed"));
804
		return 0;
805
	}
806
#else
807
	LOG_DBG((LOG_CRYPTO, 10, "x509_crl_init: CRL support only "
808
	    "with OpenSSL v0.9.7 or later"));
809
#endif
810
811
	return 1;
812
}
813
814
void *
815
x509_cert_get(u_int8_t *asn, u_int32_t len)
816
{
817
	return x509_from_asn(asn, len);
818
}
819
820
int
821
x509_cert_validate(void *scert)
822
{
823
	X509_STORE_CTX	csc;
824
	X509_NAME	*issuer, *subject;
825
	X509		*cert = (X509 *) scert;
826
	EVP_PKEY	*key;
827
	int		res, err;
828
829
	/*
830
	 * Validate the peer certificate by checking with the CA certificates
831
	 * we trust.
832
	 */
833
	X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
834
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
835
	/* XXX See comment in x509_read_crls_from_dir.  */
836
	if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
837
		X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
838
		X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
839
	}
840
#elif OPENSSL_VERSION_NUMBER >= 0x00907000L
841
	/* XXX See comment in x509_read_crls_from_dir.  */
842
	if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
843
		X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
844
		X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
845
	}
846
#endif
847
	res = X509_verify_cert(&csc);
848
	err = csc.error;
849
	X509_STORE_CTX_cleanup(&csc);
850
851
	/*
852
	 * Return if validation succeeded or self-signed certs are not
853
	 * accepted.
854
	 *
855
	 * XXX X509_verify_cert seems to return -1 if the validation should be
856
	 * retried somehow.  We take this as an error and give up.
857
	 */
858
	if (res > 0)
859
		return 1;
860
	else if (res < 0 ||
861
	    (res == 0 && err != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
862
		if (err)
863
			log_print("x509_cert_validate: %.100s",
864
			    X509_verify_cert_error_string(err));
865
		return 0;
866
	} else if (!conf_get_str("X509-certificates", "Accept-self-signed")) {
867
		if (err)
868
			log_print("x509_cert_validate: %.100s",
869
			    X509_verify_cert_error_string(err));
870
		return 0;
871
	}
872
	issuer = X509_get_issuer_name(cert);
873
	subject = X509_get_subject_name(cert);
874
875
	if (!issuer || !subject || X509_name_cmp(issuer, subject))
876
		return 0;
877
878
	key = X509_get_pubkey(cert);
879
	if (!key) {
880
		log_print("x509_cert_validate: could not get public key from "
881
		    "self-signed cert");
882
		return 0;
883
	}
884
	if (X509_verify(cert, key) == -1) {
885
		log_print("x509_cert_validate: self-signed cert is bad");
886
		return 0;
887
	}
888
	return 1;
889
}
890
891
int
892
x509_cert_insert(int id, void *scert)
893
{
894
	X509	*cert;
895
	int	 res;
896
897
	cert = X509_dup((X509 *)scert);
898
	if (!cert) {
899
		log_print("x509_cert_insert: X509_dup failed");
900
		return 0;
901
	}
902
	if (x509_generate_kn(id, cert) == 0) {
903
		LOG_DBG((LOG_POLICY, 50,
904
		    "x509_cert_insert: x509_generate_kn failed"));
905
		X509_free(cert);
906
		return 0;
907
	}
908
909
	res = x509_hash_enter(cert);
910
	if (!res)
911
		X509_free(cert);
912
913
	return res;
914
}
915
916
static struct x509_hash *
917
x509_hash_lookup(X509 *cert)
918
{
919
	struct x509_hash *certh;
920
	int	i;
921
922
	for (i = 0; i <= bucket_mask; i++)
923
		for (certh = LIST_FIRST(&x509_tab[i]); certh;
924
		    certh = LIST_NEXT(certh, link))
925
			if (certh->cert == cert)
926
				return certh;
927
	return 0;
928
}
929
930
void
931
x509_cert_free(void *cert)
932
{
933
	struct x509_hash *certh = x509_hash_lookup((X509 *) cert);
934
935
	if (certh)
936
		LIST_REMOVE(certh, link);
937
	X509_free((X509 *) cert);
938
}
939
940
/* Validate the BER Encoding of a RDNSequence in the CERT_REQ payload.  */
941
int
942
x509_certreq_validate(u_int8_t *asn, u_int32_t len)
943
{
944
	int	res = 1;
945
#if 0
946
	struct norm_type name = SEQOF("issuer", RDNSequence);
947
948
	if (!asn_template_clone(&name, 1) ||
949
	    (asn = asn_decode_sequence(asn, len, &name)) == 0) {
950
		log_print("x509_certreq_validate: can not decode 'acceptable "
951
		    "CA' info");
952
		res = 0;
953
	}
954
	asn_free(&name);
955
#endif
956
957
	/* XXX - not supported directly in SSL - later.  */
958
959
	return res;
960
}
961
962
/* Decode the BER Encoding of a RDNSequence in the CERT_REQ payload.  */
963
int
964
x509_certreq_decode(void **pdata, u_int8_t *asn, u_int32_t len)
965
{
966
#if 0
967
	/* XXX This needs to be done later.  */
968
	struct norm_type aca = SEQOF("aca", RDNSequence);
969
	struct norm_type *tmp;
970
	struct x509_aca naca, *ret;
971
972
	if (!asn_template_clone(&aca, 1) ||
973
	    (asn = asn_decode_sequence(asn, len, &aca)) == 0) {
974
		log_print("x509_certreq_decode: can not decode 'acceptable "
975
		    "CA' info");
976
		goto fail;
977
	}
978
	bzero(&naca, sizeof(naca));
979
980
	tmp = asn_decompose("aca.RelativeDistinguishedName."
981
	    "AttributeValueAssertion", &aca);
982
	if (!tmp)
983
		goto fail;
984
	x509_get_attribval(tmp, &naca.name1);
985
986
	tmp = asn_decompose("aca.RelativeDistinguishedName[1]"
987
	    ".AttributeValueAssertion", &aca);
988
	if (tmp)
989
		x509_get_attribval(tmp, &naca.name2);
990
991
	asn_free(&aca);
992
993
	ret = malloc(sizeof(struct x509_aca));
994
	if (ret)
995
		memcpy(ret, &naca, sizeof(struct x509_aca));
996
	else {
997
		log_error("x509_certreq_decode: malloc (%lu) failed",
998
		    (unsigned long) sizeof(struct x509_aca));
999
		x509_free_aca(&aca);
1000
	}
1001
1002
	return ret;
1003
1004
fail:
1005
	asn_free(&aca);
1006
#endif
1007
	return 1;
1008
}
1009
1010
void
1011
x509_free_aca(void *blob)
1012
{
1013
	struct x509_aca *aca = blob;
1014
1015
	if (aca != NULL) {
1016
		free(aca->name1.type);
1017
		free(aca->name1.val);
1018
1019
		free(aca->name2.type);
1020
		free(aca->name2.val);
1021
	}
1022
}
1023
1024
X509 *
1025
x509_from_asn(u_char *asn, u_int len)
1026
{
1027
	BIO		*certh;
1028
	X509		*scert = 0;
1029
1030
	certh = BIO_new(BIO_s_mem());
1031
	if (!certh) {
1032
		log_error("x509_from_asn: BIO_new (BIO_s_mem ()) failed");
1033
		return 0;
1034
	}
1035
	if (BIO_write(certh, asn, len) == -1) {
1036
		log_error("x509_from_asn: BIO_write failed\n");
1037
		goto end;
1038
	}
1039
	scert = d2i_X509_bio(certh, NULL);
1040
	if (!scert) {
1041
		log_print("x509_from_asn: d2i_X509_bio failed\n");
1042
		goto end;
1043
	}
1044
end:
1045
	BIO_free(certh);
1046
	return scert;
1047
}
1048
1049
/*
1050
 * Obtain a certificate from an acceptable CA.
1051
 * XXX We don't check if the certificate we find is from an accepted CA.
1052
 */
1053
int
1054
x509_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
1055
    u_int32_t *certlen)
1056
{
1057
	struct x509_aca *aca = data;
1058
	X509		*scert;
1059
1060
	if (aca)
1061
		LOG_DBG((LOG_CRYPTO, 60, "x509_cert_obtain: "
1062
		    "acceptable certificate authorities here"));
1063
1064
	/* We need our ID to find a certificate.  */
1065
	if (!id) {
1066
		log_print("x509_cert_obtain: ID is missing");
1067
		return 0;
1068
	}
1069
	scert = x509_hash_find(id, id_len);
1070
	if (!scert)
1071
		return 0;
1072
1073
	x509_serialize(scert, cert, certlen);
1074
	if (!*cert)
1075
		return 0;
1076
	return 1;
1077
}
1078
1079
/* Returns a pointer to the subjectAltName information of X509 certificate.  */
1080
int
1081
x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len)
1082
{
1083
	X509_EXTENSION	*subjectaltname;
1084
	u_int8_t	*sandata;
1085
	int		extpos, santype, sanlen;
1086
1087
	extpos = X509_get_ext_by_NID(scert, NID_subject_alt_name, -1);
1088
	if (extpos == -1) {
1089
		log_print("x509_cert_subjectaltname: "
1090
		    "certificate does not contain subjectAltName");
1091
		return 0;
1092
	}
1093
	subjectaltname = X509_get_ext(scert, extpos);
1094
1095
	if (!subjectaltname || !subjectaltname->value ||
1096
	    !subjectaltname->value->data ||
1097
	    subjectaltname->value->length < 4) {
1098
		log_print("x509_cert_subjectaltname: invalid "
1099
		    "subjectaltname extension");
1100
		return 0;
1101
	}
1102
	/* SSL does not handle unknown ASN stuff well, do it by hand.  */
1103
	sandata = subjectaltname->value->data;
1104
	santype = sandata[2] & 0x3f;
1105
	sanlen = sandata[3];
1106
	sandata += 4;
1107
1108
	/*
1109
	 * The test here used to be !=, but some certificates can include
1110
	 * extra stuff in subjectAltName, so we will just take the first
1111
	 * salen bytes, and not worry about what follows.
1112
	 */
1113
	if (sanlen + 4 > subjectaltname->value->length) {
1114
		log_print("x509_cert_subjectaltname: subjectaltname invalid "
1115
		    "length");
1116
		return 0;
1117
	}
1118
	*len = sanlen;
1119
	*altname = sandata;
1120
	return santype;
1121
}
1122
1123
int
1124
x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id,
1125
    u_int32_t **id_len)
1126
{
1127
	X509		*cert = scert;
1128
	X509_NAME	*subject;
1129
	int		type;
1130
	u_int8_t	*altname;
1131
	u_int32_t	altlen;
1132
	u_int8_t	*buf = 0;
1133
	unsigned char	*ubuf;
1134
	int		i;
1135
1136
	*id = 0;
1137
	*id_len = 0;
1138
1139
	/*
1140
	 * XXX There can be a collection of subjectAltNames, but for now I
1141
	 * only return the subjectName and a single subjectAltName, if
1142
	 * present.
1143
	 */
1144
	type = x509_cert_subjectaltname(cert, &altname, &altlen);
1145
	if (!type) {
1146
		*cnt = 1;
1147
		altlen = 0;
1148
	} else
1149
		*cnt = 2;
1150
1151
	*id = calloc(*cnt, sizeof **id);
1152
	if (!*id) {
1153
		log_print("x509_cert_get_subject: malloc (%lu) failed",
1154
		    *cnt * (unsigned long)sizeof **id);
1155
		*cnt = 0;
1156
		goto fail;
1157
	}
1158
	*id_len = calloc(*cnt, sizeof **id_len);
1159
	if (!*id_len) {
1160
		log_print("x509_cert_get_subject: malloc (%lu) failed",
1161
		    *cnt * (unsigned long)sizeof **id_len);
1162
		goto fail;
1163
	}
1164
	/* Stash the subjectName into the first slot.  */
1165
	subject = X509_get_subject_name(cert);
1166
	if (!subject)
1167
		goto fail;
1168
1169
	(*id_len)[0] =
1170
		ISAKMP_ID_DATA_OFF + i2d_X509_NAME(subject, NULL) -
1171
		    ISAKMP_GEN_SZ;
1172
	(*id)[0] = malloc((*id_len)[0]);
1173
	if (!(*id)[0]) {
1174
		log_print("x509_cert_get_subject: malloc (%d) failed",
1175
		    (*id_len)[0]);
1176
		goto fail;
1177
	}
1178
	SET_ISAKMP_ID_TYPE((*id)[0] - ISAKMP_GEN_SZ, IPSEC_ID_DER_ASN1_DN);
1179
	ubuf = (*id)[0] + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
1180
	i2d_X509_NAME(subject, &ubuf);
1181
1182
	if (altlen) {
1183
		/* Stash the subjectAltName into the second slot.  */
1184
		buf = malloc(altlen + ISAKMP_ID_DATA_OFF);
1185
		if (!buf) {
1186
			log_print("x509_cert_get_subject: malloc (%d) failed",
1187
			    altlen + ISAKMP_ID_DATA_OFF);
1188
			goto fail;
1189
		}
1190
		switch (type) {
1191
		case X509v3_DNS_NAME:
1192
			SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_FQDN);
1193
			break;
1194
1195
		case X509v3_RFC_NAME:
1196
			SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_USER_FQDN);
1197
			break;
1198
1199
		case X509v3_IP_ADDR:
1200
			/*
1201
			 * XXX I dislike the numeric constants, but I don't
1202
			 * know what we should use otherwise.
1203
			 */
1204
			switch (altlen) {
1205
			case 4:
1206
				SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_IPV4_ADDR);
1207
				break;
1208
1209
			case 16:
1210
				SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_IPV6_ADDR);
1211
				break;
1212
1213
			default:
1214
				log_print("x509_cert_get_subject: invalid "
1215
				    "subjectAltName IPaddress length %d ",
1216
				    altlen);
1217
				goto fail;
1218
			}
1219
			break;
1220
		}
1221
1222
		SET_IPSEC_ID_PROTO(buf + ISAKMP_ID_DOI_DATA_OFF, 0);
1223
		SET_IPSEC_ID_PORT(buf + ISAKMP_ID_DOI_DATA_OFF, 0);
1224
		memcpy(buf + ISAKMP_ID_DATA_OFF, altname, altlen);
1225
1226
		(*id_len)[1] = ISAKMP_ID_DATA_OFF + altlen - ISAKMP_GEN_SZ;
1227
		(*id)[1] = malloc((*id_len)[1]);
1228
		if (!(*id)[1]) {
1229
			log_print("x509_cert_get_subject: malloc (%d) failed",
1230
			    (*id_len)[1]);
1231
			goto fail;
1232
		}
1233
		memcpy((*id)[1], buf + ISAKMP_GEN_SZ, (*id_len)[1]);
1234
1235
		free(buf);
1236
		buf = 0;
1237
	}
1238
	return 1;
1239
1240
fail:
1241
	for (i = 0; i < *cnt; i++)
1242
		free((*id)[i]);
1243
	free(*id);
1244
	free(*id_len);
1245
	free(buf);
1246
	return 0;
1247
}
1248
1249
int
1250
x509_cert_get_key(void *scert, void *keyp)
1251
{
1252
	X509		*cert = scert;
1253
	EVP_PKEY	*key;
1254
1255
	key = X509_get_pubkey(cert);
1256
1257
	/* Check if we got the right key type.  */
1258
	if (key->type != EVP_PKEY_RSA) {
1259
		log_print("x509_cert_get_key: public key is not a RSA key");
1260
		X509_free(cert);
1261
		return 0;
1262
	}
1263
	*(RSA **)keyp = RSAPublicKey_dup(key->pkey.rsa);
1264
1265
	return *(RSA **)keyp == NULL ? 0 : 1;
1266
}
1267
1268
void *
1269
x509_cert_dup(void *scert)
1270
{
1271
	return X509_dup(scert);
1272
}
1273
1274
void
1275
x509_serialize(void *scert, u_int8_t **data, u_int32_t *datalen)
1276
{
1277
	u_int8_t	*p;
1278
1279
	*datalen = i2d_X509((X509 *)scert, NULL);
1280
	*data = p = malloc(*datalen);
1281
	if (!p) {
1282
		log_error("x509_serialize: malloc (%d) failed", *datalen);
1283
		return;
1284
	}
1285
	*datalen = i2d_X509((X509 *)scert, &p);
1286
}
1287
1288
/* From cert to printable */
1289
char *
1290
x509_printable(void *cert)
1291
{
1292
	char		*s;
1293
	u_int8_t	*data;
1294
	u_int32_t	datalen;
1295
1296
	x509_serialize(cert, &data, &datalen);
1297
	if (!data)
1298
		return 0;
1299
1300
	s = raw2hex(data, datalen);
1301
	free(data);
1302
	return s;
1303
}
1304
1305
/* From printable to cert */
1306
void *
1307
x509_from_printable(char *cert)
1308
{
1309
	u_int8_t	*buf;
1310
	int		plen, ret;
1311
	void		*foo;
1312
1313
	plen = (strlen(cert) + 1) / 2;
1314
	buf = malloc(plen);
1315
	if (!buf) {
1316
		log_error("x509_from_printable: malloc (%d) failed", plen);
1317
		return 0;
1318
	}
1319
	ret = hex2raw(cert, buf, plen);
1320
	if (ret == -1) {
1321
		free(buf);
1322
		log_print("x509_from_printable: badly formatted cert");
1323
		return 0;
1324
	}
1325
	foo = x509_cert_get(buf, plen);
1326
	free(buf);
1327
	if (!foo)
1328
		log_print("x509_from_printable: "
1329
		    "could not retrieve certificate");
1330
	return foo;
1331
}
1332
1333
char *
1334
x509_DN_string(u_int8_t *asn1, size_t sz)
1335
{
1336
	X509_NAME	*name;
1337
	const u_int8_t	*p = asn1;
1338
	char		buf[256];	/* XXX Just a guess at a maximum length.  */
1339
	long len = sz;
1340
1341
	name = d2i_X509_NAME(NULL, &p, len);
1342
	if (!name) {
1343
		log_print("x509_DN_string: d2i_X509_NAME failed");
1344
		return 0;
1345
	}
1346
	if (!X509_NAME_oneline(name, buf, sizeof buf - 1)) {
1347
		log_print("x509_DN_string: X509_NAME_oneline failed");
1348
		X509_NAME_free(name);
1349
		return 0;
1350
	}
1351
	X509_NAME_free(name);
1352
	buf[sizeof buf - 1] = '\0';
1353
	return strdup(buf);
1354
}
1355
1356
/* Number of CAs we trust (to decide whether we can send CERT_REQ) */
1357
int
1358
x509_ca_count(void)
1359
{
1360
	return n_x509_cas;
1361
}