OpenCoverage

x509_vfy.c

Absolute File Name:

/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/x509/x509_vfy.c

Source code

Switch to Preprocessed file

Line Source Count

1 /* -

3 * -

4 * Licensed under the OpenSSL license (the "License"). You may not use -

5 * this file except in compliance with the License. You can obtain a copy -

6 * in the file LICENSE in the source distribution or at -

7 * https://www.openssl.org/source/license.html -

8 */ -

9 -

10 #include <stdio.h> -

11 #include <time.h> -

12 #include <errno.h> -

13 #include <limits.h> -

14 -

15 #include "internal/ctype.h" -

16 #include "internal/cryptlib.h" -

17 #include <openssl/crypto.h> -

18 #include <openssl/buffer.h> -

19 #include <openssl/evp.h> -

20 #include <openssl/asn1.h> -

21 #include <openssl/x509.h> -

22 #include <openssl/x509v3.h> -

23 #include <openssl/objects.h> -

24 #include "internal/dane.h" -

25 #include "internal/x509_int.h" -

26 #include "x509_lcl.h" -

27 -

28 /* CRL score values */ -

29 -

30 /* No unhandled critical extensions */ -

31 -

32 #define CRL_SCORE_NOCRITICAL 0x100 -

33 -

34 /* certificate is within CRL scope */ -

35 -

36 #define CRL_SCORE_SCOPE 0x080 -

37 -

38 /* CRL times valid */ -

39 -

40 #define CRL_SCORE_TIME 0x040 -

41 -

42 /* Issuer name matches certificate */ -

43 -

44 #define CRL_SCORE_ISSUER_NAME 0x020 -

45 -

46 /* If this score or above CRL is probably valid */ -

47 -

48 #define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE) -

49 -

50 /* CRL issuer is certificate issuer */ -

51 -

52 #define CRL_SCORE_ISSUER_CERT 0x018 -

53 -

54 /* CRL issuer is on certificate path */ -

55 -

56 #define CRL_SCORE_SAME_PATH 0x008 -

57 -

58 /* CRL issuer matches CRL AKID */ -

59 -

60 #define CRL_SCORE_AKID 0x004 -

61 -

62 /* Have a delta CRL with valid times */ -

63 -

64 #define CRL_SCORE_TIME_DELTA 0x002 -

65 -

66 static int build_chain(X509_STORE_CTX *ctx); -

67 static int verify_chain(X509_STORE_CTX *ctx); -

68 static int dane_verify(X509_STORE_CTX *ctx); -

69 static int null_callback(int ok, X509_STORE_CTX *e); -

70 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); -

71 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); -

72 static int check_chain_extensions(X509_STORE_CTX *ctx); -

73 static int check_name_constraints(X509_STORE_CTX *ctx); -

74 static int check_id(X509_STORE_CTX *ctx); -

75 static int check_trust(X509_STORE_CTX *ctx, int num_untrusted); -

76 static int check_revocation(X509_STORE_CTX *ctx); -

77 static int check_cert(X509_STORE_CTX *ctx); -

78 static int check_policy(X509_STORE_CTX *ctx); -

79 static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); -

80 static int check_dane_issuer(X509_STORE_CTX *ctx, int depth); -

81 static int check_key_level(X509_STORE_CTX *ctx, X509 *cert); -

82 static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert); -

83 -

84 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, -

85 unsigned int *preasons, X509_CRL *crl, X509 *x); -

86 static int get_crl_delta(X509_STORE_CTX *ctx, -

87 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); -

88 static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, -

89 int *pcrl_score, X509_CRL *base, -

90 STACK_OF(X509_CRL) *crls); -

91 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, -

92 int *pcrl_score); -

93 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, -

94 unsigned int *preasons); -

95 static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); -

96 static int check_crl_chain(X509_STORE_CTX *ctx, -

97 STACK_OF(X509) *cert_path, -

98 STACK_OF(X509) *crl_path); -

99 -

100 static int internal_verify(X509_STORE_CTX *ctx); -

101 -

102 static int null_callback(int ok, X509_STORE_CTX *e) -

103 { -

104

return ok;

executed 5718 times by 1 test: return ok;

Executed by:

libcrypto.so.1.1

5718

105 } -

106 -

107 /* Return 1 is a certificate is self signed */ -

108 static int cert_self_signed(X509 *x) -

109 { -

110 /* -

111 * FIXME: x509v3_cache_extensions() needs to detect more failures and not -

112 * set EXFLAG_SET when that happens. Especially, if the failures are -

113 * parse errors, rather than memory pressure! -

114 */ -

115 X509_check_purpose(x, -1, 0); -

116

if (x->ex_flags & EXFLAG_SS)

x->ex_flags & 0x2000	Description
TRUE	evaluated 2474 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 8506 times by 1 test Evaluated by: libcrypto.so.1.1

2474-8506

117

return 1;

executed 2474 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

2474

118 else -

119

return 0;

executed 8506 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

8506

120 } -

121 -

122 /* Given a certificate try and find an exact match in the store */ -

123 -

124 static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) -

125 { -

126 STACK_OF(X509) *certs; -

127 X509 *xtmp = NULL; -

128 int i; -

129 /* Lookup all certs with matching subject name */ -

130 certs = ctx->lookup_certs(ctx, X509_get_subject_name(x)); -

131

if (certs == NULL)

certs == ((void *)0)	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 12 times by 1 test Evaluated by: libcrypto.so.1.1

5-12

132

return NULL;

executed 5 times by 1 test: return ((void *)0) ;

Executed by:

libcrypto.so.1.1

133 /* Look for exact match */ -

134

for (i = 0; i < sk_X509_num(certs); i++) {

i < sk_X509_num(certs)	Description
TRUE	evaluated 12 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-12

135 xtmp = sk_X509_value(certs, i); -

136

if (!X509_cmp(xtmp, x))

!X509_cmp(xtmp, x)	Description
TRUE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-11

137

break;

executed 11 times by 1 test: break;

Executed by:

libcrypto.so.1.1

138

}

executed 1 time by 1 test: end of block

Executed by:

libcrypto.so.1.1

139

if (i < sk_X509_num(certs))

i < sk_X509_num(certs)	Description
TRUE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-11

140

X509_up_ref(xtmp);

executed 11 times by 1 test: X509_up_ref(xtmp);

Executed by:

libcrypto.so.1.1

141 else -

142

xtmp = NULL;

executed 1 time by 1 test: xtmp = ((void *)0) ;

Executed by:

libcrypto.so.1.1

143 sk_X509_pop_free(certs, X509_free); -

144

return xtmp;

executed 12 times by 1 test: return xtmp;

Executed by:

libcrypto.so.1.1

145 } -

146 -

147 /*- -

148 * Inform the verify callback of an error. -

149 * If B<x> is not NULL it is the error cert, otherwise use the chain cert at -

150 * B<depth>. -

151 * If B<err> is not X509_V_OK, that's the error value, otherwise leave -

152 * unchanged (presumably set by the caller). -

153 * -

154 * Returns 0 to abort verification with an error, non-zero to continue. -

155 */ -

156 static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err) -

157 { -

158 ctx->error_depth = depth; -

159

ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth);

(x != ((void *)0) )	Description
TRUE	evaluated 361 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3598 times by 1 test Evaluated by: libcrypto.so.1.1

361-3598

160

if (err != X509_V_OK)

err != 0	Description
TRUE	evaluated 3949 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 10 times by 1 test Evaluated by: libcrypto.so.1.1

10-3949

161

ctx->error = err;

executed 3949 times by 1 test: ctx->error = err;

Executed by:

libcrypto.so.1.1

3949

162

return ctx->verify_cb(0, ctx);

executed 3959 times by 1 test: return ctx->verify_cb(0, ctx);

Executed by:

libcrypto.so.1.1

3959

163 } -

164 -

165 /*- -

166 * Inform the verify callback of an error, CRL-specific variant. Here, the -

167 * error depth and certificate are already set, we just specify the error -

168 * number. -

169 * -

170 * Returns 0 to abort verification with an error, non-zero to continue. -

171 */ -

172 static int verify_cb_crl(X509_STORE_CTX *ctx, int err) -

173 { -

174 ctx->error = err; -

175

return ctx->verify_cb(0, ctx);

executed 5 times by 1 test: return ctx->verify_cb(0, ctx);

Executed by:

libcrypto.so.1.1

176 } -

177 -

178 static int check_auth_level(X509_STORE_CTX *ctx) -

179 { -

180 int i; -

181 int num = sk_X509_num(ctx->chain); -

182 -

183

if (ctx->param->auth_level <= 0)

ctx->param->auth_level <= 0	Description
TRUE	evaluated 169 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1169 times by 1 test Evaluated by: libcrypto.so.1.1

169-1169

184

return 1;

executed 169 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

169

185 -

186

for (i = 0; i < num; ++i) {

i < num	Description
TRUE	evaluated 2304 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1164 times by 1 test Evaluated by: libcrypto.so.1.1

1164-2304

187 X509 *cert = sk_X509_value(ctx->chain, i); -

188 -

189 /* -

190 * We've already checked the security of the leaf key, so here we only -

191 * check the security of issuer keys. -

192 */ -

193

if (i > 0 && !check_key_level(ctx, cert) &&

i > 0	Description
TRUE	evaluated 1135 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1169 times by 1 test Evaluated by: libcrypto.so.1.1

!check_key_level(ctx, cert)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1133 times by 1 test Evaluated by: libcrypto.so.1.1

2-1169

194

verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL) == 0)

verify_cb_cert...t, i, 67) == 0	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2

195

return 0;

executed 2 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

196 /* -

197 * We also check the signature algorithm security of all certificates -

198 * except those of the trust anchor at index num-1. -

199 */ -

200

if (i < num - 1 && !check_sig_level(ctx, cert) &&

i < num - 1	Description
TRUE	evaluated 1138 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1164 times by 1 test Evaluated by: libcrypto.so.1.1

!check_sig_level(ctx, cert)	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1135 times by 1 test Evaluated by: libcrypto.so.1.1

3-1164

201

verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK) == 0)

verify_cb_cert...t, i, 68) == 0	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-3

202

return 0;

executed 3 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

203

}

executed 2299 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2299

204

return 1;

executed 1164 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1164

205 } -

206 -

207 static int verify_chain(X509_STORE_CTX *ctx) -

208 { -

209 int err; -

210 int ok; -

211 -

212 /* -

213 * Before either returning with an error, or continuing with CRL checks, -

214 * instantiate chain public key parameters. -

215 */ -

216

if ((ok = build_chain(ctx)) == 0 ||

(ok = build_chain(ctx)) == 0	Description
TRUE	evaluated 3503 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1343 times by 1 test Evaluated by: libcrypto.so.1.1

1343-3503

217

(ok = check_chain_extensions(ctx)) == 0 ||

(ok = check_ch...ons(ctx)) == 0	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1338 times by 1 test Evaluated by: libcrypto.so.1.1

5-1338

218

(ok = check_auth_level(ctx)) == 0 ||

(ok = check_au...vel(ctx)) == 0	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1333 times by 1 test Evaluated by: libcrypto.so.1.1

5-1333

219

(ok = check_id(ctx)) == 0 || 1)

(ok = check_id(ctx)) == 0	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1331 times by 1 test Evaluated by: libcrypto.so.1.1

1	Description
TRUE	evaluated 1331 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1331

220

X509_get_pubkey_parameters(NULL, ctx->chain);

executed 4846 times by 1 test: X509_get_pubkey_parameters( ((void *)0) , ctx->chain);

Executed by:

libcrypto.so.1.1

4846

221

if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0)

ok == 0	Description
TRUE	evaluated 3515 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1331 times by 1 test Evaluated by: libcrypto.so.1.1

(ok = ctx->che...ion(ctx)) == 0	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1326 times by 1 test Evaluated by: libcrypto.so.1.1

5-3515

222

return ok;

executed 3520 times by 1 test: return ok;

Executed by:

libcrypto.so.1.1

3520

223 -

224 err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain, -

225 ctx->param->flags); -

226

if (err != X509_V_OK) {

err != 0	Description
TRUE	never evaluated
FALSE	evaluated 1326 times by 1 test Evaluated by: libcrypto.so.1.1

0-1326

227

if ((ok = verify_cb_cert(ctx, NULL, ctx->error_depth, err)) == 0)

(ok = verify_c...th, err)) == 0	Description
TRUE	never evaluated
FALSE	never evaluated

228

return ok;

never executed: return ok;

229

}

never executed: end of block

230 -

231 /* Verify chain signatures and expiration times */ -

232

ok = (ctx->verify != NULL) ? ctx->verify(ctx) : internal_verify(ctx);

(ctx->verify != ((void *)0) )	Description
TRUE	evaluated 1326 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1326

233

if (!ok)

!ok	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1320 times by 1 test Evaluated by: libcrypto.so.1.1

6-1320

234

return ok;

executed 6 times by 1 test: return ok;

Executed by:

libcrypto.so.1.1

235 -

236

if ((ok = check_name_constraints(ctx)) == 0)

(ok = check_na...nts(ctx)) == 0	Description
TRUE	evaluated 15 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1305 times by 1 test Evaluated by: libcrypto.so.1.1

15-1305

237

return ok;

executed 15 times by 1 test: return ok;

Executed by:

libcrypto.so.1.1

238 -

239 #ifndef OPENSSL_NO_RFC3779 -

240 /* RFC 3779 path validation, now that CRL check has been done */ -

241

if ((ok = X509v3_asid_validate_path(ctx)) == 0)

(ok = X509v3_a...ath(ctx)) == 0	Description
TRUE	never evaluated
FALSE	evaluated 1305 times by 1 test Evaluated by: libcrypto.so.1.1

0-1305

242

return ok;

never executed: return ok;

243

if ((ok = X509v3_addr_validate_path(ctx)) == 0)

(ok = X509v3_a...ath(ctx)) == 0	Description
TRUE	never evaluated
FALSE	evaluated 1305 times by 1 test Evaluated by: libcrypto.so.1.1

0-1305

244

return ok;

never executed: return ok;

245 #endif -

246 -

247 /* If we get this far evaluate policies */ -

248

if (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)

ctx->param->flags & 0x80	Description
TRUE	never evaluated
FALSE	evaluated 1305 times by 1 test Evaluated by: libcrypto.so.1.1

0-1305

249

ok = ctx->check_policy(ctx);

never executed: ok = ctx->check_policy(ctx);

250

return ok;

executed 1305 times by 1 test: return ok;

Executed by:

libcrypto.so.1.1

1305

251 } -

252 -

253 int X509_verify_cert(X509_STORE_CTX *ctx) -

254 { -

255 SSL_DANE *dane = ctx->dane; -

256 int ret; -

257 -

258

if (ctx->cert == NULL) {

ctx->cert == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 5018 times by 1 test Evaluated by: libcrypto.so.1.1

0-5018

259 X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); -

260 ctx->error = X509_V_ERR_INVALID_CALL; -

261

return -1;

never executed: return -1;

262 } -

263 -

264

if (ctx->chain != NULL) {

ctx->chain != ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 5018 times by 1 test Evaluated by: libcrypto.so.1.1

0-5018

265 /* -

266 * This X509_STORE_CTX has already been used to verify a cert. We -

267 * cannot do another one. -

268 */ -

269 X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); -

270 ctx->error = X509_V_ERR_INVALID_CALL; -

271

return -1;

never executed: return -1;

272 } -

273 -

274 /* -

275 * first we make sure the chain we are going to build is present and that -

276 * the first entry is in place -

277 */ -

278

if (((ctx->chain = sk_X509_new_null()) == NULL) ||

((ctx->chain =... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 5018 times by 1 test Evaluated by: libcrypto.so.1.1

0-5018

279

(!sk_X509_push(ctx->chain, ctx->cert))) {

(!sk_X509_push...n, ctx->cert))	Description
TRUE	never evaluated
FALSE	evaluated 5018 times by 1 test Evaluated by: libcrypto.so.1.1

0-5018

280 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); -

281 ctx->error = X509_V_ERR_OUT_OF_MEM; -

282

return -1;

never executed: return -1;

283 } -

284 X509_up_ref(ctx->cert); -

285 ctx->num_untrusted = 1; -

286 -

287 /* If the peer's public key is too weak, we can stop early. */ -

288

if (!check_key_level(ctx, ctx->cert) &&

!check_key_lev...tx, ctx->cert)	Description
TRUE	evaluated 156 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4862 times by 1 test Evaluated by: libcrypto.so.1.1

156-4862

289

!verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL))

!verify_cb_cer...->cert, 0, 66)	Description
TRUE	evaluated 156 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-156

290

return 0;

executed 156 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

156

291 -

292

if (DANETLS_ENABLED(dane))

(dane) != ((void *)0)	Description
TRUE	evaluated 49 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4813 times by 1 test Evaluated by: libcrypto.so.1.1

sk_danetls_rec...e)->trecs) > 0	Description
TRUE	evaluated 49 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-4813

293

ret = dane_verify(ctx);

executed 49 times by 1 test: ret = dane_verify(ctx);

Executed by:

libcrypto.so.1.1

294 else -

295

ret = verify_chain(ctx);

executed 4813 times by 1 test: ret = verify_chain(ctx);

Executed by:

libcrypto.so.1.1

4813

296 -

297 /* -

298 * Safety-net. If we are returning an error, we must also set ctx->error, -

299 * so that the chain is not considered verified should the error be ignored -

300 * (e.g. TLS with SSL_VERIFY_NONE). -

301 */ -

302

if (ret <= 0 && ctx->error == X509_V_OK)

ret <= 0	Description
TRUE	evaluated 3547 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1315 times by 1 test Evaluated by: libcrypto.so.1.1

ctx->error == 0	Description
TRUE	never evaluated
FALSE	evaluated 3547 times by 1 test Evaluated by: libcrypto.so.1.1

0-3547

303

ctx->error = X509_V_ERR_UNSPECIFIED;

never executed: ctx->error = 1;

304

return ret;

executed 4862 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

4862

305 } -

306 -

307 /* -

308 * Given a STACK_OF(X509) find the issuer of cert (if any) -

309 */ -

310 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) -

311 { -

312 int i; -

313 X509 *issuer, *rv = NULL; -

314 -

315

for (i = 0; i < sk_X509_num(sk); i++) {

i < sk_X509_num(sk)	Description
TRUE	evaluated 2824 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1684 times by 1 test Evaluated by: libcrypto.so.1.1

1684-2824

316 issuer = sk_X509_value(sk, i); -

317

if (ctx->check_issued(ctx, x, issuer)) {

ctx->check_iss...tx, x, issuer)	Description
TRUE	evaluated 549 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2275 times by 1 test Evaluated by: libcrypto.so.1.1

549-2275

318 rv = issuer; -

319

if (x509_check_cert_time(ctx, rv, -1))

x509_check_cer...e(ctx, rv, -1)	Description
TRUE	evaluated 369 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 180 times by 1 test Evaluated by: libcrypto.so.1.1

180-369

320

break;

executed 369 times by 1 test: break;

Executed by:

libcrypto.so.1.1

369

321

}

executed 180 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

180

322

}

executed 2455 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2455

323

return rv;

executed 2053 times by 1 test: return rv;

Executed by:

libcrypto.so.1.1

2053

324 } -

325 -

326 /* Given a possible certificate and issuer check them */ -

327 -

328 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) -

329 { -

330 int ret; -

331

if (x == issuer)

x == issuer	Description
TRUE	evaluated 2838 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2411 times by 1 test Evaluated by: libcrypto.so.1.1

2411-2838

332

return cert_self_signed(x);

executed 2838 times by 1 test: return cert_self_signed(x);

Executed by:

libcrypto.so.1.1

2838

333 ret = X509_check_issued(issuer, x); -

334

if (ret == X509_V_OK) {

ret == 0	Description
TRUE	evaluated 1651 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 760 times by 1 test Evaluated by: libcrypto.so.1.1

760-1651

335 int i; -

336 X509 *ch; -

337 /* Special case: single self signed certificate */ -

338

if (cert_self_signed(x) && sk_X509_num(ctx->chain) == 1)

cert_self_signed(x)	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1646 times by 1 test Evaluated by: libcrypto.so.1.1

sk_X509_num(ctx->chain) == 1	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-1646

339

return 1;

never executed: return 1;

340

for (i = 0; i < sk_X509_num(ctx->chain); i++) {

i < sk_X509_num(ctx->chain)	Description
TRUE	evaluated 517 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1650 times by 1 test Evaluated by: libcrypto.so.1.1

517-1650

341 ch = sk_X509_value(ctx->chain, i); -

342

if (ch == issuer || !X509_cmp(ch, issuer)) {

ch == issuer	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 516 times by 1 test Evaluated by: libcrypto.so.1.1

!X509_cmp(ch, issuer)	Description
TRUE	never evaluated
FALSE	evaluated 516 times by 1 test Evaluated by: libcrypto.so.1.1

0-516

343 ret = X509_V_ERR_PATH_LOOP; -

344

break;

executed 1 time by 1 test: break;

Executed by:

libcrypto.so.1.1

345 } -

346

}

executed 516 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

516

347

}

executed 1651 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1651

348 -

349

return (ret == X509_V_OK);

executed 2411 times by 1 test: return (ret == 0);

Executed by:

libcrypto.so.1.1

2411

350 } -

351 -

352 /* Alternative lookup method: look from a STACK stored in other_ctx */ -

353 -

354 static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) -

355 { -

356 *issuer = find_issuer(ctx, ctx->other_ctx, x); -

357

if (*issuer) {

*issuer	Description
TRUE	evaluated 130 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 107 times by 1 test Evaluated by: libcrypto.so.1.1

107-130

358 X509_up_ref(*issuer); -

359

return 1;

executed 130 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

130

360 } else -

361

return 0;

executed 107 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

107

362 } -

363 -

364 static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm) -

365 { -

366 STACK_OF(X509) *sk = NULL; -

367 X509 *x; -

368 int i; -

369 -

370

for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) {

i < sk_X509_nu...tx->other_ctx)	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

371 x = sk_X509_value(ctx->other_ctx, i); -

372

if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {

X509_NAME_cmp(..._name(x)) == 0	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-7

373

if (sk == NULL)

sk == ((void *)0)	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-7

374

sk = sk_X509_new_null();

executed 7 times by 1 test: sk = sk_X509_new_null();

Executed by:

libcrypto.so.1.1

375

if (sk == NULL || sk_X509_push(sk, x) == 0) {

sk == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

sk_X509_push(sk, x) == 0	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

376 sk_X509_pop_free(sk, X509_free); -

377 X509err(X509_F_LOOKUP_CERTS_SK, ERR_R_MALLOC_FAILURE); -

378 ctx->error = X509_V_ERR_OUT_OF_MEM; -

379

return NULL;

never executed: return ((void *)0) ;

380 } -

381 X509_up_ref(x); -

382

}

executed 7 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

383

}

executed 7 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

384

return sk;

executed 7 times by 1 test: return sk;

Executed by:

libcrypto.so.1.1

385 } -

386 -

387 /* -

388 * Check EE or CA certificate purpose. For trusted certificates explicit local -

389 * auxiliary trust can be used to override EKU-restrictions. -

390 */ -

391 static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, -

392 int must_be_ca) -

393 { -

394 int tr_ok = X509_TRUST_UNTRUSTED; -

395 -

396 /* -

397 * For trusted certificates we want to see whether any auxiliary trust -

398 * settings trump the purpose constraints. -

399 * -

400 * This is complicated by the fact that the trust ordinals in -

401 * ctx->param->trust are entirely independent of the purpose ordinals in -

402 * ctx->param->purpose! -

403 * -

404 * What connects them is their mutual initialization via calls from -

405 * X509_STORE_CTX_set_default() into X509_VERIFY_PARAM_lookup() which sets -

406 * related values of both param->trust and param->purpose. It is however -

407 * typically possible to infer associated trust values from a purpose value -

408 * via the X509_PURPOSE API. -

409 * -

410 * Therefore, we can only check for trust overrides when the purpose we're -

411 * checking is the same as ctx->param->purpose and ctx->param->trust is -

412 * also set. -

413 */ -

414

if (depth >= ctx->num_untrusted && purpose == ctx->param->purpose)

depth >= ctx->num_untrusted	Description
TRUE	evaluated 1218 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1411 times by 1 test Evaluated by: libcrypto.so.1.1

purpose == ctx->param->purpose	Description
TRUE	evaluated 1218 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1411

415

tr_ok = X509_check_trust(x, ctx->param->trust, X509_TRUST_NO_SS_COMPAT);

executed 1218 times by 1 test: tr_ok = X509_check_trust(x, ctx->param->trust, (1U << 2));

Executed by:

libcrypto.so.1.1

1218

416 -

417 switch (tr_ok) { -

418

case X509_TRUST_TRUSTED:

executed 24 times by 1 test: case 1:

Executed by:

libcrypto.so.1.1

419

return 1;

executed 24 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

420

case X509_TRUST_REJECTED:

never executed: case 2:

421

break;

never executed: break;

422

default:

executed 2605 times by 1 test: default:

Executed by:

libcrypto.so.1.1

2605

423 switch (X509_check_purpose(x, purpose, must_be_ca > 0)) { -

424

case 1:

executed 2594 times by 1 test: case 1:

Executed by:

libcrypto.so.1.1

2594

425

return 1;

executed 2594 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

2594

426

case 0:

executed 9 times by 1 test: case 0:

Executed by:

libcrypto.so.1.1

427

break;

executed 9 times by 1 test: break;

Executed by:

libcrypto.so.1.1

428

default:

executed 2 times by 1 test: default:

Executed by:

libcrypto.so.1.1

429

if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) == 0)

(ctx->param->f...s & 0x20) == 0	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2

430

return 1;

executed 2 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

431

}

never executed: end of block

432

break;

executed 9 times by 1 test: break;

Executed by:

libcrypto.so.1.1

433 } -

434 -

435

return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE);

executed 9 times by 1 test: return verify_cb_cert(ctx, x, depth, 26);

Executed by:

libcrypto.so.1.1

436 } -

437 -

438 /* -

439 * Check a certificate chains extensions for consistency with the supplied -

440 * purpose -

441 */ -

442 -

443 static int check_chain_extensions(X509_STORE_CTX *ctx) -

444 { -

445 int i, must_be_ca, plen = 0; -

446 X509 *x; -

447 int proxy_path_length = 0; -

448 int purpose; -

449 int allow_proxy_certs; -

450 int num = sk_X509_num(ctx->chain); -

451 -

452 /*- -

453 * must_be_ca can have 1 of 3 values: -

454 * -1: we accept both CA and non-CA certificates, to allow direct -

455 * use of self-signed certificates (which are marked as CA). -

456 * 0: we only accept non-CA certificates. This is currently not -

457 * used, but the possibility is present for future extensions. -

458 * 1: we only accept CA certificates. This is currently used for -

459 * all certificates in the chain except the leaf certificate. -

460 */ -

461 must_be_ca = -1; -

462 -

463 /* CRL path validation */ -

464

if (ctx->parent) {

ctx->parent	Description
TRUE	never evaluated
FALSE	evaluated 1343 times by 1 test Evaluated by: libcrypto.so.1.1

0-1343

465 allow_proxy_certs = 0; -

466 purpose = X509_PURPOSE_CRL_SIGN; -

467

} else {

never executed: end of block

468 allow_proxy_certs = -

469 ! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); -

470 purpose = ctx->param->purpose; -

471

}

executed 1343 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1343

472 -

473

for (i = 0; i < num; i++) {

i < num	Description
TRUE	evaluated 2671 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1338 times by 1 test Evaluated by: libcrypto.so.1.1

1338-2671

474 int ret; -

475 x = sk_X509_value(ctx->chain, i); -

476

if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)

!(ctx->param->flags & 0x10)	Description
TRUE	evaluated 2671 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2671

477

&& (x->ex_flags & EXFLAG_CRITICAL)) {

(x->ex_flags & 0x200)	Description
TRUE	never evaluated
FALSE	evaluated 2671 times by 1 test Evaluated by: libcrypto.so.1.1

0-2671

478

if (!verify_cb_cert(ctx, x, i,

!verify_cb_cert(ctx, x, i, 34)	Description
TRUE	never evaluated
FALSE	never evaluated

479

X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION))

!verify_cb_cert(ctx, x, i, 34)	Description
TRUE	never evaluated
FALSE	never evaluated

480

return 0;

never executed: return 0;

481

}

never executed: end of block

482

if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {

!allow_proxy_certs	Description
TRUE	evaluated 2650 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 21 times by 1 test Evaluated by: libcrypto.so.1.1

(x->ex_flags & 0x400)	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2647 times by 1 test Evaluated by: libcrypto.so.1.1

3-2650

483

if (!verify_cb_cert(ctx, x, i,

!verify_cb_cert(ctx, x, i, 40)	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-3

484

X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED))

!verify_cb_cert(ctx, x, i, 40)	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-3

485

return 0;

executed 3 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

486

}

never executed: end of block

487 ret = X509_check_ca(x); -

488 switch (must_be_ca) { -

489

case -1:

executed 1340 times by 1 test: case -1:

Executed by:

libcrypto.so.1.1

1340

490

if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)

(ctx->param->flags & 0x20)	Description
TRUE	never evaluated
FALSE	evaluated 1340 times by 1 test Evaluated by: libcrypto.so.1.1

0-1340

491

&& (ret != 1) && (ret != 0)) {

(ret != 1)	Description
TRUE	never evaluated
FALSE	never evaluated

(ret != 0)	Description
TRUE	never evaluated
FALSE	never evaluated

492 ret = 0; -

493 ctx->error = X509_V_ERR_INVALID_CA; -

494

} else

never executed: end of block

495

ret = 1;

executed 1340 times by 1 test: ret = 1;

Executed by:

libcrypto.so.1.1

1340

496

break;

executed 1340 times by 1 test: break;

Executed by:

libcrypto.so.1.1

1340

497

case 0:

executed 8 times by 1 test: case 0:

Executed by:

libcrypto.so.1.1

498

if (ret != 0) {

ret != 0	Description
TRUE	never evaluated
FALSE	evaluated 8 times by 1 test Evaluated by: libcrypto.so.1.1

0-8

499 ret = 0; -

500 ctx->error = X509_V_ERR_INVALID_NON_CA; -

501

} else

never executed: end of block

502

ret = 1;

executed 8 times by 1 test: ret = 1;

Executed by:

libcrypto.so.1.1

503

break;

executed 8 times by 1 test: break;

Executed by:

libcrypto.so.1.1

504

default:

executed 1320 times by 1 test: default:

Executed by:

libcrypto.so.1.1

1320

505 /* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */ -

506

if ((ret == 0)

(ret == 0)	Description
TRUE	evaluated 8 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1312 times by 1 test Evaluated by: libcrypto.so.1.1

8-1312

507

|| ((i + 1 < num || ctx->param->flags & X509_V_FLAG_X509_STRICT)

i + 1 < num	Description
TRUE	evaluated 115 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1197 times by 1 test Evaluated by: libcrypto.so.1.1

ctx->param->flags & 0x20	Description
TRUE	never evaluated
FALSE	evaluated 1197 times by 1 test Evaluated by: libcrypto.so.1.1

0-1197

508

&& (ret != 1))) {

(ret != 1)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 113 times by 1 test Evaluated by: libcrypto.so.1.1

2-113

509 ret = 0; -

510 ctx->error = X509_V_ERR_INVALID_CA; -

511

} else

executed 10 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

512

ret = 1;

executed 1310 times by 1 test: ret = 1;

Executed by:

libcrypto.so.1.1

1310

513

break;

executed 1320 times by 1 test: break;

Executed by:

libcrypto.so.1.1

1320

514 } -

515

if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))

ret == 0	Description
TRUE	evaluated 10 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2658 times by 1 test Evaluated by: libcrypto.so.1.1

!verify_cb_cert(ctx, x, i, 0)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

1-2658

516

return 0;

executed 1 time by 1 test: return 0;

Executed by:

libcrypto.so.1.1

517 /* check_purpose() makes the callback as needed */ -

518

if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))

purpose > 0	Description
TRUE	evaluated 2629 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 38 times by 1 test Evaluated by: libcrypto.so.1.1

!check_purpose...i, must_be_ca)	Description
TRUE	never evaluated
FALSE	evaluated 2629 times by 1 test Evaluated by: libcrypto.so.1.1

0-2629

519

return 0;

never executed: return 0;

520 /* Check pathlen if not self issued */ -

521

if ((i > 1) && !(x->ex_flags & EXFLAG_SI)

(i > 1)	Description
TRUE	evaluated 124 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2543 times by 1 test Evaluated by: libcrypto.so.1.1

!(x->ex_flags & 0x20)	Description
TRUE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 113 times by 1 test Evaluated by: libcrypto.so.1.1

11-2543

522

&& (x->ex_pathlen != -1)

(x->ex_pathlen != -1)	Description
TRUE	never evaluated
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

0-11

523

&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {

(plen > (x->ex...h_length + 1))	Description
TRUE	never evaluated
FALSE	never evaluated

524

if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))

!verify_cb_cert(ctx, x, i, 25)	Description
TRUE	never evaluated
FALSE	never evaluated

525

return 0;

never executed: return 0;

526

}

never executed: end of block

527 /* Increment path length if not self issued */ -

528

if (!(x->ex_flags & EXFLAG_SI))

!(x->ex_flags & 0x20)	Description
TRUE	evaluated 1488 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1179 times by 1 test Evaluated by: libcrypto.so.1.1

1179-1488

529

plen++;

executed 1488 times by 1 test: plen++;

Executed by:

libcrypto.so.1.1

1488

530 /* -

531 * If this certificate is a proxy certificate, the next certificate -

532 * must be another proxy certificate or a EE certificate. If not, -

533 * the next certificate must be a CA certificate. -

534 */ -

535

if (x->ex_flags & EXFLAG_PROXY) {

x->ex_flags & 0x400	Description
TRUE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2658 times by 1 test Evaluated by: libcrypto.so.1.1

9-2658

536 /* -

537 * RFC3820, 4.1.3 (b)(1) stipulates that if pCPathLengthConstraint -

538 * is less than max_path_length, the former should be copied to -

539 * the latter, and 4.1.4 (a) stipulates that max_path_length -

540 * should be verified to be larger than zero and decrement it. -

541 * -

542 * Because we're checking the certs in the reverse order, we start -

543 * with verifying that proxy_path_length isn't larger than pcPLC, -

544 * and copy the latter to the former if it is, and finally, -

545 * increment proxy_path_length. -

546 */ -

547

if (x->ex_pcpathlen != -1) {

x->ex_pcpathlen != -1	Description
TRUE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-9

548

if (proxy_path_length > x->ex_pcpathlen) {

proxy_path_len...->ex_pcpathlen	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 8 times by 1 test Evaluated by: libcrypto.so.1.1

1-8

549

if (!verify_cb_cert(ctx, x, i,

!verify_cb_cert(ctx, x, i, 38)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1

550

X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED))

!verify_cb_cert(ctx, x, i, 38)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1

551

return 0;

executed 1 time by 1 test: return 0;

Executed by:

libcrypto.so.1.1

552

}

never executed: end of block

553 proxy_path_length = x->ex_pcpathlen; -

554

}

executed 8 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

555 proxy_path_length++; -

556 must_be_ca = 0; -

557

} else

executed 8 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

558

must_be_ca = 1;

executed 2658 times by 1 test: must_be_ca = 1;

Executed by:

libcrypto.so.1.1

2658

559 } -

560

return 1;

executed 1338 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1338

561 } -

562 -

563 static int has_san_id(X509 *x, int gtype) -

564 { -

565 int i; -

566 int ret = 0; -

567 GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); -

568 -

569

if (gs == NULL)

gs == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

570

return 0;

never executed: return 0;

571 -

572

for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) {

i < sk_GENERAL_NAME_num(gs)	Description
TRUE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

4-17

573 GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i); -

574 -

575

if (g->type == gtype) {

g->type == gtype	Description
TRUE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 8 times by 1 test Evaluated by: libcrypto.so.1.1

8-9

576 ret = 1; -

577

break;

executed 9 times by 1 test: break;

Executed by:

libcrypto.so.1.1

578 } -

579

}

executed 8 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

580 GENERAL_NAMES_free(gs); -

581

return ret;

executed 13 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

582 } -

583 -

584 static int check_name_constraints(X509_STORE_CTX *ctx) -

585 { -

586 int i; -

587 -

588 /* Check name constraints for all certificates */ -

589

for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {

i >= 0	Description
TRUE	evaluated 2622 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1305 times by 1 test Evaluated by: libcrypto.so.1.1

1305-2622

590 X509 *x = sk_X509_value(ctx->chain, i); -

591 int j; -

592 -

593 /* Ignore self issued certs unless last in chain */ -

594

if (i && (x->ex_flags & EXFLAG_SI))

i	Description
TRUE	evaluated 1302 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1320 times by 1 test Evaluated by: libcrypto.so.1.1

(x->ex_flags & 0x20)	Description
TRUE	evaluated 1158 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 144 times by 1 test Evaluated by: libcrypto.so.1.1

144-1320

595

continue;

executed 1158 times by 1 test: continue;

Executed by:

libcrypto.so.1.1

1158

596 -

597 /* -

598 * Proxy certificates policy has an extra constraint, where the -

599 * certificate subject MUST be the issuer with a single CN entry -

600 * added. -

601 * (RFC 3820: 3.4, 4.1.3 (a)(4)) -

602 */ -

603

if (x->ex_flags & EXFLAG_PROXY) {

x->ex_flags & 0x400	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1457 times by 1 test Evaluated by: libcrypto.so.1.1

7-1457

604 X509_NAME *tmpsubject = X509_get_subject_name(x); -

605 X509_NAME *tmpissuer = X509_get_issuer_name(x); -

606 X509_NAME_ENTRY *tmpentry = NULL; -

607 int last_object_nid = 0; -

608 int err = X509_V_OK; -

609 int last_object_loc = X509_NAME_entry_count(tmpsubject) - 1; -

610 -

611 /* Check that there are at least two RDNs */ -

612

if (last_object_loc < 1) {

last_object_loc < 1	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

613 err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; -

614

goto proxy_name_done;

never executed: goto proxy_name_done;

615 } -

616 -

617 /* -

618 * Check that there is exactly one more RDN in subject as -

619 * there is in issuer. -

620 */ -

621

if (X509_NAME_entry_count(tmpsubject)

X509_NAME_entr...tmpissuer) + 1	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

1-6

622

!= X509_NAME_entry_count(tmpissuer) + 1) {

X509_NAME_entr...tmpissuer) + 1	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

1-6

623 err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; -

624

goto proxy_name_done;

executed 1 time by 1 test: goto proxy_name_done;

Executed by:

libcrypto.so.1.1

625 } -

626 -

627 /* -

628 * Check that the last subject component isn't part of a -

629 * multivalued RDN -

630 */ -

631

if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,

X509_NAME_ENTR...ject_loc - 1))	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

632

last_object_loc))

X509_NAME_ENTR...ject_loc - 1))	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

633

== X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,

X509_NAME_ENTR...ject_loc - 1))	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

634

last_object_loc - 1))) {

X509_NAME_ENTR...ject_loc - 1))	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

635 err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; -

636

goto proxy_name_done;

never executed: goto proxy_name_done;

637 } -

638 -

639 /* -

640 * Check that the last subject RDN is a commonName, and that -

641 * all the previous RDNs match the issuer exactly -

642 */ -

643 tmpsubject = X509_NAME_dup(tmpsubject); -

644

if (tmpsubject == NULL) {

tmpsubject == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

645 X509err(X509_F_CHECK_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE); -

646 ctx->error = X509_V_ERR_OUT_OF_MEM; -

647

return 0;

never executed: return 0;

648 } -

649 -

650 tmpentry = -

651 X509_NAME_delete_entry(tmpsubject, last_object_loc); -

652 last_object_nid = -

653 OBJ_obj2nid(X509_NAME_ENTRY_get_object(tmpentry)); -

654 -

655

if (last_object_nid != NID_commonName

last_object_nid != 13	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

656

|| X509_NAME_cmp(tmpsubject, tmpissuer) != 0) {

X509_NAME_cmp(...mpissuer) != 0	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

657 err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; -

658

}

never executed: end of block

659 -

660 X509_NAME_ENTRY_free(tmpentry); -

661 X509_NAME_free(tmpsubject); -

662 -

663

proxy_name_done:

code before this statement executed 6 times by 1 test: proxy_name_done:

Executed by:

libcrypto.so.1.1

664

if (err != X509_V_OK

err != 0	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

1-6

665

&& !verify_cb_cert(ctx, x, i, err))

!verify_cb_cer...tx, x, i, err)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1

666

return 0;

executed 1 time by 1 test: return 0;

Executed by:

libcrypto.so.1.1

667

}

executed 6 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

668 -

669 /* -

670 * Check against constraints for all certificates higher in chain -

671 * including trust anchor. Trust anchor not strictly speaking needed -

672 * but if it includes constraints it is to be assumed it expects them -

673 * to be obeyed. -

674 */ -

675

for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {

j > i	Description
TRUE	evaluated 1429 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1449 times by 1 test Evaluated by: libcrypto.so.1.1

1429-1449

676 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; -

677 -

678

if (nc) {

nc	Description
TRUE	evaluated 28 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1401 times by 1 test Evaluated by: libcrypto.so.1.1

28-1401

679 int rv = NAME_CONSTRAINTS_check(x, nc); -

680 -

681 /* If EE certificate check commonName too */ -

682

if (rv == X509_V_OK && i == 0

rv == 0	Description
TRUE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

i == 0	Description
TRUE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

4-17

683

&& (ctx->param->hostflags

(ctx->param->h...s & 0x20) == 0	Description
TRUE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-13

684

& X509_CHECK_FLAG_NEVER_CHECK_SUBJECT) == 0

(ctx->param->h...s & 0x20) == 0	Description
TRUE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-13

685

&& ((ctx->param->hostflags

(ctx->param->h...gs & 0x1) != 0	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

686

& X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT) != 0

(ctx->param->h...gs & 0x1) != 0	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

687

|| !has_san_id(x, GEN_DNS)))

!has_san_id(x, 2)	Description
TRUE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

4-9

688

rv = NAME_CONSTRAINTS_check_CN(x, nc);

executed 4 times by 1 test: rv = NAME_CONSTRAINTS_check_CN(x, nc);

Executed by:

libcrypto.so.1.1

689 -

690 switch (rv) { -

691

case X509_V_OK:

executed 14 times by 1 test: case 0:

Executed by:

libcrypto.so.1.1

692

break;

executed 14 times by 1 test: break;

Executed by:

libcrypto.so.1.1

693

case X509_V_ERR_OUT_OF_MEM:

never executed: case 17:

694

return 0;

never executed: return 0;

695

default:

executed 14 times by 1 test: default:

Executed by:

libcrypto.so.1.1

696

if (!verify_cb_cert(ctx, x, i, rv))

!verify_cb_cert(ctx, x, i, rv)	Description
TRUE	evaluated 14 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-14

697

return 0;

executed 14 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

698

break;

never executed: break;

699 } -

700 } -

701

}

executed 1415 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1415

702

}

executed 1449 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1449

703

return 1;

executed 1305 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1305

704 } -

705 -

706 static int check_id_error(X509_STORE_CTX *ctx, int errcode) -

707 { -

708

return verify_cb_cert(ctx, ctx->cert, 0, errcode);

executed 3 times by 1 test: return verify_cb_cert(ctx, ctx->cert, 0, errcode);

Executed by:

libcrypto.so.1.1

709 } -

710 -

711 static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm) -

712 { -

713 int i; -

714 int n = sk_OPENSSL_STRING_num(vpm->hosts); -

715 char *name; -

716 -

717

if (vpm->peername != NULL) {

vpm->peername != ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 36 times by 1 test Evaluated by: libcrypto.so.1.1

0-36

718 OPENSSL_free(vpm->peername); -

719 vpm->peername = NULL; -

720

}

never executed: end of block

721

for (i = 0; i < n; ++i) {

i < n	Description
TRUE	evaluated 36 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

3-36

722 name = sk_OPENSSL_STRING_value(vpm->hosts, i); -

723

if (X509_check_host(x, name, 0, vpm->hostflags, &vpm->peername) > 0)

X509_check_hos...>peername) > 0	Description
TRUE	evaluated 33 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

3-33

724

return 1;

executed 33 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

725

}

executed 3 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

726

return n == 0;

executed 3 times by 1 test: return n == 0;

Executed by:

libcrypto.so.1.1

727 } -

728 -

729 static int check_id(X509_STORE_CTX *ctx) -

730 { -

731 X509_VERIFY_PARAM *vpm = ctx->param; -

732 X509 *x = ctx->cert; -

733

if (vpm->hosts && check_hosts(x, vpm) <= 0) {

vpm->hosts	Description
TRUE	evaluated 36 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1303 times by 1 test Evaluated by: libcrypto.so.1.1

check_hosts(x, vpm) <= 0	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 33 times by 1 test Evaluated by: libcrypto.so.1.1

3-1303

734

if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))

!check_id_error(ctx, 62)	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-3

735

return 0;

executed 3 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

736

}

never executed: end of block

737

if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {

vpm->email	Description
TRUE	never evaluated
FALSE	evaluated 1336 times by 1 test Evaluated by: libcrypto.so.1.1

X509_check_ema...illen, 0) <= 0	Description
TRUE	never evaluated
FALSE	never evaluated

0-1336

738

if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))

!check_id_error(ctx, 63)	Description
TRUE	never evaluated
FALSE	never evaluated

739

return 0;

never executed: return 0;

740

}

never executed: end of block

741

if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {

vpm->ip	Description
TRUE	never evaluated
FALSE	evaluated 1336 times by 1 test Evaluated by: libcrypto.so.1.1

X509_check_ip(...iplen, 0) <= 0	Description
TRUE	never evaluated
FALSE	never evaluated

0-1336

742

if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))

!check_id_error(ctx, 64)	Description
TRUE	never evaluated
FALSE	never evaluated

743

return 0;

never executed: return 0;

744

}

never executed: end of block

745

return 1;

executed 1336 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1336

746 } -

747 -

748 static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) -

749 { -

750 int i; -

751 X509 *x = NULL; -

752 X509 *mx; -

753 SSL_DANE *dane = ctx->dane; -

754 int num = sk_X509_num(ctx->chain); -

755 int trust; -

756 -

757 /* -

758 * Check for a DANE issuer at depth 1 or greater, if it is a DANE-TA(2) -

759 * match, we're done, otherwise we'll merely record the match depth. -

760 */ -

761

if (DANETLS_HAS_TA(dane) && num_untrusted > 0 && num_untrusted < num) {

(dane)	Description
TRUE	evaluated 16 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4821 times by 1 test Evaluated by: libcrypto.so.1.1

((dane)->umask..._t)1) << 2))))	Description
TRUE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

num_untrusted > 0	Description
TRUE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

num_untrusted < num	Description
TRUE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-4821

762 switch (trust = check_dane_issuer(ctx, num_untrusted)) { -

763

case X509_TRUST_TRUSTED:

never executed: case 1:

764

case X509_TRUST_REJECTED:

never executed: case 2:

765

return trust;

never executed: return trust;

766 } -

767

}

executed 11 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

768 -

769 /* -

770 * Check trusted certificates in chain at depth num_untrusted and up. -

771 * Note, that depths 0..num_untrusted-1 may also contain trusted -

772 * certificates, but the caller is expected to have already checked those, -

773 * and wants to incrementally check just any added since. -

774 */ -

775

for (i = num_untrusted; i < num; i++) {

i < num	Description
TRUE	evaluated 1231 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3623 times by 1 test Evaluated by: libcrypto.so.1.1

1231-3623

776 x = sk_X509_value(ctx->chain, i); -

777 trust = X509_check_trust(x, ctx->param->trust, 0); -

778 /* If explicitly trusted return trusted */ -

779

if (trust == X509_TRUST_TRUSTED)

trust == 1	Description
TRUE	evaluated 1190 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 41 times by 1 test Evaluated by: libcrypto.so.1.1

41-1190

780

goto trusted;

executed 1190 times by 1 test: goto trusted;

Executed by:

libcrypto.so.1.1

1190

781

if (trust == X509_TRUST_REJECTED)

trust == 2	Description
TRUE	evaluated 24 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1

17-24

782

goto rejected;

executed 24 times by 1 test: goto rejected;

Executed by:

libcrypto.so.1.1

783

}

executed 17 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

784 -

785 /* -

786 * If we are looking at a trusted certificate, and accept partial chains, -

787 * the chain is PKIX trusted. -

788 */ -

789

if (num_untrusted < num) {

num_untrusted < num	Description
TRUE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3606 times by 1 test Evaluated by: libcrypto.so.1.1

17-3606

790

if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)

ctx->param->flags & 0x80000	Description
TRUE	evaluated 8 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

8-9

791

goto trusted;

executed 8 times by 1 test: goto trusted;

Executed by:

libcrypto.so.1.1

792

return X509_TRUST_UNTRUSTED;

executed 9 times by 1 test: return 3;

Executed by:

libcrypto.so.1.1

793 } -

794 -

795

if (num_untrusted == num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {

num_untrusted == num	Description
TRUE	evaluated 3606 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

ctx->param->flags & 0x80000	Description
TRUE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3589 times by 1 test Evaluated by: libcrypto.so.1.1

0-3606

796 /* -

797 * Last-resort call with no new trusted certificates, check the leaf -

798 * for a direct trust store match. -

799 */ -

800 i = 0; -

801 x = sk_X509_value(ctx->chain, i); -

802 mx = lookup_cert_match(ctx, x); -

803

if (!mx)

!mx	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

6-11

804

return X509_TRUST_UNTRUSTED;

executed 6 times by 1 test: return 3;

Executed by:

libcrypto.so.1.1

805 -

806 /* -

807 * Check explicit auxiliary trust/reject settings. If none are set, -

808 * we'll accept X509_TRUST_UNTRUSTED when not self-signed. -

809 */ -

810 trust = X509_check_trust(mx, ctx->param->trust, 0); -

811

if (trust == X509_TRUST_REJECTED) {

trust == 2	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

2-9

812 X509_free(mx); -

813

goto rejected;

executed 2 times by 1 test: goto rejected;

Executed by:

libcrypto.so.1.1

814 } -

815 -

816 /* Replace leaf with trusted match */ -

817 (void) sk_X509_set(ctx->chain, 0, mx); -

818 X509_free(x); -

819 ctx->num_untrusted = 0; -

820

goto trusted;

executed 9 times by 1 test: goto trusted;

Executed by:

libcrypto.so.1.1

821 } -

822 -

823 /* -

824 * If no trusted certs in chain at all return untrusted and allow -

825 * standard (no issuer cert) etc errors to be indicated. -

826 */ -

827

return X509_TRUST_UNTRUSTED;

executed 3589 times by 1 test: return 3;

Executed by:

libcrypto.so.1.1

3589

828 -

829 rejected: -

830

if (!verify_cb_cert(ctx, x, i, X509_V_ERR_CERT_REJECTED))

!verify_cb_cert(ctx, x, i, 28)	Description
TRUE	evaluated 26 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-26

831

return X509_TRUST_REJECTED;

executed 26 times by 1 test: return 2;

Executed by:

libcrypto.so.1.1

832

return X509_TRUST_UNTRUSTED;

never executed: return 3;

833 -

834 trusted: -

835

if (!DANETLS_ENABLED(dane))

(dane) != ((void *)0)	Description
TRUE	evaluated 15 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1192 times by 1 test Evaluated by: libcrypto.so.1.1

sk_danetls_rec...e)->trecs) > 0	Description
TRUE	evaluated 15 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1192

836

return X509_TRUST_TRUSTED;

executed 1192 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1192

837

if (dane->pdpth < 0)

dane->pdpth < 0	Description
TRUE	evaluated 15 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-15

838

dane->pdpth = num_untrusted;

executed 15 times by 1 test: dane->pdpth = num_untrusted;

Executed by:

libcrypto.so.1.1

839 /* With DANE, PKIX alone is not trusted until we have both */ -

840

if (dane->mdpth >= 0)

dane->mdpth >= 0	Description
TRUE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-13

841

return X509_TRUST_TRUSTED;

executed 13 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

842

return X509_TRUST_UNTRUSTED;

executed 2 times by 1 test: return 3;

Executed by:

libcrypto.so.1.1

843 } -

844 -

845 static int check_revocation(X509_STORE_CTX *ctx) -

846 { -

847 int i = 0, last = 0, ok = 0; -

848

if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))

!(ctx->param->flags & 0x4)	Description
TRUE	evaluated 1324 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

7-1324

849

return 1;

executed 1324 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1324

850

if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)

ctx->param->flags & 0x8	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

851

last = sk_X509_num(ctx->chain) - 1;

never executed: last = sk_X509_num(ctx->chain) - 1;

852 else { -

853 /* If checking CRL paths this isn't the EE certificate */ -

854

if (ctx->parent)

ctx->parent	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

855

return 1;

never executed: return 1;

856 last = 0; -

857

}

executed 7 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

858

for (i = 0; i <= last; i++) {

i <= last	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-7

859 ctx->error_depth = i; -

860 ok = check_cert(ctx); -

861

if (!ok)

!ok	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-5

862

return ok;

executed 5 times by 1 test: return ok;

Executed by:

libcrypto.so.1.1

863

}

executed 2 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

864

return 1;

executed 2 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

865 } -

866 -

867 static int check_cert(X509_STORE_CTX *ctx) -

868 { -

869 X509_CRL *crl = NULL, *dcrl = NULL; -

870 int ok = 0; -

871 int cnum = ctx->error_depth; -

872 X509 *x = sk_X509_value(ctx->chain, cnum); -

873 -

874 ctx->current_cert = x; -

875 ctx->current_issuer = NULL; -

876 ctx->current_crl_score = 0; -

877 ctx->current_reasons = 0; -

878 -

879

if (x->ex_flags & EXFLAG_PROXY)

x->ex_flags & 0x400	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

880

return 1;

never executed: return 1;

881 -

882

while (ctx->current_reasons != CRLDP_ALL_REASONS) {

ctx->current_reasons != 0x807f	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-7

883 unsigned int last_reasons = ctx->current_reasons; -

884 -

885 /* Try to retrieve relevant CRL */ -

886

if (ctx->get_crl)

ctx->get_crl	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

887

ok = ctx->get_crl(ctx, &crl, x);

never executed: ok = ctx->get_crl(ctx, &crl, x);

888 else -

889

ok = get_crl_delta(ctx, &crl, &dcrl, x);

executed 7 times by 1 test: ok = get_crl_delta(ctx, &crl, &dcrl, x);

Executed by:

libcrypto.so.1.1

890 /* -

891 * If error looking up CRL, nothing we can do except notify callback -

892 */ -

893

if (!ok) {

!ok	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

2-5

894 ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL); -

895

goto done;

executed 2 times by 1 test: goto done;

Executed by:

libcrypto.so.1.1

896 } -

897 ctx->current_crl = crl; -

898 ok = ctx->check_crl(ctx, crl); -

899

if (!ok)

!ok	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

900

goto done;

never executed: goto done;

901 -

902

if (dcrl) {

dcrl	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

903 ok = ctx->check_crl(ctx, dcrl); -

904

if (!ok)

!ok	Description
TRUE	never evaluated
FALSE	never evaluated

905

goto done;

never executed: goto done;

906 ok = ctx->cert_crl(ctx, dcrl, x); -

907

if (!ok)

!ok	Description
TRUE	never evaluated
FALSE	never evaluated

908

goto done;

never executed: goto done;

909

} else

never executed: end of block

910

ok = 1;

executed 5 times by 1 test: ok = 1;

Executed by:

libcrypto.so.1.1

911 -

912 /* Don't look in full CRL if delta reason is removefromCRL */ -

913

if (ok != 2) {

ok != 2	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5

914 ok = ctx->cert_crl(ctx, crl, x); -

915

if (!ok)

!ok	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-3

916

goto done;

executed 3 times by 1 test: goto done;

Executed by:

libcrypto.so.1.1

917

}

executed 2 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

918 -

919 X509_CRL_free(crl); -

920 X509_CRL_free(dcrl); -

921 crl = NULL; -

922 dcrl = NULL; -

923 /* -

924 * If reasons not updated we won't get anywhere by another iteration, -

925 * so exit loop. -

926 */ -

927

if (last_reasons == ctx->current_reasons) {

last_reasons =...urrent_reasons	Description
TRUE	never evaluated
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

0-2

928 ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL); -

929

goto done;

never executed: goto done;

930 } -

931

}

executed 2 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

932

done:

code before this statement executed 2 times by 1 test: done:

Executed by:

libcrypto.so.1.1

933 X509_CRL_free(crl); -

934 X509_CRL_free(dcrl); -

935 -

936 ctx->current_crl = NULL; -

937

return ok;

executed 7 times by 1 test: return ok;

Executed by:

libcrypto.so.1.1

938 } -

939 -

940 /* Check CRL times against values in X509_STORE_CTX */ -

941 -

942 static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) -

943 { -

944 time_t *ptime; -

945 int i; -

946 -

947

if (notify)

notify	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

948

ctx->current_crl = crl;

never executed: ctx->current_crl = crl;

949

if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)

ctx->param->flags & 0x2	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

950

ptime = &ctx->param->check_time;

executed 6 times by 1 test: ptime = &ctx->param->check_time;

Executed by:

libcrypto.so.1.1

951

else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)

ctx->param->flags & 0x200000	Description
TRUE	never evaluated
FALSE	never evaluated

952

return 1;

never executed: return 1;

953 else -

954

ptime = NULL;

never executed: ptime = ((void *)0) ;

955 -

956 i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime); -

957

if (i == 0) {

i == 0	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

958

if (!notify)

!notify	Description
TRUE	never evaluated
FALSE	never evaluated

959

return 0;

never executed: return 0;

960

if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD))

!verify_cb_crl(ctx, 15)	Description
TRUE	never evaluated
FALSE	never evaluated

961

return 0;

never executed: return 0;

962

}

never executed: end of block

963 -

964

if (i > 0) {

i > 0	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

965

if (!notify)

!notify	Description
TRUE	never evaluated
FALSE	never evaluated

966

return 0;

never executed: return 0;

967

if (!verify_cb_crl(ctx, X509_V_ERR_CRL_NOT_YET_VALID))

!verify_cb_crl(ctx, 11)	Description
TRUE	never evaluated
FALSE	never evaluated

968

return 0;

never executed: return 0;

969

}

never executed: end of block

970 -

971

if (X509_CRL_get0_nextUpdate(crl)) {

X509_CRL_get0_nextUpdate(crl)	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

972 i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime); -

973 -

974

if (i == 0) {

i == 0	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

975

if (!notify)

!notify	Description
TRUE	never evaluated
FALSE	never evaluated

976

return 0;

never executed: return 0;

977

if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD))

!verify_cb_crl(ctx, 16)	Description
TRUE	never evaluated
FALSE	never evaluated

978

return 0;

never executed: return 0;

979

}

never executed: end of block

980 /* Ignore expiry of base CRL is delta is valid */ -

981

if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {

(i < 0)	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

!(ctx->current...score & 0x002)	Description
TRUE	never evaluated
FALSE	never evaluated

0-6

982

if (!notify)

!notify	Description
TRUE	never evaluated
FALSE	never evaluated

983

return 0;

never executed: return 0;

984

if (!verify_cb_crl(ctx, X509_V_ERR_CRL_HAS_EXPIRED))

!verify_cb_crl(ctx, 12)	Description
TRUE	never evaluated
FALSE	never evaluated

985

return 0;

never executed: return 0;

986

}

never executed: end of block

987

}

executed 6 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

988 -

989

if (notify)

notify	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

990

ctx->current_crl = NULL;

never executed: ctx->current_crl = ((void *)0) ;

991 -

992

return 1;

executed 6 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

993 } -

994 -

995 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, -

996 X509 **pissuer, int *pscore, unsigned int *preasons, -

997 STACK_OF(X509_CRL) *crls) -

998 { -

999 int i, crl_score, best_score = *pscore; -

1000 unsigned int reasons, best_reasons = 0; -

1001 X509 *x = ctx->current_cert; -

1002 X509_CRL *crl, *best_crl = NULL; -

1003 X509 *crl_issuer = NULL, *best_crl_issuer = NULL; -

1004 -

1005

for (i = 0; i < sk_X509_CRL_num(crls); i++) {

i < sk_X509_CRL_num(crls)	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

7-9

1006 crl = sk_X509_CRL_value(crls, i); -

1007 reasons = *preasons; -

1008 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); -

1009

if (crl_score < best_score || crl_score == 0)

crl_score < best_score	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

crl_score == 0	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

1010

continue;

executed 1 time by 1 test: continue;

Executed by:

libcrypto.so.1.1

1011 /* If current CRL is equivalent use it if it is newer */ -

1012

if (crl_score == best_score && best_crl != NULL) {

crl_score == best_score	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

best_crl != ((void *)0)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5

1013 int day, sec; -

1014

if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),

ASN1_TIME_diff...ate(crl)) == 0	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

1015

X509_CRL_get0_lastUpdate(crl)) == 0)

ASN1_TIME_diff...ate(crl)) == 0	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

1016

continue;

never executed: continue;

1017 /* -

1018 * ASN1_TIME_diff never returns inconsistent signs for |day| -

1019 * and |sec|. -

1020 */ -

1021

if (day <= 0 && sec <= 0)

day <= 0	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

sec <= 0	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

1022

continue;

never executed: continue;

1023

}

executed 1 time by 1 test: end of block

Executed by:

libcrypto.so.1.1

1024 best_crl = crl; -

1025 best_crl_issuer = crl_issuer; -

1026 best_score = crl_score; -

1027 best_reasons = reasons; -

1028

}

executed 6 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1029 -

1030

if (best_crl) {

best_crl	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

4-5

1031 X509_CRL_free(*pcrl); -

1032 *pcrl = best_crl; -

1033 *pissuer = best_crl_issuer; -

1034 *pscore = best_score; -

1035 *preasons = best_reasons; -

1036 X509_CRL_up_ref(best_crl); -

1037 X509_CRL_free(*pdcrl); -

1038 *pdcrl = NULL; -

1039 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); -

1040

}

executed 5 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1041 -

1042

if (best_score >= CRL_SCORE_VALID)

best_score >= ...0\|0x040\|0x080)	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

3-6

1043

return 1;

executed 3 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1044 -

1045

return 0;

executed 6 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1046 } -

1047 -

1048 /* -

1049 * Compare two CRL extensions for delta checking purposes. They should be -

1050 * both present or both absent. If both present all fields must be identical. -

1051 */ -

1052 -

1053 static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) -

1054 { -

1055 ASN1_OCTET_STRING *exta, *extb; -

1056 int i; -

1057 i = X509_CRL_get_ext_by_NID(a, nid, -1); -

1058

if (i >= 0) {

i >= 0	Description
TRUE	never evaluated
FALSE	never evaluated

1059 /* Can't have multiple occurrences */ -

1060

if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)

X509_CRL_get_e... nid, i) != -1	Description
TRUE	never evaluated
FALSE	never evaluated

1061

return 0;

never executed: return 0;

1062 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); -

1063

} else

never executed: end of block

1064

exta = NULL;

never executed: exta = ((void *)0) ;

1065 -

1066 i = X509_CRL_get_ext_by_NID(b, nid, -1); -

1067 -

1068

if (i >= 0) {

i >= 0	Description
TRUE	never evaluated
FALSE	never evaluated

1069 -

1070

if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)

X509_CRL_get_e... nid, i) != -1	Description
TRUE	never evaluated
FALSE	never evaluated

1071

return 0;

never executed: return 0;

1072 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); -

1073

} else

never executed: end of block

1074

extb = NULL;

never executed: extb = ((void *)0) ;

1075 -

1076

if (!exta && !extb)

!exta	Description
TRUE	never evaluated
FALSE	never evaluated

!extb	Description
TRUE	never evaluated
FALSE	never evaluated

1077

return 1;

never executed: return 1;

1078 -

1079

if (!exta || !extb)

!exta	Description
TRUE	never evaluated
FALSE	never evaluated

!extb	Description
TRUE	never evaluated
FALSE	never evaluated

1080

return 0;

never executed: return 0;

1081 -

1082

if (ASN1_OCTET_STRING_cmp(exta, extb))

ASN1_OCTET_STR...mp(exta, extb)	Description
TRUE	never evaluated
FALSE	never evaluated

1083

return 0;

never executed: return 0;

1084 -

1085

return 1;

never executed: return 1;

1086 } -

1087 -

1088 /* See if a base and delta are compatible */ -

1089 -

1090 static int check_delta_base(X509_CRL *delta, X509_CRL *base) -

1091 { -

1092 /* Delta CRL must be a delta */ -

1093

if (!delta->base_crl_number)

!delta->base_crl_number	Description
TRUE	never evaluated
FALSE	never evaluated

1094

return 0;

never executed: return 0;

1095 /* Base must have a CRL number */ -

1096

if (!base->crl_number)

!base->crl_number	Description
TRUE	never evaluated
FALSE	never evaluated

1097

return 0;

never executed: return 0;

1098 /* Issuer names must match */ -

1099

if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta)))

X509_NAME_cmp(...issuer(delta))	Description
TRUE	never evaluated
FALSE	never evaluated

1100

return 0;

never executed: return 0;

1101 /* AKID and IDP must match */ -

1102

if (!crl_extension_match(delta, base, NID_authority_key_identifier))

!crl_extension...lta, base, 90)	Description
TRUE	never evaluated
FALSE	never evaluated

1103

return 0;

never executed: return 0;

1104

if (!crl_extension_match(delta, base, NID_issuing_distribution_point))

!crl_extension...ta, base, 770)	Description
TRUE	never evaluated
FALSE	never evaluated

1105

return 0;

never executed: return 0;

1106 /* Delta CRL base number must not exceed Full CRL number. */ -

1107

if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)

ASN1_INTEGER_c...rl_number) > 0	Description
TRUE	never evaluated
FALSE	never evaluated

1108

return 0;

never executed: return 0;

1109 /* Delta CRL number must exceed full CRL number */ -

1110

if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)

ASN1_INTEGER_c...rl_number) > 0	Description
TRUE	never evaluated
FALSE	never evaluated

1111

return 1;

never executed: return 1;

1112

return 0;

never executed: return 0;

1113 } -

1114 -

1115 /* -

1116 * For a given base CRL find a delta... maybe extend to delta scoring or -

1117 * retrieve a chain of deltas... -

1118 */ -

1119 -

1120 static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, -

1121 X509_CRL *base, STACK_OF(X509_CRL) *crls) -

1122 { -

1123 X509_CRL *delta; -

1124 int i; -

1125

if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))

!(ctx->param->flags & 0x2000)	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5

1126

return;

executed 5 times by 1 test: return;

Executed by:

libcrypto.so.1.1

1127

if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))

!((ctx->curren...ags) & 0x1000)	Description
TRUE	never evaluated
FALSE	never evaluated

1128

return;

never executed: return;

1129

for (i = 0; i < sk_X509_CRL_num(crls); i++) {

i < sk_X509_CRL_num(crls)	Description
TRUE	never evaluated
FALSE	never evaluated

1130 delta = sk_X509_CRL_value(crls, i); -

1131

if (check_delta_base(delta, base)) {

check_delta_base(delta, base)	Description
TRUE	never evaluated
FALSE	never evaluated

1132

if (check_crl_time(ctx, delta, 0))

check_crl_time(ctx, delta, 0)	Description
TRUE	never evaluated
FALSE	never evaluated

1133

*pscore |= CRL_SCORE_TIME_DELTA;

never executed: *pscore |= 0x002;

1134 X509_CRL_up_ref(delta); -

1135 *dcrl = delta; -

1136

return;

never executed: return;

1137 } -

1138

}

never executed: end of block

1139 *dcrl = NULL; -

1140

}

never executed: end of block

1141 -

1142 /* -

1143 * For a given CRL return how suitable it is for the supplied certificate -

1144 * 'x'. The return value is a mask of several criteria. If the issuer is not -

1145 * the certificate issuer this is returned in *pissuer. The reasons mask is -

1146 * also used to determine if the CRL is suitable: if no new reasons the CRL -

1147 * is rejected, otherwise reasons is updated. -

1148 */ -

1149 -

1150 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, -

1151 unsigned int *preasons, X509_CRL *crl, X509 *x) -

1152 { -

1153 -

1154 int crl_score = 0; -

1155 unsigned int tmp_reasons = *preasons, crl_reasons; -

1156 -

1157 /* First see if we can reject CRL straight away */ -

1158 -

1159 /* Invalid IDP cannot be processed */ -

1160

if (crl->idp_flags & IDP_INVALID)

crl->idp_flags & 0x2	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

1161

return 0;

never executed: return 0;

1162 /* Reason codes or indirect CRLs need extended CRL support */ -

1163

if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {

!(ctx->param->flags & 0x1000)	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-7

1164

if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))

crl->idp_flags & (0x20 \| 0x40)	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

1165

return 0;

never executed: return 0;

1166

} else if (crl->idp_flags & IDP_REASONS) {

executed 7 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

crl->idp_flags & 0x40	Description
TRUE	never evaluated
FALSE	never evaluated

0-7

1167 /* If no new reasons reject */ -

1168

if (!(crl->idp_reasons & ~tmp_reasons))

!(crl->idp_rea... ~tmp_reasons)	Description
TRUE	never evaluated
FALSE	never evaluated

1169

return 0;

never executed: return 0;

1170

}

never executed: end of block

1171 /* Don't process deltas at this stage */ -

1172

else if (crl->base_crl_number)

crl->base_crl_number	Description
TRUE	never evaluated
FALSE	never evaluated

1173

return 0;

never executed: return 0;

1174 /* If issuer name doesn't match certificate need indirect CRL */ -

1175

if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {

X509_NAME_cmp(...t_issuer(crl))	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

1-6

1176

if (!(crl->idp_flags & IDP_INDIRECT))

!(crl->idp_flags & 0x20)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1

1177

return 0;

executed 1 time by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1178

} else

never executed: end of block

1179

crl_score |= CRL_SCORE_ISSUER_NAME;

executed 6 times by 1 test: crl_score |= 0x020;

Executed by:

libcrypto.so.1.1

1180 -

1181

if (!(crl->flags & EXFLAG_CRITICAL))

!(crl->flags & 0x200)	Description
TRUE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-4

1182

crl_score |= CRL_SCORE_NOCRITICAL;

executed 4 times by 1 test: crl_score |= 0x100;

Executed by:

libcrypto.so.1.1

1183 -

1184 /* Check expiry */ -

1185

if (check_crl_time(ctx, crl, 0))

check_crl_time(ctx, crl, 0)	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

1186

crl_score |= CRL_SCORE_TIME;

executed 6 times by 1 test: crl_score |= 0x040;

Executed by:

libcrypto.so.1.1

1187 -

1188 /* Check authority key ID and locate certificate issuer */ -

1189 crl_akid_check(ctx, crl, pissuer, &crl_score); -

1190 -

1191 /* If we can't locate certificate issuer at this point forget it */ -

1192 -

1193

if (!(crl_score & CRL_SCORE_AKID))

!(crl_score & 0x004)	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

1194

return 0;

never executed: return 0;

1195 -

1196 /* Check cert for matching CRL distribution points */ -

1197 -

1198

if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {

crl_crldp_chec... &crl_reasons)	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

1199 /* If no new reasons reject */ -

1200

if (!(crl_reasons & ~tmp_reasons))

!(crl_reasons & ~tmp_reasons)	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

1201

return 0;

never executed: return 0;

1202 tmp_reasons |= crl_reasons; -

1203 crl_score |= CRL_SCORE_SCOPE; -

1204

}

executed 6 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1205 -

1206 *preasons = tmp_reasons; -

1207 -

1208

return crl_score;

executed 6 times by 1 test: return crl_score;

Executed by:

libcrypto.so.1.1

1209 -

1210 } -

1211 -

1212 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, -

1213 X509 **pissuer, int *pcrl_score) -

1214 { -

1215 X509 *crl_issuer = NULL; -

1216 X509_NAME *cnm = X509_CRL_get_issuer(crl); -

1217 int cidx = ctx->error_depth; -

1218 int i; -

1219 -

1220

if (cidx != sk_X509_num(ctx->chain) - 1)

cidx != sk_X50...tx->chain) - 1	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

1221

cidx++;

executed 6 times by 1 test: cidx++;

Executed by:

libcrypto.so.1.1

1222 -

1223 crl_issuer = sk_X509_value(ctx->chain, cidx); -

1224 -

1225

if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {

X509_check_aki...rl->akid) == 0	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

1226

if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {

*pcrl_score & 0x020	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

1227 *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT; -

1228 *pissuer = crl_issuer; -

1229

return;

executed 6 times by 1 test: return;

Executed by:

libcrypto.so.1.1

1230 } -

1231

}

never executed: end of block

1232 -

1233

for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) {

cidx < sk_X509_num(ctx->chain)	Description
TRUE	never evaluated
FALSE	never evaluated

1234 crl_issuer = sk_X509_value(ctx->chain, cidx); -

1235

if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))

X509_NAME_cmp(..._issuer), cnm)	Description
TRUE	never evaluated
FALSE	never evaluated

1236

continue;

never executed: continue;

1237

if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {

X509_check_aki...rl->akid) == 0	Description
TRUE	never evaluated
FALSE	never evaluated

1238 *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH; -

1239 *pissuer = crl_issuer; -

1240

return;

never executed: return;

1241 } -

1242

}

never executed: end of block

1243 -

1244 /* Anything else needs extended CRL support */ -

1245 -

1246

if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))

!(ctx->param->flags & 0x1000)	Description
TRUE	never evaluated
FALSE	never evaluated

1247

return;

never executed: return;

1248 -

1249 /* -

1250 * Otherwise the CRL issuer is not on the path. Look for it in the set of -

1251 * untrusted certificates. -

1252 */ -

1253

for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {

i < sk_X509_nu...tx->untrusted)	Description
TRUE	never evaluated
FALSE	never evaluated

1254 crl_issuer = sk_X509_value(ctx->untrusted, i); -

1255

if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))

X509_NAME_cmp(..._issuer), cnm)	Description
TRUE	never evaluated
FALSE	never evaluated

1256

continue;

never executed: continue;

1257

if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {

X509_check_aki...rl->akid) == 0	Description
TRUE	never evaluated
FALSE	never evaluated

1258 *pissuer = crl_issuer; -

1259 *pcrl_score |= CRL_SCORE_AKID; -

1260

return;

never executed: return;

1261 } -

1262

}

never executed: end of block

1263

}

never executed: end of block

1264 -

1265 /* -

1266 * Check the path of a CRL issuer certificate. This creates a new -

1267 * X509_STORE_CTX and populates it with most of the parameters from the -

1268 * parent. This could be optimised somewhat since a lot of path checking will -

1269 * be duplicated by the parent, but this will rarely be used in practice. -

1270 */ -

1271 -

1272 static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) -

1273 { -

1274 X509_STORE_CTX crl_ctx; -

1275 int ret; -

1276 -

1277 /* Don't allow recursive CRL path validation */ -

1278

if (ctx->parent)

ctx->parent	Description
TRUE	never evaluated
FALSE	never evaluated

1279

return 0;

never executed: return 0;

1280

if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))

!X509_STORE_CT...tx->untrusted)	Description
TRUE	never evaluated
FALSE	never evaluated

1281

return -1;

never executed: return -1;

1282 -

1283 crl_ctx.crls = ctx->crls; -

1284 /* Copy verify params across */ -

1285 X509_STORE_CTX_set0_param(&crl_ctx, ctx->param); -

1286 -

1287 crl_ctx.parent = ctx; -

1288 crl_ctx.verify_cb = ctx->verify_cb; -

1289 -

1290 /* Verify CRL issuer */ -

1291 ret = X509_verify_cert(&crl_ctx); -

1292

if (ret <= 0)

ret <= 0	Description
TRUE	never evaluated
FALSE	never evaluated

1293

goto err;

never executed: goto err;

1294 -

1295 /* Check chain is acceptable */ -

1296 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); -

1297

err:

code before this statement never executed: err:

1298 X509_STORE_CTX_cleanup(&crl_ctx); -

1299

return ret;

never executed: return ret;

1300 } -

1301 -

1302 /* -

1303 * RFC3280 says nothing about the relationship between CRL path and -

1304 * certificate path, which could lead to situations where a certificate could -

1305 * be revoked or validated by a CA not authorised to do so. RFC5280 is more -

1306 * strict and states that the two paths must end in the same trust anchor, -

1307 * though some discussions remain... until this is resolved we use the -

1308 * RFC5280 version -

1309 */ -

1310 -

1311 static int check_crl_chain(X509_STORE_CTX *ctx, -

1312 STACK_OF(X509) *cert_path, -

1313 STACK_OF(X509) *crl_path) -

1314 { -

1315 X509 *cert_ta, *crl_ta; -

1316 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); -

1317 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); -

1318

if (!X509_cmp(cert_ta, crl_ta))

!X509_cmp(cert_ta, crl_ta)	Description
TRUE	never evaluated
FALSE	never evaluated

1319

return 1;

never executed: return 1;

1320

return 0;

never executed: return 0;

1321 } -

1322 -

1323 /*- -

1324 * Check for match between two dist point names: three separate cases. -

1325 * 1. Both are relative names and compare X509_NAME types. -

1326 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES. -

1327 * 3. Both are full names and compare two GENERAL_NAMES. -

1328 * 4. One is NULL: automatic match. -

1329 */ -

1330 -

1331 static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) -

1332 { -

1333 X509_NAME *nm = NULL; -

1334 GENERAL_NAMES *gens = NULL; -

1335 GENERAL_NAME *gena, *genb; -

1336 int i, j; -

1337

if (!a || !b)

!a	Description
TRUE	never evaluated
FALSE	never evaluated

!b	Description
TRUE	never evaluated
FALSE	never evaluated

1338

return 1;

never executed: return 1;

1339

if (a->type == 1) {

a->type == 1	Description
TRUE	never evaluated
FALSE	never evaluated

1340

if (!a->dpname)

!a->dpname	Description
TRUE	never evaluated
FALSE	never evaluated

1341

return 0;

never executed: return 0;

1342 /* Case 1: two X509_NAME */ -

1343

if (b->type == 1) {

b->type == 1	Description
TRUE	never evaluated
FALSE	never evaluated

1344

if (!b->dpname)

!b->dpname	Description
TRUE	never evaluated
FALSE	never evaluated

1345

return 0;

never executed: return 0;

1346

if (!X509_NAME_cmp(a->dpname, b->dpname))

!X509_NAME_cmp...me, b->dpname)	Description
TRUE	never evaluated
FALSE	never evaluated

1347

return 1;

never executed: return 1;

1348 else -

1349

return 0;

never executed: return 0;

1350 } -

1351 /* Case 2: set name and GENERAL_NAMES appropriately */ -

1352 nm = a->dpname; -

1353 gens = b->name.fullname; -

1354

} else if (b->type == 1) {

never executed: end of block

b->type == 1	Description
TRUE	never evaluated
FALSE	never evaluated

1355

if (!b->dpname)

!b->dpname	Description
TRUE	never evaluated
FALSE	never evaluated

1356

return 0;

never executed: return 0;

1357 /* Case 2: set name and GENERAL_NAMES appropriately */ -

1358 gens = a->name.fullname; -

1359 nm = b->dpname; -

1360

}

never executed: end of block

1361 -

1362 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ -

1363

if (nm) {

nm	Description
TRUE	never evaluated
FALSE	never evaluated

1364

for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {

i < sk_GENERAL_NAME_num(gens)	Description
TRUE	never evaluated
FALSE	never evaluated

1365 gena = sk_GENERAL_NAME_value(gens, i); -

1366

if (gena->type != GEN_DIRNAME)

gena->type != 4	Description
TRUE	never evaluated
FALSE	never evaluated

1367

continue;

never executed: continue;

1368

if (!X509_NAME_cmp(nm, gena->d.directoryName))

!X509_NAME_cmp...directoryName)	Description
TRUE	never evaluated
FALSE	never evaluated

1369

return 1;

never executed: return 1;

1370

}

never executed: end of block

1371

return 0;

never executed: return 0;

1372 } -

1373 -

1374 /* Else case 3: two GENERAL_NAMES */ -

1375 -

1376

for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {

i < sk_GENERAL...name.fullname)	Description
TRUE	never evaluated
FALSE	never evaluated

1377 gena = sk_GENERAL_NAME_value(a->name.fullname, i); -

1378

for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {

j < sk_GENERAL...name.fullname)	Description
TRUE	never evaluated
FALSE	never evaluated

1379 genb = sk_GENERAL_NAME_value(b->name.fullname, j); -

1380

if (!GENERAL_NAME_cmp(gena, genb))

!GENERAL_NAME_cmp(gena, genb)	Description
TRUE	never evaluated
FALSE	never evaluated

1381

return 1;

never executed: return 1;

1382

}

never executed: end of block

1383

}

never executed: end of block

1384 -

1385

return 0;

never executed: return 0;

1386 -

1387 } -

1388 -

1389 static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) -

1390 { -

1391 int i; -

1392 X509_NAME *nm = X509_CRL_get_issuer(crl); -

1393 /* If no CRLissuer return is successful iff don't need a match */ -

1394

if (!dp->CRLissuer)

!dp->CRLissuer	Description
TRUE	never evaluated
FALSE	never evaluated

1395

return ! !(crl_score & CRL_SCORE_ISSUER_NAME);

never executed: return ! !(crl_score & 0x020);

1396

for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {

i < sk_GENERAL...dp->CRLissuer)	Description
TRUE	never evaluated
FALSE	never evaluated

1397 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); -

1398

if (gen->type != GEN_DIRNAME)

gen->type != 4	Description
TRUE	never evaluated
FALSE	never evaluated

1399

continue;

never executed: continue;

1400

if (!X509_NAME_cmp(gen->d.directoryName, nm))

!X509_NAME_cmp...ctoryName, nm)	Description
TRUE	never evaluated
FALSE	never evaluated

1401

return 1;

never executed: return 1;

1402

}

never executed: end of block

1403

return 0;

never executed: return 0;

1404 } -

1405 -

1406 /* Check CRLDP and IDP */ -

1407 -

1408 static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, -

1409 unsigned int *preasons) -

1410 { -

1411 int i; -

1412

if (crl->idp_flags & IDP_ONLYATTR)

crl->idp_flags & 0x10	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

1413

return 0;

never executed: return 0;

1414

if (x->ex_flags & EXFLAG_CA) {

x->ex_flags & 0x10	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

1415

if (crl->idp_flags & IDP_ONLYUSER)

crl->idp_flags & 0x4	Description
TRUE	never evaluated
FALSE	never evaluated

1416

return 0;

never executed: return 0;

1417

} else {

never executed: end of block

1418

if (crl->idp_flags & IDP_ONLYCA)

crl->idp_flags & 0x8	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

1419

return 0;

never executed: return 0;

1420

}

executed 6 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1421 *preasons = crl->idp_reasons; -

1422

for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {

i < sk_DIST_PO..._num(x->crldp)	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

1423 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); -

1424

if (crldp_check_crlissuer(dp, crl, crl_score)) {

crldp_check_cr...rl, crl_score)	Description
TRUE	never evaluated
FALSE	never evaluated

1425

if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {

!crl->idp	Description
TRUE	never evaluated
FALSE	never evaluated

idp_check_dp(d...dp->distpoint)	Description
TRUE	never evaluated
FALSE	never evaluated

1426 *preasons &= dp->dp_reasons; -

1427

return 1;

never executed: return 1;

1428 } -

1429

}

never executed: end of block

1430

}

never executed: end of block

1431

if ((!crl->idp || !crl->idp->distpoint)

!crl->idp	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

!crl->idp->distpoint	Description
TRUE	never evaluated
FALSE	never evaluated

0-6

1432

&& (crl_score & CRL_SCORE_ISSUER_NAME))

(crl_score & 0x020)	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

1433

return 1;

executed 6 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1434

return 0;

never executed: return 0;

1435 } -

1436 -

1437 /* -

1438 * Retrieve CRL corresponding to current certificate. If deltas enabled try -

1439 * to find a delta CRL too -

1440 */ -

1441 -

1442 static int get_crl_delta(X509_STORE_CTX *ctx, -

1443 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) -

1444 { -

1445 int ok; -

1446 X509 *issuer = NULL; -

1447 int crl_score = 0; -

1448 unsigned int reasons; -

1449 X509_CRL *crl = NULL, *dcrl = NULL; -

1450 STACK_OF(X509_CRL) *skcrl; -

1451 X509_NAME *nm = X509_get_issuer_name(x); -

1452 -

1453 reasons = ctx->current_reasons; -

1454 ok = get_crl_sk(ctx, &crl, &dcrl, -

1455 &issuer, &crl_score, &reasons, ctx->crls); -

1456

if (ok)

ok	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

3-4

1457

goto done;

executed 3 times by 1 test: goto done;

Executed by:

libcrypto.so.1.1

1458 -

1459 /* Lookup CRLs from store */ -

1460 -

1461 skcrl = ctx->lookup_crls(ctx, nm); -

1462 -

1463 /* If no CRLs found and a near match from get_crl_sk use that */ -

1464

if (!skcrl && crl)

!skcrl	Description
TRUE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

crl	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

0-4

1465

goto done;

executed 2 times by 1 test: goto done;

Executed by:

libcrypto.so.1.1

1466 -

1467 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); -

1468 -

1469 sk_X509_CRL_pop_free(skcrl, X509_CRL_free); -

1470 -

1471

done:

code before this statement executed 2 times by 1 test: done:

Executed by:

libcrypto.so.1.1

1472 /* If we got any kind of CRL use it and return success */ -

1473

if (crl) {

crl	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-5

1474 ctx->current_issuer = issuer; -

1475 ctx->current_crl_score = crl_score; -

1476 ctx->current_reasons = reasons; -

1477 *pcrl = crl; -

1478 *pdcrl = dcrl; -

1479

return 1;

executed 5 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1480 } -

1481

return 0;

executed 2 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1482 } -

1483 -

1484 /* Check CRL validity */ -

1485 static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) -

1486 { -

1487 X509 *issuer = NULL; -

1488 EVP_PKEY *ikey = NULL; -

1489 int cnum = ctx->error_depth; -

1490 int chnum = sk_X509_num(ctx->chain) - 1; -

1491 -

1492 /* if we have an alternative CRL issuer cert use that */ -

1493

if (ctx->current_issuer)

ctx->current_issuer	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5

1494

issuer = ctx->current_issuer;

executed 5 times by 1 test: issuer = ctx->current_issuer;

Executed by:

libcrypto.so.1.1

1495 /* -

1496 * Else find CRL issuer: if not last certificate then issuer is next -

1497 * certificate in chain. -

1498 */ -

1499

else if (cnum < chnum)

cnum < chnum	Description
TRUE	never evaluated
FALSE	never evaluated

1500

issuer = sk_X509_value(ctx->chain, cnum + 1);

never executed: issuer = sk_X509_value(ctx->chain, cnum + 1);

1501 else { -

1502 issuer = sk_X509_value(ctx->chain, chnum); -

1503 /* If not self signed, can't check signature */ -

1504

if (!ctx->check_issued(ctx, issuer, issuer) &&

!ctx->check_is...ssuer, issuer)	Description
TRUE	never evaluated
FALSE	never evaluated

1505

!verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER))

!verify_cb_crl(ctx, 33)	Description
TRUE	never evaluated
FALSE	never evaluated

1506

return 0;

never executed: return 0;

1507

}

never executed: end of block

1508 -

1509

if (issuer == NULL)

issuer == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

1510

return 1;

never executed: return 1;

1511 -

1512 /* -

1513 * Skip most tests for deltas because they have already been done -

1514 */ -

1515

if (!crl->base_crl_number) {

!crl->base_crl_number	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5

1516 /* Check for cRLSign bit if keyUsage present */ -

1517

if ((issuer->ex_flags & EXFLAG_KUSAGE) &&

(issuer->ex_flags & 0x2)	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

1518

!(issuer->ex_kusage & KU_CRL_SIGN) &&

!(issuer->ex_kusage & 0x0002)	Description
TRUE	never evaluated
FALSE	never evaluated

1519

!verify_cb_crl(ctx, X509_V_ERR_KEYUSAGE_NO_CRL_SIGN))

!verify_cb_crl(ctx, 35)	Description
TRUE	never evaluated
FALSE	never evaluated

1520

return 0;

never executed: return 0;

1521 -

1522

if (!(ctx->current_crl_score & CRL_SCORE_SCOPE) &&

!(ctx->current...score & 0x080)	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

1523

!verify_cb_crl(ctx, X509_V_ERR_DIFFERENT_CRL_SCOPE))

!verify_cb_crl(ctx, 44)	Description
TRUE	never evaluated
FALSE	never evaluated

1524

return 0;

never executed: return 0;

1525 -

1526

if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH) &&

!(ctx->current...score & 0x008)	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

1527

check_crl_path(ctx, ctx->current_issuer) <= 0 &&

check_crl_path...t_issuer) <= 0	Description
TRUE	never evaluated
FALSE	never evaluated

1528

!verify_cb_crl(ctx, X509_V_ERR_CRL_PATH_VALIDATION_ERROR))

!verify_cb_crl(ctx, 54)	Description
TRUE	never evaluated
FALSE	never evaluated

1529

return 0;

never executed: return 0;

1530 -

1531

if ((crl->idp_flags & IDP_INVALID) &&

(crl->idp_flags & 0x2)	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

1532

!verify_cb_crl(ctx, X509_V_ERR_INVALID_EXTENSION))

!verify_cb_crl(ctx, 41)	Description
TRUE	never evaluated
FALSE	never evaluated

1533

return 0;

never executed: return 0;

1534

}

executed 5 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1535 -

1536

if (!(ctx->current_crl_score & CRL_SCORE_TIME) &&

!(ctx->current...score & 0x040)	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

1537

!check_crl_time(ctx, crl, 1))

!check_crl_time(ctx, crl, 1)	Description
TRUE	never evaluated
FALSE	never evaluated

1538

return 0;

never executed: return 0;

1539 -

1540 /* Attempt to get issuer certificate public key */ -

1541 ikey = X509_get0_pubkey(issuer); -

1542 -

1543

if (!ikey &&

!ikey	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

1544

!verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))

!verify_cb_crl(ctx, 6)	Description
TRUE	never evaluated
FALSE	never evaluated

1545

return 0;

never executed: return 0;

1546 -

1547

if (ikey) {

ikey	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5

1548 int rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags); -

1549 -

1550

if (rv != X509_V_OK && !verify_cb_crl(ctx, rv))

rv != 0	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

!verify_cb_crl(ctx, rv)	Description
TRUE	never evaluated
FALSE	never evaluated

0-5

1551

return 0;

never executed: return 0;

1552 /* Verify CRL signature */ -

1553

if (X509_CRL_verify(crl, ikey) <= 0 &&

X509_CRL_verif...rl, ikey) <= 0	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

1554

!verify_cb_crl(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE))

!verify_cb_crl(ctx, 8)	Description
TRUE	never evaluated
FALSE	never evaluated

1555

return 0;

never executed: return 0;

1556

}

executed 5 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1557

return 1;

executed 5 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1558 } -

1559 -

1560 /* Check certificate against CRL */ -

1561 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) -

1562 { -

1563 X509_REVOKED *rev; -

1564 -

1565 /* -

1566 * The rules changed for this... previously if a CRL contained unhandled -

1567 * critical extensions it could still be used to indicate a certificate -

1568 * was revoked. This has since been changed since critical extensions can -

1569 * change the meaning of CRL entries. -

1570 */ -

1571

if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)

!(ctx->param->flags & 0x10)	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5

1572

&& (crl->flags & EXFLAG_CRITICAL) &&

(crl->flags & 0x200)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

2-3

1573

!verify_cb_crl(ctx, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION))

!verify_cb_crl(ctx, 36)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2

1574

return 0;

executed 2 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1575 /* -

1576 * Look for serial number of certificate in CRL. If found, make sure -

1577 * reason is not removeFromCRL. -

1578 */ -

1579

if (X509_CRL_get0_by_cert(crl, &rev, x)) {

X509_CRL_get0_...(crl, &rev, x)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

1-2

1580

if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)

rev->reason == 8	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

1581

return 2;

never executed: return 2;

1582

if (!verify_cb_crl(ctx, X509_V_ERR_CERT_REVOKED))

!verify_cb_crl(ctx, 23)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1

1583

return 0;

executed 1 time by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1584

}

never executed: end of block

1585 -

1586

return 1;

executed 2 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1587 } -

1588 -

1589 static int check_policy(X509_STORE_CTX *ctx) -

1590 { -

1591 int ret; -

1592 -

1593

if (ctx->parent)

ctx->parent	Description
TRUE	never evaluated
FALSE	never evaluated

1594

return 1;

never executed: return 1;

1595 /* -

1596 * With DANE, the trust anchor might be a bare public key, not a -

1597 * certificate! In that case our chain does not have the trust anchor -

1598 * certificate as a top-most element. This comports well with RFC5280 -

1599 * chain verification, since there too, the trust anchor is not part of the -

1600 * chain to be verified. In particular, X509_policy_check() does not look -

1601 * at the TA cert, but assumes that it is present as the top-most chain -

1602 * element. We therefore temporarily push a NULL cert onto the chain if it -

1603 * was verified via a bare public key, and pop it off right after the -

1604 * X509_policy_check() call. -

1605 */ -

1606

if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL)) {

ctx->bare_ta_signed	Description
TRUE	never evaluated
FALSE	never evaluated

!sk_X509_push(... ((void *)0) )	Description
TRUE	never evaluated
FALSE	never evaluated

1607 X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE); -

1608 ctx->error = X509_V_ERR_OUT_OF_MEM; -

1609

return 0;

never executed: return 0;

1610 } -

1611 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, -

1612 ctx->param->policies, ctx->param->flags); -

1613

if (ctx->bare_ta_signed)

ctx->bare_ta_signed	Description
TRUE	never evaluated
FALSE	never evaluated

1614

sk_X509_pop(ctx->chain);

never executed: sk_X509_pop(ctx->chain);

1615 -

1616

if (ret == X509_PCY_TREE_INTERNAL) {

ret == 0	Description
TRUE	never evaluated
FALSE	never evaluated

1617 X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE); -

1618 ctx->error = X509_V_ERR_OUT_OF_MEM; -

1619

return 0;

never executed: return 0;

1620 } -

1621 /* Invalid or inconsistent extensions */ -

1622

if (ret == X509_PCY_TREE_INVALID) {

ret == -1	Description
TRUE	never evaluated
FALSE	never evaluated

1623 int i; -

1624 -

1625 /* Locate certificates with bad extensions and notify callback. */ -

1626

for (i = 1; i < sk_X509_num(ctx->chain); i++) {

i < sk_X509_num(ctx->chain)	Description
TRUE	never evaluated
FALSE	never evaluated

1627 X509 *x = sk_X509_value(ctx->chain, i); -

1628 -

1629

if (!(x->ex_flags & EXFLAG_INVALID_POLICY))

!(x->ex_flags & 0x800)	Description
TRUE	never evaluated
FALSE	never evaluated

1630

continue;

never executed: continue;

1631

if (!verify_cb_cert(ctx, x, i,

!verify_cb_cert(ctx, x, i, 42)	Description
TRUE	never evaluated
FALSE	never evaluated

1632

X509_V_ERR_INVALID_POLICY_EXTENSION))

!verify_cb_cert(ctx, x, i, 42)	Description
TRUE	never evaluated
FALSE	never evaluated

1633

return 0;

never executed: return 0;

1634

}

never executed: end of block

1635

return 1;

never executed: return 1;

1636 } -

1637

if (ret == X509_PCY_TREE_FAILURE) {

ret == -2	Description
TRUE	never evaluated
FALSE	never evaluated

1638 ctx->current_cert = NULL; -

1639 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; -

1640

return ctx->verify_cb(0, ctx);

never executed: return ctx->verify_cb(0, ctx);

1641 } -

1642

if (ret != X509_PCY_TREE_VALID) {

ret != 1	Description
TRUE	never evaluated
FALSE	never evaluated

1643 X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); -

1644

return 0;

never executed: return 0;

1645 } -

1646 -

1647

if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {

ctx->param->flags & 0x800	Description
TRUE	never evaluated
FALSE	never evaluated

1648 ctx->current_cert = NULL; -

1649 /* -

1650 * Verification errors need to be "sticky", a callback may have allowed -

1651 * an SSL handshake to continue despite an error, and we must then -

1652 * remain in an error state. Therefore, we MUST NOT clear earlier -

1653 * verification errors by setting the error to X509_V_OK. -

1654 */ -

1655

if (!ctx->verify_cb(2, ctx))

!ctx->verify_cb(2, ctx)	Description
TRUE	never evaluated
FALSE	never evaluated

1656

return 0;

never executed: return 0;

1657

}

never executed: end of block

1658 -

1659

return 1;

never executed: return 1;

1660 } -

1661 -

1662 /*- -

1663 * Check certificate validity times. -

1664 * If depth >= 0, invoke verification callbacks on error, otherwise just return -

1665 * the validation status. -

1666 * -

1667 * Return 1 on success, 0 otherwise. -

1668 */ -

1669 int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) -

1670 { -

1671 time_t *ptime; -

1672 int i; -

1673 -

1674

if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)

ctx->param->flags & 0x2	Description
TRUE	evaluated 59 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4082 times by 1 test Evaluated by: libcrypto.so.1.1

59-4082

1675

ptime = &ctx->param->check_time;

executed 59 times by 1 test: ptime = &ctx->param->check_time;

Executed by:

libcrypto.so.1.1

1676

else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)

ctx->param->flags & 0x200000	Description
TRUE	never evaluated
FALSE	evaluated 4082 times by 1 test Evaluated by: libcrypto.so.1.1

0-4082

1677

return 1;

never executed: return 1;

1678 else -

1679

ptime = NULL;

executed 4082 times by 1 test: ptime = ((void *)0) ;

Executed by:

libcrypto.so.1.1

4082

1680 -

1681 i = X509_cmp_time(X509_get0_notBefore(x), ptime); -

1682

if (i >= 0 && depth < 0)

i >= 0	Description
TRUE	evaluated 102 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4039 times by 1 test Evaluated by: libcrypto.so.1.1

depth < 0	Description
TRUE	evaluated 102 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-4039

1683

return 0;

executed 102 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

102

1684

if (i == 0 && !verify_cb_cert(ctx, x, depth,

i == 0	Description
TRUE	never evaluated
FALSE	evaluated 4039 times by 1 test Evaluated by: libcrypto.so.1.1

!verify_cb_cer... x, depth, 13)	Description
TRUE	never evaluated
FALSE	never evaluated

0-4039

1685

X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD))

!verify_cb_cer... x, depth, 13)	Description
TRUE	never evaluated
FALSE	never evaluated

1686

return 0;

never executed: return 0;

1687

if (i > 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID))

i > 0	Description
TRUE	never evaluated
FALSE	evaluated 4039 times by 1 test Evaluated by: libcrypto.so.1.1

!verify_cb_cer..., x, depth, 9)	Description
TRUE	never evaluated
FALSE	never evaluated

0-4039

1688

return 0;

never executed: return 0;

1689 -

1690 i = X509_cmp_time(X509_get0_notAfter(x), ptime); -

1691

if (i <= 0 && depth < 0)

i <= 0	Description
TRUE	evaluated 79 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3960 times by 1 test Evaluated by: libcrypto.so.1.1

depth < 0	Description
TRUE	evaluated 78 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-3960

1692

return 0;

executed 78 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1693

if (i == 0 && !verify_cb_cert(ctx, x, depth,

i == 0	Description
TRUE	never evaluated
FALSE	evaluated 3961 times by 1 test Evaluated by: libcrypto.so.1.1

!verify_cb_cer... x, depth, 14)	Description
TRUE	never evaluated
FALSE	never evaluated

0-3961

1694

X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD))

!verify_cb_cer... x, depth, 14)	Description
TRUE	never evaluated
FALSE	never evaluated

1695

return 0;

never executed: return 0;

1696

if (i < 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_HAS_EXPIRED))

i < 0	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3960 times by 1 test Evaluated by: libcrypto.so.1.1

!verify_cb_cer... x, depth, 10)	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-3960

1697

return 0;

never executed: return 0;

1698

return 1;

executed 3961 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

3961

1699 } -

1700 -

1701 static int internal_verify(X509_STORE_CTX *ctx) -

1702 { -

1703 int n = sk_X509_num(ctx->chain) - 1; -

1704 X509 *xi = sk_X509_value(ctx->chain, n); -

1705 X509 *xs; -

1706 -

1707 /* -

1708 * With DANE-verified bare public key TA signatures, it remains only to -

1709 * check the timestamps of the top certificate. We report the issuer as -

1710 * NULL, since all we have is a bare key. -

1711 */ -

1712

if (ctx->bare_ta_signed) {

ctx->bare_ta_signed	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1324 times by 1 test Evaluated by: libcrypto.so.1.1

2-1324

1713 xs = xi; -

1714 xi = NULL; -

1715

goto check_cert;

executed 2 times by 1 test: goto check_cert;

Executed by:

libcrypto.so.1.1

1716 } -

1717 -

1718

if (ctx->check_issued(ctx, xi, xi))

ctx->check_issued(ctx, xi, xi)	Description
TRUE	evaluated 1167 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 157 times by 1 test Evaluated by: libcrypto.so.1.1

157-1167

1719

xs = xi;

executed 1167 times by 1 test: xs = xi;

Executed by:

libcrypto.so.1.1

1167

1720 else { -

1721

if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {

ctx->param->flags & 0x80000	Description
TRUE	evaluated 20 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 137 times by 1 test Evaluated by: libcrypto.so.1.1

20-137

1722 xs = xi; -

1723

goto check_cert;

executed 20 times by 1 test: goto check_cert;

Executed by:

libcrypto.so.1.1

1724 } -

1725

if (n <= 0)

n <= 0	Description
TRUE	evaluated 121 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 16 times by 1 test Evaluated by: libcrypto.so.1.1

16-121

1726

return verify_cb_cert(ctx, xi, 0,

executed 121 times by 1 test: return verify_cb_cert(ctx, xi, 0, 21);

Executed by:

libcrypto.so.1.1

121

1727

X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);

executed 121 times by 1 test: return verify_cb_cert(ctx, xi, 0, 21);

Executed by:

libcrypto.so.1.1

121

1728 n--; -

1729 ctx->error_depth = n; -

1730 xs = sk_X509_value(ctx->chain, n); -

1731

}

executed 16 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1732 -

1733 /* -

1734 * Do not clear ctx->error=0, it must be "sticky", only the user's callback -

1735 * is allowed to reset errors (at its own peril). -

1736 */ -

1737

while (n >= 0) {

n >= 0	Description
TRUE	evaluated 2475 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1199 times by 1 test Evaluated by: libcrypto.so.1.1

1199-2475

1738 EVP_PKEY *pkey; -

1739 -

1740 /* -

1741 * Skip signature check for self signed certificates unless explicitly -

1742 * asked for. It doesn't add any security and just wastes time. If -

1743 * the issuer's public key is unusable, report the issuer certificate -

1744 * and its depth (rather than the depth of the subject). -

1745 */ -

1746

if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {

xs != xi	Description
TRUE	evaluated 1308 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1167 times by 1 test Evaluated by: libcrypto.so.1.1

(ctx->param->flags & 0x4000)	Description
TRUE	never evaluated
FALSE	evaluated 1167 times by 1 test Evaluated by: libcrypto.so.1.1

0-1308

1747

if ((pkey = X509_get0_pubkey(xi)) == NULL) {

(pkey = X509_g...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 1308 times by 1 test Evaluated by: libcrypto.so.1.1

0-1308

1748

if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,

!verify_cb_cer... ? n+1 : n, 6)	Description
TRUE	never evaluated
FALSE	never evaluated

1749

X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))

!verify_cb_cer... ? n+1 : n, 6)	Description
TRUE	never evaluated
FALSE	never evaluated

1750

return 0;

never executed: return 0;

1751

} else if (X509_verify(xs, pkey) <= 0) {

never executed: end of block

X509_verify(xs, pkey) <= 0	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1302 times by 1 test Evaluated by: libcrypto.so.1.1

0-1302

1752

if (!verify_cb_cert(ctx, xs, n,

!verify_cb_cert(ctx, xs, n, 7)	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

1753

X509_V_ERR_CERT_SIGNATURE_FAILURE))

!verify_cb_cert(ctx, xs, n, 7)	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

1754

return 0;

executed 6 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1755

}

never executed: end of block

1756

}

executed 1302 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1302

1757 -

1758

check_cert:

code before this statement executed 2469 times by 1 test: check_cert:

Executed by:

libcrypto.so.1.1

2469

1759 /* Calls verify callback as needed */ -

1760

if (!x509_check_cert_time(ctx, xs, n))

!x509_check_ce...me(ctx, xs, n)	Description
TRUE	never evaluated
FALSE	evaluated 2491 times by 1 test Evaluated by: libcrypto.so.1.1

0-2491

1761

return 0;

never executed: return 0;

1762 -

1763 /* -

1764 * Signal success at this depth. However, the previous error (if any) -

1765 * is retained. -

1766 */ -

1767 ctx->current_issuer = xi; -

1768 ctx->current_cert = xs; -

1769 ctx->error_depth = n; -

1770

if (!ctx->verify_cb(1, ctx))

!ctx->verify_cb(1, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 2491 times by 1 test Evaluated by: libcrypto.so.1.1

0-2491

1771

return 0;

never executed: return 0;

1772 -

1773

if (--n >= 0) {

--n >= 0	Description
TRUE	evaluated 1292 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1199 times by 1 test Evaluated by: libcrypto.so.1.1

1199-1292

1774 xi = xs; -

1775 xs = sk_X509_value(ctx->chain, n); -

1776

}

executed 1292 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1292

1777

}

executed 2491 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2491

1778

return 1;

executed 1199 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1199

1779 } -

1780 -

1781 int X509_cmp_current_time(const ASN1_TIME *ctm) -

1782 { -

1783

return X509_cmp_time(ctm, NULL);

never executed: return X509_cmp_time(ctm, ((void *)0) );

1784 } -

1785 -

1786 int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) -

1787 { -

1788 static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1; -

1789 static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1; -

1790 ASN1_TIME *asn1_cmp_time = NULL; -

1791 int i, day, sec, ret = 0; -

1792 -

1793 /* -

1794 * Note that ASN.1 allows much more slack in the time format than RFC5280. -

1795 * In RFC5280, the representation is fixed: -

1796 * UTCTime: YYMMDDHHMMSSZ -

1797 * GeneralizedTime: YYYYMMDDHHMMSSZ -

1798 * -

1799 * We do NOT currently enforce the following RFC 5280 requirement: -

1800 * "CAs conforming to this profile MUST always encode certificate -

1801 * validity dates through the year 2049 as UTCTime; certificate validity -

1802 * dates in 2050 or later MUST be encoded as GeneralizedTime." -

1803 */ -

1804 switch (ctm->type) { -

1805

case V_ASN1_UTCTIME:

executed 4699 times by 1 test: case 23:

Executed by:

libcrypto.so.1.1

4699

1806

if (ctm->length != (int)(utctime_length))

ctm->length !=...tctime_length)	Description
TRUE	evaluated 10 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4689 times by 1 test Evaluated by: libcrypto.so.1.1

10-4689

1807

return 0;

executed 10 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1808

break;

executed 4689 times by 1 test: break;

Executed by:

libcrypto.so.1.1

4689

1809

case V_ASN1_GENERALIZEDTIME:

executed 3520 times by 1 test: case 24:

Executed by:

libcrypto.so.1.1

3520

1810

if (ctm->length != (int)(generalizedtime_length))

ctm->length !=...edtime_length)	Description
TRUE	evaluated 23 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3497 times by 1 test Evaluated by: libcrypto.so.1.1

23-3497

1811

return 0;

executed 23 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1812

break;

executed 3497 times by 1 test: break;

Executed by:

libcrypto.so.1.1

3497

1813

default:

executed 1 time by 1 test: default:

Executed by:

libcrypto.so.1.1

1814

return 0;

executed 1 time by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1815 } -

1816 -

1817 /** -

1818 * Verify the format: the ASN.1 functions we use below allow a more -

1819 * flexible format than what's mandated by RFC 5280. -

1820 * Digit and date ranges will be verified in the conversion methods. -

1821 */ -

1822

for (i = 0; i < ctm->length - 1; i++) {

i < ctm->length - 1	Description
TRUE	evaluated 104760 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 8117 times by 1 test Evaluated by: libcrypto.so.1.1

8117-104760

1823

if (!ossl_isdigit(ctm->data[i]))

!(ossl_ctype_c...ata[i]), 0x4))	Description
TRUE	evaluated 69 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 104691 times by 1 test Evaluated by: libcrypto.so.1.1

69-104691

1824

return 0;

executed 69 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1825

}

executed 104691 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

104691

1826

if (ctm->data[ctm->length - 1] != 'Z')

ctm->data[ctm-...th - 1] != 'Z'	Description
TRUE	evaluated 12 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 8105 times by 1 test Evaluated by: libcrypto.so.1.1

12-8105

1827

return 0;

executed 12 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1828 -

1829 /* -

1830 * There is ASN1_UTCTIME_cmp_time_t but no -

1831 * ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t, -

1832 * so we go through ASN.1 -

1833 */ -

1834 asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time); -

1835

if (asn1_cmp_time == NULL)

asn1_cmp_time == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 8105 times by 1 test Evaluated by: libcrypto.so.1.1

0-8105

1836

goto err;

never executed: goto err;

1837

if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time))

!ASN1_TIME_dif...asn1_cmp_time)	Description
TRUE	evaluated 53 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 8052 times by 1 test Evaluated by: libcrypto.so.1.1

53-8052

1838

goto err;

executed 53 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

1839 -

1840 /* -

1841 * X509_cmp_time comparison is <=. -

1842 * The return value 0 is reserved for errors. -

1843 */ -

1844

ret = (day >= 0 && sec >= 0) ? -1 : 1;

day >= 0	Description
TRUE	evaluated 4085 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3967 times by 1 test Evaluated by: libcrypto.so.1.1

sec >= 0	Description
TRUE	evaluated 4080 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

5-4085

1845 -

1846

err:

code before this statement executed 8052 times by 1 test: err:

Executed by:

libcrypto.so.1.1

8052

1847 ASN1_TIME_free(asn1_cmp_time); -

1848

return ret;

executed 8105 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

8105

1849 } -

1850 -

1851 ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) -

1852 { -

1853

return X509_time_adj(s, adj, NULL);

executed 88 times by 1 test: return X509_time_adj(s, adj, ((void *)0) );

Executed by:

libcrypto.so.1.1

1854 } -

1855 -

1856 ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) -

1857 { -

1858

return X509_time_adj_ex(s, 0, offset_sec, in_tm);

executed 8193 times by 1 test: return X509_time_adj_ex(s, 0, offset_sec, in_tm);

Executed by:

libcrypto.so.1.1

8193

1859 } -

1860 -

1861 ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, -

1862 int offset_day, long offset_sec, time_t *in_tm) -

1863 { -

1864 time_t t; -

1865 -

1866

if (in_tm)

in_tm	Description
TRUE	evaluated 139 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 8069 times by 1 test Evaluated by: libcrypto.so.1.1

139-8069

1867

t = *in_tm;

executed 139 times by 1 test: t = *in_tm;

Executed by:

libcrypto.so.1.1

139

1868 else -

1869

time(&t);

executed 8069 times by 1 test: time(&t);

Executed by:

libcrypto.so.1.1

8069

1870 -

1871

if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {

s	Description
TRUE	evaluated 32 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 8176 times by 1 test Evaluated by: libcrypto.so.1.1

!(s->flags & 0x040)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 30 times by 1 test Evaluated by: libcrypto.so.1.1

2-8176

1872

if (s->type == V_ASN1_UTCTIME)

s->type == 23	Description
TRUE	never evaluated
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

0-2

1873

return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);

never executed: return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);

1874

if (s->type == V_ASN1_GENERALIZEDTIME)

s->type == 24	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2

1875

return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);

executed 2 times by 1 test: return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);

Executed by:

libcrypto.so.1.1

1876

}

never executed: end of block

1877

return ASN1_TIME_adj(s, t, offset_day, offset_sec);

executed 8206 times by 1 test: return ASN1_TIME_adj(s, t, offset_day, offset_sec);

Executed by:

libcrypto.so.1.1

8206

1878 } -

1879 -

1880 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) -

1881 { -

1882 EVP_PKEY *ktmp = NULL, *ktmp2; -

1883 int i, j; -

1884 -

1885

if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))

(pkey != ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4862 times by 1 test Evaluated by: libcrypto.so.1.1

!EVP_PKEY_miss...rameters(pkey)	Description
TRUE	never evaluated
FALSE	never evaluated

0-4862

1886

return 1;

never executed: return 1;

1887 -

1888

for (i = 0; i < sk_X509_num(chain); i++) {

i < sk_X509_num(chain)	Description
TRUE	evaluated 4862 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-4862

1889 ktmp = X509_get0_pubkey(sk_X509_value(chain, i)); -

1890

if (ktmp == NULL) {

ktmp == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 4862 times by 1 test Evaluated by: libcrypto.so.1.1

0-4862

1891 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS, -

1892 X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); -

1893

return 0;

never executed: return 0;

1894 } -

1895

if (!EVP_PKEY_missing_parameters(ktmp))

!EVP_PKEY_miss...rameters(ktmp)	Description
TRUE	evaluated 4862 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-4862

1896

break;

executed 4862 times by 1 test: break;

Executed by:

libcrypto.so.1.1

4862

1897

}

never executed: end of block

1898

if (ktmp == NULL) {

ktmp == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 4862 times by 1 test Evaluated by: libcrypto.so.1.1

0-4862

1899 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS, -

1900 X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); -

1901

return 0;

never executed: return 0;

1902 } -

1903 -

1904 /* first, populate the other certs */ -

1905

for (j = i - 1; j >= 0; j--) {

j >= 0	Description
TRUE	never evaluated
FALSE	evaluated 4862 times by 1 test Evaluated by: libcrypto.so.1.1

0-4862

1906 ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j)); -

1907 EVP_PKEY_copy_parameters(ktmp2, ktmp); -

1908

}

never executed: end of block

1909 -

1910

if (pkey != NULL)

pkey != ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 4862 times by 1 test Evaluated by: libcrypto.so.1.1

0-4862

1911

EVP_PKEY_copy_parameters(pkey, ktmp);

never executed: EVP_PKEY_copy_parameters(pkey, ktmp);

1912

return 1;

executed 4862 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

4862

1913 } -

1914 -

1915 /* Make a delta CRL as the diff between two full CRLs */ -

1916 -

1917 X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, -

1918 EVP_PKEY *skey, const EVP_MD *md, unsigned int flags) -

1919 { -

1920 X509_CRL *crl = NULL; -

1921 int i; -

1922 STACK_OF(X509_REVOKED) *revs = NULL; -

1923 /* CRLs can't be delta already */ -

1924

if (base->base_crl_number || newer->base_crl_number) {

base->base_crl_number	Description
TRUE	never evaluated
FALSE	never evaluated

newer->base_crl_number	Description
TRUE	never evaluated
FALSE	never evaluated

1925 X509err(X509_F_X509_CRL_DIFF, X509_R_CRL_ALREADY_DELTA); -

1926

return NULL;

never executed: return ((void *)0) ;

1927 } -

1928 /* Base and new CRL must have a CRL number */ -

1929

if (!base->crl_number || !newer->crl_number) {

!base->crl_number	Description
TRUE	never evaluated
FALSE	never evaluated

!newer->crl_number	Description
TRUE	never evaluated
FALSE	never evaluated

1930 X509err(X509_F_X509_CRL_DIFF, X509_R_NO_CRL_NUMBER); -

1931

return NULL;

never executed: return ((void *)0) ;

1932 } -

1933 /* Issuer names must match */ -

1934

if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {

X509_NAME_cmp(...issuer(newer))	Description
TRUE	never evaluated
FALSE	never evaluated

1935 X509err(X509_F_X509_CRL_DIFF, X509_R_ISSUER_MISMATCH); -

1936

return NULL;

never executed: return ((void *)0) ;

1937 } -

1938 /* AKID and IDP must match */ -

1939

if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {

!crl_extension...se, newer, 90)	Description
TRUE	never evaluated
FALSE	never evaluated

1940 X509err(X509_F_X509_CRL_DIFF, X509_R_AKID_MISMATCH); -

1941

return NULL;

never executed: return ((void *)0) ;

1942 } -

1943

if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {

!crl_extension...e, newer, 770)	Description
TRUE	never evaluated
FALSE	never evaluated

1944 X509err(X509_F_X509_CRL_DIFF, X509_R_IDP_MISMATCH); -

1945

return NULL;

never executed: return ((void *)0) ;

1946 } -

1947 /* Newer CRL number must exceed full CRL number */ -

1948

if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {

ASN1_INTEGER_c...l_number) <= 0	Description
TRUE	never evaluated
FALSE	never evaluated

1949 X509err(X509_F_X509_CRL_DIFF, X509_R_NEWER_CRL_NOT_NEWER); -

1950

return NULL;

never executed: return ((void *)0) ;

1951 } -

1952 /* CRLs must verify */ -

1953

if (skey && (X509_CRL_verify(base, skey) <= 0 ||

skey	Description
TRUE	never evaluated
FALSE	never evaluated

X509_CRL_verif...se, skey) <= 0	Description
TRUE	never evaluated
FALSE	never evaluated

1954

X509_CRL_verify(newer, skey) <= 0)) {

X509_CRL_verif...er, skey) <= 0	Description
TRUE	never evaluated
FALSE	never evaluated

1955 X509err(X509_F_X509_CRL_DIFF, X509_R_CRL_VERIFY_FAILURE); -

1956

return NULL;

never executed: return ((void *)0) ;

1957 } -

1958 /* Create new CRL */ -

1959 crl = X509_CRL_new(); -

1960

if (crl == NULL || !X509_CRL_set_version(crl, 1))

crl == ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

!X509_CRL_set_version(crl, 1)	Description
TRUE	never evaluated
FALSE	never evaluated

1961

goto memerr;

never executed: goto memerr;

1962 /* Set issuer name */ -

1963

if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))

!X509_CRL_set_...issuer(newer))	Description
TRUE	never evaluated
FALSE	never evaluated

1964

goto memerr;

never executed: goto memerr;

1965 -

1966

if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer)))

!X509_CRL_set1...Update(newer))	Description
TRUE	never evaluated
FALSE	never evaluated

1967

goto memerr;

never executed: goto memerr;

1968

if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))

!X509_CRL_set1...Update(newer))	Description
TRUE	never evaluated
FALSE	never evaluated

1969

goto memerr;

never executed: goto memerr;

1970 -

1971 /* Set base CRL number: must be critical */ -

1972 -

1973

if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))

!X509_CRL_add1..._number, 1, 0)	Description
TRUE	never evaluated
FALSE	never evaluated

1974

goto memerr;

never executed: goto memerr;

1975 -

1976 /* -

1977 * Copy extensions across from newest CRL to delta: this will set CRL -

1978 * number to correct value too. -

1979 */ -

1980 -

1981

for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {

i < X509_CRL_g...t_count(newer)	Description
TRUE	never evaluated
FALSE	never evaluated

1982 X509_EXTENSION *ext; -

1983 ext = X509_CRL_get_ext(newer, i); -

1984

if (!X509_CRL_add_ext(crl, ext, -1))

!X509_CRL_add_...(crl, ext, -1)	Description
TRUE	never evaluated
FALSE	never evaluated

1985

goto memerr;

never executed: goto memerr;

1986

}

never executed: end of block

1987 -

1988 /* Go through revoked entries, copying as needed */ -

1989 -

1990 revs = X509_CRL_get_REVOKED(newer); -

1991 -

1992

for (i = 0; i < sk_X509_REVOKED_num(revs); i++) {

i < sk_X509_REVOKED_num(revs)	Description
TRUE	never evaluated
FALSE	never evaluated

1993 X509_REVOKED *rvn, *rvtmp; -

1994 rvn = sk_X509_REVOKED_value(revs, i); -

1995 /* -

1996 * Add only if not also in base. TODO: need something cleverer here -

1997 * for some more complex CRLs covering multiple CAs. -

1998 */ -

1999

if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) {

!X509_CRL_get0...>serialNumber)	Description
TRUE	never evaluated
FALSE	never evaluated

2000 rvtmp = X509_REVOKED_dup(rvn); -

2001

if (!rvtmp)

!rvtmp	Description
TRUE	never evaluated
FALSE	never evaluated

2002

goto memerr;

never executed: goto memerr;

2003

if (!X509_CRL_add0_revoked(crl, rvtmp)) {

!X509_CRL_add0...ed(crl, rvtmp)	Description
TRUE	never evaluated
FALSE	never evaluated

2004 X509_REVOKED_free(rvtmp); -

2005

goto memerr;

never executed: goto memerr;

2006 } -

2007

}

never executed: end of block

2008

}

never executed: end of block

2009 /* TODO: optionally prune deleted entries */ -

2010 -

2011

if (skey && md && !X509_CRL_sign(crl, skey, md))

skey	Description
TRUE	never evaluated
FALSE	never evaluated

md	Description
TRUE	never evaluated
FALSE	never evaluated

!X509_CRL_sign(crl, skey, md)	Description
TRUE	never evaluated
FALSE	never evaluated

2012

goto memerr;

never executed: goto memerr;

2013 -

2014

return crl;

never executed: return crl;

2015 -

2016 memerr: -

2017 X509err(X509_F_X509_CRL_DIFF, ERR_R_MALLOC_FAILURE); -

2018 X509_CRL_free(crl); -

2019

return NULL;

never executed: return ((void *)0) ;

2020 } -

2021 -

2022 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) -

2023 { -

2024

return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);

executed 2660 times by 1 test: return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);

Executed by:

libcrypto.so.1.1

2660

2025 } -

2026 -

2027 void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) -

2028 { -

2029

return CRYPTO_get_ex_data(&ctx->ex_data, idx);

never executed: return CRYPTO_get_ex_data(&ctx->ex_data, idx);

2030 } -

2031 -

2032 int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) -

2033 { -

2034

return ctx->error;

executed 3491 times by 1 test: return ctx->error;

Executed by:

libcrypto.so.1.1

3491

2035 } -

2036 -

2037 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) -

2038 { -

2039 ctx->error = err; -

2040

}

executed 3 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2041 -

2042 int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) -

2043 { -

2044

return ctx->error_depth;

executed 334 times by 1 test: return ctx->error_depth;

Executed by:

libcrypto.so.1.1

334

2045 } -

2046 -

2047 void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth) -

2048 { -

2049 ctx->error_depth = depth; -

2050

}

never executed: end of block

2051 -

2052 X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) -

2053 { -

2054

return ctx->current_cert;

executed 571 times by 1 test: return ctx->current_cert;

Executed by:

libcrypto.so.1.1

571

2055 } -

2056 -

2057 void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x) -

2058 { -

2059 ctx->current_cert = x; -

2060

}

never executed: end of block

2061 -

2062 STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx) -

2063 { -

2064

return ctx->chain;

executed 4715 times by 1 test: return ctx->chain;

Executed by:

libcrypto.so.1.1

4715

2065 } -

2066 -

2067 STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) -

2068 { -

2069

if (!ctx->chain)

!ctx->chain	Description
TRUE	never evaluated
FALSE	evaluated 2628 times by 1 test Evaluated by: libcrypto.so.1.1

0-2628

2070

return NULL;

never executed: return ((void *)0) ;

2071

return X509_chain_up_ref(ctx->chain);

executed 2628 times by 1 test: return X509_chain_up_ref(ctx->chain);

Executed by:

libcrypto.so.1.1

2628

2072 } -

2073 -

2074 X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) -

2075 { -

2076

return ctx->current_issuer;

never executed: return ctx->current_issuer;

2077 } -

2078 -

2079 X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) -

2080 { -

2081

return ctx->current_crl;

never executed: return ctx->current_crl;

2082 } -

2083 -

2084 X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) -

2085 { -

2086

return ctx->parent;

executed 82 times by 1 test: return ctx->parent;

Executed by:

libcrypto.so.1.1

2087 } -

2088 -

2089 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) -

2090 { -

2091 ctx->cert = x; -

2092

}

executed 5 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2093 -

2094 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) -

2095 { -

2096 ctx->crls = sk; -

2097

}

executed 32 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2098 -

2099 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) -

2100 { -

2101 /* -

2102 * XXX: Why isn't this function always used to set the associated trust? -

2103 * Should there even be a VPM->trust field at all? Or should the trust -

2104 * always be inferred from the purpose by X509_STORE_CTX_init(). -

2105 */ -

2106

return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);

executed 25 times by 1 test: return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);

Executed by:

libcrypto.so.1.1

2107 } -

2108 -

2109 int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) -

2110 { -

2111 /* -

2112 * XXX: See above, this function would only be needed when the default -

2113 * trust for the purpose needs an override in a corner case. -

2114 */ -

2115

return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);

never executed: return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);

2116 } -

2117 -

2118 /* -

2119 * This function is used to set the X509_STORE_CTX purpose and trust values. -

2120 * This is intended to be used when another structure has its own trust and -

2121 * purpose values which (if set) will be inherited by the ctx. If they aren't -

2122 * set then we will usually have a default purpose in mind which should then -

2123 * be used to set the trust value. An example of this is SSL use: an SSL -

2124 * structure will have its own purpose and trust settings which the -

2125 * application can set: if they aren't set then we use the default of SSL -

2126 * client/server. -

2127 */ -

2128 -

2129 int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, -

2130 int purpose, int trust) -

2131 { -

2132 int idx; -

2133 /* If purpose not set use default */ -

2134

if (!purpose)

!purpose	Description
TRUE	never evaluated
FALSE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1

0-25

2135

purpose = def_purpose;

never executed: purpose = def_purpose;

2136 /* If we have a purpose then check it is valid */ -

2137

if (purpose) {

purpose	Description
TRUE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-25

2138 X509_PURPOSE *ptmp; -

2139 idx = X509_PURPOSE_get_by_id(purpose); -

2140

if (idx == -1) {

idx == -1	Description
TRUE	never evaluated
FALSE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1

0-25

2141 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, -

2142 X509_R_UNKNOWN_PURPOSE_ID); -

2143

return 0;

never executed: return 0;

2144 } -

2145 ptmp = X509_PURPOSE_get0(idx); -

2146

if (ptmp->trust == X509_TRUST_DEFAULT) {

ptmp->trust == 0	Description
TRUE	never evaluated
FALSE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1

0-25

2147 idx = X509_PURPOSE_get_by_id(def_purpose); -

2148 /* -

2149 * XXX: In the two callers above def_purpose is always 0, which is -

2150 * not a known value, so idx will always be -1. How is the -

2151 * X509_TRUST_DEFAULT case actually supposed to be handled? -

2152 */ -

2153

if (idx == -1) {

idx == -1	Description
TRUE	never evaluated
FALSE	never evaluated

2154 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, -

2155 X509_R_UNKNOWN_PURPOSE_ID); -

2156

return 0;

never executed: return 0;

2157 } -

2158 ptmp = X509_PURPOSE_get0(idx); -

2159

}

never executed: end of block

2160 /* If trust not set then get from purpose default */ -

2161

if (!trust)

!trust	Description
TRUE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-25

2162

trust = ptmp->trust;

executed 25 times by 1 test: trust = ptmp->trust;

Executed by:

libcrypto.so.1.1

2163

}

executed 25 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2164

if (trust) {

trust	Description
TRUE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-25

2165 idx = X509_TRUST_get_by_id(trust); -

2166

if (idx == -1) {

idx == -1	Description
TRUE	never evaluated
FALSE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1

0-25

2167 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, -

2168 X509_R_UNKNOWN_TRUST_ID); -

2169

return 0;

never executed: return 0;

2170 } -

2171

}

executed 25 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2172 -

2173

if (purpose && !ctx->param->purpose)

purpose	Description
TRUE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

!ctx->param->purpose	Description
TRUE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-25

2174

ctx->param->purpose = purpose;

executed 25 times by 1 test: ctx->param->purpose = purpose;

Executed by:

libcrypto.so.1.1

2175

if (trust && !ctx->param->trust)

trust	Description
TRUE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

!ctx->param->trust	Description
TRUE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-25

2176

ctx->param->trust = trust;

executed 25 times by 1 test: ctx->param->trust = trust;

Executed by:

libcrypto.so.1.1

2177

return 1;

executed 25 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

2178 } -

2179 -

2180 X509_STORE_CTX *X509_STORE_CTX_new(void) -

2181 { -

2182 X509_STORE_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); -

2183 -

2184

if (ctx == NULL) {

ctx == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 5037 times by 1 test Evaluated by: libcrypto.so.1.1

0-5037

2185 X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE); -

2186

return NULL;

never executed: return ((void *)0) ;

2187 } -

2188

return ctx;

executed 5037 times by 1 test: return ctx;

Executed by:

libcrypto.so.1.1

5037

2189 } -

2190 -

2191 void X509_STORE_CTX_free(X509_STORE_CTX *ctx) -

2192 { -

2193

if (ctx == NULL)

ctx == ((void *)0)	Description
TRUE	evaluated 21 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5037 times by 1 test Evaluated by: libcrypto.so.1.1

21-5037

2194

return;

executed 21 times by 1 test: return;

Executed by:

libcrypto.so.1.1

2195 -

2196 X509_STORE_CTX_cleanup(ctx); -

2197 OPENSSL_free(ctx); -

2198

}

executed 5037 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

5037

2199 -

2200 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, -

2201 STACK_OF(X509) *chain) -

2202 { -

2203 int ret = 1; -

2204 -

2205 ctx->ctx = store; -

2206 ctx->cert = x509; -

2207 ctx->untrusted = chain; -

2208 ctx->crls = NULL; -

2209 ctx->num_untrusted = 0; -

2210 ctx->other_ctx = NULL; -

2211 ctx->valid = 0; -

2212 ctx->chain = NULL; -

2213 ctx->error = 0; -

2214 ctx->explicit_policy = 0; -

2215 ctx->error_depth = 0; -

2216 ctx->current_cert = NULL; -

2217 ctx->current_issuer = NULL; -

2218 ctx->current_crl = NULL; -

2219 ctx->current_crl_score = 0; -

2220 ctx->current_reasons = 0; -

2221 ctx->tree = NULL; -

2222 ctx->parent = NULL; -

2223 ctx->dane = NULL; -

2224 ctx->bare_ta_signed = 0; -

2225 /* Zero ex_data to make sure we're cleanup-safe */ -

2226 memset(&ctx->ex_data, 0, sizeof(ctx->ex_data)); -

2227 -

2228 /* store->cleanup is always 0 in OpenSSL, if set must be idempotent */ -

2229

if (store)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-5030

2230

ctx->cleanup = store->cleanup;

executed 5030 times by 1 test: ctx->cleanup = store->cleanup;

Executed by:

libcrypto.so.1.1

5030

2231 else -

2232

ctx->cleanup = 0;

executed 1 time by 1 test: ctx->cleanup = 0;

Executed by:

libcrypto.so.1.1

2233 -

2234

if (store && store->check_issued)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

store->check_issued	Description
TRUE	never evaluated
FALSE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1

0-5030

2235

ctx->check_issued = store->check_issued;

never executed: ctx->check_issued = store->check_issued;

2236 else -

2237

ctx->check_issued = check_issued;

executed 5031 times by 1 test: ctx->check_issued = check_issued;

Executed by:

libcrypto.so.1.1

5031

2238 -

2239

if (store && store->get_issuer)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

store->get_issuer	Description
TRUE	never evaluated
FALSE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1

0-5030

2240

ctx->get_issuer = store->get_issuer;

never executed: ctx->get_issuer = store->get_issuer;

2241 else -

2242

ctx->get_issuer = X509_STORE_CTX_get1_issuer;

executed 5031 times by 1 test: ctx->get_issuer = X509_STORE_CTX_get1_issuer;

Executed by:

libcrypto.so.1.1

5031

2243 -

2244

if (store && store->verify_cb)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

store->verify_cb	Description
TRUE	evaluated 233 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4797 times by 1 test Evaluated by: libcrypto.so.1.1

1-5030

2245

ctx->verify_cb = store->verify_cb;

executed 233 times by 1 test: ctx->verify_cb = store->verify_cb;

Executed by:

libcrypto.so.1.1

233

2246 else -

2247

ctx->verify_cb = null_callback;

executed 4798 times by 1 test: ctx->verify_cb = null_callback;

Executed by:

libcrypto.so.1.1

4798

2248 -

2249

if (store && store->verify)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

store->verify	Description
TRUE	never evaluated
FALSE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1

0-5030

2250

ctx->verify = store->verify;

never executed: ctx->verify = store->verify;

2251 else -

2252

ctx->verify = internal_verify;

executed 5031 times by 1 test: ctx->verify = internal_verify;

Executed by:

libcrypto.so.1.1

5031

2253 -

2254

if (store && store->check_revocation)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

store->check_revocation	Description
TRUE	never evaluated
FALSE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1

0-5030

2255

ctx->check_revocation = store->check_revocation;

never executed: ctx->check_revocation = store->check_revocation;

2256 else -

2257

ctx->check_revocation = check_revocation;

executed 5031 times by 1 test: ctx->check_revocation = check_revocation;

Executed by:

libcrypto.so.1.1

5031

2258 -

2259

if (store && store->get_crl)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

store->get_crl	Description
TRUE	never evaluated
FALSE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1

0-5030

2260

ctx->get_crl = store->get_crl;

never executed: ctx->get_crl = store->get_crl;

2261 else -

2262

ctx->get_crl = NULL;

executed 5031 times by 1 test: ctx->get_crl = ((void *)0) ;

Executed by:

libcrypto.so.1.1

5031

2263 -

2264

if (store && store->check_crl)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

store->check_crl	Description
TRUE	never evaluated
FALSE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1

0-5030

2265

ctx->check_crl = store->check_crl;

never executed: ctx->check_crl = store->check_crl;

2266 else -

2267

ctx->check_crl = check_crl;

executed 5031 times by 1 test: ctx->check_crl = check_crl;

Executed by:

libcrypto.so.1.1

5031

2268 -

2269

if (store && store->cert_crl)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

store->cert_crl	Description
TRUE	never evaluated
FALSE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1

0-5030

2270

ctx->cert_crl = store->cert_crl;

never executed: ctx->cert_crl = store->cert_crl;

2271 else -

2272

ctx->cert_crl = cert_crl;

executed 5031 times by 1 test: ctx->cert_crl = cert_crl;

Executed by:

libcrypto.so.1.1

5031

2273 -

2274

if (store && store->check_policy)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

store->check_policy	Description
TRUE	never evaluated
FALSE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1

0-5030

2275

ctx->check_policy = store->check_policy;

never executed: ctx->check_policy = store->check_policy;

2276 else -

2277

ctx->check_policy = check_policy;

executed 5031 times by 1 test: ctx->check_policy = check_policy;

Executed by:

libcrypto.so.1.1

5031

2278 -

2279

if (store && store->lookup_certs)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

store->lookup_certs	Description
TRUE	never evaluated
FALSE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1

0-5030

2280

ctx->lookup_certs = store->lookup_certs;

never executed: ctx->lookup_certs = store->lookup_certs;

2281 else -

2282

ctx->lookup_certs = X509_STORE_CTX_get1_certs;

executed 5031 times by 1 test: ctx->lookup_certs = X509_STORE_CTX_get1_certs;

Executed by:

libcrypto.so.1.1

5031

2283 -

2284

if (store && store->lookup_crls)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

store->lookup_crls	Description
TRUE	never evaluated
FALSE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1

0-5030

2285

ctx->lookup_crls = store->lookup_crls;

never executed: ctx->lookup_crls = store->lookup_crls;

2286 else -

2287

ctx->lookup_crls = X509_STORE_CTX_get1_crls;

executed 5031 times by 1 test: ctx->lookup_crls = X509_STORE_CTX_get1_crls;

Executed by:

libcrypto.so.1.1

5031

2288 -

2289 ctx->param = X509_VERIFY_PARAM_new(); -

2290

if (ctx->param == NULL) {

ctx->param == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 5031 times by 1 test Evaluated by: libcrypto.so.1.1

0-5031

2291 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); -

2292

goto err;

never executed: goto err;

2293 } -

2294 -

2295 /* -

2296 * Inherit callbacks and flags from X509_STORE if not set use defaults. -

2297 */ -

2298

if (store)

store	Description
TRUE	evaluated 5030 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-5030

2299

ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);

executed 5030 times by 1 test: ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);

Executed by:

libcrypto.so.1.1

5030

2300 else -

2301

ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE;

executed 1 time by 1 test: ctx->param->inh_flags |= 0x1 | 0x10;

Executed by:

libcrypto.so.1.1

2302 -

2303

if (ret)

ret	Description
TRUE	evaluated 5031 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5031

2304

ret = X509_VERIFY_PARAM_inherit(ctx->param,

executed 5031 times by 1 test: ret = X509_VERIFY_PARAM_inherit(ctx->param, X509_VERIFY_PARAM_lookup("default"));

Executed by:

libcrypto.so.1.1

5031

2305

X509_VERIFY_PARAM_lookup("default"));

executed 5031 times by 1 test: ret = X509_VERIFY_PARAM_inherit(ctx->param, X509_VERIFY_PARAM_lookup("default"));

Executed by:

libcrypto.so.1.1

5031

2306 -

2307

if (ret == 0) {

ret == 0	Description
TRUE	never evaluated
FALSE	evaluated 5031 times by 1 test Evaluated by: libcrypto.so.1.1

0-5031

2308 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); -

2309

goto err;

never executed: goto err;

2310 } -

2311 -

2312 /* -

2313 * XXX: For now, continue to inherit trust from VPM, but infer from the -

2314 * purpose if this still yields the default value. -

2315 */ -

2316

if (ctx->param->trust == X509_TRUST_DEFAULT) {

ctx->param->trust == 0	Description
TRUE	evaluated 5031 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5031

2317 int idx = X509_PURPOSE_get_by_id(ctx->param->purpose); -

2318 X509_PURPOSE *xp = X509_PURPOSE_get0(idx); -

2319 -

2320

if (xp != NULL)

xp != ((void *)0)	Description
TRUE	evaluated 133 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4898 times by 1 test Evaluated by: libcrypto.so.1.1

133-4898

2321

ctx->param->trust = X509_PURPOSE_get_trust(xp);

executed 133 times by 1 test: ctx->param->trust = X509_PURPOSE_get_trust(xp);

Executed by:

libcrypto.so.1.1

133

2322

}

executed 5031 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

5031

2323 -

2324

if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,

CRYPTO_new_ex_...&ctx->ex_data)	Description
TRUE	evaluated 5031 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5031

2325

&ctx->ex_data))

CRYPTO_new_ex_...&ctx->ex_data)	Description
TRUE	evaluated 5031 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5031

2326

return 1;

executed 5031 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

5031

2327 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); -

2328 -

2329

err:

code before this statement never executed: err:

2330 /* -

2331 * On error clean up allocated storage, if the store context was not -

2332 * allocated with X509_STORE_CTX_new() this is our last chance to do so. -

2333 */ -

2334 X509_STORE_CTX_cleanup(ctx); -

2335

return 0;

never executed: return 0;

2336 } -

2337 -

2338 /* -

2339 * Set alternative lookup method: just a STACK of trusted certificates. This -

2340 * avoids X509_STORE nastiness where it isn't needed. -

2341 */ -

2342 void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) -

2343 { -

2344 ctx->other_ctx = sk; -

2345 ctx->get_issuer = get_issuer_sk; -

2346 ctx->lookup_certs = lookup_certs_sk; -

2347

}

executed 138 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

138

2348 -

2349 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) -

2350 { -

2351 /* -

2352 * We need to be idempotent because, unfortunately, free() also calls -

2353 * cleanup(), so the natural call sequence new(), init(), cleanup(), free() -

2354 * calls cleanup() for the same object twice! Thus we must zero the -

2355 * pointers below after they're freed! -

2356 */ -

2357 /* Seems to always be 0 in OpenSSL, do this at most once. */ -

2358

if (ctx->cleanup != NULL) {

ctx->cleanup != ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 5111 times by 1 test Evaluated by: libcrypto.so.1.1

0-5111

2359 ctx->cleanup(ctx); -

2360 ctx->cleanup = NULL; -

2361

}

never executed: end of block

2362

if (ctx->param != NULL) {

ctx->param != ((void *)0)	Description
TRUE	evaluated 5031 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 80 times by 1 test Evaluated by: libcrypto.so.1.1

80-5031

2363

if (ctx->parent == NULL)

ctx->parent == ((void *)0)	Description
TRUE	evaluated 5031 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5031

2364

X509_VERIFY_PARAM_free(ctx->param);

executed 5031 times by 1 test: X509_VERIFY_PARAM_free(ctx->param);

Executed by:

libcrypto.so.1.1

5031

2365 ctx->param = NULL; -

2366

}

executed 5031 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

5031

2367 X509_policy_tree_free(ctx->tree); -

2368 ctx->tree = NULL; -

2369 sk_X509_pop_free(ctx->chain, X509_free); -

2370 ctx->chain = NULL; -

2371 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); -

2372 memset(&ctx->ex_data, 0, sizeof(ctx->ex_data)); -

2373

}

executed 5111 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

5111

2374 -

2375 void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) -

2376 { -

2377 X509_VERIFY_PARAM_set_depth(ctx->param, depth); -

2378

}

never executed: end of block

2379 -

2380 void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) -

2381 { -

2382 X509_VERIFY_PARAM_set_flags(ctx->param, flags); -

2383

}

executed 2616 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2616

2384 -

2385 void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, -

2386 time_t t) -

2387 { -

2388 X509_VERIFY_PARAM_set_time(ctx->param, t); -

2389

}

never executed: end of block

2390 -

2391 X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) -

2392 { -

2393

return ctx->cert;

executed 2 times by 1 test: return ctx->cert;

Executed by:

libcrypto.so.1.1

2394 } -

2395 -

2396 STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) -

2397 { -

2398

return ctx->untrusted;

never executed: return ctx->untrusted;

2399 } -

2400 -

2401 void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) -

2402 { -

2403 ctx->untrusted = sk; -

2404

}

never executed: end of block

2405 -

2406 void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) -

2407 { -

2408 sk_X509_pop_free(ctx->chain, X509_free); -

2409 ctx->chain = sk; -

2410

}

never executed: end of block

2411 -

2412 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, -

2413 X509_STORE_CTX_verify_cb verify_cb) -

2414 { -

2415 ctx->verify_cb = verify_cb; -

2416

}

executed 127 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

127

2417 -

2418 X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx) -

2419 { -

2420

return ctx->verify_cb;

never executed: return ctx->verify_cb;

2421 } -

2422 -

2423 void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, -

2424 X509_STORE_CTX_verify_fn verify) -

2425 { -

2426 ctx->verify = verify; -

2427

}

never executed: end of block

2428 -

2429 X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx) -

2430 { -

2431

return ctx->verify;

never executed: return ctx->verify;

2432 } -

2433 -

2434 X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx) -

2435 { -

2436

return ctx->get_issuer;

never executed: return ctx->get_issuer;

2437 } -

2438 -

2439 X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx) -

2440 { -

2441

return ctx->check_issued;

never executed: return ctx->check_issued;

2442 } -

2443 -

2444 X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx) -

2445 { -

2446

return ctx->check_revocation;

never executed: return ctx->check_revocation;

2447 } -

2448 -

2449 X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx) -

2450 { -

2451

return ctx->get_crl;

never executed: return ctx->get_crl;

2452 } -

2453 -

2454 X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx) -

2455 { -

2456

return ctx->check_crl;

never executed: return ctx->check_crl;

2457 } -

2458 -

2459 X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx) -

2460 { -

2461

return ctx->cert_crl;

never executed: return ctx->cert_crl;

2462 } -

2463 -

2464 X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx) -

2465 { -

2466

return ctx->check_policy;

never executed: return ctx->check_policy;

2467 } -

2468 -

2469 X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx) -

2470 { -

2471

return ctx->lookup_certs;

never executed: return ctx->lookup_certs;

2472 } -

2473 -

2474 X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx) -

2475 { -

2476

return ctx->lookup_crls;

never executed: return ctx->lookup_crls;

2477 } -

2478 -

2479 X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx) -

2480 { -

2481

return ctx->cleanup;

never executed: return ctx->cleanup;

2482 } -

2483 -

2484 X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) -

2485 { -

2486

return ctx->tree;

never executed: return ctx->tree;

2487 } -

2488 -

2489 int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) -

2490 { -

2491

return ctx->explicit_policy;

never executed: return ctx->explicit_policy;

2492 } -

2493 -

2494 int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx) -

2495 { -

2496

return ctx->num_untrusted;

never executed: return ctx->num_untrusted;

2497 } -

2498 -

2499 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) -

2500 { -

2501 const X509_VERIFY_PARAM *param; -

2502 param = X509_VERIFY_PARAM_lookup(name); -

2503

if (!param)

!param	Description
TRUE	never evaluated
FALSE	evaluated 2748 times by 1 test Evaluated by: libcrypto.so.1.1

0-2748

2504

return 0;

never executed: return 0;

2505

return X509_VERIFY_PARAM_inherit(ctx->param, param);

executed 2748 times by 1 test: return X509_VERIFY_PARAM_inherit(ctx->param, param);

Executed by:

libcrypto.so.1.1

2748

2506 } -

2507 -

2508 X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) -

2509 { -

2510

return ctx->param;

executed 2660 times by 1 test: return ctx->param;

Executed by:

libcrypto.so.1.1

2660

2511 } -

2512 -

2513 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) -

2514 { -

2515 X509_VERIFY_PARAM_free(ctx->param); -

2516 ctx->param = param; -

2517

}

executed 7 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2518 -

2519 void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane) -

2520 { -

2521 ctx->dane = dane; -

2522

}

executed 49 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2523 -

2524 static unsigned char *dane_i2d( -

2525 X509 *cert, -

2526 uint8_t selector, -

2527 unsigned int *i2dlen) -

2528 { -

2529 unsigned char *buf = NULL; -

2530 int len; -

2531 -

2532 /* -

2533 * Extract ASN.1 DER form of certificate or public key. -

2534 */ -

2535 switch (selector) { -

2536

case DANETLS_SELECTOR_CERT:

executed 33 times by 1 test: case 0:

Executed by:

libcrypto.so.1.1

2537 len = i2d_X509(cert, &buf); -

2538

break;

executed 33 times by 1 test: break;

Executed by:

libcrypto.so.1.1

2539

case DANETLS_SELECTOR_SPKI:

executed 29 times by 1 test: case 1:

Executed by:

libcrypto.so.1.1

2540 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf); -

2541

break;

executed 29 times by 1 test: break;

Executed by:

libcrypto.so.1.1

2542

default:

never executed: default:

2543 X509err(X509_F_DANE_I2D, X509_R_BAD_SELECTOR); -

2544

return NULL;

never executed: return ((void *)0) ;

2545 } -

2546 -

2547

if (len < 0 || buf == NULL) {

len < 0	Description
TRUE	never evaluated
FALSE	evaluated 62 times by 1 test Evaluated by: libcrypto.so.1.1

buf == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 62 times by 1 test Evaluated by: libcrypto.so.1.1

0-62

2548 X509err(X509_F_DANE_I2D, ERR_R_MALLOC_FAILURE); -

2549

return NULL;

never executed: return ((void *)0) ;

2550 } -

2551 -

2552 *i2dlen = (unsigned int)len; -

2553

return buf;

executed 62 times by 1 test: return buf;

Executed by:

libcrypto.so.1.1

2554 } -

2555 -

2556 #define DANETLS_NONE 256 /* impossible uint8_t */ -

2557 -

2558 static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth) -

2559 { -

2560 SSL_DANE *dane = ctx->dane; -

2561 unsigned usage = DANETLS_NONE; -

2562 unsigned selector = DANETLS_NONE; -

2563 unsigned ordinal = DANETLS_NONE; -

2564 unsigned mtype = DANETLS_NONE; -

2565 unsigned char *i2dbuf = NULL; -

2566 unsigned int i2dlen = 0; -

2567 unsigned char mdbuf[EVP_MAX_MD_SIZE]; -

2568 unsigned char *cmpbuf = NULL; -

2569 unsigned int cmplen = 0; -

2570 int i; -

2571 int recnum; -

2572 int matched = 0; -

2573 danetls_record *t = NULL; -

2574 uint32_t mask; -

2575 -

2576

mask = (depth == 0) ? DANETLS_EE_MASK : DANETLS_TA_MASK;

(depth == 0)	Description
TRUE	evaluated 49 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 46 times by 1 test Evaluated by: libcrypto.so.1.1

46-49

2577 -

2578 /* -

2579 * The trust store is not applicable with DANE-TA(2) -

2580 */ -

2581

if (depth >= ctx->num_untrusted)

depth >= ctx->num_untrusted	Description
TRUE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 84 times by 1 test Evaluated by: libcrypto.so.1.1

11-84

2582

mask &= DANETLS_PKIX_MASK;

executed 11 times by 1 test: mask &= (((((uint32_t)1) << 0)) | ((((uint32_t)1) << 1)));

Executed by:

libcrypto.so.1.1

2583 -

2584 /* -

2585 * If we've previously matched a PKIX-?? record, no need to test any -

2586 * further PKIX-?? records, it remains to just build the PKIX chain. -

2587 * Had the match been a DANE-?? record, we'd be done already. -

2588 */ -

2589

if (dane->mdpth >= 0)

dane->mdpth >= 0	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 89 times by 1 test Evaluated by: libcrypto.so.1.1

6-89

2590

mask &= ~DANETLS_PKIX_MASK;

executed 6 times by 1 test: mask &= ~(((((uint32_t)1) << 0)) | ((((uint32_t)1) << 1)));

Executed by:

libcrypto.so.1.1

2591 -

2592 /*- -

2593 * https://tools.ietf.org/html/rfc7671#section-5.1 -

2594 * https://tools.ietf.org/html/rfc7671#section-5.2 -

2595 * https://tools.ietf.org/html/rfc7671#section-5.3 -

2596 * https://tools.ietf.org/html/rfc7671#section-5.4 -

2597 * -

2598 * We handle DANE-EE(3) records first as they require no chain building -

2599 * and no expiration or hostname checks. We also process digests with -

2600 * higher ordinals first and ignore lower priorities except Full(0) which -

2601 * is always processed (last). If none match, we then process PKIX-EE(1). -

2602 * -

2603 * NOTE: This relies on DANE usages sorting before the corresponding PKIX -

2604 * usages in SSL_dane_tlsa_add(), and also on descending sorting of digest -

2605 * priorities. See twin comment in ssl/ssl_lib.c. -

2606 * -

2607 * We expect that most TLSA RRsets will have just a single usage, so we -

2608 * don't go out of our way to cache multiple selector-specific i2d buffers -

2609 * across usages, but if the selector happens to remain the same as switch -

2610 * usages, that's OK. Thus, a set of "3 1 1", "3 0 1", "1 1 1", "1 0 1", -

2611 * records would result in us generating each of the certificate and public -

2612 * key DER forms twice, but more typically we'd just see multiple "3 1 1" -

2613 * or multiple "3 0 1" records. -

2614 * -

2615 * As soon as we find a match at any given depth, we stop, because either -

2616 * we've matched a DANE-?? record and the peer is authenticated, or, after -

2617 * exhausting all DANE-?? records, we've matched a PKIX-?? record, which is -

2618 * sufficient for DANE, and what remains to do is ordinary PKIX validation. -

2619 */ -

2620

recnum = (dane->umask & mask) ? sk_danetls_record_num(dane->trecs) : 0;

(dane->umask & mask)	Description
TRUE	evaluated 62 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 33 times by 1 test Evaluated by: libcrypto.so.1.1

33-62

2621

for (i = 0; matched == 0 && i < recnum; ++i) {

matched == 0	Description
TRUE	evaluated 117 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

i < recnum	Description
TRUE	evaluated 62 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 55 times by 1 test Evaluated by: libcrypto.so.1.1

0-117

2622 t = sk_danetls_record_value(dane->trecs, i); -

2623

if ((DANETLS_USAGE_BIT(t->usage) & mask) == 0)

((((uint32_t)1...) & mask) == 0	Description
TRUE	never evaluated
FALSE	evaluated 62 times by 1 test Evaluated by: libcrypto.so.1.1

0-62

2624

continue;

never executed: continue;

2625

if (t->usage != usage) {

t->usage != usage	Description
TRUE	evaluated 62 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-62

2626 usage = t->usage; -

2627 -

2628 /* Reset digest agility for each usage/selector pair */ -

2629 mtype = DANETLS_NONE; -

2630 ordinal = dane->dctx->mdord[t->mtype]; -

2631

}

executed 62 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2632

if (t->selector != selector) {

t->selector != selector	Description
TRUE	evaluated 62 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-62

2633 selector = t->selector; -

2634 -

2635 /* Update per-selector state */ -

2636 OPENSSL_free(i2dbuf); -

2637 i2dbuf = dane_i2d(cert, selector, &i2dlen); -

2638

if (i2dbuf == NULL)

i2dbuf == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 62 times by 1 test Evaluated by: libcrypto.so.1.1

0-62

2639

return -1;

never executed: return -1;

2640 -

2641 /* Reset digest agility for each usage/selector pair */ -

2642 mtype = DANETLS_NONE; -

2643 ordinal = dane->dctx->mdord[t->mtype]; -

2644

} else if (t->mtype != DANETLS_MATCHING_FULL) {

executed 62 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

t->mtype != 0	Description
TRUE	never evaluated
FALSE	never evaluated

0-62

2645 /*- -

2646 * Digest agility: -

2647 * -

2648 * <https://tools.ietf.org/html/rfc7671#section-9> -

2649 * -

2650 * For a fixed selector, after processing all records with the -

2651 * highest mtype ordinal, ignore all mtypes with lower ordinals -

2652 * other than "Full". -

2653 */ -

2654

if (dane->dctx->mdord[t->mtype] < ordinal)

dane->dctx->md...ype] < ordinal	Description
TRUE	never evaluated
FALSE	never evaluated

2655

continue;

never executed: continue;

2656

}

never executed: end of block

2657 -

2658 /* -

2659 * Each time we hit a (new selector or) mtype, re-compute the relevant -

2660 * digest, more complex caching is not worth the code space. -

2661 */ -

2662

if (t->mtype != mtype) {

t->mtype != mtype	Description
TRUE	evaluated 62 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-62

2663 const EVP_MD *md = dane->dctx->mdevp[mtype = t->mtype]; -

2664 cmpbuf = i2dbuf; -

2665 cmplen = i2dlen; -

2666 -

2667

if (md != NULL) {

md != ((void *)0)	Description
TRUE	evaluated 58 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

4-58

2668 cmpbuf = mdbuf; -

2669

if (!EVP_Digest(i2dbuf, i2dlen, cmpbuf, &cmplen, md, 0)) {

!EVP_Digest(i2...cmplen, md, 0)	Description
TRUE	never evaluated
FALSE	evaluated 58 times by 1 test Evaluated by: libcrypto.so.1.1

0-58

2670 matched = -1; -

2671

break;

never executed: break;

2672 } -

2673

}

executed 58 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2674

}

executed 62 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2675 -

2676 /* -

2677 * Squirrel away the certificate and depth if we have a match. Any -

2678 * DANE match is dispositive, but with PKIX we still need to build a -

2679 * full chain. -

2680 */ -

2681

if (cmplen == t->dlen &&

cmplen == t->dlen	Description
TRUE	evaluated 61 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-61

2682

memcmp(cmpbuf, t->data, cmplen) == 0) {

memcmp(cmpbuf,..., cmplen) == 0	Description
TRUE	evaluated 40 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 21 times by 1 test Evaluated by: libcrypto.so.1.1

21-40

2683

if (DANETLS_USAGE_BIT(usage) & DANETLS_DANE_MASK)

(((uint32_t)1)...2_t)1) << 3)))	Description
TRUE	evaluated 26 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 14 times by 1 test Evaluated by: libcrypto.so.1.1

14-26

2684

matched = 1;

executed 26 times by 1 test: matched = 1;

Executed by:

libcrypto.so.1.1

2685

if (matched || dane->mdpth < 0) {

matched	Description
TRUE	evaluated 26 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 14 times by 1 test Evaluated by: libcrypto.so.1.1

dane->mdpth < 0	Description
TRUE	evaluated 14 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-26

2686 dane->mdpth = depth; -

2687 dane->mtlsa = t; -

2688 OPENSSL_free(dane->mcert); -

2689 dane->mcert = cert; -

2690 X509_up_ref(cert); -

2691

}

executed 40 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2692

break;

executed 40 times by 1 test: break;

Executed by:

libcrypto.so.1.1

2693 } -

2694

}

executed 22 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2695 -

2696 /* Clear the one-element DER cache */ -

2697 OPENSSL_free(i2dbuf); -

2698

return matched;

executed 95 times by 1 test: return matched;

Executed by:

libcrypto.so.1.1

2699 } -

2700 -

2701 static int check_dane_issuer(X509_STORE_CTX *ctx, int depth) -

2702 { -

2703 SSL_DANE *dane = ctx->dane; -

2704 int matched = 0; -

2705 X509 *cert; -

2706 -

2707

if (!DANETLS_HAS_TA(dane) || depth == 0)

(dane)	Description
TRUE	evaluated 50 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 380 times by 1 test Evaluated by: libcrypto.so.1.1

((dane)->umask..._t)1) << 2))))	Description
TRUE	evaluated 46 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

depth == 0	Description
TRUE	never evaluated
FALSE	evaluated 46 times by 1 test Evaluated by: libcrypto.so.1.1

0-380

2708

return X509_TRUST_UNTRUSTED;

executed 384 times by 1 test: return 3;

Executed by:

libcrypto.so.1.1

384

2709 -

2710 /* -

2711 * Record any DANE trust-anchor matches, for the first depth to test, if -

2712 * there's one at that depth. (This'll be false for length 1 chains looking -

2713 * for an exact match for the leaf certificate). -

2714 */ -

2715 cert = sk_X509_value(ctx->chain, depth); -

2716

if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0)

cert != ((void *)0)	Description
TRUE	evaluated 46 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

(matched = dan...t, depth)) < 0	Description
TRUE	never evaluated
FALSE	evaluated 46 times by 1 test Evaluated by: libcrypto.so.1.1

0-46

2717

return X509_TRUST_REJECTED;

never executed: return 2;

2718

if (matched > 0) {

matched > 0	Description
TRUE	evaluated 15 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 31 times by 1 test Evaluated by: libcrypto.so.1.1

15-31

2719 ctx->num_untrusted = depth - 1; -

2720

return X509_TRUST_TRUSTED;

executed 15 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

2721 } -

2722 -

2723

return X509_TRUST_UNTRUSTED;

executed 31 times by 1 test: return 3;

Executed by:

libcrypto.so.1.1

2724 } -

2725 -

2726 static int check_dane_pkeys(X509_STORE_CTX *ctx) -

2727 { -

2728 SSL_DANE *dane = ctx->dane; -

2729 danetls_record *t; -

2730 int num = ctx->num_untrusted; -

2731 X509 *cert = sk_X509_value(ctx->chain, num - 1); -

2732 int recnum = sk_danetls_record_num(dane->trecs); -

2733 int i; -

2734 -

2735

for (i = 0; i < recnum; ++i) {

i < recnum	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2

2736 t = sk_danetls_record_value(dane->trecs, i); -

2737

if (t->usage != DANETLS_USAGE_DANE_TA ||

t->usage != 2	Description
TRUE	never evaluated
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

0-2

2738

t->selector != DANETLS_SELECTOR_SPKI ||

t->selector != 1	Description
TRUE	never evaluated
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

0-2

2739

t->mtype != DANETLS_MATCHING_FULL ||

t->mtype != 0	Description
TRUE	never evaluated
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

0-2

2740

X509_verify(cert, t->spki) <= 0)

X509_verify(ce... t->spki) <= 0	Description
TRUE	never evaluated
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

0-2

2741

continue;

never executed: continue;

2742 -

2743 /* Clear any PKIX-?? matches that failed to extend to a full chain */ -

2744 X509_free(dane->mcert); -

2745 dane->mcert = NULL; -

2746 -

2747 /* Record match via a bare TA public key */ -

2748 ctx->bare_ta_signed = 1; -

2749 dane->mdpth = num - 1; -

2750 dane->mtlsa = t; -

2751 -

2752 /* Prune any excess chain certificates */ -

2753 num = sk_X509_num(ctx->chain); -

2754

for (; num > ctx->num_untrusted; --num)

num > ctx->num_untrusted	Description
TRUE	never evaluated
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

0-2

2755

X509_free(sk_X509_pop(ctx->chain));

never executed: X509_free(sk_X509_pop(ctx->chain));

2756 -

2757

return X509_TRUST_TRUSTED;

executed 2 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

2758 } -

2759 -

2760

return X509_TRUST_UNTRUSTED;

never executed: return 3;

2761 } -

2762 -

2763 static void dane_reset(SSL_DANE *dane) -

2764 { -

2765 /* -

2766 * Reset state to verify another chain, or clear after failure. -

2767 */ -

2768 X509_free(dane->mcert); -

2769 dane->mcert = NULL; -

2770 dane->mtlsa = NULL; -

2771 dane->mdpth = -1; -

2772 dane->pdpth = -1; -

2773

}

executed 49 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2774 -

2775 static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert) -

2776 { -

2777 int err = X509_chain_check_suiteb(NULL, cert, NULL, ctx->param->flags); -

2778 -

2779

if (err == X509_V_OK)

err == 0	Description
TRUE	evaluated 16 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-16

2780

return 1;

executed 16 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

2781

return verify_cb_cert(ctx, cert, 0, err);

never executed: return verify_cb_cert(ctx, cert, 0, err);

2782 } -

2783 -

2784 static int dane_verify(X509_STORE_CTX *ctx) -

2785 { -

2786 X509 *cert = ctx->cert; -

2787 SSL_DANE *dane = ctx->dane; -

2788 int matched; -

2789 int done; -

2790 -

2791 dane_reset(dane); -

2792 -

2793 /*- -

2794 * When testing the leaf certificate, if we match a DANE-EE(3) record, -

2795 * dane_match() returns 1 and we're done. If however we match a PKIX-EE(1) -

2796 * record, the match depth and matching TLSA record are recorded, but the -

2797 * return value is 0, because we still need to find a PKIX trust-anchor. -

2798 * Therefore, when DANE authentication is enabled (required), we're done -

2799 * if: -

2800 * + matched < 0, internal error. -

2801 * + matched == 1, we matched a DANE-EE(3) record -

2802 * + matched == 0, mdepth < 0 (no PKIX-EE match) and there are no -

2803 * DANE-TA(2) or PKIX-TA(0) to test. -

2804 */ -

2805 matched = dane_match(ctx, ctx->cert, 0); -

2806

done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0);

matched != 0	Description
TRUE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 38 times by 1 test Evaluated by: libcrypto.so.1.1

(dane)	Description
TRUE	evaluated 38 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

((dane)->umask..._t)1) << 2))))	Description
TRUE	evaluated 28 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 10 times by 1 test Evaluated by: libcrypto.so.1.1

dane->mdpth < 0	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-38

2807 -

2808

if (done)

done	Description
TRUE	evaluated 16 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 33 times by 1 test Evaluated by: libcrypto.so.1.1

16-33

2809

X509_get_pubkey_parameters(NULL, ctx->chain);

executed 16 times by 1 test: X509_get_pubkey_parameters( ((void *)0) , ctx->chain);

Executed by:

libcrypto.so.1.1

2810 -

2811

if (matched > 0) {

matched > 0	Description
TRUE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 38 times by 1 test Evaluated by: libcrypto.so.1.1

11-38

2812 /* Callback invoked as needed */ -

2813

if (!check_leaf_suiteb(ctx, cert))

!check_leaf_suiteb(ctx, cert)	Description
TRUE	never evaluated
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

0-11

2814

return 0;

never executed: return 0;

2815 /* Callback invoked as needed */ -

2816

if ((dane->flags & DANE_FLAG_NO_DANE_EE_NAMECHECKS) == 0 &&

(dane->flags & (1L << 0)) == 0	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

5-6

2817

!check_id(ctx))

!check_id(ctx)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

1-5

2818

return 0;

executed 1 time by 1 test: return 0;

Executed by:

libcrypto.so.1.1

2819 /* Bypass internal_verify(), issue depth 0 success callback */ -

2820 ctx->error_depth = 0; -

2821 ctx->current_cert = cert; -

2822

return ctx->verify_cb(1, ctx);

executed 10 times by 1 test: return ctx->verify_cb(1, ctx);

Executed by:

libcrypto.so.1.1

2823 } -

2824 -

2825

if (matched < 0) {

matched < 0	Description
TRUE	never evaluated
FALSE	evaluated 38 times by 1 test Evaluated by: libcrypto.so.1.1

0-38

2826 ctx->error_depth = 0; -

2827 ctx->current_cert = cert; -

2828 ctx->error = X509_V_ERR_OUT_OF_MEM; -

2829

return -1;

never executed: return -1;

2830 } -

2831 -

2832

if (done) {

done	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 33 times by 1 test Evaluated by: libcrypto.so.1.1

5-33

2833 /* Fail early, TA-based success is not possible */ -

2834

if (!check_leaf_suiteb(ctx, cert))

!check_leaf_suiteb(ctx, cert)	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

2835

return 0;

never executed: return 0;

2836

return verify_cb_cert(ctx, cert, 0, X509_V_ERR_DANE_NO_MATCH);

executed 5 times by 1 test: return verify_cb_cert(ctx, cert, 0, 65);

Executed by:

libcrypto.so.1.1

2837 } -

2838 -

2839 /* -

2840 * Chain verification for usages 0/1/2. TLSA record matching of depth > 0 -

2841 * certificates happens in-line with building the rest of the chain. -

2842 */ -

2843

return verify_chain(ctx);

executed 33 times by 1 test: return verify_chain(ctx);

Executed by:

libcrypto.so.1.1

2844 } -

2845 -

2846 /* Get issuer, without duplicate suppression */ -

2847 static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert) -

2848 { -

2849 STACK_OF(X509) *saved_chain = ctx->chain; -

2850 int ok; -

2851 -

2852 ctx->chain = NULL; -

2853 ok = ctx->get_issuer(issuer, ctx, cert); -

2854 ctx->chain = saved_chain; -

2855 -

2856

return ok;

executed 6733 times by 1 test: return ok;

Executed by:

libcrypto.so.1.1

6733

2857 } -

2858 -

2859 static int build_chain(X509_STORE_CTX *ctx) -

2860 { -

2861 SSL_DANE *dane = ctx->dane; -

2862 int num = sk_X509_num(ctx->chain); -

2863 X509 *cert = sk_X509_value(ctx->chain, num - 1); -

2864 int ss = cert_self_signed(cert); -

2865 STACK_OF(X509) *sktmp = NULL; -

2866 unsigned int search; -

2867 int may_trusted = 0; -

2868 int may_alternate = 0; -

2869 int trust = X509_TRUST_UNTRUSTED; -

2870 int alt_untrusted = 0; -

2871 int depth; -

2872 int ok = 0; -

2873 int i; -

2874 -

2875 /* Our chain starts with a single untrusted element. */ -

2876

if (!ossl_assert(num == 1 && ctx->num_untrusted == num)) {

!((num == 1 &&... == num) != 0)	Description
TRUE	never evaluated
FALSE	evaluated 4846 times by 1 test Evaluated by: libcrypto.so.1.1

num == 1	Description
TRUE	evaluated 4846 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

ctx->num_untrusted == num	Description
TRUE	evaluated 4846 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-4846

2877 X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR); -

2878 ctx->error = X509_V_ERR_UNSPECIFIED; -

2879

return 0;

never executed: return 0;

2880 } -

2881 -

2882 #define S_DOUNTRUSTED (1 << 0) /* Search untrusted chain */ -

2883 #define S_DOTRUSTED (1 << 1) /* Search trusted store */ -

2884 #define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */ -

2885 /* -

2886 * Set up search policy, untrusted if possible, trusted-first if enabled. -

2887 * If we're doing DANE and not doing PKIX-TA/PKIX-EE, we never look in the -

2888 * trust_store, otherwise we might look there first. If not trusted-first, -

2889 * and alternate chains are not disabled, try building an alternate chain -

2890 * if no luck with untrusted first. -

2891 */ -

2892

search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0;

(ctx->untruste... ((void *)0) )	Description
TRUE	evaluated 2705 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2141 times by 1 test Evaluated by: libcrypto.so.1.1

2141-2705

2893

if (DANETLS_HAS_PKIX(dane) || !DANETLS_HAS_DANE(dane)) {

(dane)	Description
TRUE	evaluated 33 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4813 times by 1 test Evaluated by: libcrypto.so.1.1

((dane)->umask..._t)1) << 1))))	Description
TRUE	evaluated 16 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1

(dane)	Description
TRUE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4813 times by 1 test Evaluated by: libcrypto.so.1.1

((dane)->umask..._t)1) << 3))))	Description
TRUE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-4813

2894

if (search == 0 || ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)

search == 0	Description
TRUE	evaluated 2141 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2688 times by 1 test Evaluated by: libcrypto.so.1.1

ctx->param->flags & 0x8000	Description
TRUE	evaluated 2688 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2688

2895

search |= S_DOTRUSTED;

executed 4829 times by 1 test: search |= (1 << 1);

Executed by:

libcrypto.so.1.1

4829

2896

else if (!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS))

!(ctx->param->...gs & 0x100000)	Description
TRUE	never evaluated
FALSE	never evaluated

2897

may_alternate = 1;

never executed: may_alternate = 1;

2898 may_trusted = 1; -

2899

}

executed 4829 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

4829

2900 -

2901 /* -

2902 * Shallow-copy the stack of untrusted certificates (with TLS, this is -

2903 * typically the content of the peer's certificate message) so can make -

2904 * multiple passes over it, while free to remove elements as we go. -

2905 */ -

2906

if (ctx->untrusted && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {

ctx->untrusted	Description
TRUE	evaluated 2705 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2141 times by 1 test Evaluated by: libcrypto.so.1.1

(sktmp = sk_X5...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 2705 times by 1 test Evaluated by: libcrypto.so.1.1

0-2705

2907 X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); -

2908 ctx->error = X509_V_ERR_OUT_OF_MEM; -

2909

return 0;

never executed: return 0;

2910 } -

2911 -

2912 /* -

2913 * If we got any "DANE-TA(2) Cert(0) Full(0)" trust-anchors from DNS, add -

2914 * them to our working copy of the untrusted certificate stack. Since the -

2915 * caller of X509_STORE_CTX_init() may have provided only a leaf cert with -

2916 * no corresponding stack of untrusted certificates, we may need to create -

2917 * an empty stack first. [ At present only the ssl library provides DANE -

2918 * support, and ssl_verify_cert_chain() always provides a non-null stack -

2919 * containing at least the leaf certificate, but we must be prepared for -

2920 * this to change. ] -

2921 */ -

2922

if (DANETLS_ENABLED(dane) && dane->certs != NULL) {

(dane) != ((void *)0)	Description
TRUE	evaluated 33 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4813 times by 1 test Evaluated by: libcrypto.so.1.1

sk_danetls_rec...e)->trecs) > 0	Description
TRUE	evaluated 33 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

dane->certs != ((void *)0)	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 30 times by 1 test Evaluated by: libcrypto.so.1.1

0-4813

2923

if (sktmp == NULL && (sktmp = sk_X509_new_null()) == NULL) {

sktmp == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

(sktmp = sk_X5...== ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

0-3

2924 X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); -

2925 ctx->error = X509_V_ERR_OUT_OF_MEM; -

2926

return 0;

never executed: return 0;

2927 } -

2928

for (i = 0; i < sk_X509_num(dane->certs); ++i) {

i < sk_X509_num(dane->certs)	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

2929

if (!sk_X509_push(sktmp, sk_X509_value(dane->certs, i))) {

!sk_X509_push(...ne->certs, i))	Description
TRUE	never evaluated
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

0-3

2930 sk_X509_free(sktmp); -

2931 X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); -

2932 ctx->error = X509_V_ERR_OUT_OF_MEM; -

2933

return 0;

never executed: return 0;

2934 } -

2935

}

executed 3 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2936

}

executed 3 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

2937 -

2938 /* -

2939 * Still absurdly large, but arithmetically safe, a lower hard upper bound -

2940 * might be reasonable. -

2941 */ -

2942

if (ctx->param->depth > INT_MAX/2)

ctx->param->de...> 0x7fffffff/2	Description
TRUE	never evaluated
FALSE	evaluated 4846 times by 1 test Evaluated by: libcrypto.so.1.1

0-4846

2943

ctx->param->depth = INT_MAX/2;

never executed: ctx->param->depth = 0x7fffffff/2;

2944 -

2945 /* -

2946 * Try to Extend the chain until we reach an ultimately trusted issuer. -

2947 * Build chains up to one longer the limit, later fail if we hit the limit, -

2948 * with an X509_V_ERR_CERT_CHAIN_TOO_LONG error code. -

2949 */ -

2950 depth = ctx->param->depth + 1; -

2951 -

2952

while (search != 0) {

search != 0	Description
TRUE	evaluated 6761 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1237 times by 1 test Evaluated by: libcrypto.so.1.1

1237-6761

2953 X509 *x; -

2954 X509 *xtmp = NULL; -

2955 -

2956 /* -

2957 * Look in the trust store if enabled for first lookup, or we've run -

2958 * out of untrusted issuers and search here is not disabled. When we -

2959 * reach the depth limit, we stop extending the chain, if by that point -

2960 * we've not found a trust-anchor, any trusted chain would be too long. -

2961 * -

2962 * The error reported to the application verify callback is at the -

2963 * maximal valid depth with the current certificate equal to the last -

2964 * not ultimately-trusted issuer. For example, with verify_depth = 0, -

2965 * the callback will report errors at depth=1 when the immediate issuer -

2966 * of the leaf certificate is not a trust anchor. No attempt will be -

2967 * made to locate an issuer for that certificate, since such a chain -

2968 * would be a-priori too long. -

2969 */ -

2970

if ((search & S_DOTRUSTED) != 0) {

(search & (1 << 1)) != 0	Description
TRUE	evaluated 6735 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 26 times by 1 test Evaluated by: libcrypto.so.1.1

26-6735

2971 i = num = sk_X509_num(ctx->chain); -

2972

if ((search & S_DOALTERNATE) != 0) {

(search & (1 << 2)) != 0	Description
TRUE	never evaluated
FALSE	evaluated 6735 times by 1 test Evaluated by: libcrypto.so.1.1

0-6735

2973 /* -

2974 * As high up the chain as we can, look for an alternative -

2975 * trusted issuer of an untrusted certificate that currently -

2976 * has an untrusted issuer. We use the alt_untrusted variable -

2977 * to track how far up the chain we find the first match. It -

2978 * is only if and when we find a match, that we prune the chain -

2979 * and reset ctx->num_untrusted to the reduced count of -

2980 * untrusted certificates. While we're searching for such a -

2981 * match (which may never be found), it is neither safe nor -

2982 * wise to preemptively modify either the chain or -

2983 * ctx->num_untrusted. -

2984 * -

2985 * Note, like ctx->num_untrusted, alt_untrusted is a count of -

2986 * untrusted certificates, not a "depth". -

2987 */ -

2988 i = alt_untrusted; -

2989

}

never executed: end of block

2990 x = sk_X509_value(ctx->chain, i-1); -

2991 -

2992

ok = (depth < num) ? 0 : get_issuer(&xtmp, ctx, x);

(depth < num)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 6733 times by 1 test Evaluated by: libcrypto.so.1.1

2-6733

2993 -

2994

if (ok < 0) {

ok < 0	Description
TRUE	never evaluated
FALSE	evaluated 6735 times by 1 test Evaluated by: libcrypto.so.1.1

0-6735

2995 trust = X509_TRUST_REJECTED; -

2996 ctx->error = X509_V_ERR_STORE_LOOKUP; -

2997 search = 0; -

2998

continue;

never executed: continue;

2999 } -

3000 -

3001

if (ok > 0) {

ok > 0	Description
TRUE	evaluated 1231 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5504 times by 1 test Evaluated by: libcrypto.so.1.1

1231-5504

3002 /* -

3003 * Alternative trusted issuer for a mid-chain untrusted cert? -

3004 * Pop the untrusted cert's successors and retry. We might now -

3005 * be able to complete a valid chain via the trust store. Note -

3006 * that despite the current trust-store match we might still -

3007 * fail complete the chain to a suitable trust-anchor, in which -

3008 * case we may prune some more untrusted certificates and try -

3009 * again. Thus the S_DOALTERNATE bit may yet be turned on -

3010 * again with an even shorter untrusted chain! -

3011 * -

3012 * If in the process we threw away our matching PKIX-TA trust -

3013 * anchor, reset DANE trust. We might find a suitable trusted -

3014 * certificate among the ones from the trust store. -

3015 */ -

3016

if ((search & S_DOALTERNATE) != 0) {

(search & (1 << 2)) != 0	Description
TRUE	never evaluated
FALSE	evaluated 1231 times by 1 test Evaluated by: libcrypto.so.1.1

0-1231

3017

if (!ossl_assert(num > i && i > 0 && ss == 0)) {

!((num > i && ...ss == 0) != 0)	Description
TRUE	never evaluated
FALSE	never evaluated

num > i	Description
TRUE	never evaluated
FALSE	never evaluated

i > 0	Description
TRUE	never evaluated
FALSE	never evaluated

ss == 0	Description
TRUE	never evaluated
FALSE	never evaluated

3018 X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR); -

3019 X509_free(xtmp); -

3020 trust = X509_TRUST_REJECTED; -

3021 ctx->error = X509_V_ERR_UNSPECIFIED; -

3022 search = 0; -

3023

continue;

never executed: continue;

3024 } -

3025 search &= ~S_DOALTERNATE; -

3026

for (; num > i; --num)

num > i	Description
TRUE	never evaluated
FALSE	never evaluated

3027

X509_free(sk_X509_pop(ctx->chain));

never executed: X509_free(sk_X509_pop(ctx->chain));

3028 ctx->num_untrusted = num; -

3029 -

3030

if (DANETLS_ENABLED(dane) &&

(dane) != ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

sk_danetls_rec...e)->trecs) > 0	Description
TRUE	never evaluated
FALSE	never evaluated

3031

dane->mdpth >= ctx->num_untrusted) {

dane->mdpth >=...>num_untrusted	Description
TRUE	never evaluated
FALSE	never evaluated

3032 dane->mdpth = -1; -

3033 X509_free(dane->mcert); -

3034 dane->mcert = NULL; -

3035

}

never executed: end of block

3036

if (DANETLS_ENABLED(dane) &&

(dane) != ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

sk_danetls_rec...e)->trecs) > 0	Description
TRUE	never evaluated
FALSE	never evaluated

3037

dane->pdpth >= ctx->num_untrusted)

dane->pdpth >=...>num_untrusted	Description
TRUE	never evaluated
FALSE	never evaluated

3038

dane->pdpth = -1;

never executed: dane->pdpth = -1;

3039

}

never executed: end of block

3040 -

3041 /* -

3042 * Self-signed untrusted certificates get replaced by their -

3043 * trusted matching issuer. Otherwise, grow the chain. -

3044 */ -

3045

if (ss == 0) {

ss == 0	Description
TRUE	evaluated 1226 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

5-1226

3046

if (!sk_X509_push(ctx->chain, x = xtmp)) {

!sk_X509_push(...ain, x = xtmp)	Description
TRUE	never evaluated
FALSE	evaluated 1226 times by 1 test Evaluated by: libcrypto.so.1.1

0-1226

3047 X509_free(xtmp); -

3048 X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); -

3049 trust = X509_TRUST_REJECTED; -

3050 ctx->error = X509_V_ERR_OUT_OF_MEM; -

3051 search = 0; -

3052

continue;

never executed: continue;

3053 } -

3054 ss = cert_self_signed(x); -

3055

} else if (num == ctx->num_untrusted) {

executed 1226 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

num == ctx->num_untrusted	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1226

3056 /* -

3057 * We have a self-signed certificate that has the same -

3058 * subject name (and perhaps keyid and/or serial number) as -

3059 * a trust-anchor. We must have an exact match to avoid -

3060 * possible impersonation via key substitution etc. -

3061 */ -

3062

if (X509_cmp(x, xtmp) != 0) {

X509_cmp(x, xtmp) != 0	Description
TRUE	never evaluated
FALSE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1

0-5

3063 /* Self-signed untrusted mimic. */ -

3064 X509_free(xtmp); -

3065 ok = 0; -

3066

} else {

never executed: end of block

3067 X509_free(x); -

3068 ctx->num_untrusted = --num; -

3069 (void) sk_X509_set(ctx->chain, num, x = xtmp); -

3070

}

executed 5 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

3071 } -

3072 -

3073 /* -

3074 * We've added a new trusted certificate to the chain, recheck -

3075 * trust. If not done, and not self-signed look deeper. -

3076 * Whether or not we're doing "trusted first", we no longer -

3077 * look for untrusted certificates from the peer's chain. -

3078 * -

3079 * At this point ctx->num_trusted and num must reflect the -

3080 * correct number of untrusted certificates, since the DANE -

3081 * logic in check_trust() depends on distinguishing CAs from -

3082 * "the wire" from CAs from the trust store. In particular, the -

3083 * certificate at depth "num" should be the new trusted -

3084 * certificate with ctx->num_untrusted <= num. -

3085 */ -

3086

if (ok) {

ok	Description
TRUE	evaluated 1231 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1231

3087

if (!ossl_assert(ctx->num_untrusted <= num)) {

!((ctx->num_un... <= num) != 0)	Description
TRUE	never evaluated
FALSE	evaluated 1231 times by 1 test Evaluated by: libcrypto.so.1.1

0-1231

3088 X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR); -

3089 trust = X509_TRUST_REJECTED; -

3090 ctx->error = X509_V_ERR_UNSPECIFIED; -

3091 search = 0; -

3092

continue;

never executed: continue;

3093 } -

3094 search &= ~S_DOUNTRUSTED; -

3095 switch (trust = check_trust(ctx, num)) { -

3096

case X509_TRUST_TRUSTED:

executed 1196 times by 1 test: case 1:

Executed by:

libcrypto.so.1.1

1196

3097

case X509_TRUST_REJECTED:

executed 24 times by 1 test: case 2:

Executed by:

libcrypto.so.1.1

3098 search = 0; -

3099

continue;

executed 1220 times by 1 test: continue;

Executed by:

libcrypto.so.1.1

1220

3100 } -

3101

if (ss == 0)

ss == 0	Description
TRUE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-9

3102

continue;

executed 9 times by 1 test: continue;

Executed by:

libcrypto.so.1.1

3103

}

executed 2 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

3104

}

executed 2 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

3105 -

3106 /* -

3107 * No dispositive decision, and either self-signed or no match, if -

3108 * we were doing untrusted-first, and alt-chains are not disabled, -

3109 * do that, by repeatedly losing one untrusted element at a time, -

3110 * and trying to extend the shorted chain. -

3111 */ -

3112

if ((search & S_DOUNTRUSTED) == 0) {

(search & (1 << 0)) == 0	Description
TRUE	evaluated 3609 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1897 times by 1 test Evaluated by: libcrypto.so.1.1

1897-3609

3113 /* Continue search for a trusted issuer of a shorter chain? */ -

3114

if ((search & S_DOALTERNATE) != 0 && --alt_untrusted > 0)

(search & (1 << 2)) != 0	Description
TRUE	never evaluated
FALSE	evaluated 3609 times by 1 test Evaluated by: libcrypto.so.1.1

--alt_untrusted > 0	Description
TRUE	never evaluated
FALSE	never evaluated

0-3609

3115

continue;

never executed: continue;

3116 /* Still no luck and no fallbacks left? */ -

3117

if (!may_alternate || (search & S_DOALTERNATE) != 0 ||

!may_alternate	Description
TRUE	evaluated 3609 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

(search & (1 << 2)) != 0	Description
TRUE	never evaluated
FALSE	never evaluated

0-3609

3118

ctx->num_untrusted < 2)

ctx->num_untrusted < 2	Description
TRUE	never evaluated
FALSE	never evaluated

3119

break;

executed 3609 times by 1 test: break;

Executed by:

libcrypto.so.1.1

3609

3120 /* Search for a trusted issuer of a shorter chain */ -

3121 search |= S_DOALTERNATE; -

3122 alt_untrusted = ctx->num_untrusted - 1; -

3123 ss = 0; -

3124

}

never executed: end of block

3125

}

executed 1897 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1897

3126 -

3127 /* -

3128 * Extend chain with peer-provided certificates -

3129 */ -

3130

if ((search & S_DOUNTRUSTED) != 0) {

(search & (1 << 0)) != 0	Description
TRUE	evaluated 1923 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1923

3131 num = sk_X509_num(ctx->chain); -

3132

if (!ossl_assert(num == ctx->num_untrusted)) {

!((num == ctx-...trusted) != 0)	Description
TRUE	never evaluated
FALSE	evaluated 1923 times by 1 test Evaluated by: libcrypto.so.1.1

0-1923

3133 X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR); -

3134 trust = X509_TRUST_REJECTED; -

3135 ctx->error = X509_V_ERR_UNSPECIFIED; -

3136 search = 0; -

3137

continue;

never executed: continue;

3138 } -

3139 x = sk_X509_value(ctx->chain, num-1); -

3140 -

3141 /* -

3142 * Once we run out of untrusted issuers, we stop looking for more -

3143 * and start looking only in the trust store if enabled. -

3144 */ -

3145

xtmp = (ss || depth < num) ? NULL : find_issuer(ctx, sktmp, x);

ss	Description
TRUE	evaluated 106 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1817 times by 1 test Evaluated by: libcrypto.so.1.1

depth < num	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1816 times by 1 test Evaluated by: libcrypto.so.1.1

1-1817

3146

if (xtmp == NULL) {

xtmp == ((void *)0)	Description
TRUE	evaluated 1504 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 419 times by 1 test Evaluated by: libcrypto.so.1.1

419-1504

3147 search &= ~S_DOUNTRUSTED; -

3148

if (may_trusted)

may_trusted	Description
TRUE	evaluated 1502 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-1502

3149

search |= S_DOTRUSTED;

executed 1502 times by 1 test: search |= (1 << 1);

Executed by:

libcrypto.so.1.1

1502

3150

continue;

executed 1504 times by 1 test: continue;

Executed by:

libcrypto.so.1.1

1504

3151 } -

3152 -

3153 /* Drop this issuer from future consideration */ -

3154 (void) sk_X509_delete_ptr(sktmp, xtmp); -

3155 -

3156

if (!sk_X509_push(ctx->chain, xtmp)) {

!sk_X509_push(...->chain, xtmp)	Description
TRUE	never evaluated
FALSE	evaluated 419 times by 1 test Evaluated by: libcrypto.so.1.1

0-419

3157 X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); -

3158 trust = X509_TRUST_REJECTED; -

3159 ctx->error = X509_V_ERR_OUT_OF_MEM; -

3160 search = 0; -

3161

continue;

never executed: continue;

3162 } -

3163 -

3164 X509_up_ref(x = xtmp); -

3165 ++ctx->num_untrusted; -

3166 ss = cert_self_signed(xtmp); -

3167 -

3168 /* -

3169 * Check for DANE-TA trust of the topmost untrusted certificate. -

3170 */ -

3171 switch (trust = check_dane_issuer(ctx, ctx->num_untrusted - 1)) { -

3172

case X509_TRUST_TRUSTED:

executed 15 times by 1 test: case 1:

Executed by:

libcrypto.so.1.1

3173

case X509_TRUST_REJECTED:

never executed: case 2:

3174 search = 0; -

3175

continue;

executed 15 times by 1 test: continue;

Executed by:

libcrypto.so.1.1

3176 } -

3177

}

executed 404 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

404

3178

}

executed 404 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

404

3179 sk_X509_free(sktmp); -

3180 -

3181 /* -

3182 * Last chance to make a trusted chain, either bare DANE-TA public-key -

3183 * signers, or else direct leaf PKIX trust. -

3184 */ -

3185 num = sk_X509_num(ctx->chain); -

3186

if (num <= depth) {

num <= depth	Description
TRUE	evaluated 4843 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

3-4843

3187

if (trust == X509_TRUST_UNTRUSTED && DANETLS_HAS_DANE_TA(dane))

trust == 3	Description
TRUE	evaluated 3610 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1233 times by 1 test Evaluated by: libcrypto.so.1.1

(dane)	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3605 times by 1 test Evaluated by: libcrypto.so.1.1

((dane)->umask...2_t)1) << 2)))	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

2-3610

3188

trust = check_dane_pkeys(ctx);

executed 2 times by 1 test: trust = check_dane_pkeys(ctx);

Executed by:

libcrypto.so.1.1

3189

if (trust == X509_TRUST_UNTRUSTED && num == ctx->num_untrusted)

trust == 3	Description
TRUE	evaluated 3608 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1235 times by 1 test Evaluated by: libcrypto.so.1.1

num == ctx->num_untrusted	Description
TRUE	evaluated 3606 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-3608

3190

trust = check_trust(ctx, num);

executed 3606 times by 1 test: trust = check_trust(ctx, num);

Executed by:

libcrypto.so.1.1

3606

3191

}

executed 4843 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

4843

3192 -

3193 switch (trust) { -

3194

case X509_TRUST_TRUSTED:

executed 1222 times by 1 test: case 1:

Executed by:

libcrypto.so.1.1

1222

3195

return 1;

executed 1222 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

1222

3196

case X509_TRUST_REJECTED:

executed 26 times by 1 test: case 2:

Executed by:

libcrypto.so.1.1

3197 /* Callback already issued */ -

3198

return 0;

executed 26 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

3199

case X509_TRUST_UNTRUSTED:

executed 3598 times by 1 test: case 3:

Executed by:

libcrypto.so.1.1

3598

3200

default:

never executed: default:

3201 num = sk_X509_num(ctx->chain); -

3202

if (num > depth)

num > depth	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3597 times by 1 test Evaluated by: libcrypto.so.1.1

1-3597

3203

return verify_cb_cert(ctx, NULL, num-1,

executed 1 time by 1 test: return verify_cb_cert(ctx, ((void *)0) , num-1, 22);

Executed by:

libcrypto.so.1.1

3204

X509_V_ERR_CERT_CHAIN_TOO_LONG);

executed 1 time by 1 test: return verify_cb_cert(ctx, ((void *)0) , num-1, 22);

Executed by:

libcrypto.so.1.1

3205

if (DANETLS_ENABLED(dane) &&

(dane) != ((void *)0)	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3594 times by 1 test Evaluated by: libcrypto.so.1.1

sk_danetls_rec...e)->trecs) > 0	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-3594

3206

(!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0))

(dane)	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

((dane)->umask..._t)1) << 1))))	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

dane->pdpth >= 0	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-3

3207

return verify_cb_cert(ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH);

executed 2 times by 1 test: return verify_cb_cert(ctx, ((void *)0) , num-1, 65);

Executed by:

libcrypto.so.1.1

3208

if (ss && sk_X509_num(ctx->chain) == 1)

ss	Description
TRUE	evaluated 106 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3489 times by 1 test Evaluated by: libcrypto.so.1.1

sk_X509_num(ctx->chain) == 1	Description
TRUE	evaluated 38 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 68 times by 1 test Evaluated by: libcrypto.so.1.1

38-3489

3209

return verify_cb_cert(ctx, NULL, num-1,

executed 38 times by 1 test: return verify_cb_cert(ctx, ((void *)0) , num-1, 18);

Executed by:

libcrypto.so.1.1

3210

X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);

executed 38 times by 1 test: return verify_cb_cert(ctx, ((void *)0) , num-1, 18);

Executed by:

libcrypto.so.1.1

3211

if (ss)

ss	Description
TRUE	evaluated 68 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3489 times by 1 test Evaluated by: libcrypto.so.1.1

68-3489

3212

return verify_cb_cert(ctx, NULL, num-1,

executed 68 times by 1 test: return verify_cb_cert(ctx, ((void *)0) , num-1, 19);

Executed by:

libcrypto.so.1.1

3213

X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN);

executed 68 times by 1 test: return verify_cb_cert(ctx, ((void *)0) , num-1, 19);

Executed by:

libcrypto.so.1.1

3214

if (ctx->num_untrusted < num)

ctx->num_untrusted < num	Description
TRUE	never evaluated
FALSE	evaluated 3489 times by 1 test Evaluated by: libcrypto.so.1.1

0-3489

3215

return verify_cb_cert(ctx, NULL, num-1,

never executed: return verify_cb_cert(ctx, ((void *)0) , num-1, 2);

3216

X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT);

never executed: return verify_cb_cert(ctx, ((void *)0) , num-1, 2);

3217

return verify_cb_cert(ctx, NULL, num-1,

executed 3489 times by 1 test: return verify_cb_cert(ctx, ((void *)0) , num-1, 20);

Executed by:

libcrypto.so.1.1

3489

3218

X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY);

executed 3489 times by 1 test: return verify_cb_cert(ctx, ((void *)0) , num-1, 20);

Executed by:

libcrypto.so.1.1

3489

3219 } -

3220 } -

3221 -

3222 static const int minbits_table[] = { 80, 112, 128, 192, 256 }; -

3223 static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table); -

3224 -

3225 /* -

3226 * Check whether the public key of ``cert`` meets the security level of -

3227 * ``ctx``. -

3228 * -

3229 * Returns 1 on success, 0 otherwise. -

3230 */ -

3231 static int check_key_level(X509_STORE_CTX *ctx, X509 *cert) -

3232 { -

3233 EVP_PKEY *pkey = X509_get0_pubkey(cert); -

3234 int level = ctx->param->auth_level; -

3235 -

3236 /* Unsupported or malformed keys are not secure */ -

3237

if (pkey == NULL)

pkey == ((void *)0)	Description
TRUE	evaluated 154 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 5999 times by 1 test Evaluated by: libcrypto.so.1.1

154-5999

3238

return 0;

executed 154 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

154

3239 -

3240

if (level <= 0)

level <= 0	Description
TRUE	evaluated 3396 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2603 times by 1 test Evaluated by: libcrypto.so.1.1

2603-3396

3241

return 1;

executed 3396 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

3396

3242

if (level > NUM_AUTH_LEVELS)

level > NUM_AUTH_LEVELS	Description
TRUE	never evaluated
FALSE	evaluated 2603 times by 1 test Evaluated by: libcrypto.so.1.1

0-2603

3243

level = NUM_AUTH_LEVELS;

never executed: level = NUM_AUTH_LEVELS;

3244 -

3245

return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1];

executed 2603 times by 1 test: return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1];

Executed by:

libcrypto.so.1.1

2603

3246 } -

3247 -

3248 /* -

3249 * Check whether the signature digest algorithm of ``cert`` meets the security -

3250 * level of ``ctx``. Should not be checked for trust anchors (whether -

3251 * self-signed or otherwise). -

3252 * -

3253 * Returns 1 on success, 0 otherwise. -

3254 */ -

3255 static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) -

3256 { -

3257 int secbits = -1; -

3258 int level = ctx->param->auth_level; -

3259 -

3260

if (level <= 0)

level <= 0	Description
TRUE	never evaluated
FALSE	evaluated 1138 times by 1 test Evaluated by: libcrypto.so.1.1

0-1138

3261

return 1;

never executed: return 1;

3262

if (level > NUM_AUTH_LEVELS)

level > NUM_AUTH_LEVELS	Description
TRUE	never evaluated
FALSE	evaluated 1138 times by 1 test Evaluated by: libcrypto.so.1.1

0-1138

3263

level = NUM_AUTH_LEVELS;

never executed: level = NUM_AUTH_LEVELS;

3264 -

3265

if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))

!X509_get_sign... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 1138 times by 1 test Evaluated by: libcrypto.so.1.1

0-1138

3266

return 0;

never executed: return 0;

3267 -

3268

return secbits >= minbits_table[level - 1];

executed 1138 times by 1 test: return secbits >= minbits_table[level - 1];

Executed by:

libcrypto.so.1.1

1138

3269 } -

Source code

Switch to Preprocessed file

Generated by Squish Coco 4.2.2