x509_cmp.c

Line

Source

Count

1

/*

-

2

-

3

*

-

4

* Licensed under the OpenSSL license (the "License"). You may not use

-

5

* this file except in compliance with the License. You can obtain a copy

-

6

* in the file LICENSE in the source distribution or at

-

7

* https://www.openssl.org/source/license.html

-

8

*/

-

9

-

10

#include <stdio.h>

-

11

#include "internal/cryptlib.h"

-

12

#include <openssl/asn1.h>

-

13

#include <openssl/objects.h>

-

14

#include <openssl/x509.h>

-

15

#include <openssl/x509v3.h>

-

16

#include "internal/x509_int.h"

-

17

-

18

int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)

-

19

{

-

20

int i;

-

21

const X509_CINF *ai, *bi;

-

22

-

23

ai = &a->cert_info;

-

24

bi = &b->cert_info;

-

25

i = ASN1_INTEGER_cmp(&ai->serialNumber, &bi->serialNumber);

-

26

if (i)

i	Description
TRUE	evaluated 50 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 50 times by 1 test Evaluated by: libcrypto.so.1.1

50

27

return i;

executed 50 times by 1 test: return i;

Executed by:

libcrypto.so.1.1

50

28

return X509_NAME_cmp(ai->issuer, bi->issuer);

executed 50 times by 1 test: return X509_NAME_cmp(ai->issuer, bi->issuer);

Executed by:

libcrypto.so.1.1

50

29

}

-

30

-

31

#ifndef OPENSSL_NO_MD5

-

32

unsigned long X509_issuer_and_serial_hash(X509 *a)

-

33

{

-

34

unsigned long ret = 0;

-

35

EVP_MD_CTX *ctx = EVP_MD_CTX_new();

-

36

unsigned char md[16];

-

37

char *f;

-

38

-

39

if (ctx == NULL)

ctx == ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

0

40

goto err;

never executed: goto err;

0

41

f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);

-

42

if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))

!EVP_DigestIni... ((void *)0) )	Description
TRUE	never evaluated
FALSE	never evaluated

0

43

goto err;

never executed: goto err;

0

44

if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))

!EVP_DigestUpd...)f, strlen(f))	Description
TRUE	never evaluated
FALSE	never evaluated

0

45

goto err;

never executed: goto err;

0

46

OPENSSL_free(f);

-

47

if (!EVP_DigestUpdate

!EVP_DigestUpd...Number.length)	Description
TRUE	never evaluated
FALSE	never evaluated

0

48

(ctx, (unsigned char *)a->cert_info.serialNumber.data,

!EVP_DigestUpd...Number.length)	Description
TRUE	never evaluated
FALSE	never evaluated

0

49

(unsigned long)a->cert_info.serialNumber.length))

!EVP_DigestUpd...Number.length)	Description
TRUE	never evaluated
FALSE	never evaluated

0

50

goto err;

never executed: goto err;

0

51

if (!EVP_DigestFinal_ex(ctx, &(md[0]), NULL))

!EVP_DigestFin... ((void *)0) )	Description
TRUE	never evaluated
FALSE	never evaluated

0

52

goto err;

never executed: goto err;

0

53

ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |

-

54

((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)

-

55

) & 0xffffffffL;

-

56

err:

code before this statement never executed: err:

0

57

EVP_MD_CTX_free(ctx);

-

58

return ret;

never executed: return ret;

0

59

}

-

60

#endif

-

61

-

62

int X509_issuer_name_cmp(const X509 *a, const X509 *b)

-

63

{

-

64

return X509_NAME_cmp(a->cert_info.issuer, b->cert_info.issuer);

never executed: return X509_NAME_cmp(a->cert_info.issuer, b->cert_info.issuer);

0

65

}

-

66

-

67

int X509_subject_name_cmp(const X509 *a, const X509 *b)

-

68

{

-

69

return X509_NAME_cmp(a->cert_info.subject, b->cert_info.subject);

executed 1197 times by 1 test: return X509_NAME_cmp(a->cert_info.subject, b->cert_info.subject);

Executed by:

libcrypto.so.1.1

1197

70

}

-

71

-

72

int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)

-

73

{

-

74

return X509_NAME_cmp(a->crl.issuer, b->crl.issuer);

never executed: return X509_NAME_cmp(a->crl.issuer, b->crl.issuer);

0

75

}

-

76

-

77

int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)

-

78

{

-

79

return memcmp(a->sha1_hash, b->sha1_hash, 20);

never executed: return memcmp(a->sha1_hash, b->sha1_hash, 20);

0

80

}

-

81

-

82

X509_NAME *X509_get_issuer_name(const X509 *a)

-

83

{

-

84

return a->cert_info.issuer;

executed 23517 times by 1 test: return a->cert_info.issuer;

Executed by:

libcrypto.so.1.1

23517

85

}

-

86

-

87

unsigned long X509_issuer_name_hash(X509 *x)

-

88

{

-

89

return X509_NAME_hash(x->cert_info.issuer);

never executed: return X509_NAME_hash(x->cert_info.issuer);

0

90

}

-

91

-

92

#ifndef OPENSSL_NO_MD5

-

93

unsigned long X509_issuer_name_hash_old(X509 *x)

-

94

{

-

95

return X509_NAME_hash_old(x->cert_info.issuer);

never executed: return X509_NAME_hash_old(x->cert_info.issuer);

0

96

}

-

97

#endif

-

98

-

99

X509_NAME *X509_get_subject_name(const X509 *a)

-

100

{

-

101

return a->cert_info.subject;

executed 87226 times by 1 test: return a->cert_info.subject;

Executed by:

libcrypto.so.1.1

87226

102

}

-

103

-

104

ASN1_INTEGER *X509_get_serialNumber(X509 *a)

-

105

{

-

106

return &a->cert_info.serialNumber;

executed 1854 times by 1 test: return &a->cert_info.serialNumber;

Executed by:

libcrypto.so.1.1

1854

107

}

-

108

-

109

const ASN1_INTEGER *X509_get0_serialNumber(const X509 *a)

-

110

{

-

111

return &a->cert_info.serialNumber;

never executed: return &a->cert_info.serialNumber;

0

112

}

-

113

-

114

unsigned long X509_subject_name_hash(X509 *x)

-

115

{

-

116

return X509_NAME_hash(x->cert_info.subject);

never executed: return X509_NAME_hash(x->cert_info.subject);

0

117

}

-

118

-

119

#ifndef OPENSSL_NO_MD5

-

120

unsigned long X509_subject_name_hash_old(X509 *x)

-

121

{

-

122

return X509_NAME_hash_old(x->cert_info.subject);

never executed: return X509_NAME_hash_old(x->cert_info.subject);

0

123

}

-

124

#endif

-

125

-

126

/*

-

127

* Compare two certificates: they must be identical for this to work. NB:

-

128

* Although "cmp" operations are generally prototyped to take "const"

-

129

* arguments (eg. for use in STACKs), the way X509 handling is - these

-

130

* operations may involve ensuring the hashes are up-to-date and ensuring

-

131

* certain cert information is cached. So this is the point where the

-

132

* "depth-first" constification tree has to halt with an evil cast.

-

133

*/

-

134

int X509_cmp(const X509 *a, const X509 *b)

-

135

{

-

136

int rv;

-

137

/* ensure hash is valid */

-

138

X509_check_purpose((X509 *)a, -1, 0);

-

139

X509_check_purpose((X509 *)b, -1, 0);

-

140

-

141

rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);

-

142

if (rv)

rv	Description
TRUE	evaluated 583 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 19 times by 1 test Evaluated by: libcrypto.so.1.1

19-583

143

return rv;

executed 583 times by 1 test: return rv;

Executed by:

libcrypto.so.1.1

583

144

/* Check for match against stored encoding too */

-

145

if (!a->cert_info.enc.modified && !b->cert_info.enc.modified) {

!a->cert_info.enc.modified	Description
TRUE	evaluated 19 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

!b->cert_info.enc.modified	Description
TRUE	evaluated 19 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-19

146

if (a->cert_info.enc.len < b->cert_info.enc.len)

a->cert_info.e...t_info.enc.len	Description
TRUE	never evaluated
FALSE	evaluated 19 times by 1 test Evaluated by: libcrypto.so.1.1

0-19

147

return -1;

never executed: return -1;

0

148

if (a->cert_info.enc.len > b->cert_info.enc.len)

a->cert_info.e...t_info.enc.len	Description
TRUE	never evaluated
FALSE	evaluated 19 times by 1 test Evaluated by: libcrypto.so.1.1

0-19

149

return 1;

never executed: return 1;

0

150

return memcmp(a->cert_info.enc.enc, b->cert_info.enc.enc,

executed 19 times by 1 test: return memcmp(a->cert_info.enc.enc, b->cert_info.enc.enc, a->cert_info.enc.len);

Executed by:

libcrypto.so.1.1

19

151

a->cert_info.enc.len);

executed 19 times by 1 test: return memcmp(a->cert_info.enc.enc, b->cert_info.enc.enc, a->cert_info.enc.len);

Executed by:

libcrypto.so.1.1

19

152

}

-

153

return rv;

never executed: return rv;

0

154

}

-

155

-

156

int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)

-

157

{

-

158

int ret;

-

159

-

160

/* Ensure canonical encoding is present and up to date */

-

161

-

162

if (!a->canon_enc || a->modified) {

!a->canon_enc	Description
TRUE	never evaluated
FALSE	evaluated 16426 times by 1 test Evaluated by: libcrypto.so.1.1

a->modified	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 16420 times by 1 test Evaluated by: libcrypto.so.1.1

0-16426

163

ret = i2d_X509_NAME((X509_NAME *)a, NULL);

-

164

if (ret < 0)

ret < 0	Description
TRUE	never evaluated
FALSE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1

0-6

165

return -2;

never executed: return -2;

0

166

}

executed 6 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

6

167

-

168

if (!b->canon_enc || b->modified) {

!b->canon_enc	Description
TRUE	never evaluated
FALSE	evaluated 16426 times by 1 test Evaluated by: libcrypto.so.1.1

b->modified	Description
TRUE	never evaluated
FALSE	evaluated 16426 times by 1 test Evaluated by: libcrypto.so.1.1

0-16426

169

ret = i2d_X509_NAME((X509_NAME *)b, NULL);

-

170

if (ret < 0)

ret < 0	Description
TRUE	never evaluated
FALSE	never evaluated

0

171

return -2;

never executed: return -2;

0

172

}

never executed: end of block

0

173

-

174

ret = a->canon_enclen - b->canon_enclen;

-

175

-

176

if (ret != 0 || a->canon_enclen == 0)

ret != 0	Description
TRUE	evaluated 5984 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 10442 times by 1 test Evaluated by: libcrypto.so.1.1

a->canon_enclen == 0	Description
TRUE	never evaluated
FALSE	evaluated 10442 times by 1 test Evaluated by: libcrypto.so.1.1

0-10442

177

return ret;

executed 5984 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

5984

178

-

179

return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);

executed 10442 times by 1 test: return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);

Executed by:

libcrypto.so.1.1

10442

180

-

181

}

-

182

-

183

unsigned long X509_NAME_hash(X509_NAME *x)

-

184

{

-

185

unsigned long ret = 0;

-

186

unsigned char md[SHA_DIGEST_LENGTH];

-

187

-

188

/* Make sure X509_NAME structure contains valid cached encoding */

-

189

i2d_X509_NAME(x, NULL);

-

190

if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(),

!EVP_Digest(x-... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 416 times by 1 test Evaluated by: libcrypto.so.1.1

0-416

191

NULL))

!EVP_Digest(x-... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 416 times by 1 test Evaluated by: libcrypto.so.1.1

0-416

192

return 0;

never executed: return 0;

0

193

-

194

ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |

-

195

((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)

-

196

) & 0xffffffffL;

-

197

return ret;

executed 416 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

416

198

}

-

199

-

200

#ifndef OPENSSL_NO_MD5

-

201

/*

-

202

* I now DER encode the name and hash it. Since I cache the DER encoding,

-

203

* this is reasonably efficient.

-

204

*/

-

205

-

206

unsigned long X509_NAME_hash_old(X509_NAME *x)

-

207

{

-

208

EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();

-

209

unsigned long ret = 0;

-

210

unsigned char md[16];

-

211

-

212

if (md_ctx == NULL)

md_ctx == ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

0

213

return ret;

never executed: return ret;

0

214

-

215

/* Make sure X509_NAME structure contains valid cached encoding */

-

216

i2d_X509_NAME(x, NULL);

-

217

EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);

-

218

if (EVP_DigestInit_ex(md_ctx, EVP_md5(), NULL)

EVP_DigestInit... ((void *)0) )	Description
TRUE	never evaluated
FALSE	never evaluated

0

219

&& EVP_DigestUpdate(md_ctx, x->bytes->data, x->bytes->length)

EVP_DigestUpda...bytes->length)	Description
TRUE	never evaluated
FALSE	never evaluated

0

220

&& EVP_DigestFinal_ex(md_ctx, md, NULL))

EVP_DigestFina... ((void *)0) )	Description
TRUE	never evaluated
FALSE	never evaluated

0

221

ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |

never executed:

ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) ) & 0xffffffffL;

0

222

((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)

never executed:

ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) ) & 0xffffffffL;

0

223

) & 0xffffffffL;

never executed:

ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) ) & 0xffffffffL;

0

224

EVP_MD_CTX_free(md_ctx);

-

225

-

226

return ret;

never executed: return ret;

0

227

}

-

228

#endif

-

229

-

230

/* Search a stack of X509 for a match */

-

231

X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,

-

232

ASN1_INTEGER *serial)

-

233

{

-

234

int i;

-

235

X509 x, *x509 = NULL;

-

236

-

237

if (!sk)

!sk	Description
TRUE	never evaluated
FALSE	evaluated 50 times by 1 test Evaluated by: libcrypto.so.1.1

0-50

238

return NULL;

never executed: return ((void *)0) ;

0

239

-

240

x.cert_info.serialNumber = *serial;

-

241

x.cert_info.issuer = name;

-

242

-

243

for (i = 0; i < sk_X509_num(sk); i++) {

i < sk_X509_num(sk)	Description
TRUE	evaluated 100 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-100

244

x509 = sk_X509_value(sk, i);

-

245

if (X509_issuer_and_serial_cmp(x509, &x) == 0)

X509_issuer_an...x509, &x) == 0	Description
TRUE	evaluated 50 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 50 times by 1 test Evaluated by: libcrypto.so.1.1

50

246

return x509;

executed 50 times by 1 test: return x509;

Executed by:

libcrypto.so.1.1

50

247

}

executed 50 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

50

248

return NULL;

never executed: return ((void *)0) ;

0

249

}

-

250

-

251

X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)

-

252

{

-

253

X509 *x509;

-

254

int i;

-

255

-

256

for (i = 0; i < sk_X509_num(sk); i++) {

i < sk_X509_num(sk)	Description
TRUE	evaluated 29 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 12 times by 1 test Evaluated by: libcrypto.so.1.1

12-29

257

x509 = sk_X509_value(sk, i);

-

258

if (X509_NAME_cmp(X509_get_subject_name(x509), name) == 0)

X509_NAME_cmp(...9), name) == 0	Description
TRUE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 18 times by 1 test Evaluated by: libcrypto.so.1.1

11-18

259

return x509;

executed 11 times by 1 test: return x509;

Executed by:

libcrypto.so.1.1

11

260

}

executed 18 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

18

261

return NULL;

executed 12 times by 1 test: return ((void *)0) ;

Executed by:

libcrypto.so.1.1

12

262

}

-

263

-

264

EVP_PKEY *X509_get0_pubkey(const X509 *x)

-

265

{

-

266

if (x == NULL)

x == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 53470 times by 1 test Evaluated by: libcrypto.so.1.1

0-53470

267

return NULL;

never executed: return ((void *)0) ;

0

268

return X509_PUBKEY_get0(x->cert_info.key);

executed 53470 times by 1 test: return X509_PUBKEY_get0(x->cert_info.key);

Executed by:

libcrypto.so.1.1

53470

269

}

-

270

-

271

EVP_PKEY *X509_get_pubkey(X509 *x)

-

272

{

-

273

if (x == NULL)

x == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 63 times by 1 test Evaluated by: libcrypto.so.1.1

0-63

274

return NULL;

never executed: return ((void *)0) ;

0

275

return X509_PUBKEY_get(x->cert_info.key);

executed 63 times by 1 test: return X509_PUBKEY_get(x->cert_info.key);

Executed by:

libcrypto.so.1.1

63

276

}

-

277

-

278

int X509_check_private_key(const X509 *x, const EVP_PKEY *k)

-

279

{

-

280

const EVP_PKEY *xk;

-

281

int ret;

-

282

-

283

xk = X509_get0_pubkey(x);

-

284

-

285

if (xk)

xk	Description
TRUE	evaluated 8648 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-8648

286

ret = EVP_PKEY_cmp(xk, k);

executed 8648 times by 1 test: ret = EVP_PKEY_cmp(xk, k);

Executed by:

libcrypto.so.1.1

8648

287

else

-

288

ret = -2;

never executed: ret = -2;

0

289

-

290

switch (ret) {

-

291

case 1:

executed 8647 times by 1 test: case 1:

Executed by:

libcrypto.so.1.1

8647

292

break;

executed 8647 times by 1 test: break;

Executed by:

libcrypto.so.1.1

8647

293

case 0:

executed 1 time by 1 test: case 0:

Executed by:

libcrypto.so.1.1

1

294

X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_KEY_VALUES_MISMATCH);

-

295

break;

executed 1 time by 1 test: break;

Executed by:

libcrypto.so.1.1

1

296

case -1:

never executed: case -1:

0

297

X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_KEY_TYPE_MISMATCH);

-

298

break;

never executed: break;

0

299

case -2:

never executed: case -2:

0

300

X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_UNKNOWN_KEY_TYPE);

-

301

}

never executed: end of block

0

302

if (ret > 0)

ret > 0	Description
TRUE	evaluated 8647 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-8647

303

return 1;

executed 8647 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

8647

304

return 0;

executed 1 time by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1

305

}

-

306

-

307

/*

-

308

* Check a suite B algorithm is permitted: pass in a public key and the NID

-

309

* of its signature (or 0 if no signature). The pflags is a pointer to a

-

310

* flags field which must contain the suite B verification flags.

-

311

*/

-

312

-

313

#ifndef OPENSSL_NO_EC

-

314

-

315

static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags)

-

316

{

-

317

const EC_GROUP *grp = NULL;

-

318

int curve_nid;

-

319

if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_EC)

pkey	Description
TRUE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

EVP_PKEY_id(pkey) == 408	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

0-4

320

grp = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey));

executed 2 times by 1 test: grp = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey));

Executed by:

libcrypto.so.1.1

2

321

if (!grp)

!grp	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2

322

return X509_V_ERR_SUITE_B_INVALID_ALGORITHM;

executed 2 times by 1 test: return 57;

Executed by:

libcrypto.so.1.1

2

323

curve_nid = EC_GROUP_get_curve_name(grp);

-

324

/* Check curve is consistent with LOS */

-

325

if (curve_nid == NID_secp384r1) { /* P-384 */

curve_nid == 715	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1

326

/*

-

327

* Check signature algorithm is consistent with curve.

-

328

*/

-

329

if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA384)

sign_nid != -1	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

sign_nid != 795	Description
TRUE	never evaluated
FALSE	never evaluated

0-1

330

return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;

never executed: return 59;

0

331

if (!(*pflags & X509_V_FLAG_SUITEB_192_LOS))

!(*pflags & 0x20000)	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

332

return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;

never executed: return 60;

0

333

/* If we encounter P-384 we cannot use P-256 later */

-

334

*pflags &= ~X509_V_FLAG_SUITEB_128_LOS_ONLY;

-

335

} else if (curve_nid == NID_X9_62_prime256v1) { /* P-256 */

executed 1 time by 1 test: end of block

Executed by:

libcrypto.so.1.1

curve_nid == 415	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1

336

if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA256)

sign_nid != -1	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

sign_nid != 794	Description
TRUE	never evaluated
FALSE	never evaluated

0-1

337

return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;

never executed: return 59;

0

338

if (!(*pflags & X509_V_FLAG_SUITEB_128_LOS_ONLY))

!(*pflags & 0x10000)	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

339

return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;

never executed: return 60;

0

340

} else

executed 1 time by 1 test: end of block

Executed by:

libcrypto.so.1.1

1

341

return X509_V_ERR_SUITE_B_INVALID_CURVE;

never executed: return 58;

0

342

-

343

return X509_V_OK;

executed 2 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

2

344

}

-

345

-

346

int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,

-

347

unsigned long flags)

-

348

{

-

349

int rv, i, sign_nid;

-

350

EVP_PKEY *pk;

-

351

unsigned long tflags = flags;

-

352

-

353

if (!(flags & X509_V_FLAG_SUITEB_128_LOS))

!(flags & 0x30000)	Description
TRUE	evaluated 1342 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

4-1342

354

return X509_V_OK;

executed 1342 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

1342

355

-

356

/* If no EE certificate passed in must be first in chain */

-

357

if (x == NULL) {

x == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

0-4

358

x = sk_X509_value(chain, 0);

-

359

i = 1;

-

360

} else

never executed: end of block

0

361

i = 0;

executed 4 times by 1 test: i = 0;

Executed by:

libcrypto.so.1.1

4

362

-

363

pk = X509_get0_pubkey(x);

-

364

-

365

/*

-

366

* With DANE-EE(3) success, or DANE-EE(3)/PKIX-EE(1) failure we don't build

-

367

* a chain all, just report trust success or failure, but must also report

-

368

* Suite-B errors if applicable. This is indicated via a NULL chain

-

369

* pointer. All we need to do is check the leaf key algorithm.

-

370

*/

-

371

if (chain == NULL)

chain == ((void *)0)	Description
TRUE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-4

372

return check_suite_b(pk, -1, &tflags);

executed 4 times by 1 test: return check_suite_b(pk, -1, &tflags);

Executed by:

libcrypto.so.1.1

4

373

-

374

if (X509_get_version(x) != 2) {

X509_get_version(x) != 2	Description
TRUE	never evaluated
FALSE	never evaluated

0

375

rv = X509_V_ERR_SUITE_B_INVALID_VERSION;

-

376

/* Correct error depth */

-

377

i = 0;

-

378

goto end;

never executed: goto end;

0

379

}

-

380

-

381

/* Check EE key only */

-

382

rv = check_suite_b(pk, -1, &tflags);

-

383

if (rv != X509_V_OK) {

rv != 0	Description
TRUE	never evaluated
FALSE	never evaluated

0

384

/* Correct error depth */

-

385

i = 0;

-

386

goto end;

never executed: goto end;

0

387

}

-

388

for (; i < sk_X509_num(chain); i++) {

i < sk_X509_num(chain)	Description
TRUE	never evaluated
FALSE	never evaluated

0

389

sign_nid = X509_get_signature_nid(x);

-

390

x = sk_X509_value(chain, i);

-

391

if (X509_get_version(x) != 2) {

X509_get_version(x) != 2	Description
TRUE	never evaluated
FALSE	never evaluated

0

392

rv = X509_V_ERR_SUITE_B_INVALID_VERSION;

-

393

goto end;

never executed: goto end;

0

394

}

-

395

pk = X509_get0_pubkey(x);

-

396

rv = check_suite_b(pk, sign_nid, &tflags);

-

397

if (rv != X509_V_OK)

rv != 0	Description
TRUE	never evaluated
FALSE	never evaluated

0

398

goto end;

never executed: goto end;

0

399

}

never executed: end of block

0

400

-

401

/* Final check: root CA signature */

-

402

rv = check_suite_b(pk, X509_get_signature_nid(x), &tflags);

-

403

end:

code before this statement never executed: end:

0

404

if (rv != X509_V_OK) {

rv != 0	Description
TRUE	never evaluated
FALSE	never evaluated

0

405

/* Invalid signature or LOS errors are for previous cert */

-

406

if ((rv == X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM

rv == 59	Description
TRUE	never evaluated
FALSE	never evaluated

0

407

|| rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED) && i)

rv == 60	Description
TRUE	never evaluated
FALSE	never evaluated

i	Description
TRUE	never evaluated
FALSE	never evaluated

0

408

i--;

never executed: i--;

0

409

/*

-

410

* If we have LOS error and flags changed then we are signing P-384

-

411

* with P-256. Use more meaningful error.

-

412

*/

-

413

if (rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED && flags != tflags)

rv == 60	Description
TRUE	never evaluated
FALSE	never evaluated

flags != tflags	Description
TRUE	never evaluated
FALSE	never evaluated

0

414

rv = X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;

never executed: rv = 61;

0

415

if (perror_depth)

perror_depth	Description
TRUE	never evaluated
FALSE	never evaluated

0

416

*perror_depth = i;

never executed: *perror_depth = i;

0

417

}

never executed: end of block

0

418

return rv;

never executed: return rv;

0

419

}

-

420

-

421

int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags)

-

422

{

-

423

int sign_nid;

-

424

if (!(flags & X509_V_FLAG_SUITEB_128_LOS))

!(flags & 0x30000)	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-5

425

return X509_V_OK;

executed 5 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

5

426

sign_nid = OBJ_obj2nid(crl->crl.sig_alg.algorithm);

-

427

return check_suite_b(pk, sign_nid, &flags);

never executed: return check_suite_b(pk, sign_nid, &flags);

0

428

}

-

429

-

430

#else

-

431

int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,

-

432

unsigned long flags)

-

433

{

-

434

return 0;

-

435

}

-

436

-

437

int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags)

-

438

{

-

439

return 0;

-

440

}

-

441

-

442

#endif

-

443

/*

-

444

* Not strictly speaking an "up_ref" as a STACK doesn't have a reference

-

445

* count but it has the same effect by duping the STACK and upping the ref of

-

446

* each X509 structure.

-

447

*/

-

448

STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain)

-

449

{

-

450

STACK_OF(X509) *ret;

-

451

int i;

-

452

ret = sk_X509_dup(chain);

-

453

for (i = 0; i < sk_X509_num(ret); i++) {

i < sk_X509_num(ret)	Description
TRUE	evaluated 5071 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3673 times by 1 test Evaluated by: libcrypto.so.1.1

3673-5071

454

X509 *x = sk_X509_value(ret, i);

-

455

X509_up_ref(x);

-

456

}

executed 5071 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

5071

457

return ret;

executed 3673 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

3673

458

}

-