blob: ed11e6c89aa06205b70911f82e5b4c9b76a4fc83 [file] [log] [blame]
William Lallemand6a66a5e2020-05-15 12:01:17 +02001/*
2 * Utility functions for SSL:
3 * Mostly generic functions that retrieve information from certificates
4 *
5 * Copyright (C) 2012 EXCELIANCE, Emeric Brun <ebrun@exceliance.fr>
6 * Copyright (C) 2020 HAProxy Technologies, William Lallemand <wlallemand@haproxy.com>
7 *
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version
11 * 2 of the License, or (at your option) any later version.
12 */
13
14
Willy Tarreau2741c8c2020-06-02 11:28:02 +020015#include <haproxy/api.h>
16#include <haproxy/buf-t.h>
Willy Tarreaucb72b7e2021-05-08 12:52:56 +020017#include <haproxy/chunk.h>
Willy Tarreau6019fab2020-05-27 16:26:00 +020018#include <haproxy/openssl-compat.h>
Willy Tarreau209108d2020-06-04 20:30:20 +020019#include <haproxy/ssl_sock.h>
Tim Duesterhus2a0688a2022-05-14 22:15:26 +020020#include <haproxy/ssl_utils.h>
William Lallemand6a66a5e2020-05-15 12:01:17 +020021
22/* fill a buffer with the algorithm and size of a public key */
23int cert_get_pkey_algo(X509 *crt, struct buffer *out)
24{
25 int bits = 0;
26 int sig = TLSEXT_signature_anonymous;
27 int len = -1;
28 EVP_PKEY *pkey;
29
30 pkey = X509_get_pubkey(crt);
31 if (pkey) {
32 bits = EVP_PKEY_bits(pkey);
33 switch(EVP_PKEY_base_id(pkey)) {
34 case EVP_PKEY_RSA:
35 sig = TLSEXT_signature_rsa;
36 break;
37 case EVP_PKEY_EC:
38 sig = TLSEXT_signature_ecdsa;
39 break;
40 case EVP_PKEY_DSA:
41 sig = TLSEXT_signature_dsa;
42 break;
43 }
44 EVP_PKEY_free(pkey);
45 }
46
47 switch(sig) {
48 case TLSEXT_signature_rsa:
49 len = chunk_printf(out, "RSA%d", bits);
50 break;
51 case TLSEXT_signature_ecdsa:
52 len = chunk_printf(out, "EC%d", bits);
53 break;
54 case TLSEXT_signature_dsa:
55 len = chunk_printf(out, "DSA%d", bits);
56 break;
57 default:
58 return 0;
59 }
60 if (len < 0)
61 return 0;
62 return 1;
63}
64
65/* Extract a serial from a cert, and copy it to a chunk.
66 * Returns 1 if serial is found and copied, 0 if no serial found and
67 * -1 if output is not large enough.
68 */
69int ssl_sock_get_serial(X509 *crt, struct buffer *out)
70{
71 ASN1_INTEGER *serial;
72
73 serial = X509_get_serialNumber(crt);
74 if (!serial)
75 return 0;
76
77 if (out->size < serial->length)
78 return -1;
79
80 memcpy(out->area, serial->data, serial->length);
81 out->data = serial->length;
82 return 1;
83}
84
85/* Extract a cert to der, and copy it to a chunk.
86 * Returns 1 if the cert is found and copied, 0 on der conversion failure
87 * and -1 if the output is not large enough.
88 */
89int ssl_sock_crt2der(X509 *crt, struct buffer *out)
90{
91 int len;
William Dauchy98c35042020-08-06 18:11:37 +020092 unsigned char *p = (unsigned char *) out->area;
William Lallemand6a66a5e2020-05-15 12:01:17 +020093
William Dauchy98c35042020-08-06 18:11:37 +020094 len = i2d_X509(crt, NULL);
William Lallemand6a66a5e2020-05-15 12:01:17 +020095 if (len <= 0)
96 return 1;
97
98 if (out->size < len)
99 return -1;
100
William Dauchy98c35042020-08-06 18:11:37 +0200101 i2d_X509(crt, &p);
William Lallemand6a66a5e2020-05-15 12:01:17 +0200102 out->data = len;
103 return 1;
104}
105
106
107/* Copy Date in ASN1_UTCTIME format in struct buffer out.
108 * Returns 1 if serial is found and copied, 0 if no valid time found
109 * and -1 if output is not large enough.
110 */
111int ssl_sock_get_time(ASN1_TIME *tm, struct buffer *out)
112{
113 if (tm->type == V_ASN1_GENERALIZEDTIME) {
114 ASN1_GENERALIZEDTIME *gentm = (ASN1_GENERALIZEDTIME *)tm;
115
116 if (gentm->length < 12)
117 return 0;
118 if (gentm->data[0] != 0x32 || gentm->data[1] != 0x30)
119 return 0;
120 if (out->size < gentm->length-2)
121 return -1;
122
123 memcpy(out->area, gentm->data+2, gentm->length-2);
124 out->data = gentm->length-2;
125 return 1;
126 }
127 else if (tm->type == V_ASN1_UTCTIME) {
128 ASN1_UTCTIME *utctm = (ASN1_UTCTIME *)tm;
129
130 if (utctm->length < 10)
131 return 0;
132 if (utctm->data[0] >= 0x35)
133 return 0;
134 if (out->size < utctm->length)
135 return -1;
136
137 memcpy(out->area, utctm->data, utctm->length);
138 out->data = utctm->length;
139 return 1;
140 }
141
142 return 0;
143}
144
145/* Extract an entry from a X509_NAME and copy its value to an output chunk.
146 * Returns 1 if entry found, 0 if entry not found, or -1 if output not large enough.
147 */
148int ssl_sock_get_dn_entry(X509_NAME *a, const struct buffer *entry, int pos,
149 struct buffer *out)
150{
151 X509_NAME_ENTRY *ne;
152 ASN1_OBJECT *obj;
153 ASN1_STRING *data;
154 const unsigned char *data_ptr;
155 int data_len;
156 int i, j, n;
157 int cur = 0;
158 const char *s;
159 char tmp[128];
160 int name_count;
161
162 name_count = X509_NAME_entry_count(a);
163
164 out->data = 0;
165 for (i = 0; i < name_count; i++) {
166 if (pos < 0)
167 j = (name_count-1) - i;
168 else
169 j = i;
170
171 ne = X509_NAME_get_entry(a, j);
172 obj = X509_NAME_ENTRY_get_object(ne);
173 data = X509_NAME_ENTRY_get_data(ne);
174 data_ptr = ASN1_STRING_get0_data(data);
175 data_len = ASN1_STRING_length(data);
176 n = OBJ_obj2nid(obj);
177 if ((n == NID_undef) || ((s = OBJ_nid2sn(n)) == NULL)) {
178 i2t_ASN1_OBJECT(tmp, sizeof(tmp), obj);
179 s = tmp;
180 }
181
182 if (chunk_strcasecmp(entry, s) != 0)
183 continue;
184
185 if (pos < 0)
186 cur--;
187 else
188 cur++;
189
190 if (cur != pos)
191 continue;
192
193 if (data_len > out->size)
194 return -1;
195
196 memcpy(out->area, data_ptr, data_len);
197 out->data = data_len;
198 return 1;
199 }
200
201 return 0;
202
203}
204
205/*
206 * Extract the DN in the specified format from the X509_NAME and copy result to a chunk.
207 * Currently supports rfc2253 for returning LDAP V3 DNs.
208 * Returns 1 if dn entries exist, 0 if no dn entry was found.
209 */
210int ssl_sock_get_dn_formatted(X509_NAME *a, const struct buffer *format, struct buffer *out)
211{
212 BIO *bio = NULL;
213 int ret = 0;
214 int data_len = 0;
215
216 if (chunk_strcmp(format, "rfc2253") == 0) {
217 bio = BIO_new(BIO_s_mem());
218 if (bio == NULL)
219 goto out;
220
221 if (X509_NAME_print_ex(bio, a, 0, XN_FLAG_RFC2253) < 0)
222 goto out;
223
224 if ((data_len = BIO_read(bio, out->area, out->size)) <= 0)
225 goto out;
226
227 out->data = data_len;
228
229 ret = 1;
230 }
231out:
232 if (bio)
233 BIO_free(bio);
234 return ret;
235}
236
237/* Extract and format full DN from a X509_NAME and copy result into a chunk
238 * Returns 1 if dn entries exits, 0 if no dn entry found or -1 if output is not large enough.
239 */
240int ssl_sock_get_dn_oneline(X509_NAME *a, struct buffer *out)
241{
242 X509_NAME_ENTRY *ne;
243 ASN1_OBJECT *obj;
244 ASN1_STRING *data;
245 const unsigned char *data_ptr;
246 int data_len;
247 int i, n, ln;
248 int l = 0;
249 const char *s;
250 char *p;
251 char tmp[128];
252 int name_count;
253
254
255 name_count = X509_NAME_entry_count(a);
256
257 out->data = 0;
258 p = out->area;
259 for (i = 0; i < name_count; i++) {
260 ne = X509_NAME_get_entry(a, i);
261 obj = X509_NAME_ENTRY_get_object(ne);
262 data = X509_NAME_ENTRY_get_data(ne);
263 data_ptr = ASN1_STRING_get0_data(data);
264 data_len = ASN1_STRING_length(data);
265 n = OBJ_obj2nid(obj);
266 if ((n == NID_undef) || ((s = OBJ_nid2sn(n)) == NULL)) {
267 i2t_ASN1_OBJECT(tmp, sizeof(tmp), obj);
268 s = tmp;
269 }
270 ln = strlen(s);
271
272 l += 1 + ln + 1 + data_len;
273 if (l > out->size)
274 return -1;
275 out->data = l;
276
277 *(p++)='/';
278 memcpy(p, s, ln);
279 p += ln;
280 *(p++)='=';
281 memcpy(p, data_ptr, data_len);
282 p += data_len;
283 }
284
285 if (!out->data)
286 return 0;
287
288 return 1;
289}
290
Remi Tricot-Le Breton74f6ab62021-08-19 18:06:30 +0200291
292extern int ssl_client_crt_ref_index;
293
294/*
295 * This function fetches the SSL certificate for a specific connection (either
296 * client certificate or server certificate depending on the cert_peer
297 * parameter).
298 * When trying to get the peer certificate from the server side, we first try to
299 * use the dedicated SSL_get_peer_certificate function, but we fall back to
300 * trying to get the client certificate reference that might have been stored in
301 * the SSL structure's ex_data during the verification process.
302 * Returns NULL in case of failure.
303 */
304X509* ssl_sock_get_peer_certificate(SSL *ssl)
305{
306 X509* cert;
307
308 cert = SSL_get_peer_certificate(ssl);
309 /* Get the client certificate reference stored in the SSL
310 * structure's ex_data during the verification process. */
311 if (!cert) {
312 cert = SSL_get_ex_data(ssl, ssl_client_crt_ref_index);
313 if (cert)
314 X509_up_ref(cert);
315 }
316
317 return cert;
318}
William Lallemand44d862d2021-08-21 23:16:06 +0200319
320/*
321 * Take an OpenSSL version in text format and return a numeric openssl version
322 * Return 0 if it failed to parse the version
323 *
324 * https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_VERSION_NUMBER.html
325 *
326 * MNNFFPPS: major minor fix patch status
327 *
328 * The status nibble has one of the values 0 for development, 1 to e for betas
329 * 1 to 14, and f for release.
330 *
331 * for example
332 *
333 * 0x0090821f 0.9.8zh
334 * 0x1000215f 1.0.2u
335 * 0x30000000 3.0.0-alpha17
336 * 0x30000002 3.0.0-beta2
337 * 0x3000000e 3.0.0-beta14
338 * 0x3000000f 3.0.0
339 */
340unsigned int openssl_version_parser(const char *version)
341{
342 unsigned int numversion;
343 unsigned int major = 0, minor = 0, fix = 0, patch = 0, status = 0;
344 char *p, *end;
345
346 p = (char *)version;
347
348 if (!p || !*p)
349 return 0;
350
351 major = strtol(p, &end, 10);
352 if (*end != '.' || major > 0xf)
353 goto error;
354 p = end + 1;
355
356 minor = strtol(p, &end, 10);
357 if (*end != '.' || minor > 0xff)
358 goto error;
359 p = end + 1;
360
361 fix = strtol(p, &end, 10);
362 if (fix > 0xff)
363 goto error;
364 p = end;
365
366 if (!*p) {
367 /* end of the string, that's a release */
368 status = 0xf;
369 } else if (*p == '-') {
370 /* after the hyphen, only the beta will increment the status
371 * counter, all others versions will be considered as "dev" and
372 * does not increment anything */
373 p++;
374
375 if (!strncmp(p, "beta", 4)) {
376 p += 4;
William Lallemand8b673f02021-08-22 13:36:11 +0200377 status = strtol(p, &end, 10);
378 if (status > 14)
379 goto error;
William Lallemand44d862d2021-08-21 23:16:06 +0200380 }
381 } else {
382 /* that's a patch release */
383 patch = 1;
384
385 /* add the value of each letter */
386 while (*p) {
387 patch += (*p & ~0x20) - 'A';
388 p++;
389 }
390 status = 0xf;
391 }
392
393end:
394 numversion = ((major & 0xf) << 28) | ((minor & 0xff) << 20) | ((fix & 0xff) << 12) | ((patch & 0xff) << 4) | (status & 0xf);
395 return numversion;
396
397error:
398 return 0;
399
400}
Marcin Deranek959a48c2021-07-13 15:14:21 +0200401
402/* Exclude GREASE (RFC8701) values from input buffer */
403void exclude_tls_grease(char *input, int len, struct buffer *output)
404{
405 int ptr = 0;
406
407 while (ptr < len - 1) {
408 if (input[ptr] != input[ptr+1] || (input[ptr] & 0x0f) != 0x0a) {
409 if (output->data <= output->size - 2) {
410 memcpy(output->area + output->data, input + ptr, 2);
411 output->data += 2;
412 } else
413 break;
414 }
415 ptr += 2;
416 }
417 if (output->size - output->data > 0 && len - ptr > 0)
418 output->area[output->data++] = input[ptr];
419}
William Lallemand960fb742022-11-03 16:31:50 +0100420
421/*
422 * The following generates an array <x509_v_codes> in which the X509_V_ERR_*
423 * codes are populated with there string equivalent. Depending on the version
424 * of the SSL library, some code does not exist, these will be populated as
425 * "-1" in the array.
426 *
427 * The list was taken from
428 * https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in
429 * and must be updated when new constant are introduced.
430 */
431
William Lallemand960fb742022-11-03 16:31:50 +0100432#undef _Q
Willy Tarreaua8a83bc2022-11-14 08:11:32 +0100433#define _Q(x) (#x)
William Lallemand960fb742022-11-03 16:31:50 +0100434#undef V
Willy Tarreaua8a83bc2022-11-14 08:11:32 +0100435#define V(x) { .code = -1, .value = _Q(x), .string = #x }
William Lallemand960fb742022-11-03 16:31:50 +0100436
Willy Tarreaua8a83bc2022-11-14 08:11:32 +0100437static struct x509_v_codes {
438 int code; // integer value of the code or -1 if undefined
439 const char *value; // value of the macro as a string or its name
440 const char *string; // name of the macro
William Lallemand960fb742022-11-03 16:31:50 +0100441} x509_v_codes[] = {
442 V(X509_V_OK),
443 V(X509_V_ERR_UNSPECIFIED),
444 V(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT),
445 V(X509_V_ERR_UNABLE_TO_GET_CRL),
446 V(X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE),
447 V(X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE),
448 V(X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY),
449 V(X509_V_ERR_CERT_SIGNATURE_FAILURE),
450 V(X509_V_ERR_CRL_SIGNATURE_FAILURE),
451 V(X509_V_ERR_CERT_NOT_YET_VALID),
452 V(X509_V_ERR_CERT_HAS_EXPIRED),
453 V(X509_V_ERR_CRL_NOT_YET_VALID),
454 V(X509_V_ERR_CRL_HAS_EXPIRED),
455 V(X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD),
456 V(X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD),
457 V(X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD),
458 V(X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD),
459 V(X509_V_ERR_OUT_OF_MEM),
460 V(X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT),
461 V(X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN),
462 V(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY),
463 V(X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE),
464 V(X509_V_ERR_CERT_CHAIN_TOO_LONG),
465 V(X509_V_ERR_CERT_REVOKED),
466 V(X509_V_ERR_NO_ISSUER_PUBLIC_KEY),
467 V(X509_V_ERR_PATH_LENGTH_EXCEEDED),
468 V(X509_V_ERR_INVALID_PURPOSE),
469 V(X509_V_ERR_CERT_UNTRUSTED),
470 V(X509_V_ERR_CERT_REJECTED),
471 V(X509_V_ERR_SUBJECT_ISSUER_MISMATCH),
472 V(X509_V_ERR_AKID_SKID_MISMATCH),
473 V(X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH),
474 V(X509_V_ERR_KEYUSAGE_NO_CERTSIGN),
475 V(X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER),
476 V(X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION),
477 V(X509_V_ERR_KEYUSAGE_NO_CRL_SIGN),
478 V(X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION),
479 V(X509_V_ERR_INVALID_NON_CA),
480 V(X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED),
481 V(X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE),
482 V(X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED),
483 V(X509_V_ERR_INVALID_EXTENSION),
484 V(X509_V_ERR_INVALID_POLICY_EXTENSION),
485 V(X509_V_ERR_NO_EXPLICIT_POLICY),
486 V(X509_V_ERR_DIFFERENT_CRL_SCOPE),
487 V(X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE),
488 V(X509_V_ERR_UNNESTED_RESOURCE),
489 V(X509_V_ERR_PERMITTED_VIOLATION),
490 V(X509_V_ERR_EXCLUDED_VIOLATION),
491 V(X509_V_ERR_SUBTREE_MINMAX),
492 V(X509_V_ERR_APPLICATION_VERIFICATION),
493 V(X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE),
494 V(X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX),
495 V(X509_V_ERR_UNSUPPORTED_NAME_SYNTAX),
496 V(X509_V_ERR_CRL_PATH_VALIDATION_ERROR),
497 V(X509_V_ERR_PATH_LOOP),
498 V(X509_V_ERR_SUITE_B_INVALID_VERSION),
499 V(X509_V_ERR_SUITE_B_INVALID_ALGORITHM),
500 V(X509_V_ERR_SUITE_B_INVALID_CURVE),
501 V(X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM),
502 V(X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED),
503 V(X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256),
504 V(X509_V_ERR_HOSTNAME_MISMATCH),
505 V(X509_V_ERR_EMAIL_MISMATCH),
506 V(X509_V_ERR_IP_ADDRESS_MISMATCH),
507 V(X509_V_ERR_DANE_NO_MATCH),
508 V(X509_V_ERR_EE_KEY_TOO_SMALL),
509 V(X509_V_ERR_CA_KEY_TOO_SMALL),
510 V(X509_V_ERR_CA_MD_TOO_WEAK),
511 V(X509_V_ERR_INVALID_CALL),
512 V(X509_V_ERR_STORE_LOOKUP),
513 V(X509_V_ERR_NO_VALID_SCTS),
514 V(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION),
515 V(X509_V_ERR_OCSP_VERIFY_NEEDED),
516 V(X509_V_ERR_OCSP_VERIFY_FAILED),
517 V(X509_V_ERR_OCSP_CERT_UNKNOWN),
518 V(X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM),
519 V(X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH),
520 V(X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY),
521 V(X509_V_ERR_INVALID_CA),
522 V(X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA),
523 V(X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN),
524 V(X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA),
525 V(X509_V_ERR_ISSUER_NAME_EMPTY),
526 V(X509_V_ERR_SUBJECT_NAME_EMPTY),
527 V(X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER),
528 V(X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER),
529 V(X509_V_ERR_EMPTY_SUBJECT_ALT_NAME),
530 V(X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL),
531 V(X509_V_ERR_CA_BCONS_NOT_CRITICAL),
532 V(X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL),
533 V(X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL),
534 V(X509_V_ERR_CA_CERT_MISSING_KEY_USAGE),
535 V(X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3),
536 V(X509_V_ERR_EC_KEY_EXPLICIT_PARAMS),
Willy Tarreaua8a83bc2022-11-14 08:11:32 +0100537 { 0, NULL, NULL },
William Lallemand960fb742022-11-03 16:31:50 +0100538};
539
540/*
541 * Return the X509_V_ERR code corresponding to the name of the constant.
542 * See https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in
543 * If not found, return -1
544 */
545int x509_v_err_str_to_int(const char *str)
546{
547 int i;
548
549 for (i = 0; x509_v_codes[i].string; i++) {
550 if (strcmp(str, x509_v_codes[i].string) == 0) {
551 return x509_v_codes[i].code;
552 }
553 }
554
555 return -1;
556}
557
558/*
559 * Return the constant name corresponding to the X509_V_ERR code
560 * See https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in
561 * If not found, return NULL;
562 */
563const char *x509_v_err_int_to_str(int code)
564{
565 int i;
566
567 if (code == -1)
568 return NULL;
569
570 for (i = 0; x509_v_codes[i].string; i++) {
571 if (x509_v_codes[i].code == code) {
572 return x509_v_codes[i].string;
573 }
574 }
575 return NULL;
576}
Willy Tarreaua8a83bc2022-11-14 08:11:32 +0100577
578void init_x509_v_err_tab(void)
579{
580 int i;
581
582 for (i = 0; x509_v_codes[i].string; i++) {
583 /* either the macro exists or it's equal to its own name */
584 if (strcmp(x509_v_codes[i].string, x509_v_codes[i].value) == 0)
585 continue;
586 x509_v_codes[i].code = atoi(x509_v_codes[i].value);
587 }
588}
589
590INITCALL0(STG_REGISTER, init_x509_v_err_tab);