summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_cert.c
diff options
context:
space:
mode:
authorjsing <>2014-04-14 13:10:35 +0000
committerjsing <>2014-04-14 13:10:35 +0000
commitb12a89b75a526f5ae9bbd6bfff6053e21295fd2a (patch)
tree7ee2ebf15684ee99e649ef8b3b2dd289398f6325 /src/lib/libssl/ssl_cert.c
parentabb7d374248574dba5fd92eb363fdf180c877abc (diff)
downloadopenbsd-b12a89b75a526f5ae9bbd6bfff6053e21295fd2a.tar.gz
openbsd-b12a89b75a526f5ae9bbd6bfff6053e21295fd2a.tar.bz2
openbsd-b12a89b75a526f5ae9bbd6bfff6053e21295fd2a.zip
First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using tr and md5.
Diffstat (limited to 'src/lib/libssl/ssl_cert.c')
-rw-r--r--src/lib/libssl/ssl_cert.c649
1 files changed, 320 insertions, 329 deletions
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 1aaddc351f..79eb4ee031 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -132,36 +132,36 @@
132#include <openssl/bn.h> 132#include <openssl/bn.h>
133#include "ssl_locl.h" 133#include "ssl_locl.h"
134 134
135int SSL_get_ex_data_X509_STORE_CTX_idx(void) 135int
136 { 136SSL_get_ex_data_X509_STORE_CTX_idx(void)
137 static volatile int ssl_x509_store_ctx_idx= -1; 137{
138 static volatile int ssl_x509_store_ctx_idx = -1;
138 int got_write_lock = 0; 139 int got_write_lock = 0;
139 140
140 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); 141 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
141 142
142 if (ssl_x509_store_ctx_idx < 0) 143 if (ssl_x509_store_ctx_idx < 0) {
143 {
144 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); 144 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
145 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 145 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
146 got_write_lock = 1; 146 got_write_lock = 1;
147 147
148 if (ssl_x509_store_ctx_idx < 0) 148 if (ssl_x509_store_ctx_idx < 0) {
149 { 149 ssl_x509_store_ctx_idx = X509_STORE_CTX_get_ex_new_index(
150 ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index( 150 0, "SSL for verify callback", NULL, NULL, NULL);
151 0,"SSL for verify callback",NULL,NULL,NULL);
152 }
153 } 151 }
152 }
154 153
155 if (got_write_lock) 154 if (got_write_lock)
156 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 155 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
157 else 156 else
158 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); 157 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
159 158
160 return ssl_x509_store_ctx_idx; 159 return ssl_x509_store_ctx_idx;
161 } 160}
162 161
163static void ssl_cert_set_default_md(CERT *cert) 162static void
164 { 163ssl_cert_set_default_md(CERT *cert)
164{
165 /* Set digest values to defaults */ 165 /* Set digest values to defaults */
166#ifndef OPENSSL_NO_DSA 166#ifndef OPENSSL_NO_DSA
167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
@@ -173,37 +173,37 @@ static void ssl_cert_set_default_md(CERT *cert)
173#ifndef OPENSSL_NO_ECDSA 173#ifndef OPENSSL_NO_ECDSA
174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
175#endif 175#endif
176 } 176}
177 177
178CERT *ssl_cert_new(void) 178CERT
179 { 179*ssl_cert_new(void)
180{
180 CERT *ret; 181 CERT *ret;
181 182
182 ret=(CERT *)OPENSSL_malloc(sizeof(CERT)); 183 ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
183 if (ret == NULL) 184 if (ret == NULL) {
184 { 185 SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE);
185 SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE); 186 return (NULL);
186 return(NULL); 187 }
187 } 188 memset(ret, 0, sizeof(CERT));
188 memset(ret,0,sizeof(CERT));
189 189
190 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]); 190 ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
191 ret->references=1; 191 ret->references = 1;
192 ssl_cert_set_default_md(ret); 192 ssl_cert_set_default_md(ret);
193 return(ret); 193 return (ret);
194 } 194}
195 195
196CERT *ssl_cert_dup(CERT *cert) 196CERT
197 { 197*ssl_cert_dup(CERT *cert)
198{
198 CERT *ret; 199 CERT *ret;
199 int i; 200 int i;
200 201
201 ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); 202 ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
202 if (ret == NULL) 203 if (ret == NULL) {
203 {
204 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); 204 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
205 return(NULL); 205 return (NULL);
206 } 206 }
207 207
208 memset(ret, 0, sizeof(CERT)); 208 memset(ret, 0, sizeof(CERT));
209 209
@@ -218,77 +218,64 @@ CERT *ssl_cert_dup(CERT *cert)
218 ret->export_mask_a = cert->export_mask_a; 218 ret->export_mask_a = cert->export_mask_a;
219 219
220#ifndef OPENSSL_NO_RSA 220#ifndef OPENSSL_NO_RSA
221 if (cert->rsa_tmp != NULL) 221 if (cert->rsa_tmp != NULL) {
222 {
223 RSA_up_ref(cert->rsa_tmp); 222 RSA_up_ref(cert->rsa_tmp);
224 ret->rsa_tmp = cert->rsa_tmp; 223 ret->rsa_tmp = cert->rsa_tmp;
225 } 224 }
226 ret->rsa_tmp_cb = cert->rsa_tmp_cb; 225 ret->rsa_tmp_cb = cert->rsa_tmp_cb;
227#endif 226#endif
228 227
229#ifndef OPENSSL_NO_DH 228#ifndef OPENSSL_NO_DH
230 if (cert->dh_tmp != NULL) 229 if (cert->dh_tmp != NULL) {
231 {
232 ret->dh_tmp = DHparams_dup(cert->dh_tmp); 230 ret->dh_tmp = DHparams_dup(cert->dh_tmp);
233 if (ret->dh_tmp == NULL) 231 if (ret->dh_tmp == NULL) {
234 {
235 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB); 232 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
236 goto err; 233 goto err;
237 } 234 }
238 if (cert->dh_tmp->priv_key) 235 if (cert->dh_tmp->priv_key) {
239 {
240 BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); 236 BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
241 if (!b) 237 if (!b) {
242 {
243 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); 238 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
244 goto err; 239 goto err;
245 }
246 ret->dh_tmp->priv_key = b;
247 } 240 }
248 if (cert->dh_tmp->pub_key) 241 ret->dh_tmp->priv_key = b;
249 { 242 }
243 if (cert->dh_tmp->pub_key) {
250 BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); 244 BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
251 if (!b) 245 if (!b) {
252 {
253 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); 246 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
254 goto err; 247 goto err;
255 }
256 ret->dh_tmp->pub_key = b;
257 } 248 }
249 ret->dh_tmp->pub_key = b;
258 } 250 }
251 }
259 ret->dh_tmp_cb = cert->dh_tmp_cb; 252 ret->dh_tmp_cb = cert->dh_tmp_cb;
260#endif 253#endif
261 254
262#ifndef OPENSSL_NO_ECDH 255#ifndef OPENSSL_NO_ECDH
263 if (cert->ecdh_tmp) 256 if (cert->ecdh_tmp) {
264 {
265 ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); 257 ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
266 if (ret->ecdh_tmp == NULL) 258 if (ret->ecdh_tmp == NULL) {
267 {
268 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB); 259 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
269 goto err; 260 goto err;
270 }
271 } 261 }
262 }
272 ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; 263 ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
273#endif 264#endif
274 265
275 for (i = 0; i < SSL_PKEY_NUM; i++) 266 for (i = 0; i < SSL_PKEY_NUM; i++) {
276 { 267 if (cert->pkeys[i].x509 != NULL) {
277 if (cert->pkeys[i].x509 != NULL)
278 {
279 ret->pkeys[i].x509 = cert->pkeys[i].x509; 268 ret->pkeys[i].x509 = cert->pkeys[i].x509;
280 CRYPTO_add(&ret->pkeys[i].x509->references, 1, 269 CRYPTO_add(&ret->pkeys[i].x509->references, 1,
281 CRYPTO_LOCK_X509); 270 CRYPTO_LOCK_X509);
282 } 271 }
283 272
284 if (cert->pkeys[i].privatekey != NULL) 273 if (cert->pkeys[i].privatekey != NULL) {
285 {
286 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey; 274 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
287 CRYPTO_add(&ret->pkeys[i].privatekey->references, 1, 275 CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
288 CRYPTO_LOCK_EVP_PKEY); 276 CRYPTO_LOCK_EVP_PKEY);
289 277
290 switch(i) 278 switch (i) {
291 {
292 /* If there was anything special to do for 279 /* If there was anything special to do for
293 * certain types of keys, we'd do it here. 280 * certain types of keys, we'd do it here.
294 * (Nothing at the moment, I think.) */ 281 * (Nothing at the moment, I think.) */
@@ -297,11 +284,11 @@ CERT *ssl_cert_dup(CERT *cert)
297 case SSL_PKEY_RSA_SIGN: 284 case SSL_PKEY_RSA_SIGN:
298 /* We have an RSA key. */ 285 /* We have an RSA key. */
299 break; 286 break;
300 287
301 case SSL_PKEY_DSA_SIGN: 288 case SSL_PKEY_DSA_SIGN:
302 /* We have a DSA key. */ 289 /* We have a DSA key. */
303 break; 290 break;
304 291
305 case SSL_PKEY_DH_RSA: 292 case SSL_PKEY_DH_RSA:
306 case SSL_PKEY_DH_DSA: 293 case SSL_PKEY_DH_DSA:
307 /* We have a DH key. */ 294 /* We have a DH key. */
@@ -314,21 +301,21 @@ CERT *ssl_cert_dup(CERT *cert)
314 default: 301 default:
315 /* Can't happen. */ 302 /* Can't happen. */
316 SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG); 303 SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
317 }
318 } 304 }
319 } 305 }
320 306 }
307
321 /* ret->extra_certs *should* exist, but currently the own certificate 308 /* ret->extra_certs *should* exist, but currently the own certificate
322 * chain is held inside SSL_CTX */ 309 * chain is held inside SSL_CTX */
323 310
324 ret->references=1; 311 ret->references = 1;
325 /* Set digests to defaults. NB: we don't copy existing values as they 312 /* Set digests to defaults. NB: we don't copy existing values as they
326 * will be set during handshake. 313 * will be set during handshake.
327 */ 314 */
328 ssl_cert_set_default_md(ret); 315 ssl_cert_set_default_md(ret);
329 316
330 return(ret); 317 return (ret);
331 318
332#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH) 319#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
333err: 320err:
334#endif 321#endif
@@ -345,50 +332,52 @@ err:
345 EC_KEY_free(ret->ecdh_tmp); 332 EC_KEY_free(ret->ecdh_tmp);
346#endif 333#endif
347 334
348 for (i = 0; i < SSL_PKEY_NUM; i++) 335 for (i = 0; i < SSL_PKEY_NUM; i++) {
349 {
350 if (ret->pkeys[i].x509 != NULL) 336 if (ret->pkeys[i].x509 != NULL)
351 X509_free(ret->pkeys[i].x509); 337 X509_free(ret->pkeys[i].x509);
352 if (ret->pkeys[i].privatekey != NULL) 338 if (ret->pkeys[i].privatekey != NULL)
353 EVP_PKEY_free(ret->pkeys[i].privatekey); 339 EVP_PKEY_free(ret->pkeys[i].privatekey);
354 } 340 }
355 341
356 return NULL; 342 return NULL;
357 } 343}
358 344
359 345
360void ssl_cert_free(CERT *c) 346void
361 { 347ssl_cert_free(CERT *c)
348{
362 int i; 349 int i;
363 350
364 if(c == NULL) 351 if (c == NULL)
365 return; 352 return;
366 353
367 i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT); 354 i = CRYPTO_add(&c->references, -1, CRYPTO_LOCK_SSL_CERT);
368#ifdef REF_PRINT 355#ifdef REF_PRINT
369 REF_PRINT("CERT",c); 356 REF_PRINT("CERT", c);
370#endif 357#endif
371 if (i > 0) return; 358 if (i > 0)
359 return;
372#ifdef REF_CHECK 360#ifdef REF_CHECK
373 if (i < 0) 361 if (i < 0) {
374 { 362 fprintf(stderr, "ssl_cert_free, bad reference count\n");
375 fprintf(stderr,"ssl_cert_free, bad reference count\n");
376 abort(); /* ok */ 363 abort(); /* ok */
377 } 364 }
378#endif 365#endif
379 366
380#ifndef OPENSSL_NO_RSA 367#ifndef OPENSSL_NO_RSA
381 if (c->rsa_tmp) RSA_free(c->rsa_tmp); 368 if (c->rsa_tmp)
369 RSA_free(c->rsa_tmp);
382#endif 370#endif
383#ifndef OPENSSL_NO_DH 371#ifndef OPENSSL_NO_DH
384 if (c->dh_tmp) DH_free(c->dh_tmp); 372 if (c->dh_tmp)
373 DH_free(c->dh_tmp);
385#endif 374#endif
386#ifndef OPENSSL_NO_ECDH 375#ifndef OPENSSL_NO_ECDH
387 if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp); 376 if (c->ecdh_tmp)
377 EC_KEY_free(c->ecdh_tmp);
388#endif 378#endif
389 379
390 for (i=0; i<SSL_PKEY_NUM; i++) 380 for (i = 0; i < SSL_PKEY_NUM; i++) {
391 {
392 if (c->pkeys[i].x509 != NULL) 381 if (c->pkeys[i].x509 != NULL)
393 X509_free(c->pkeys[i].x509); 382 X509_free(c->pkeys[i].x509);
394 if (c->pkeys[i].privatekey != NULL) 383 if (c->pkeys[i].privatekey != NULL)
@@ -397,12 +386,13 @@ void ssl_cert_free(CERT *c)
397 if (c->pkeys[i].publickey != NULL) 386 if (c->pkeys[i].publickey != NULL)
398 EVP_PKEY_free(c->pkeys[i].publickey); 387 EVP_PKEY_free(c->pkeys[i].publickey);
399#endif 388#endif
400 }
401 OPENSSL_free(c);
402 } 389 }
390 OPENSSL_free(c);
391}
403 392
404int ssl_cert_inst(CERT **o) 393int
405 { 394ssl_cert_inst(CERT **o)
395{
406 /* Create a CERT if there isn't already one 396 /* Create a CERT if there isn't already one
407 * (which cannot really happen, as it is initially created in 397 * (which cannot really happen, as it is initially created in
408 * SSL_CTX_new; but the earlier code usually allows for that one 398 * SSL_CTX_new; but the earlier code usually allows for that one
@@ -412,44 +402,42 @@ int ssl_cert_inst(CERT **o)
412 * s->cert being NULL, otherwise we could do without the 402 * s->cert being NULL, otherwise we could do without the
413 * initialization in SSL_CTX_new). 403 * initialization in SSL_CTX_new).
414 */ 404 */
415 405
416 if (o == NULL) 406 if (o == NULL) {
417 {
418 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER); 407 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
419 return(0); 408 return (0);
420 } 409 }
421 if (*o == NULL) 410 if (*o == NULL) {
422 { 411 if ((*o = ssl_cert_new()) == NULL) {
423 if ((*o = ssl_cert_new()) == NULL)
424 {
425 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE); 412 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
426 return(0); 413 return (0);
427 }
428 } 414 }
429 return(1);
430 } 415 }
416 return (1);
417}
431 418
432 419
433SESS_CERT *ssl_sess_cert_new(void) 420SESS_CERT
434 { 421*ssl_sess_cert_new(void)
422{
435 SESS_CERT *ret; 423 SESS_CERT *ret;
436 424
437 ret = OPENSSL_malloc(sizeof *ret); 425 ret = OPENSSL_malloc(sizeof *ret);
438 if (ret == NULL) 426 if (ret == NULL) {
439 {
440 SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE); 427 SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
441 return NULL; 428 return NULL;
442 } 429 }
443 430
444 memset(ret, 0 ,sizeof *ret); 431 memset(ret, 0 , sizeof *ret);
445 ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]); 432 ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
446 ret->references = 1; 433 ret->references = 1;
447 434
448 return ret; 435 return ret;
449 } 436}
450 437
451void ssl_sess_cert_free(SESS_CERT *sc) 438void
452 { 439ssl_sess_cert_free(SESS_CERT *sc)
440{
453 int i; 441 int i;
454 442
455 if (sc == NULL) 443 if (sc == NULL)
@@ -462,27 +450,25 @@ void ssl_sess_cert_free(SESS_CERT *sc)
462 if (i > 0) 450 if (i > 0)
463 return; 451 return;
464#ifdef REF_CHECK 452#ifdef REF_CHECK
465 if (i < 0) 453 if (i < 0) {
466 { 454 fprintf(stderr, "ssl_sess_cert_free, bad reference count\n");
467 fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
468 abort(); /* ok */ 455 abort(); /* ok */
469 } 456 }
470#endif 457#endif
471 458
472 /* i == 0 */ 459 /* i == 0 */
473 if (sc->cert_chain != NULL) 460 if (sc->cert_chain != NULL)
474 sk_X509_pop_free(sc->cert_chain, X509_free); 461 sk_X509_pop_free(sc->cert_chain, X509_free);
475 for (i = 0; i < SSL_PKEY_NUM; i++) 462 for (i = 0; i < SSL_PKEY_NUM; i++) {
476 {
477 if (sc->peer_pkeys[i].x509 != NULL) 463 if (sc->peer_pkeys[i].x509 != NULL)
478 X509_free(sc->peer_pkeys[i].x509); 464 X509_free(sc->peer_pkeys[i].x509);
479#if 0 /* We don't have the peer's private key. These lines are just 465#if 0 /* We don't have the peer's private key. These lines are just
480 * here as a reminder that we're still using a not-quite-appropriate 466 * here as a reminder that we're still using a not-quite-appropriate
481 * data structure. */ 467 * data structure. */
482 if (sc->peer_pkeys[i].privatekey != NULL) 468 if (sc->peer_pkeys[i].privatekey != NULL)
483 EVP_PKEY_free(sc->peer_pkeys[i].privatekey); 469 EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
484#endif 470#endif
485 } 471 }
486 472
487#ifndef OPENSSL_NO_RSA 473#ifndef OPENSSL_NO_RSA
488 if (sc->peer_rsa_tmp != NULL) 474 if (sc->peer_rsa_tmp != NULL)
@@ -498,34 +484,35 @@ void ssl_sess_cert_free(SESS_CERT *sc)
498#endif 484#endif
499 485
500 OPENSSL_free(sc); 486 OPENSSL_free(sc);
501 } 487}
502 488
503int ssl_set_peer_cert_type(SESS_CERT *sc,int type) 489int
504 { 490ssl_set_peer_cert_type(SESS_CERT *sc, int type)
491{
505 sc->peer_cert_type = type; 492 sc->peer_cert_type = type;
506 return(1); 493 return (1);
507 } 494}
508 495
509int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) 496int
510 { 497ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
498{
511 X509 *x; 499 X509 *x;
512 int i; 500 int i;
513 X509_STORE_CTX ctx; 501 X509_STORE_CTX ctx;
514 502
515 if ((sk == NULL) || (sk_X509_num(sk) == 0)) 503 if ((sk == NULL) || (sk_X509_num(sk) == 0))
516 return(0); 504 return (0);
517 505
518 x=sk_X509_value(sk,0); 506 x = sk_X509_value(sk, 0);
519 if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk)) 507 if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) {
520 { 508 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_X509_LIB);
521 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB); 509 return (0);
522 return(0); 510 }
523 }
524#if 0 511#if 0
525 if (SSL_get_verify_depth(s) >= 0) 512 if (SSL_get_verify_depth(s) >= 0)
526 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s)); 513 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
527#endif 514#endif
528 X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s); 515 X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
529 516
530 /* We need to inherit the verify parameters. These can be determined by 517 /* We need to inherit the verify parameters. These can be determined by
531 * the context: if its a server it will verify SSL client certificates 518 * the context: if its a server it will verify SSL client certificates
@@ -533,7 +520,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
533 */ 520 */
534 521
535 X509_STORE_CTX_set_default(&ctx, 522 X509_STORE_CTX_set_default(&ctx,
536 s->server ? "ssl_client" : "ssl_server"); 523 s->server ? "ssl_client" : "ssl_server");
537 /* Anything non-default in "param" should overwrite anything in the 524 /* Anything non-default in "param" should overwrite anything in the
538 * ctx. 525 * ctx.
539 */ 526 */
@@ -544,121 +531,127 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
544 531
545 if (s->ctx->app_verify_callback != NULL) 532 if (s->ctx->app_verify_callback != NULL)
546#if 1 /* new with OpenSSL 0.9.7 */ 533#if 1 /* new with OpenSSL 0.9.7 */
547 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); 534 i = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
535
548#else 536#else
549 i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */ 537 i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
550#endif 538#endif
551 else 539 else {
552 {
553#ifndef OPENSSL_NO_X509_VERIFY 540#ifndef OPENSSL_NO_X509_VERIFY
554 i=X509_verify_cert(&ctx); 541 i = X509_verify_cert(&ctx);
555#else 542#else
556 i=0; 543 i = 0;
557 ctx.error=X509_V_ERR_APPLICATION_VERIFICATION; 544 ctx.error = X509_V_ERR_APPLICATION_VERIFICATION;
558 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK); 545 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, SSL_R_NO_VERIFY_CALLBACK);
559#endif 546#endif
560 } 547 }
561 548
562 s->verify_result=ctx.error; 549 s->verify_result = ctx.error;
563 X509_STORE_CTX_cleanup(&ctx); 550 X509_STORE_CTX_cleanup(&ctx);
564 551
565 return(i); 552 return (i);
566 } 553}
567 554
568static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list) 555static void
569 { 556set_client_CA_list(STACK_OF(X509_NAME) **ca_list, STACK_OF(X509_NAME) *name_list)
557{
570 if (*ca_list != NULL) 558 if (*ca_list != NULL)
571 sk_X509_NAME_pop_free(*ca_list,X509_NAME_free); 559 sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
572 560
573 *ca_list=name_list; 561 *ca_list = name_list;
574 } 562}
575 563
576STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) 564STACK_OF(X509_NAME)
577 { 565*SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
566{
578 int i; 567 int i;
579 STACK_OF(X509_NAME) *ret; 568 STACK_OF(X509_NAME) *ret;
580 X509_NAME *name; 569 X509_NAME *name;
581 570
582 ret=sk_X509_NAME_new_null(); 571 ret = sk_X509_NAME_new_null();
583 for (i=0; i<sk_X509_NAME_num(sk); i++) 572 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
584 { 573 name = X509_NAME_dup(sk_X509_NAME_value(sk, i));
585 name=X509_NAME_dup(sk_X509_NAME_value(sk,i)); 574 if ((name == NULL) || !sk_X509_NAME_push(ret, name)) {
586 if ((name == NULL) || !sk_X509_NAME_push(ret,name)) 575 sk_X509_NAME_pop_free(ret, X509_NAME_free);
587 { 576 return (NULL);
588 sk_X509_NAME_pop_free(ret,X509_NAME_free);
589 return(NULL);
590 }
591 } 577 }
592 return(ret);
593 } 578 }
594 579 return (ret);
595void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list) 580}
596 { 581
597 set_client_CA_list(&(s->client_CA),name_list); 582void
598 } 583SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
599 584{
600void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list) 585 set_client_CA_list(&(s->client_CA), name_list);
601 { 586}
602 set_client_CA_list(&(ctx->client_CA),name_list); 587
603 } 588void
604 589SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
605STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) 590{
606 { 591 set_client_CA_list(&(ctx->client_CA), name_list);
607 return(ctx->client_CA); 592}
608 } 593
609 594STACK_OF(X509_NAME)
610STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) 595*SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
611 { 596{
597 return (ctx->client_CA);
598}
599
600STACK_OF(X509_NAME)
601*SSL_get_client_CA_list(const SSL *s)
602{
612 if (s->type == SSL_ST_CONNECT) 603 if (s->type == SSL_ST_CONNECT)
613 { /* we are in the client */ 604 { /* we are in the client */
614 if (((s->version>>8) == SSL3_VERSION_MAJOR) && 605 if (((s->version >> 8) == SSL3_VERSION_MAJOR) &&
615 (s->s3 != NULL)) 606 (s->s3 != NULL))
616 return(s->s3->tmp.ca_names); 607 return (s->s3->tmp.ca_names);
617 else 608 else
618 return(NULL); 609 return (NULL);
619 } 610 } else {
620 else
621 {
622 if (s->client_CA != NULL) 611 if (s->client_CA != NULL)
623 return(s->client_CA); 612 return (s->client_CA);
624 else 613 else
625 return(s->ctx->client_CA); 614 return (s->ctx->client_CA);
626 }
627 } 615 }
616}
628 617
629static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x) 618static int
630 { 619add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x)
620{
631 X509_NAME *name; 621 X509_NAME *name;
632 622
633 if (x == NULL) return(0); 623 if (x == NULL)
634 if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL)) 624 return (0);
635 return(0); 625 if ((*sk == NULL) && ((*sk = sk_X509_NAME_new_null()) == NULL))
636 626 return (0);
637 if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
638 return(0);
639
640 if (!sk_X509_NAME_push(*sk,name))
641 {
642 X509_NAME_free(name);
643 return(0);
644 }
645 return(1);
646 }
647 627
648int SSL_add_client_CA(SSL *ssl,X509 *x) 628 if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL)
649 { 629 return (0);
650 return(add_client_CA(&(ssl->client_CA),x));
651 }
652 630
653int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x) 631 if (!sk_X509_NAME_push(*sk, name)) {
654 { 632 X509_NAME_free(name);
655 return(add_client_CA(&(ctx->client_CA),x)); 633 return (0);
656 }
657
658static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
659 {
660 return(X509_NAME_cmp(*a,*b));
661 } 634 }
635 return (1);
636}
637
638int
639SSL_add_client_CA(SSL *ssl, X509 *x)
640{
641 return (add_client_CA(&(ssl->client_CA), x));
642}
643
644int
645SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
646{
647 return (add_client_CA(&(ctx->client_CA), x));
648}
649
650static int
651xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
652{
653 return (X509_NAME_cmp(*a, *b));
654}
662 655
663#ifndef OPENSSL_NO_STDIO 656#ifndef OPENSSL_NO_STDIO
664/*! 657/*!
@@ -669,65 +662,65 @@ static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
669 * \param file the file containing one or more certs. 662 * \param file the file containing one or more certs.
670 * \return a ::STACK containing the certs. 663 * \return a ::STACK containing the certs.
671 */ 664 */
672STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) 665STACK_OF(X509_NAME)
673 { 666*SSL_load_client_CA_file(const char *file)
667{
674 BIO *in; 668 BIO *in;
675 X509 *x=NULL; 669 X509 *x = NULL;
676 X509_NAME *xn=NULL; 670 X509_NAME *xn = NULL;
677 STACK_OF(X509_NAME) *ret = NULL,*sk; 671 STACK_OF(X509_NAME) *ret = NULL, *sk;
678 672
679 sk=sk_X509_NAME_new(xname_cmp); 673 sk = sk_X509_NAME_new(xname_cmp);
680 674
681 in=BIO_new(BIO_s_file_internal()); 675 in = BIO_new(BIO_s_file_internal());
682 676
683 if ((sk == NULL) || (in == NULL)) 677 if ((sk == NULL) || (in == NULL)) {
684 { 678 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
685 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
686 goto err; 679 goto err;
687 } 680 }
688 681
689 if (!BIO_read_filename(in,file)) 682 if (!BIO_read_filename(in, file))
690 goto err; 683 goto err;
691 684
692 for (;;) 685 for (;;) {
693 { 686 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
694 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
695 break; 687 break;
696 if (ret == NULL) 688 if (ret == NULL) {
697 {
698 ret = sk_X509_NAME_new_null(); 689 ret = sk_X509_NAME_new_null();
699 if (ret == NULL) 690 if (ret == NULL) {
700 { 691 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
701 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
702 goto err; 692 goto err;
703 }
704 } 693 }
705 if ((xn=X509_get_subject_name(x)) == NULL) goto err; 694 }
706 /* check for duplicates */ 695 if ((xn = X509_get_subject_name(x)) == NULL) goto err;
707 xn=X509_NAME_dup(xn); 696 /* check for duplicates */
708 if (xn == NULL) goto err; 697 xn = X509_NAME_dup(xn);
709 if (sk_X509_NAME_find(sk,xn) >= 0) 698 if (xn == NULL)
699 goto err;
700 if (sk_X509_NAME_find(sk, xn) >= 0)
710 X509_NAME_free(xn); 701 X509_NAME_free(xn);
711 else 702 else {
712 { 703 sk_X509_NAME_push(sk, xn);
713 sk_X509_NAME_push(sk,xn); 704 sk_X509_NAME_push(ret, xn);
714 sk_X509_NAME_push(ret,xn);
715 }
716 } 705 }
706 }
717 707
718 if (0) 708 if (0) {
719 {
720err: 709err:
721 if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free); 710 if (ret != NULL)
722 ret=NULL; 711 sk_X509_NAME_pop_free(ret, X509_NAME_free);
723 } 712 ret = NULL;
724 if (sk != NULL) sk_X509_NAME_free(sk); 713 }
725 if (in != NULL) BIO_free(in); 714 if (sk != NULL)
726 if (x != NULL) X509_free(x); 715 sk_X509_NAME_free(sk);
716 if (in != NULL)
717 BIO_free(in);
718 if (x != NULL)
719 X509_free(x);
727 if (ret != NULL) 720 if (ret != NULL)
728 ERR_clear_error(); 721 ERR_clear_error();
729 return(ret); 722 return (ret);
730 } 723}
731#endif 724#endif
732 725
733/*! 726/*!
@@ -739,57 +732,56 @@ err:
739 * certs may have been added to \c stack. 732 * certs may have been added to \c stack.
740 */ 733 */
741 734
742int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 735int
743 const char *file) 736SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
744 { 737 const char *file)
738{
745 BIO *in; 739 BIO *in;
746 X509 *x=NULL; 740 X509 *x = NULL;
747 X509_NAME *xn=NULL; 741 X509_NAME *xn = NULL;
748 int ret=1; 742 int ret = 1;
749 int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b); 743 int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
750 744
751 oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp); 745 oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_cmp);
752 746
753 in=BIO_new(BIO_s_file_internal()); 747 in = BIO_new(BIO_s_file_internal());
754 748
755 if (in == NULL) 749 if (in == NULL) {
756 { 750 SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK, ERR_R_MALLOC_FAILURE);
757 SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
758 goto err; 751 goto err;
759 } 752 }
760 753
761 if (!BIO_read_filename(in,file)) 754 if (!BIO_read_filename(in, file))
762 goto err; 755 goto err;
763 756
764 for (;;) 757 for (;;) {
765 { 758 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
766 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
767 break; 759 break;
768 if ((xn=X509_get_subject_name(x)) == NULL) goto err; 760 if ((xn = X509_get_subject_name(x)) == NULL) goto err;
769 xn=X509_NAME_dup(xn); 761 xn = X509_NAME_dup(xn);
770 if (xn == NULL) goto err; 762 if (xn == NULL)
771 if (sk_X509_NAME_find(stack,xn) >= 0) 763 goto err;
764 if (sk_X509_NAME_find(stack, xn) >= 0)
772 X509_NAME_free(xn); 765 X509_NAME_free(xn);
773 else 766 else
774 sk_X509_NAME_push(stack,xn); 767 sk_X509_NAME_push(stack, xn);
775 } 768 }
776 769
777 ERR_clear_error(); 770 ERR_clear_error();
778 771
779 if (0) 772 if (0) {
780 {
781err: 773err:
782 ret=0; 774 ret = 0;
783 } 775 }
784 if(in != NULL) 776 if (in != NULL)
785 BIO_free(in); 777 BIO_free(in);
786 if(x != NULL) 778 if (x != NULL)
787 X509_free(x); 779 X509_free(x);
788 780
789 (void)sk_X509_NAME_set_cmp_func(stack,oldcmp); 781 (void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
790 782
791 return ret; 783 return ret;
792 } 784}
793 785
794/*! 786/*!
795 * Add a directory of certs to a stack. 787 * Add a directory of certs to a stack.
@@ -802,9 +794,10 @@ err:
802 * certs may have been added to \c stack. 794 * certs may have been added to \c stack.
803 */ 795 */
804 796
805int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 797int
806 const char *dir) 798SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
807 { 799 const char *dir)
800{
808 OPENSSL_DIR_CTX *d = NULL; 801 OPENSSL_DIR_CTX *d = NULL;
809 const char *filename; 802 const char *filename;
810 int ret = 0; 803 int ret = 0;
@@ -813,36 +806,34 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
813 806
814 /* Note that a side effect is that the CAs will be sorted by name */ 807 /* Note that a side effect is that the CAs will be sorted by name */
815 808
816 while((filename = OPENSSL_DIR_read(&d, dir))) 809 while ((filename = OPENSSL_DIR_read(&d, dir))) {
817 {
818 char buf[1024]; 810 char buf[1024];
819 int r; 811 int r;
820 812
821 if(strlen(dir)+strlen(filename)+2 > sizeof buf) 813 if (strlen(dir) + strlen(filename) + 2 > sizeof buf) {
822 { 814 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, SSL_R_PATH_TOO_LONG);
823 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
824 goto err; 815 goto err;
825 } 816 }
826 r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename); 817 r = BIO_snprintf(buf, sizeof buf, "%s/%s", dir, filename);
827 if (r <= 0 || r >= (int)sizeof(buf)) 818 if (r <= 0 || r >= (int)sizeof(buf))
828 goto err; 819 goto err;
829 if(!SSL_add_file_cert_subjects_to_stack(stack,buf)) 820 if (!SSL_add_file_cert_subjects_to_stack(stack, buf))
830 goto err; 821 goto err;
831 } 822 }
832 823
833 if (errno) 824 if (errno) {
834 {
835 SYSerr(SYS_F_OPENDIR, errno); 825 SYSerr(SYS_F_OPENDIR, errno);
836 ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')"); 826 ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
837 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB); 827 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
838 goto err; 828 goto err;
839 } 829 }
840 830
841 ret = 1; 831 ret = 1;
842 832
843err: 833err:
844 if (d) OPENSSL_DIR_end(&d); 834 if (d)
835 OPENSSL_DIR_end(&d);
845 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR); 836 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
846 return ret; 837 return ret;
847 } 838}
848 839
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-15 04:46:30 +0000