summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_cert.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl_cert.c649
1 files changed, 320 insertions, 329 deletions
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 1aaddc351f..79eb4ee031 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -132,36 +132,36 @@
132#include <openssl/bn.h> 132#include <openssl/bn.h>
133#include "ssl_locl.h" 133#include "ssl_locl.h"
134 134
135int SSL_get_ex_data_X509_STORE_CTX_idx(void) 135int
136 { 136SSL_get_ex_data_X509_STORE_CTX_idx(void)
137 static volatile int ssl_x509_store_ctx_idx= -1; 137{
138 static volatile int ssl_x509_store_ctx_idx = -1;
138 int got_write_lock = 0; 139 int got_write_lock = 0;
139 140
140 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); 141 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
141 142
142 if (ssl_x509_store_ctx_idx < 0) 143 if (ssl_x509_store_ctx_idx < 0) {
143 {
144 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); 144 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
145 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 145 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
146 got_write_lock = 1; 146 got_write_lock = 1;
147 147
148 if (ssl_x509_store_ctx_idx < 0) 148 if (ssl_x509_store_ctx_idx < 0) {
149 { 149 ssl_x509_store_ctx_idx = X509_STORE_CTX_get_ex_new_index(
150 ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index( 150 0, "SSL for verify callback", NULL, NULL, NULL);
151 0,"SSL for verify callback",NULL,NULL,NULL);
152 }
153 } 151 }
152 }
154 153
155 if (got_write_lock) 154 if (got_write_lock)
156 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 155 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
157 else 156 else
158 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); 157 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
159 158
160 return ssl_x509_store_ctx_idx; 159 return ssl_x509_store_ctx_idx;
161 } 160}
162 161
163static void ssl_cert_set_default_md(CERT *cert) 162static void
164 { 163ssl_cert_set_default_md(CERT *cert)
164{
165 /* Set digest values to defaults */ 165 /* Set digest values to defaults */
166#ifndef OPENSSL_NO_DSA 166#ifndef OPENSSL_NO_DSA
167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
@@ -173,37 +173,37 @@ static void ssl_cert_set_default_md(CERT *cert)
173#ifndef OPENSSL_NO_ECDSA 173#ifndef OPENSSL_NO_ECDSA
174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
175#endif 175#endif
176 } 176}
177 177
178CERT *ssl_cert_new(void) 178CERT
179 { 179*ssl_cert_new(void)
180{
180 CERT *ret; 181 CERT *ret;
181 182
182 ret=(CERT *)OPENSSL_malloc(sizeof(CERT)); 183 ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
183 if (ret == NULL) 184 if (ret == NULL) {
184 { 185 SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE);
185 SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE); 186 return (NULL);
186 return(NULL); 187 }
187 } 188 memset(ret, 0, sizeof(CERT));
188 memset(ret,0,sizeof(CERT));
189 189
190 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]); 190 ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
191 ret->references=1; 191 ret->references = 1;
192 ssl_cert_set_default_md(ret); 192 ssl_cert_set_default_md(ret);
193 return(ret); 193 return (ret);
194 } 194}
195 195
196CERT *ssl_cert_dup(CERT *cert) 196CERT
197 { 197*ssl_cert_dup(CERT *cert)
198{
198 CERT *ret; 199 CERT *ret;
199 int i; 200 int i;
200 201
201 ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); 202 ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
202 if (ret == NULL) 203 if (ret == NULL) {
203 {
204 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); 204 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
205 return(NULL); 205 return (NULL);
206 } 206 }
207 207
208 memset(ret, 0, sizeof(CERT)); 208 memset(ret, 0, sizeof(CERT));
209 209
@@ -218,77 +218,64 @@ CERT *ssl_cert_dup(CERT *cert)
218 ret->export_mask_a = cert->export_mask_a; 218 ret->export_mask_a = cert->export_mask_a;
219 219
220#ifndef OPENSSL_NO_RSA 220#ifndef OPENSSL_NO_RSA
221 if (cert->rsa_tmp != NULL) 221 if (cert->rsa_tmp != NULL) {
222 {
223 RSA_up_ref(cert->rsa_tmp); 222 RSA_up_ref(cert->rsa_tmp);
224 ret->rsa_tmp = cert->rsa_tmp; 223 ret->rsa_tmp = cert->rsa_tmp;
225 } 224 }
226 ret->rsa_tmp_cb = cert->rsa_tmp_cb; 225 ret->rsa_tmp_cb = cert->rsa_tmp_cb;
227#endif 226#endif
228 227
229#ifndef OPENSSL_NO_DH 228#ifndef OPENSSL_NO_DH
230 if (cert->dh_tmp != NULL) 229 if (cert->dh_tmp != NULL) {
231 {
232 ret->dh_tmp = DHparams_dup(cert->dh_tmp); 230 ret->dh_tmp = DHparams_dup(cert->dh_tmp);
233 if (ret->dh_tmp == NULL) 231 if (ret->dh_tmp == NULL) {
234 {
235 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB); 232 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
236 goto err; 233 goto err;
237 } 234 }
238 if (cert->dh_tmp->priv_key) 235 if (cert->dh_tmp->priv_key) {
239 {
240 BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); 236 BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
241 if (!b) 237 if (!b) {
242 {
243 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); 238 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
244 goto err; 239 goto err;
245 }
246 ret->dh_tmp->priv_key = b;
247 } 240 }
248 if (cert->dh_tmp->pub_key) 241 ret->dh_tmp->priv_key = b;
249 { 242 }
243 if (cert->dh_tmp->pub_key) {
250 BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); 244 BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
251 if (!b) 245 if (!b) {
252 {
253 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); 246 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
254 goto err; 247 goto err;
255 }
256 ret->dh_tmp->pub_key = b;
257 } 248 }
249 ret->dh_tmp->pub_key = b;
258 } 250 }
251 }
259 ret->dh_tmp_cb = cert->dh_tmp_cb; 252 ret->dh_tmp_cb = cert->dh_tmp_cb;
260#endif 253#endif
261 254
262#ifndef OPENSSL_NO_ECDH 255#ifndef OPENSSL_NO_ECDH
263 if (cert->ecdh_tmp) 256 if (cert->ecdh_tmp) {
264 {
265 ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); 257 ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
266 if (ret->ecdh_tmp == NULL) 258 if (ret->ecdh_tmp == NULL) {
267 {
268 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB); 259 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
269 goto err; 260 goto err;
270 }
271 } 261 }
262 }
272 ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; 263 ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
273#endif 264#endif
274 265
275 for (i = 0; i < SSL_PKEY_NUM; i++) 266 for (i = 0; i < SSL_PKEY_NUM; i++) {
276 { 267 if (cert->pkeys[i].x509 != NULL) {
277 if (cert->pkeys[i].x509 != NULL)
278 {
279 ret->pkeys[i].x509 = cert->pkeys[i].x509; 268 ret->pkeys[i].x509 = cert->pkeys[i].x509;
280 CRYPTO_add(&ret->pkeys[i].x509->references, 1, 269 CRYPTO_add(&ret->pkeys[i].x509->references, 1,
281 CRYPTO_LOCK_X509); 270 CRYPTO_LOCK_X509);
282 } 271 }
283 272
284 if (cert->pkeys[i].privatekey != NULL) 273 if (cert->pkeys[i].privatekey != NULL) {
285 {
286 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey; 274 ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
287 CRYPTO_add(&ret->pkeys[i].privatekey->references, 1, 275 CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
288 CRYPTO_LOCK_EVP_PKEY); 276 CRYPTO_LOCK_EVP_PKEY);
289 277
290 switch(i) 278 switch (i) {
291 {
292 /* If there was anything special to do for 279 /* If there was anything special to do for
293 * certain types of keys, we'd do it here. 280 * certain types of keys, we'd do it here.
294 * (Nothing at the moment, I think.) */ 281 * (Nothing at the moment, I think.) */
@@ -297,11 +284,11 @@ CERT *ssl_cert_dup(CERT *cert)
297 case SSL_PKEY_RSA_SIGN: 284 case SSL_PKEY_RSA_SIGN:
298 /* We have an RSA key. */ 285 /* We have an RSA key. */
299 break; 286 break;
300 287
301 case SSL_PKEY_DSA_SIGN: 288 case SSL_PKEY_DSA_SIGN:
302 /* We have a DSA key. */ 289 /* We have a DSA key. */
303 break; 290 break;
304 291
305 case SSL_PKEY_DH_RSA: 292 case SSL_PKEY_DH_RSA:
306 case SSL_PKEY_DH_DSA: 293 case SSL_PKEY_DH_DSA:
307 /* We have a DH key. */ 294 /* We have a DH key. */
@@ -314,21 +301,21 @@ CERT *ssl_cert_dup(CERT *cert)
314 default: 301 default:
315 /* Can't happen. */ 302 /* Can't happen. */
316 SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG); 303 SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
317 }
318 } 304 }
319 } 305 }
320 306 }
307
321 /* ret->extra_certs *should* exist, but currently the own certificate 308 /* ret->extra_certs *should* exist, but currently the own certificate
322 * chain is held inside SSL_CTX */ 309 * chain is held inside SSL_CTX */
323 310
324 ret->references=1; 311 ret->references = 1;
325 /* Set digests to defaults. NB: we don't copy existing values as they 312 /* Set digests to defaults. NB: we don't copy existing values as they
326 * will be set during handshake. 313 * will be set during handshake.
327 */ 314 */
328 ssl_cert_set_default_md(ret); 315 ssl_cert_set_default_md(ret);
329 316
330 return(ret); 317 return (ret);
331 318
332#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH) 319#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
333err: 320err:
334#endif 321#endif
@@ -345,50 +332,52 @@ err:
345 EC_KEY_free(ret->ecdh_tmp); 332 EC_KEY_free(ret->ecdh_tmp);
346#endif 333#endif
347 334
348 for (i = 0; i < SSL_PKEY_NUM; i++) 335 for (i = 0; i < SSL_PKEY_NUM; i++) {
349 {
350 if (ret->pkeys[i].x509 != NULL) 336 if (ret->pkeys[i].x509 != NULL)
351 X509_free(ret->pkeys[i].x509); 337 X509_free(ret->pkeys[i].x509);
352 if (ret->pkeys[i].privatekey != NULL) 338 if (ret->pkeys[i].privatekey != NULL)
353 EVP_PKEY_free(ret->pkeys[i].privatekey); 339 EVP_PKEY_free(ret->pkeys[i].privatekey);
354 } 340 }
355 341
356 return NULL; 342 return NULL;
357 } 343}
358 344
359 345
360void ssl_cert_free(CERT *c) 346void
361 { 347ssl_cert_free(CERT *c)
348{
362 int i; 349 int i;
363 350
364 if(c == NULL) 351 if (c == NULL)
365 return; 352 return;
366 353
367 i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT); 354 i = CRYPTO_add(&c->references, -1, CRYPTO_LOCK_SSL_CERT);
368#ifdef REF_PRINT 355#ifdef REF_PRINT
369 REF_PRINT("CERT",c); 356 REF_PRINT("CERT", c);
370#endif 357#endif
371 if (i > 0) return; 358 if (i > 0)
359 return;
372#ifdef REF_CHECK 360#ifdef REF_CHECK
373 if (i < 0) 361 if (i < 0) {
374 { 362 fprintf(stderr, "ssl_cert_free, bad reference count\n");
375 fprintf(stderr,"ssl_cert_free, bad reference count\n");
376 abort(); /* ok */ 363 abort(); /* ok */
377 } 364 }
378#endif 365#endif
379 366
380#ifndef OPENSSL_NO_RSA 367#ifndef OPENSSL_NO_RSA
381 if (c->rsa_tmp) RSA_free(c->rsa_tmp); 368 if (c->rsa_tmp)
369 RSA_free(c->rsa_tmp);
382#endif 370#endif
383#ifndef OPENSSL_NO_DH 371#ifndef OPENSSL_NO_DH
384 if (c->dh_tmp) DH_free(c->dh_tmp); 372 if (c->dh_tmp)
373 DH_free(c->dh_tmp);
385#endif 374#endif
386#ifndef OPENSSL_NO_ECDH 375#ifndef OPENSSL_NO_ECDH
387 if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp); 376 if (c->ecdh_tmp)
377 EC_KEY_free(c->ecdh_tmp);
388#endif 378#endif
389 379
390 for (i=0; i<SSL_PKEY_NUM; i++) 380 for (i = 0; i < SSL_PKEY_NUM; i++) {
391 {
392 if (c->pkeys[i].x509 != NULL) 381 if (c->pkeys[i].x509 != NULL)
393 X509_free(c->pkeys[i].x509); 382 X509_free(c->pkeys[i].x509);
394 if (c->pkeys[i].privatekey != NULL) 383 if (c->pkeys[i].privatekey != NULL)
@@ -397,12 +386,13 @@ void ssl_cert_free(CERT *c)
397 if (c->pkeys[i].publickey != NULL) 386 if (c->pkeys[i].publickey != NULL)
398 EVP_PKEY_free(c->pkeys[i].publickey); 387 EVP_PKEY_free(c->pkeys[i].publickey);
399#endif 388#endif
400 }
401 OPENSSL_free(c);
402 } 389 }
390 OPENSSL_free(c);
391}
403 392
404int ssl_cert_inst(CERT **o) 393int
405 { 394ssl_cert_inst(CERT **o)
395{
406 /* Create a CERT if there isn't already one 396 /* Create a CERT if there isn't already one
407 * (which cannot really happen, as it is initially created in 397 * (which cannot really happen, as it is initially created in
408 * SSL_CTX_new; but the earlier code usually allows for that one 398 * SSL_CTX_new; but the earlier code usually allows for that one
@@ -412,44 +402,42 @@ int ssl_cert_inst(CERT **o)
412 * s->cert being NULL, otherwise we could do without the 402 * s->cert being NULL, otherwise we could do without the
413 * initialization in SSL_CTX_new). 403 * initialization in SSL_CTX_new).
414 */ 404 */
415 405
416 if (o == NULL) 406 if (o == NULL) {
417 {
418 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER); 407 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
419 return(0); 408 return (0);
420 } 409 }
421 if (*o == NULL) 410 if (*o == NULL) {
422 { 411 if ((*o = ssl_cert_new()) == NULL) {
423 if ((*o = ssl_cert_new()) == NULL)
424 {
425 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE); 412 SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
426 return(0); 413 return (0);
427 }
428 } 414 }
429 return(1);
430 } 415 }
416 return (1);
417}
431 418
432 419
433SESS_CERT *ssl_sess_cert_new(void) 420SESS_CERT
434 { 421*ssl_sess_cert_new(void)
422{
435 SESS_CERT *ret; 423 SESS_CERT *ret;
436 424
437 ret = OPENSSL_malloc(sizeof *ret); 425 ret = OPENSSL_malloc(sizeof *ret);
438 if (ret == NULL) 426 if (ret == NULL) {
439 {
440 SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE); 427 SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
441 return NULL; 428 return NULL;
442 } 429 }
443 430
444 memset(ret, 0 ,sizeof *ret); 431 memset(ret, 0 , sizeof *ret);
445 ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]); 432 ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
446 ret->references = 1; 433 ret->references = 1;
447 434
448 return ret; 435 return ret;
449 } 436}
450 437
451void ssl_sess_cert_free(SESS_CERT *sc) 438void
452 { 439ssl_sess_cert_free(SESS_CERT *sc)
440{
453 int i; 441 int i;
454 442
455 if (sc == NULL) 443 if (sc == NULL)
@@ -462,27 +450,25 @@ void ssl_sess_cert_free(SESS_CERT *sc)
462 if (i > 0) 450 if (i > 0)
463 return; 451 return;
464#ifdef REF_CHECK 452#ifdef REF_CHECK
465 if (i < 0) 453 if (i < 0) {
466 { 454 fprintf(stderr, "ssl_sess_cert_free, bad reference count\n");
467 fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
468 abort(); /* ok */ 455 abort(); /* ok */
469 } 456 }
470#endif 457#endif
471 458
472 /* i == 0 */ 459 /* i == 0 */
473 if (sc->cert_chain != NULL) 460 if (sc->cert_chain != NULL)
474 sk_X509_pop_free(sc->cert_chain, X509_free); 461 sk_X509_pop_free(sc->cert_chain, X509_free);
475 for (i = 0; i < SSL_PKEY_NUM; i++) 462 for (i = 0; i < SSL_PKEY_NUM; i++) {
476 {
477 if (sc->peer_pkeys[i].x509 != NULL) 463 if (sc->peer_pkeys[i].x509 != NULL)
478 X509_free(sc->peer_pkeys[i].x509); 464 X509_free(sc->peer_pkeys[i].x509);
479#if 0 /* We don't have the peer's private key. These lines are just 465#if 0 /* We don't have the peer's private key. These lines are just
480 * here as a reminder that we're still using a not-quite-appropriate 466 * here as a reminder that we're still using a not-quite-appropriate
481 * data structure. */ 467 * data structure. */
482 if (sc->peer_pkeys[i].privatekey != NULL) 468 if (sc->peer_pkeys[i].privatekey != NULL)
483 EVP_PKEY_free(sc->peer_pkeys[i].privatekey); 469 EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
484#endif 470#endif
485 } 471 }
486 472
487#ifndef OPENSSL_NO_RSA 473#ifndef OPENSSL_NO_RSA
488 if (sc->peer_rsa_tmp != NULL) 474 if (sc->peer_rsa_tmp != NULL)
@@ -498,34 +484,35 @@ void ssl_sess_cert_free(SESS_CERT *sc)
498#endif 484#endif
499 485
500 OPENSSL_free(sc); 486 OPENSSL_free(sc);
501 } 487}
502 488
503int ssl_set_peer_cert_type(SESS_CERT *sc,int type) 489int
504 { 490ssl_set_peer_cert_type(SESS_CERT *sc, int type)
491{
505 sc->peer_cert_type = type; 492 sc->peer_cert_type = type;
506 return(1); 493 return (1);
507 } 494}
508 495
509int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) 496int
510 { 497ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
498{
511 X509 *x; 499 X509 *x;
512 int i; 500 int i;
513 X509_STORE_CTX ctx; 501 X509_STORE_CTX ctx;
514 502
515 if ((sk == NULL) || (sk_X509_num(sk) == 0)) 503 if ((sk == NULL) || (sk_X509_num(sk) == 0))
516 return(0); 504 return (0);
517 505
518 x=sk_X509_value(sk,0); 506 x = sk_X509_value(sk, 0);
519 if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk)) 507 if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) {
520 { 508 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_X509_LIB);
521 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB); 509 return (0);
522 return(0); 510 }
523 }
524#if 0 511#if 0
525 if (SSL_get_verify_depth(s) >= 0) 512 if (SSL_get_verify_depth(s) >= 0)
526 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s)); 513 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
527#endif 514#endif
528 X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s); 515 X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
529 516
530 /* We need to inherit the verify parameters. These can be determined by 517 /* We need to inherit the verify parameters. These can be determined by
531 * the context: if its a server it will verify SSL client certificates 518 * the context: if its a server it will verify SSL client certificates
@@ -533,7 +520,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
533 */ 520 */
534 521
535 X509_STORE_CTX_set_default(&ctx, 522 X509_STORE_CTX_set_default(&ctx,
536 s->server ? "ssl_client" : "ssl_server"); 523 s->server ? "ssl_client" : "ssl_server");
537 /* Anything non-default in "param" should overwrite anything in the 524 /* Anything non-default in "param" should overwrite anything in the
538 * ctx. 525 * ctx.
539 */ 526 */
@@ -544,121 +531,127 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
544 531
545 if (s->ctx->app_verify_callback != NULL) 532 if (s->ctx->app_verify_callback != NULL)
546#if 1 /* new with OpenSSL 0.9.7 */ 533#if 1 /* new with OpenSSL 0.9.7 */
547 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); 534 i = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
535
548#else 536#else
549 i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */ 537 i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
550#endif 538#endif
551 else 539 else {
552 {
553#ifndef OPENSSL_NO_X509_VERIFY 540#ifndef OPENSSL_NO_X509_VERIFY
554 i=X509_verify_cert(&ctx); 541 i = X509_verify_cert(&ctx);
555#else 542#else
556 i=0; 543 i = 0;
557 ctx.error=X509_V_ERR_APPLICATION_VERIFICATION; 544 ctx.error = X509_V_ERR_APPLICATION_VERIFICATION;
558 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK); 545 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, SSL_R_NO_VERIFY_CALLBACK);
559#endif 546#endif
560 } 547 }
561 548
562 s->verify_result=ctx.error; 549 s->verify_result = ctx.error;
563 X509_STORE_CTX_cleanup(&ctx); 550 X509_STORE_CTX_cleanup(&ctx);
564 551
565 return(i); 552 return (i);
566 } 553}
567 554
568static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list) 555static void
569 { 556set_client_CA_list(STACK_OF(X509_NAME) **ca_list, STACK_OF(X509_NAME) *name_list)
557{
570 if (*ca_list != NULL) 558 if (*ca_list != NULL)
571 sk_X509_NAME_pop_free(*ca_list,X509_NAME_free); 559 sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
572 560
573 *ca_list=name_list; 561 *ca_list = name_list;
574 } 562}
575 563
576STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) 564STACK_OF(X509_NAME)
577 { 565*SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
566{
578 int i; 567 int i;
579 STACK_OF(X509_NAME) *ret; 568 STACK_OF(X509_NAME) *ret;
580 X509_NAME *name; 569 X509_NAME *name;
581 570
582 ret=sk_X509_NAME_new_null(); 571 ret = sk_X509_NAME_new_null();
583 for (i=0; i<sk_X509_NAME_num(sk); i++) 572 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
584 { 573 name = X509_NAME_dup(sk_X509_NAME_value(sk, i));
585 name=X509_NAME_dup(sk_X509_NAME_value(sk,i)); 574 if ((name == NULL) || !sk_X509_NAME_push(ret, name)) {
586 if ((name == NULL) || !sk_X509_NAME_push(ret,name)) 575 sk_X509_NAME_pop_free(ret, X509_NAME_free);
587 { 576 return (NULL);
588 sk_X509_NAME_pop_free(ret,X509_NAME_free);
589 return(NULL);
590 }
591 } 577 }
592 return(ret);
593 } 578 }
594 579 return (ret);
595void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list) 580}
596 { 581
597 set_client_CA_list(&(s->client_CA),name_list); 582void
598 } 583SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
599 584{
600void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list) 585 set_client_CA_list(&(s->client_CA), name_list);
601 { 586}
602 set_client_CA_list(&(ctx->client_CA),name_list); 587
603 } 588void
604 589SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
605STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) 590{
606 { 591 set_client_CA_list(&(ctx->client_CA), name_list);
607 return(ctx->client_CA); 592}
608 } 593
609 594STACK_OF(X509_NAME)
610STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) 595*SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
611 { 596{
597 return (ctx->client_CA);
598}
599
600STACK_OF(X509_NAME)
601*SSL_get_client_CA_list(const SSL *s)
602{
612 if (s->type == SSL_ST_CONNECT) 603 if (s->type == SSL_ST_CONNECT)
613 { /* we are in the client */ 604 { /* we are in the client */
614 if (((s->version>>8) == SSL3_VERSION_MAJOR) && 605 if (((s->version >> 8) == SSL3_VERSION_MAJOR) &&
615 (s->s3 != NULL)) 606 (s->s3 != NULL))
616 return(s->s3->tmp.ca_names); 607 return (s->s3->tmp.ca_names);
617 else 608 else
618 return(NULL); 609 return (NULL);
619 } 610 } else {
620 else
621 {
622 if (s->client_CA != NULL) 611 if (s->client_CA != NULL)
623 return(s->client_CA); 612 return (s->client_CA);
624 else 613 else
625 return(s->ctx->client_CA); 614 return (s->ctx->client_CA);
626 }
627 } 615 }
616}
628 617
629static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x) 618static int
630 { 619add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x)
620{
631 X509_NAME *name; 621 X509_NAME *name;
632 622
633 if (x == NULL) return(0); 623 if (x == NULL)
634 if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL)) 624 return (0);
635 return(0); 625 if ((*sk == NULL) && ((*sk = sk_X509_NAME_new_null()) == NULL))
636 626 return (0);
637 if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
638 return(0);
639
640 if (!sk_X509_NAME_push(*sk,name))
641 {
642 X509_NAME_free(name);
643 return(0);
644 }
645 return(1);
646 }
647 627
648int SSL_add_client_CA(SSL *ssl,X509 *x) 628 if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL)
649 { 629 return (0);
650 return(add_client_CA(&(ssl->client_CA),x));
651 }
652 630
653int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x) 631 if (!sk_X509_NAME_push(*sk, name)) {
654 { 632 X509_NAME_free(name);
655 return(add_client_CA(&(ctx->client_CA),x)); 633 return (0);
656 }
657
658static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
659 {
660 return(X509_NAME_cmp(*a,*b));
661 } 634 }
635 return (1);
636}
637
638int
639SSL_add_client_CA(SSL *ssl, X509 *x)
640{
641 return (add_client_CA(&(ssl->client_CA), x));
642}
643
644int
645SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
646{
647 return (add_client_CA(&(ctx->client_CA), x));
648}
649
650static int
651xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
652{
653 return (X509_NAME_cmp(*a, *b));
654}
662 655
663#ifndef OPENSSL_NO_STDIO 656#ifndef OPENSSL_NO_STDIO
664/*! 657/*!
@@ -669,65 +662,65 @@ static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
669 * \param file the file containing one or more certs. 662 * \param file the file containing one or more certs.
670 * \return a ::STACK containing the certs. 663 * \return a ::STACK containing the certs.
671 */ 664 */
672STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) 665STACK_OF(X509_NAME)
673 { 666*SSL_load_client_CA_file(const char *file)
667{
674 BIO *in; 668 BIO *in;
675 X509 *x=NULL; 669 X509 *x = NULL;
676 X509_NAME *xn=NULL; 670 X509_NAME *xn = NULL;
677 STACK_OF(X509_NAME) *ret = NULL,*sk; 671 STACK_OF(X509_NAME) *ret = NULL, *sk;
678 672
679 sk=sk_X509_NAME_new(xname_cmp); 673 sk = sk_X509_NAME_new(xname_cmp);
680 674
681 in=BIO_new(BIO_s_file_internal()); 675 in = BIO_new(BIO_s_file_internal());
682 676
683 if ((sk == NULL) || (in == NULL)) 677 if ((sk == NULL) || (in == NULL)) {
684 { 678 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
685 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
686 goto err; 679 goto err;
687 } 680 }
688 681
689 if (!BIO_read_filename(in,file)) 682 if (!BIO_read_filename(in, file))
690 goto err; 683 goto err;
691 684
692 for (;;) 685 for (;;) {
693 { 686 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
694 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
695 break; 687 break;
696 if (ret == NULL) 688 if (ret == NULL) {
697 {
698 ret = sk_X509_NAME_new_null(); 689 ret = sk_X509_NAME_new_null();
699 if (ret == NULL) 690 if (ret == NULL) {
700 { 691 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
701 SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
702 goto err; 692 goto err;
703 }
704 } 693 }
705 if ((xn=X509_get_subject_name(x)) == NULL) goto err; 694 }
706 /* check for duplicates */ 695 if ((xn = X509_get_subject_name(x)) == NULL) goto err;
707 xn=X509_NAME_dup(xn); 696 /* check for duplicates */
708 if (xn == NULL) goto err; 697 xn = X509_NAME_dup(xn);
709 if (sk_X509_NAME_find(sk,xn) >= 0) 698 if (xn == NULL)
699 goto err;
700 if (sk_X509_NAME_find(sk, xn) >= 0)
710 X509_NAME_free(xn); 701 X509_NAME_free(xn);
711 else 702 else {
712 { 703 sk_X509_NAME_push(sk, xn);
713 sk_X509_NAME_push(sk,xn); 704 sk_X509_NAME_push(ret, xn);
714 sk_X509_NAME_push(ret,xn);
715 }
716 } 705 }
706 }
717 707
718 if (0) 708 if (0) {
719 {
720err: 709err:
721 if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free); 710 if (ret != NULL)
722 ret=NULL; 711 sk_X509_NAME_pop_free(ret, X509_NAME_free);
723 } 712 ret = NULL;
724 if (sk != NULL) sk_X509_NAME_free(sk); 713 }
725 if (in != NULL) BIO_free(in); 714 if (sk != NULL)
726 if (x != NULL) X509_free(x); 715 sk_X509_NAME_free(sk);
716 if (in != NULL)
717 BIO_free(in);
718 if (x != NULL)
719 X509_free(x);
727 if (ret != NULL) 720 if (ret != NULL)
728 ERR_clear_error(); 721 ERR_clear_error();
729 return(ret); 722 return (ret);
730 } 723}
731#endif 724#endif
732 725
733/*! 726/*!
@@ -739,57 +732,56 @@ err:
739 * certs may have been added to \c stack. 732 * certs may have been added to \c stack.
740 */ 733 */
741 734
742int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 735int
743 const char *file) 736SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
744 { 737 const char *file)
738{
745 BIO *in; 739 BIO *in;
746 X509 *x=NULL; 740 X509 *x = NULL;
747 X509_NAME *xn=NULL; 741 X509_NAME *xn = NULL;
748 int ret=1; 742 int ret = 1;
749 int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b); 743 int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
750 744
751 oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp); 745 oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_cmp);
752 746
753 in=BIO_new(BIO_s_file_internal()); 747 in = BIO_new(BIO_s_file_internal());
754 748
755 if (in == NULL) 749 if (in == NULL) {
756 { 750 SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK, ERR_R_MALLOC_FAILURE);
757 SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
758 goto err; 751 goto err;
759 } 752 }
760 753
761 if (!BIO_read_filename(in,file)) 754 if (!BIO_read_filename(in, file))
762 goto err; 755 goto err;
763 756
764 for (;;) 757 for (;;) {
765 { 758 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
766 if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
767 break; 759 break;
768 if ((xn=X509_get_subject_name(x)) == NULL) goto err; 760 if ((xn = X509_get_subject_name(x)) == NULL) goto err;
769 xn=X509_NAME_dup(xn); 761 xn = X509_NAME_dup(xn);
770 if (xn == NULL) goto err; 762 if (xn == NULL)
771 if (sk_X509_NAME_find(stack,xn) >= 0) 763 goto err;
764 if (sk_X509_NAME_find(stack, xn) >= 0)
772 X509_NAME_free(xn); 765 X509_NAME_free(xn);
773 else 766 else
774 sk_X509_NAME_push(stack,xn); 767 sk_X509_NAME_push(stack, xn);
775 } 768 }
776 769
777 ERR_clear_error(); 770 ERR_clear_error();
778 771
779 if (0) 772 if (0) {
780 {
781err: 773err:
782 ret=0; 774 ret = 0;
783 } 775 }
784 if(in != NULL) 776 if (in != NULL)
785 BIO_free(in); 777 BIO_free(in);
786 if(x != NULL) 778 if (x != NULL)
787 X509_free(x); 779 X509_free(x);
788 780
789 (void)sk_X509_NAME_set_cmp_func(stack,oldcmp); 781 (void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
790 782
791 return ret; 783 return ret;
792 } 784}
793 785
794/*! 786/*!
795 * Add a directory of certs to a stack. 787 * Add a directory of certs to a stack.
@@ -802,9 +794,10 @@ err:
802 * certs may have been added to \c stack. 794 * certs may have been added to \c stack.
803 */ 795 */
804 796
805int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, 797int
806 const char *dir) 798SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
807 { 799 const char *dir)
800{
808 OPENSSL_DIR_CTX *d = NULL; 801 OPENSSL_DIR_CTX *d = NULL;
809 const char *filename; 802 const char *filename;
810 int ret = 0; 803 int ret = 0;
@@ -813,36 +806,34 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
813 806
814 /* Note that a side effect is that the CAs will be sorted by name */ 807 /* Note that a side effect is that the CAs will be sorted by name */
815 808
816 while((filename = OPENSSL_DIR_read(&d, dir))) 809 while ((filename = OPENSSL_DIR_read(&d, dir))) {
817 {
818 char buf[1024]; 810 char buf[1024];
819 int r; 811 int r;
820 812
821 if(strlen(dir)+strlen(filename)+2 > sizeof buf) 813 if (strlen(dir) + strlen(filename) + 2 > sizeof buf) {
822 { 814 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, SSL_R_PATH_TOO_LONG);
823 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
824 goto err; 815 goto err;
825 } 816 }
826 r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename); 817 r = BIO_snprintf(buf, sizeof buf, "%s/%s", dir, filename);
827 if (r <= 0 || r >= (int)sizeof(buf)) 818 if (r <= 0 || r >= (int)sizeof(buf))
828 goto err; 819 goto err;
829 if(!SSL_add_file_cert_subjects_to_stack(stack,buf)) 820 if (!SSL_add_file_cert_subjects_to_stack(stack, buf))
830 goto err; 821 goto err;
831 } 822 }
832 823
833 if (errno) 824 if (errno) {
834 {
835 SYSerr(SYS_F_OPENDIR, errno); 825 SYSerr(SYS_F_OPENDIR, errno);
836 ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')"); 826 ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
837 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB); 827 SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
838 goto err; 828 goto err;
839 } 829 }
840 830
841 ret = 1; 831 ret = 1;
842 832
843err: 833err:
844 if (d) OPENSSL_DIR_end(&d); 834 if (d)
835 OPENSSL_DIR_end(&d);
845 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR); 836 CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
846 return ret; 837 return ret;
847 } 838}
848 839
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-27 19:27:20 +0000