1 files changed, 156 insertions, 87 deletions
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index a32b2d4446..b779e6bb4d 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -56,7 +56,7 @@
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -73,12 +73,12 @@
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
+ *    openssl-core@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
@@ -87,7 +87,7 @@
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -102,16 +102,6 @@
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * ECC cipher suite support in OpenSSL originally developed by 
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
 */
 #include <stdio.h>
@@ -121,42 +111,45 @@
 # include <sys/types.h>
 #endif
-#include "o_dir.h"
+#if !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) && !defined(NeXT) && !defined(MAC_OS_pre_X)
+#include <dirent.h>
+#endif
+#if defined(WIN32)
+#include <windows.h>
+#include <tchar.h>
+#endif
+#ifdef NeXT
+#include <sys/dir.h>
+#define dirent direct
+#endif
 #include <openssl/objects.h>
 #include <openssl/bio.h>
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
-#ifndef OPENSSL_NO_DH
-#include <openssl/dh.h>
-#endif
-#include <openssl/bn.h>
 #include "ssl_locl.h"
+#include <openssl/fips.h>
 int SSL_get_ex_data_X509_STORE_CTX_idx(void)
        {
        static volatile int ssl_x509_store_ctx_idx= -1;
-        int got_write_lock = 0;
-        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
        if (ssl_x509_store_ctx_idx < 0)
                {
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+                /* any write lock will do; usually this branch
+                 * will only be taken once anyway */
                CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-                got_write_lock = 1;
                
                if (ssl_x509_store_ctx_idx < 0)
                        {
                        ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
                                0,"SSL for verify callback",NULL,NULL,NULL);
                        }
-                }
+                
-        if (got_write_lock)
                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-        else
+                }
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-        
        return ssl_x509_store_ctx_idx;
        }
@@ -212,6 +205,7 @@ CERT *ssl_cert_dup(CERT *cert)
 #ifndef OPENSSL_NO_DH
        if (cert->dh_tmp != NULL)
                {
+                /* DH parameters don't have a reference count */
                ret->dh_tmp = DHparams_dup(cert->dh_tmp);
                if (ret->dh_tmp == NULL)
                        {
@@ -242,19 +236,6 @@ CERT *ssl_cert_dup(CERT *cert)
        ret->dh_tmp_cb = cert->dh_tmp_cb;
 #endif
-#ifndef OPENSSL_NO_ECDH
-        if (cert->ecdh_tmp)
-                {
-                ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
-                if (ret->ecdh_tmp == NULL)
-                        {
-                        SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
-                        goto err;
-                        }
-                }
-        ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
-#endif
        for (i = 0; i < SSL_PKEY_NUM; i++)
                {
                if (cert->pkeys[i].x509 != NULL)
@@ -289,11 +270,7 @@ CERT *ssl_cert_dup(CERT *cert)
                        case SSL_PKEY_DH_DSA:
                                /* We have a DH key. */
                                break;
+                                
-                        case SSL_PKEY_ECC:
-                                /* We have an ECC key */
-                                break;
                        default:
                                /* Can't happen. */
                                SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
@@ -308,7 +285,7 @@ CERT *ssl_cert_dup(CERT *cert)
        return(ret);
        
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
+#ifndef OPENSSL_NO_DH /* avoid 'unreferenced label' warning if OPENSSL_NO_DH is defined */
 err:
 #endif
 #ifndef OPENSSL_NO_RSA
@@ -319,10 +296,6 @@ err:
        if (ret->dh_tmp != NULL)
                DH_free(ret->dh_tmp);
 #endif
-#ifndef OPENSSL_NO_ECDH
-        if (ret->ecdh_tmp != NULL)
-                EC_KEY_free(ret->ecdh_tmp);
-#endif
        for (i = 0; i < SSL_PKEY_NUM; i++)
                {
@@ -362,9 +335,6 @@ void ssl_cert_free(CERT *c)
 #ifndef OPENSSL_NO_DH
        if (c->dh_tmp) DH_free(c->dh_tmp);
 #endif
-#ifndef OPENSSL_NO_ECDH
-        if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);
-#endif
        for (i=0; i<SSL_PKEY_NUM; i++)
                {
@@ -471,10 +441,6 @@ void ssl_sess_cert_free(SESS_CERT *sc)
        if (sc->peer_dh_tmp != NULL)
                DH_free(sc->peer_dh_tmp);
 #endif
-#ifndef OPENSSL_NO_ECDH
-        if (sc->peer_ecdh_tmp != NULL)
-                EC_KEY_free(sc->peer_ecdh_tmp);
-#endif
        OPENSSL_free(sc);
        }
@@ -500,22 +466,20 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
                SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
                return(0);
                }
-        if (s->param)
-                X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
-                                                s->param);
-#if 0
        if (SSL_get_verify_depth(s) >= 0)
                X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
-#endif
        X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
-        /* We need to inherit the verify parameters. These can be determined by
+        /* We need to set the verify purpose. The purpose can be determined by
         * the context: if its a server it will verify SSL client certificates
         * or vice versa.
         */
+        if (s->server)
+                i = X509_PURPOSE_SSL_CLIENT;
+        else
+                i = X509_PURPOSE_SSL_SERVER;
-        X509_STORE_CTX_set_default(&ctx,
+        X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
-                                s->server ? "ssl_client" : "ssl_server");
        if (s->verify_callback)
                X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
@@ -762,7 +726,7 @@ err:
        if(x != NULL)
                X509_free(x);
        
-        (void)sk_X509_NAME_set_cmp_func(stack,oldcmp);
+        sk_X509_NAME_set_cmp_func(stack,oldcmp);
        return ret;
        }
@@ -778,52 +742,157 @@ err:
 * certs may have been added to \c stack.
 */
+#ifndef OPENSSL_SYS_WIN32
+#ifndef OPENSSL_SYS_VMS         /* XXXX This may be fixed in the future */
+#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! */
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                                       const char *dir)
        {
-        OPENSSL_DIR_CTX *d = NULL;
+        DIR *d;
-        const char *filename;
+        struct dirent *dstruct;
        int ret = 0;
        CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
+        d = opendir(dir);
        /* Note that a side effect is that the CAs will be sorted by name */
+        if(!d)
-        while((filename = OPENSSL_DIR_read(&d, dir)))
+                {
+                SYSerr(SYS_F_OPENDIR, get_last_sys_error());
+                ERR_add_error_data(3, "opendir('", dir, "')");
+                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
+                goto err;
+                }
+        
+        while((dstruct=readdir(d)))
                {
                char buf[1024];
                int r;
+                
-                if(strlen(dir)+strlen(filename)+2 > sizeof buf)
+                if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
                        {
                        SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
                        goto err;
                        }
+                
-#ifdef OPENSSL_SYS_VMS
+                r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,dstruct->d_name);
-                r = BIO_snprintf(buf,sizeof buf,"%s%s",dir,filename);
+                if (r <= 0 || r >= sizeof buf)
-#else
-                r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename);
-#endif
-                if (r <= 0 || r >= (int)sizeof(buf))
                        goto err;
                if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
                        goto err;
                }
+        ret = 1;
+err:    
+        if (d) closedir(d);
+        CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
+        return ret;
+        }
+#endif
+#endif
+#else /* OPENSSL_SYS_WIN32 */
+#if defined(_WIN32_WCE)
+# ifndef UNICODE
+#  error "WinCE comes in UNICODE flavor only..."
+# endif
+# if _WIN32_WCE<101 && !defined(OPENSSL_NO_MULTIBYTE)
+#  define OPENSSL_NO_MULTIBYTE
+# endif
+# ifndef  FindFirstFile
+#  define FindFirstFile FindFirstFileW
+# endif
+# ifndef  FindNextFile
+#  define FindNextFile FindNextFileW
+# endif
+#endif
+int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+                                       const char *dir)
+        {
+        WIN32_FIND_DATA FindFileData;
+        HANDLE hFind;
+        int    ret = 0;
+        TCHAR *wdir = NULL;
+        size_t i,len_0 = strlen(dir)+1; /* len_0 accounts for trailing 0 */
+        char   buf[1024],*slash;
+        if (len_0 > (sizeof(buf)-14))   /* 14 is just some value... */
+                {
+                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
+                return ret;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
+        if (sizeof(TCHAR) != sizeof(char))
+                {
+                wdir = (TCHAR *)malloc(len_0*sizeof(TCHAR));
+                if (wdir == NULL)
+                        goto err_noclose;
+#ifndef OPENSSL_NO_MULTIBYTE
+                if (!MultiByteToWideChar(CP_ACP,0,dir,len_0,
+                                        (WCHAR *)wdir,len_0))
+#endif
+                        for (i=0;i<len_0;i++) wdir[i]=(TCHAR)dir[i];
+                hFind = FindFirstFile(wdir, &FindFileData);
+                }
+        else    hFind = FindFirstFile((const TCHAR *)dir, &FindFileData);
-        if (errno)
+        /* Note that a side effect is that the CAs will be sorted by name */
+        if(hFind == INVALID_HANDLE_VALUE)
                {
                SYSerr(SYS_F_OPENDIR, get_last_sys_error());
-                ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
+                ERR_add_error_data(3, "opendir('", dir, "')");
                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
-                goto err;
+                goto err_noclose;
                }
+        strncpy(buf,dir,sizeof(buf));   /* strcpy is safe too... */
+        buf[len_0-1]='/';               /* no trailing zero!     */
+        slash=buf+len_0;
+        do      {
+                const TCHAR *fnam=FindFileData.cFileName;
+                size_t flen_0=_tcslen(fnam)+1;
+                if (flen_0 > (sizeof(buf)-len_0))
+                        {
+                        SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
+                        goto err;
+                        }
+                /* else strcpy would be safe too... */
+                if (sizeof(TCHAR) != sizeof(char))
+                        {
+#ifndef OPENSSL_NO_MULTIBYTE
+                        if (!WideCharToMultiByte(CP_ACP,0,
+                                                (WCHAR *)fnam,flen_0,
+                                                slash,sizeof(buf)-len_0,
+                                                NULL,0))
+#endif
+                                for (i=0;i<flen_0;i++) slash[i]=(char)fnam[i];
+                        }
+                else    strncpy(slash,(const char *)fnam,sizeof(buf)-len_0);
+                if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
+                        goto err;
+                }
+        while (FindNextFile(hFind, &FindFileData) != FALSE);
        ret = 1;
-err:
+err:    
-        if (d) OPENSSL_DIR_end(&d);
+        FindClose(hFind);
+err_noclose:
+        if (wdir != NULL)
+                free(wdir);
        CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
        return ret;
        }
+#endif

diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index a32b2d4446..b779e6bb4d 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c
@@ -56,7 +56,7 @@
56	* [including the GNU Public Licence.]	56	* [including the GNU Public Licence.]
57	*/	57	*/
58	/* ====================================================================	58	/* ====================================================================
59	* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.	59	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
60	*	60	*
61	* Redistribution and use in source and binary forms, with or without	61	* Redistribution and use in source and binary forms, with or without
62	* modification, are permitted provided that the following conditions	62	* modification, are permitted provided that the following conditions
@@ -73,12 +73,12 @@
73	* 3. All advertising materials mentioning features or use of this	73	* 3. All advertising materials mentioning features or use of this
74	* software must display the following acknowledgment:	74	* software must display the following acknowledgment:
75	* "This product includes software developed by the OpenSSL Project	75	* "This product includes software developed by the OpenSSL Project
76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"	76	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
77	*	77	*
78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to	78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79	* endorse or promote products derived from this software without	79	* endorse or promote products derived from this software without
80	* prior written permission. For written permission, please contact	80	* prior written permission. For written permission, please contact
81	* openssl-core@openssl.org.	81	* openssl-core@OpenSSL.org.
82	*	82	*
83	* 5. Products derived from this software may not be called "OpenSSL"	83	* 5. Products derived from this software may not be called "OpenSSL"
84	* nor may "OpenSSL" appear in their names without prior written	84	* nor may "OpenSSL" appear in their names without prior written
@@ -87,7 +87,7 @@
87	* 6. Redistributions of any form whatsoever must retain the following	87	* 6. Redistributions of any form whatsoever must retain the following
88	* acknowledgment:	88	* acknowledgment:
89	* "This product includes software developed by the OpenSSL Project	89	* "This product includes software developed by the OpenSSL Project
90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"	90	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
91	*	91	*
92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY	92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE	93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -102,16 +102,6 @@
102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103	* OF THE POSSIBILITY OF SUCH DAMAGE.	103	* OF THE POSSIBILITY OF SUCH DAMAGE.
104	* ====================================================================	104	* ====================================================================
105	*
106	* This product includes cryptographic software written by Eric Young
107	* (eay@cryptsoft.com). This product includes software written by Tim
108	* Hudson (tjh@cryptsoft.com).
109	*
110	*/
111	/* ====================================================================
112	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113	* ECC cipher suite support in OpenSSL originally developed by
114	* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115	*/	105	*/
116		106
117	#include <stdio.h>	107	#include <stdio.h>
@@ -121,42 +111,45 @@
121	# include <sys/types.h>	111	# include <sys/types.h>
122	#endif	112	#endif
123		113
124	#include "o_dir.h"	114	#if !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) && !defined(NeXT) && !defined(MAC_OS_pre_X)
		115	#include <dirent.h>
		116	#endif
		117
		118	#if defined(WIN32)
		119	#include <windows.h>
		120	#include <tchar.h>
		121	#endif
		122
		123	#ifdef NeXT
		124	#include <sys/dir.h>
		125	#define dirent direct
		126	#endif
		127
125	#include <openssl/objects.h>	128	#include <openssl/objects.h>
126	#include <openssl/bio.h>	129	#include <openssl/bio.h>
127	#include <openssl/pem.h>	130	#include <openssl/pem.h>
128	#include <openssl/x509v3.h>	131	#include <openssl/x509v3.h>
129	#ifndef OPENSSL_NO_DH
130	#include <openssl/dh.h>
131	#endif
132	#include <openssl/bn.h>
133	#include "ssl_locl.h"	132	#include "ssl_locl.h"
		133	#include <openssl/fips.h>
134		134
135	int SSL_get_ex_data_X509_STORE_CTX_idx(void)	135	int SSL_get_ex_data_X509_STORE_CTX_idx(void)
136	{	136	{
137	static volatile int ssl_x509_store_ctx_idx= -1;	137	static volatile int ssl_x509_store_ctx_idx= -1;
138	int got_write_lock = 0;
139
140	CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
141		138
142	if (ssl_x509_store_ctx_idx < 0)	139	if (ssl_x509_store_ctx_idx < 0)
143	{	140	{
144	CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);	141	/* any write lock will do; usually this branch
		142	* will only be taken once anyway */
145	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);	143	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
146	got_write_lock = 1;
147		144
148	if (ssl_x509_store_ctx_idx < 0)	145	if (ssl_x509_store_ctx_idx < 0)
149	{	146	{
150	ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(	147	ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
151	0,"SSL for verify callback",NULL,NULL,NULL);	148	0,"SSL for verify callback",NULL,NULL,NULL);
152	}	149	}
153	}	150
154
155	if (got_write_lock)
156	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);	151	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
157	else	152	}
158	CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
159
160	return ssl_x509_store_ctx_idx;	153	return ssl_x509_store_ctx_idx;
161	}	154	}
162		155
@@ -212,6 +205,7 @@ CERT ssl_cert_dup(CERT cert)
212	#ifndef OPENSSL_NO_DH	205	#ifndef OPENSSL_NO_DH
213	if (cert->dh_tmp != NULL)	206	if (cert->dh_tmp != NULL)
214	{	207	{
		208	/* DH parameters don't have a reference count */
215	ret->dh_tmp = DHparams_dup(cert->dh_tmp);	209	ret->dh_tmp = DHparams_dup(cert->dh_tmp);
216	if (ret->dh_tmp == NULL)	210	if (ret->dh_tmp == NULL)
217	{	211	{
@@ -242,19 +236,6 @@ CERT ssl_cert_dup(CERT cert)
242	ret->dh_tmp_cb = cert->dh_tmp_cb;	236	ret->dh_tmp_cb = cert->dh_tmp_cb;
243	#endif	237	#endif
244		238
245	#ifndef OPENSSL_NO_ECDH
246	if (cert->ecdh_tmp)
247	{
248	ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
249	if (ret->ecdh_tmp == NULL)
250	{
251	SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
252	goto err;
253	}
254	}
255	ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
256	#endif
257
258	for (i = 0; i < SSL_PKEY_NUM; i++)	239	for (i = 0; i < SSL_PKEY_NUM; i++)
259	{	240	{
260	if (cert->pkeys[i].x509 != NULL)	241	if (cert->pkeys[i].x509 != NULL)
@@ -289,11 +270,7 @@ CERT ssl_cert_dup(CERT cert)
289	case SSL_PKEY_DH_DSA:	270	case SSL_PKEY_DH_DSA:
290	/* We have a DH key. */	271	/* We have a DH key. */
291	break;	272	break;
292		273
293	case SSL_PKEY_ECC:
294	/* We have an ECC key */
295	break;
296
297	default:	274	default:
298	/* Can't happen. */	275	/* Can't happen. */
299	SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);	276	SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
@@ -308,7 +285,7 @@ CERT ssl_cert_dup(CERT cert)
308		285
309	return(ret);	286	return(ret);
310		287
311	#if !defined(OPENSSL_NO_DH) \|\| !defined(OPENSSL_NO_ECDH)	288	#ifndef OPENSSL_NO_DH /* avoid 'unreferenced label' warning if OPENSSL_NO_DH is defined */
312	err:	289	err:
313	#endif	290	#endif
314	#ifndef OPENSSL_NO_RSA	291	#ifndef OPENSSL_NO_RSA
@@ -319,10 +296,6 @@ err:
319	if (ret->dh_tmp != NULL)	296	if (ret->dh_tmp != NULL)
320	DH_free(ret->dh_tmp);	297	DH_free(ret->dh_tmp);
321	#endif	298	#endif
322	#ifndef OPENSSL_NO_ECDH
323	if (ret->ecdh_tmp != NULL)
324	EC_KEY_free(ret->ecdh_tmp);
325	#endif
326		299
327	for (i = 0; i < SSL_PKEY_NUM; i++)	300	for (i = 0; i < SSL_PKEY_NUM; i++)
328	{	301	{
@@ -362,9 +335,6 @@ void ssl_cert_free(CERT *c)
362	#ifndef OPENSSL_NO_DH	335	#ifndef OPENSSL_NO_DH
363	if (c->dh_tmp) DH_free(c->dh_tmp);	336	if (c->dh_tmp) DH_free(c->dh_tmp);
364	#endif	337	#endif
365	#ifndef OPENSSL_NO_ECDH
366	if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);
367	#endif
368		338
369	for (i=0; i<SSL_PKEY_NUM; i++)	339	for (i=0; i<SSL_PKEY_NUM; i++)
370	{	340	{
@@ -471,10 +441,6 @@ void ssl_sess_cert_free(SESS_CERT *sc)
471	if (sc->peer_dh_tmp != NULL)	441	if (sc->peer_dh_tmp != NULL)
472	DH_free(sc->peer_dh_tmp);	442	DH_free(sc->peer_dh_tmp);
473	#endif	443	#endif
474	#ifndef OPENSSL_NO_ECDH
475	if (sc->peer_ecdh_tmp != NULL)
476	EC_KEY_free(sc->peer_ecdh_tmp);
477	#endif
478		444
479	OPENSSL_free(sc);	445	OPENSSL_free(sc);
480	}	446	}
@@ -500,22 +466,20 @@ int ssl_verify_cert_chain(SSL s,STACK_OF(X509) sk)
500	SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);	466	SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
501	return(0);	467	return(0);
502	}	468	}
503	if (s->param)
504	X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
505	s->param);
506	#if 0
507	if (SSL_get_verify_depth(s) >= 0)	469	if (SSL_get_verify_depth(s) >= 0)
508	X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));	470	X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
509	#endif
510	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);	471	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
511		472
512	/* We need to inherit the verify parameters. These can be determined by	473	/* We need to set the verify purpose. The purpose can be determined by
513	* the context: if its a server it will verify SSL client certificates	474	* the context: if its a server it will verify SSL client certificates
514	* or vice versa.	475	* or vice versa.
515	*/	476	*/
		477	if (s->server)
		478	i = X509_PURPOSE_SSL_CLIENT;
		479	else
		480	i = X509_PURPOSE_SSL_SERVER;
516		481
517	X509_STORE_CTX_set_default(&ctx,	482	X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
518	s->server ? "ssl_client" : "ssl_server");
519		483
520	if (s->verify_callback)	484	if (s->verify_callback)
521	X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);	485	X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
@@ -762,7 +726,7 @@ err:
762	if(x != NULL)	726	if(x != NULL)
763	X509_free(x);	727	X509_free(x);
764		728
765	(void)sk_X509_NAME_set_cmp_func(stack,oldcmp);	729	sk_X509_NAME_set_cmp_func(stack,oldcmp);
766		730
767	return ret;	731	return ret;
768	}	732	}
@@ -778,52 +742,157 @@ err:
778	* certs may have been added to \c stack.	742	* certs may have been added to \c stack.
779	*/	743	*/
780		744
		745	#ifndef OPENSSL_SYS_WIN32
		746	#ifndef OPENSSL_SYS_VMS /* XXXX This may be fixed in the future */
		747	#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! */
		748
781	int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,	749	int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
782	const char *dir)	750	const char *dir)
783	{	751	{
784	OPENSSL_DIR_CTX *d = NULL;	752	DIR *d;
785	const char *filename;	753	struct dirent *dstruct;
786	int ret = 0;	754	int ret = 0;
787		755
788	CRYPTO_w_lock(CRYPTO_LOCK_READDIR);	756	CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
		757	d = opendir(dir);
789		758
790	/* Note that a side effect is that the CAs will be sorted by name */	759	/* Note that a side effect is that the CAs will be sorted by name */
791		760	if(!d)
792	while((filename = OPENSSL_DIR_read(&d, dir)))	761	{
		762	SYSerr(SYS_F_OPENDIR, get_last_sys_error());
		763	ERR_add_error_data(3, "opendir('", dir, "')");
		764	SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
		765	goto err;
		766	}
		767
		768	while((dstruct=readdir(d)))
793	{	769	{
794	char buf[1024];	770	char buf[1024];
795	int r;	771	int r;
796		772
797	if(strlen(dir)+strlen(filename)+2 > sizeof buf)	773	if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
798	{	774	{
799	SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);	775	SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
800	goto err;	776	goto err;
801	}	777	}
802		778
803	#ifdef OPENSSL_SYS_VMS	779	r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,dstruct->d_name);
804	r = BIO_snprintf(buf,sizeof buf,"%s%s",dir,filename);	780	if (r <= 0 \|\| r >= sizeof buf)
805	#else
806	r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename);
807	#endif
808	if (r <= 0 \|\| r >= (int)sizeof(buf))
809	goto err;	781	goto err;
810	if(!SSL_add_file_cert_subjects_to_stack(stack,buf))	782	if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
811	goto err;	783	goto err;
812	}	784	}
		785	ret = 1;
		786
		787	err:
		788	if (d) closedir(d);
		789	CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
		790	return ret;
		791	}
		792
		793	#endif
		794	#endif
		795
		796	#else /* OPENSSL_SYS_WIN32 */
		797
		798	#if defined(_WIN32_WCE)
		799	# ifndef UNICODE
		800	# error "WinCE comes in UNICODE flavor only..."
		801	# endif
		802	# if _WIN32_WCE<101 && !defined(OPENSSL_NO_MULTIBYTE)
		803	# define OPENSSL_NO_MULTIBYTE
		804	# endif
		805	# ifndef FindFirstFile
		806	# define FindFirstFile FindFirstFileW
		807	# endif
		808	# ifndef FindNextFile
		809	# define FindNextFile FindNextFileW
		810	# endif
		811	#endif
		812
		813	int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
		814	const char *dir)
		815	{
		816	WIN32_FIND_DATA FindFileData;
		817	HANDLE hFind;
		818	int ret = 0;
		819	TCHAR *wdir = NULL;
		820	size_t i,len_0 = strlen(dir)+1; /* len_0 accounts for trailing 0 */
		821	char buf[1024],*slash;
		822
		823	if (len_0 > (sizeof(buf)-14)) /* 14 is just some value... */
		824	{
		825	SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
		826	return ret;
		827	}
		828
		829	CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
		830
		831	if (sizeof(TCHAR) != sizeof(char))
		832	{
		833	wdir = (TCHAR )malloc(len_0sizeof(TCHAR));
		834	if (wdir == NULL)
		835	goto err_noclose;
		836	#ifndef OPENSSL_NO_MULTIBYTE
		837	if (!MultiByteToWideChar(CP_ACP,0,dir,len_0,
		838	(WCHAR *)wdir,len_0))
		839	#endif
		840	for (i=0;i<len_0;i++) wdir[i]=(TCHAR)dir[i];
		841
		842	hFind = FindFirstFile(wdir, &FindFileData);
		843	}
		844	else hFind = FindFirstFile((const TCHAR *)dir, &FindFileData);
813		845
814	if (errno)	846	/* Note that a side effect is that the CAs will be sorted by name */
		847	if(hFind == INVALID_HANDLE_VALUE)
815	{	848	{
816	SYSerr(SYS_F_OPENDIR, get_last_sys_error());	849	SYSerr(SYS_F_OPENDIR, get_last_sys_error());
817	ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");	850	ERR_add_error_data(3, "opendir('", dir, "')");
818	SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);	851	SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
819	goto err;	852	goto err_noclose;
820	}	853	}
821		854
		855	strncpy(buf,dir,sizeof(buf)); /* strcpy is safe too... */
		856	buf[len_0-1]='/'; /* no trailing zero! */
		857	slash=buf+len_0;
		858
		859	do {
		860	const TCHAR *fnam=FindFileData.cFileName;
		861	size_t flen_0=_tcslen(fnam)+1;
		862
		863	if (flen_0 > (sizeof(buf)-len_0))
		864	{
		865	SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
		866	goto err;
		867	}
		868	/* else strcpy would be safe too... */
		869
		870	if (sizeof(TCHAR) != sizeof(char))
		871	{
		872	#ifndef OPENSSL_NO_MULTIBYTE
		873	if (!WideCharToMultiByte(CP_ACP,0,
		874	(WCHAR *)fnam,flen_0,
		875	slash,sizeof(buf)-len_0,
		876	NULL,0))
		877	#endif
		878	for (i=0;i<flen_0;i++) slash[i]=(char)fnam[i];
		879	}
		880	else strncpy(slash,(const char *)fnam,sizeof(buf)-len_0);
		881
		882	if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
		883	goto err;
		884	}
		885	while (FindNextFile(hFind, &FindFileData) != FALSE);
822	ret = 1;	886	ret = 1;
823		887
824	err:	888	err:
825	if (d) OPENSSL_DIR_end(&d);	889	FindClose(hFind);
		890	err_noclose:
		891	if (wdir != NULL)
		892	free(wdir);
		893
826	CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);	894	CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
827	return ret;	895	return ret;
828	}	896	}
829		897
		898	#endif