Diffstat (limited to 'src/lib/libssl/ssl_cert.c')
-rw-r--r--src/lib/libssl/ssl_cert.c41
1 files changed, 25 insertions, 16 deletions
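--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.40 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.41 2014/07/10 08:25:00 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -195,9 +195,11 @@ ssl_cert_dup(CERT *cert)
  return (NULL);
  }
 
+ /*
+  * same as ret->key = ret->pkeys + (cert->key - cert->pkeys),
+  * if you find that more readable
+  */
  ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
- /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
-  * if you find that more readable */
 
  ret->valid = cert->valid;
  ret->mask_k = cert->mask_k;
@@ -256,9 +258,11 @@ ssl_cert_dup(CERT *cert)
  CRYPTO_LOCK_EVP_PKEY);
 
  switch (i) {
- /* If there was anything special to do for
+ /*
+  * If there was anything special to do for
   * certain types of keys, we'd do it here.
-  * (Nothing at the moment, I think.) */
+  * (Nothing at the moment, I think.)
+  */
 
  case SSL_PKEY_RSA_ENC:
  case SSL_PKEY_RSA_SIGN:
@@ -285,12 +289,15 @@ ssl_cert_dup(CERT *cert)
  }
  }
 
- /* ret->extra_certs *should* exist, but currently the own certificate
-  * chain is held inside SSL_CTX */
+ /*
+  * ret->extra_certs *should* exist, but currently the own certificate
+  * chain is held inside SSL_CTX
+  */
 
  ret->references = 1;
- /* Set digests to defaults. NB: we don't copy existing values as they
-  * will be set during handshake.
+ /*
+  * Set digests to defaults. NB: we don't copy existing values
+  * as they will be set during handshake.
   */
  ssl_cert_set_default_md(ret);
 
@@ -339,7 +346,8 @@ ssl_cert_free(CERT *c)
 int
 ssl_cert_inst(CERT **o)
 {
- /* Create a CERT if there isn't already one
+ /*
+  * Create a CERT if there isn't already one
   * (which cannot really happen, as it is initially created in
   * SSL_CTX_new; but the earlier code usually allows for that one
   * being non-existant, so we follow that behaviour, as it might
@@ -431,16 +439,17 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
  X509_STORE_CTX_set_ex_data(&ctx,
  SSL_get_ex_data_X509_STORE_CTX_idx(), s);
 
- /* We need to inherit the verify parameters. These can be determined by
-  * the context: if its a server it will verify SSL client certificates
-  * or vice versa.
+ /*
+  * We need to inherit the verify parameters. These can be
+  * determined by the context: if its a server it will verify
+  * SSL client certificates or vice versa.
   */
-
  X509_STORE_CTX_set_default(&ctx,
  s->server ? "ssl_client" : "ssl_server");
 
- /* Anything non-default in "param" should overwrite anything in the
-  * ctx.
+ /*
+  * Anything non-default in "param" should overwrite anything
+  * in the ctx.
   */
  X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
 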
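Review bot: The return values of X509_STORE_CTX_set_default (new lines 447-448) and X509_VERIFY_PARAM_set1 (new line 454) are still ignored, so if either lookup or copy fails the chain is verified with whatever defaults the store context happened to have rather than the "ssl_client"/"ssl_server" policy and the caller-supplied s->param, and the failure is silent. Both functions report failure with a zero return, so the guard is small: `if (!X509_STORE_CTX_set_default(&ctx, s->server ? "ssl_client" : "ssl_server") || !X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param))` followed by a jump to the function's existing cleanup path with a failed verification result (the label is outside the hunk, so I cannot name it). The commit only reflows the surrounding comments and does not address this; ssl_verify_cert_chain both starts before and continues after the hunk.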