kris
/
boringssl
1
0
Forka 0
Codice Problemi 0 Pull Requests 0 Rilasci 0 Wiki Attività
Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
640 Commit
12 Rami (Branch)
38 MiB
Albero (Tree): ce5be4bd5c
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da 'ce5be4bd5c'
${ noResults }
boringssl/ssl/ssl_cert.c

ssl_cert.c 28 KiB
Originale Vista normale Cronologia

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Separate client and server certificate_types. This is the first of reorganizing state between connection state and handshake state. The existing set are retained in cert_st for the server; they are server configuration. The client gets a copy in s->s3->tmp alongside other handshake state. With other handshake state moved there, hopefully we can reset that state in one go and possibly not even maintain it when there is no handshake in progress. Rather than currently where we sometimes confused connection state and handshake state and have to reset as appropriate on renegotiate. While I'm here, document the fields and name them something more useful than 'ctypes'. Change-Id: Ib927579f0004fc5c6854fce2127625df669b2b6d Reviewed-on: https://boringssl-review.googlesource.com/1113 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Add X509_up_ref and use it internally. Avoid needing to manually increment the reference count and using the right lock, both here and in Chromium. Change-Id: If116ebc224cfb1c4711f7e2c06f1fd2c97af21dd Reviewed-on: https://boringssl-review.googlesource.com/1415 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Separate client and server certificate_types. This is the first of reorganizing state between connection state and handshake state. The existing set are retained in cert_st for the server; they are server configuration. The client gets a copy in s->s3->tmp alongside other handshake state. With other handshake state moved there, hopefully we can reset that state in one go and possibly not even maintain it when there is no handshake in progress. Rather than currently where we sometimes confused connection state and handshake state and have to reset as appropriate on renegotiate. While I'm here, document the fields and name them something more useful than 'ctypes'. Change-Id: Ib927579f0004fc5c6854fce2127625df669b2b6d Reviewed-on: https://boringssl-review.googlesource.com/1113 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Separate client and server certificate_types. This is the first of reorganizing state between connection state and handshake state. The existing set are retained in cert_st for the server; they are server configuration. The client gets a copy in s->s3->tmp alongside other handshake state. With other handshake state moved there, hopefully we can reset that state in one go and possibly not even maintain it when there is no handshake in progress. Rather than currently where we sometimes confused connection state and handshake state and have to reset as appropriate on renegotiate. While I'm here, document the fields and name them something more useful than 'ctypes'. Change-Id: Ib927579f0004fc5c6854fce2127625df669b2b6d Reviewed-on: https://boringssl-review.googlesource.com/1113 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Separate client and server certificate_types. This is the first of reorganizing state between connection state and handshake state. The existing set are retained in cert_st for the server; they are server configuration. The client gets a copy in s->s3->tmp alongside other handshake state. With other handshake state moved there, hopefully we can reset that state in one go and possibly not even maintain it when there is no handshake in progress. Rather than currently where we sometimes confused connection state and handshake state and have to reset as appropriate on renegotiate. While I'm here, document the fields and name them something more useful than 'ctypes'. Change-Id: Ib927579f0004fc5c6854fce2127625df669b2b6d Reviewed-on: https://boringssl-review.googlesource.com/1113 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Don't X509_up_ref X509_STOREs. Change-Id: Ic78bec93aedcc06c1496fe374e1c1c77ef70ea4b Reviewed-on: https://boringssl-review.googlesource.com/1416 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Don't X509_up_ref X509_STOREs. Change-Id: Ic78bec93aedcc06c1496fe374e1c1c77ef70ea4b Reviewed-on: https://boringssl-review.googlesource.com/1416 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Properly clean up on ssl_cert_dup failure. Caught by scan-build. Change-Id: I7c09b176d6a9e5d4fcd6e4fba184ac0679983cff Reviewed-on: https://boringssl-review.googlesource.com/2200 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Separate client and server certificate_types. This is the first of reorganizing state between connection state and handshake state. The existing set are retained in cert_st for the server; they are server configuration. The client gets a copy in s->s3->tmp alongside other handshake state. With other handshake state moved there, hopefully we can reset that state in one go and possibly not even maintain it when there is no handshake in progress. Rather than currently where we sometimes confused connection state and handshake state and have to reset as appropriate on renegotiate. While I'm here, document the fields and name them something more useful than 'ctypes'. Change-Id: Ib927579f0004fc5c6854fce2127625df669b2b6d Reviewed-on: https://boringssl-review.googlesource.com/1113 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Add X509_up_ref and use it internally. Avoid needing to manually increment the reference count and using the right lock, both here and in Chromium. Change-Id: If116ebc224cfb1c4711f7e2c06f1fd2c97af21dd Reviewed-on: https://boringssl-review.googlesource.com/1415 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Don't compare signed vs. unsigned. This resolves a pile of MSVC warnings in Chromium. Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803 Reviewed-on: https://boringssl-review.googlesource.com/1865 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Don't compare signed vs. unsigned. This resolves a pile of MSVC warnings in Chromium. Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803 Reviewed-on: https://boringssl-review.googlesource.com/1865 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Allow duplicate certs in ssl_build_cert_chain (Imported from upstream's 662239183da08d687dc939211ac09d0a5c3a5b93)
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Don't compare signed vs. unsigned. This resolves a pile of MSVC warnings in Chromium. Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803 Reviewed-on: https://boringssl-review.googlesource.com/1865 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Don't compare signed vs. unsigned. This resolves a pile of MSVC warnings in Chromium. Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803 Reviewed-on: https://boringssl-review.googlesource.com/1865 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Don't compare signed vs. unsigned. This resolves a pile of MSVC warnings in Chromium. Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803 Reviewed-on: https://boringssl-review.googlesource.com/1865 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Allow duplicate certs in ssl_build_cert_chain (Imported from upstream's 662239183da08d687dc939211ac09d0a5c3a5b93)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Allow duplicate certs in ssl_build_cert_chain (Imported from upstream's 662239183da08d687dc939211ac09d0a5c3a5b93)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Update chain building function. Don't clear verification errors from the error queue unless SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set. If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set return 2 so applications can issue warnings. (Imported from upstream's 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Update chain building function. Don't clear verification errors from the error queue unless SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set. If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set return 2 so applications can issue warnings. (Imported from upstream's 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Update chain building function. Don't clear verification errors from the error queue unless SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set. If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set return 2 so applications can issue warnings. (Imported from upstream's 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
New chain building flags. New flags to build certificate chains. The can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. (Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
Don't X509_up_ref X509_STOREs. Change-Id: Ic78bec93aedcc06c1496fe374e1c1c77ef70ea4b Reviewed-on: https://boringssl-review.googlesource.com/1416 Reviewed-by: Adam Langley <agl@google.com>
10 anni fa
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 anni fa
 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160 
  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com).

  108.  *

  109.  */

  110. /* ====================================================================

  111.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  112.  * ECC cipher suite support in OpenSSL originally developed by

  113.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  114. 

  115. #include <stdio.h>

  116. 

  117. #include <openssl/bio.h>

  118. #include <openssl/bn.h>

  119. #include <openssl/buf.h>

  120. #include <openssl/dh.h>

  121. #include <openssl/err.h>

  122. #include <openssl/mem.h>

  123. #include <openssl/obj.h>

  124. #include <openssl/pem.h>

  125. #include <openssl/x509v3.h>

  126. 

  127. #include "../crypto/dh/internal.h"

  128. #include "../crypto/directory.h"

  129. #include "ssl_locl.h"

  130. 

  131. int SSL_get_ex_data_X509_STORE_CTX_idx(void)

  132. 	{

  133. 	static volatile int ssl_x509_store_ctx_idx= -1;

  134. 	int got_write_lock = 0;

  135. 

  136. 	CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);

  137. 

  138. 	if (ssl_x509_store_ctx_idx < 0)

  139. 		{

  140. 		CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);

  141. 		CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);

  142. 		got_write_lock = 1;

  143. 		

  144. 		if (ssl_x509_store_ctx_idx < 0)

  145. 			{

  146. 			ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(

  147. 				0,"SSL for verify callback",NULL,NULL,NULL);

  148. 			}

  149. 		}

  150. 

  151. 	if (got_write_lock)

  152. 		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);

  153. 	else

  154. 		CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);

  155. 	

  156. 	return ssl_x509_store_ctx_idx;

  157. 	}

  158. 

  159. void ssl_cert_set_default_md(CERT *cert)

  160. 	{

  161. 	/* Set digest values to defaults */

  162. 	cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();

  163. 	cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();

  164. 	cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();

  165. 	}

  166. 

  167. CERT *ssl_cert_new(void)

  168. 	{

  169. 	CERT *ret;

  170. 

  171. 	ret=(CERT *)OPENSSL_malloc(sizeof(CERT));

  172. 	if (ret == NULL)

  173. 		{

  174. 		OPENSSL_PUT_ERROR(SSL, ssl_cert_new, ERR_R_MALLOC_FAILURE);

  175. 		return(NULL);

  176. 		}

  177. 	memset(ret,0,sizeof(CERT));

  178. 

  179. 	ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);

  180. 	ssl_cert_set_default_md(ret);

  181. 	return(ret);

  182. 	}

  183. 

  184. CERT *ssl_cert_dup(CERT *cert)

  185. 	{

  186. 	CERT *ret;

  187. 	int i;

  188. 

  189. 	ret = (CERT *)OPENSSL_malloc(sizeof(CERT));

  190. 	if (ret == NULL)

  191. 		{

  192. 		OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_MALLOC_FAILURE);

  193. 		return(NULL);

  194. 		}

  195. 

  196. 	memset(ret, 0, sizeof(CERT));

  197. 

  198. 	ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];

  199. 	/* or ret->key = ret->pkeys + (cert->key - cert->pkeys),

  200. 	 * if you find that more readable */

  201. 

  202. 	ret->valid = cert->valid;

  203. 	ret->mask_k = cert->mask_k;

  204. 	ret->mask_a = cert->mask_a;

  205. 

  206. 	if (cert->dh_tmp != NULL)

  207. 		{

  208. 		ret->dh_tmp = DHparams_dup(cert->dh_tmp);

  209. 		if (ret->dh_tmp == NULL)

  210. 			{

  211. 			OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_DH_LIB);

  212. 			goto err;

  213. 			}

  214. 		if (cert->dh_tmp->priv_key)

  215. 			{

  216. 			BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);

  217. 			if (!b)

  218. 				{

  219. 				OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_BN_LIB);

  220. 				goto err;

  221. 				}

  222. 			ret->dh_tmp->priv_key = b;

  223. 			}

  224. 		if (cert->dh_tmp->pub_key)

  225. 			{

  226. 			BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);

  227. 			if (!b)

  228. 				{

  229. 				OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_BN_LIB);

  230. 				goto err;

  231. 				}

  232. 			ret->dh_tmp->pub_key = b;

  233. 			}

  234. 		}

  235. 	ret->dh_tmp_cb = cert->dh_tmp_cb;

  236. 

  237. 	if (cert->ecdh_tmp)

  238. 		{

  239. 		ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);

  240. 		if (ret->ecdh_tmp == NULL)

  241. 			{

  242. 			OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_EC_LIB);

  243. 			goto err;

  244. 			}

  245. 		}

  246. 	ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;

  247. 	ret->ecdh_tmp_auto = cert->ecdh_tmp_auto;

  248. 

  249. 	for (i = 0; i < SSL_PKEY_NUM; i++)

  250. 		{

  251. 		CERT_PKEY *cpk = cert->pkeys + i;

  252. 		CERT_PKEY *rpk = ret->pkeys + i;

  253. 		if (cpk->x509 != NULL)

  254. 			{

  255. 			rpk->x509 = X509_up_ref(cpk->x509);

  256. 			}

  257. 		

  258. 		if (cpk->privatekey != NULL)

  259. 			{

  260. 			rpk->privatekey = cpk->privatekey;

  261. 			CRYPTO_add(&cpk->privatekey->references, 1,

  262. 				CRYPTO_LOCK_EVP_PKEY);

  263. 

  264. 			switch(i) 

  265. 				{

  266. 				/* If there was anything special to do for

  267. 				 * certain types of keys, we'd do it here.

  268. 				 * (Nothing at the moment, I think.) */

  269. 

  270. 			case SSL_PKEY_RSA_ENC:

  271. 			case SSL_PKEY_RSA_SIGN:

  272. 				/* We have an RSA key. */

  273. 				break;

  274. 				

  275. 			case SSL_PKEY_ECC:

  276. 				/* We have an ECC key */

  277. 				break;

  278. 

  279. 			default:

  280. 				/* Can't happen. */

  281. 				OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, SSL_R_LIBRARY_BUG);

  282. 				}

  283. 			}

  284. 

  285. 		if (cpk->chain)

  286. 			{

  287. 			rpk->chain = X509_chain_up_ref(cpk->chain);

  288. 			if (!rpk->chain)

  289. 				{

  290. 				OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_MALLOC_FAILURE);

  291. 				goto err;

  292. 				}

  293. 			}

  294. 		rpk->valid_flags = 0;

  295. 		}

  296. 	

  297. 	/* Set digests to defaults. NB: we don't copy existing values as they

  298. 	 * will be set during handshake.

  299. 	 */

  300. 	ssl_cert_set_default_md(ret);

  301. 	/* Peer sigalgs set to NULL as we get these from handshake too */

  302. 	ret->peer_sigalgs = NULL;

  303. 	ret->peer_sigalgslen = 0;

  304. 	/* Configured sigalgs however we copy across */

  305. 

  306. 	if (cert->conf_sigalgs)

  307. 		{

  308. 		ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);

  309. 		if (!ret->conf_sigalgs)

  310. 			goto err;

  311. 		memcpy(ret->conf_sigalgs, cert->conf_sigalgs,

  312. 						cert->conf_sigalgslen);

  313. 		ret->conf_sigalgslen = cert->conf_sigalgslen;

  314. 		}

  315. 	else

  316. 		ret->conf_sigalgs = NULL;

  317. 

  318. 	if (cert->client_sigalgs)

  319. 		{

  320. 		ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen);

  321. 		if (!ret->client_sigalgs)

  322. 			goto err;

  323. 		memcpy(ret->client_sigalgs, cert->client_sigalgs,

  324. 						cert->client_sigalgslen);

  325. 		ret->client_sigalgslen = cert->client_sigalgslen;

  326. 		}

  327. 	else

  328. 		ret->client_sigalgs = NULL;

  329. 	/* Shared sigalgs also NULL */

  330. 	ret->shared_sigalgs = NULL;

  331. 	/* Copy any custom client certificate types */

  332. 	if (cert->client_certificate_types)

  333. 		{

  334. 		ret->client_certificate_types = BUF_memdup(

  335. 			cert->client_certificate_types,

  336. 			cert->num_client_certificate_types);

  337. 		if (!ret->client_certificate_types)

  338. 			goto err;

  339. 		ret->num_client_certificate_types = cert->num_client_certificate_types;

  340. 		}

  341. 

  342. 	ret->cert_flags = cert->cert_flags;

  343. 

  344. 	ret->cert_cb = cert->cert_cb;

  345. 	ret->cert_cb_arg = cert->cert_cb_arg;

  346. 

  347. 	if (cert->verify_store)

  348. 		{

  349. 		CRYPTO_add(&cert->verify_store->references, 1, CRYPTO_LOCK_X509_STORE);

  350. 		ret->verify_store = cert->verify_store;

  351. 		}

  352. 

  353. 	if (cert->chain_store)

  354. 		{

  355. 		CRYPTO_add(&cert->chain_store->references, 1, CRYPTO_LOCK_X509_STORE);

  356. 		ret->chain_store = cert->chain_store;

  357. 		}

  358. 

  359. 	ret->ciphers_raw = NULL;

  360. 

  361. 	return(ret);

  362. 	

  363. err:

  364. 	ssl_cert_free(ret);

  365. 	return NULL;

  366. 	}

  367. 

  368. /* Free up and clear all certificates and chains */

  369. 

  370. void ssl_cert_clear_certs(CERT *c)

  371. 	{

  372. 	int i;

  373. 	if (c == NULL)

  374. 		return;

  375. 	for (i = 0; i<SSL_PKEY_NUM; i++)

  376. 		{

  377. 		CERT_PKEY *cpk = c->pkeys + i;

  378. 		if (cpk->x509)

  379. 			{

  380. 			X509_free(cpk->x509);

  381. 			cpk->x509 = NULL;

  382. 			}

  383. 		if (cpk->privatekey)

  384. 			{

  385. 			EVP_PKEY_free(cpk->privatekey);

  386. 			cpk->privatekey = NULL;

  387. 			}

  388. 		if (cpk->chain)

  389. 			{

  390. 			sk_X509_pop_free(cpk->chain, X509_free);

  391. 			cpk->chain = NULL;

  392. 			}

  393. 		/* Clear all flags apart from explicit sign */

  394. 		cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;

  395. 		}

  396. 	}

  397. 

  398. void ssl_cert_free(CERT *c)

  399. 	{

  400. 	if(c == NULL)

  401. 	    return;

  402. 

  403. 	if (c->dh_tmp) DH_free(c->dh_tmp);

  404. 	if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);

  405. 

  406. 	ssl_cert_clear_certs(c);

  407. 	if (c->peer_sigalgs)

  408. 		OPENSSL_free(c->peer_sigalgs);

  409. 	if (c->conf_sigalgs)

  410. 		OPENSSL_free(c->conf_sigalgs);

  411. 	if (c->client_sigalgs)

  412. 		OPENSSL_free(c->client_sigalgs);

  413. 	if (c->shared_sigalgs)

  414. 		OPENSSL_free(c->shared_sigalgs);

  415. 	if (c->client_certificate_types)

  416. 		OPENSSL_free(c->client_certificate_types);

  417. 	if (c->verify_store)

  418. 		X509_STORE_free(c->verify_store);

  419. 	if (c->chain_store)

  420. 		X509_STORE_free(c->chain_store);

  421. 	if (c->ciphers_raw)

  422. 		OPENSSL_free(c->ciphers_raw);

  423. 	OPENSSL_free(c);

  424. 	}

  425. 

  426. int ssl_cert_inst(CERT **o)

  427. 	{

  428. 	/* Create a CERT if there isn't already one

  429. 	 * (which cannot really happen, as it is initially created in

  430. 	 * SSL_CTX_new; but the earlier code usually allows for that one

  431. 	 * being non-existant, so we follow that behaviour, as it might

  432. 	 * turn out that there actually is a reason for it -- but I'm

  433. 	 * not sure that *all* of the existing code could cope with

  434. 	 * s->cert being NULL, otherwise we could do without the

  435. 	 * initialization in SSL_CTX_new).

  436. 	 */

  437. 	

  438. 	if (o == NULL) 

  439. 		{

  440. 		OPENSSL_PUT_ERROR(SSL, ssl_cert_inst, ERR_R_PASSED_NULL_PARAMETER);

  441. 		return(0);

  442. 		}

  443. 	if (*o == NULL)

  444. 		{

  445. 		if ((*o = ssl_cert_new()) == NULL)

  446. 			{

  447. 			OPENSSL_PUT_ERROR(SSL, ssl_cert_new, ERR_R_MALLOC_FAILURE);

  448. 			return(0);

  449. 			}

  450. 		}

  451. 	return(1);

  452. 	}

  453. 

  454. int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain)

  455. 	{

  456. 	CERT_PKEY *cpk = c->key;

  457. 	if (!cpk)

  458. 		return 0;

  459. 	if (cpk->chain)

  460. 		sk_X509_pop_free(cpk->chain, X509_free);

  461. 	cpk->chain = chain;

  462. 	return 1;

  463. 	}

  464. 

  465. int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain)

  466. 	{

  467. 	STACK_OF(X509) *dchain;

  468. 	if (!chain)

  469. 		return ssl_cert_set0_chain(c, NULL);

  470. 	dchain = X509_chain_up_ref(chain);

  471. 	if (!dchain)

  472. 		return 0;

  473. 	if (!ssl_cert_set0_chain(c, dchain))

  474. 		{

  475. 		sk_X509_pop_free(dchain, X509_free);

  476. 		return 0;

  477. 		}

  478. 	return 1;

  479. 	}

  480. 

  481. int ssl_cert_add0_chain_cert(CERT *c, X509 *x)

  482. 	{

  483. 	CERT_PKEY *cpk = c->key;

  484. 	if (!cpk)

  485. 		return 0;

  486. 	if (!cpk->chain)

  487. 		cpk->chain = sk_X509_new_null();

  488. 	if (!cpk->chain || !sk_X509_push(cpk->chain, x))

  489. 		return 0;

  490. 	return 1;

  491. 	}

  492. 

  493. int ssl_cert_add1_chain_cert(CERT *c, X509 *x)

  494. 	{

  495. 	if (!ssl_cert_add0_chain_cert(c, x))

  496. 		return 0;

  497. 	X509_up_ref(x);

  498. 	return 1;

  499. 	}

  500. 

  501. int ssl_cert_select_current(CERT *c, X509 *x)

  502. 	{

  503. 	int i;

  504. 	if (x == NULL)

  505. 		return 0;

  506. 	for (i = 0; i < SSL_PKEY_NUM; i++)

  507. 		{

  508. 		if (c->pkeys[i].x509 == x)

  509. 			{

  510. 			c->key = &c->pkeys[i];

  511. 			return 1;

  512. 			}

  513. 		}

  514. 

  515. 	for (i = 0; i < SSL_PKEY_NUM; i++)

  516. 		{

  517. 		if (c->pkeys[i].x509 && !X509_cmp(c->pkeys[i].x509, x))

  518. 			{

  519. 			c->key = &c->pkeys[i];

  520. 			return 1;

  521. 			}

  522. 		}

  523. 	return 0;

  524. 	}

  525. 

  526. void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg)

  527. 	{

  528. 	c->cert_cb = cb;

  529. 	c->cert_cb_arg = arg;

  530. 	}

  531. 

  532. SESS_CERT *ssl_sess_cert_new(void)

  533. 	{

  534. 	SESS_CERT *ret;

  535. 

  536. 	ret = OPENSSL_malloc(sizeof *ret);

  537. 	if (ret == NULL)

  538. 		{

  539. 		OPENSSL_PUT_ERROR(SSL, ssl_sess_cert_new, ERR_R_MALLOC_FAILURE);

  540. 		return NULL;

  541. 		}

  542. 

  543. 	memset(ret, 0 ,sizeof *ret);

  544. 	ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);

  545. 

  546. 	return ret;

  547. 	}

  548. 

  549. void ssl_sess_cert_free(SESS_CERT *sc)

  550. 	{

  551. 	int i;

  552. 

  553. 	if (sc == NULL)

  554. 		return;

  555. 

  556. 	if (sc->cert_chain != NULL)

  557. 		sk_X509_pop_free(sc->cert_chain, X509_free);

  558. 	for (i = 0; i < SSL_PKEY_NUM; i++)

  559. 		{

  560. 		if (sc->peer_pkeys[i].x509 != NULL)

  561. 			X509_free(sc->peer_pkeys[i].x509);

  562. #if 0 /* We don't have the peer's private key.  These lines are just

  563. 	   * here as a reminder that we're still using a not-quite-appropriate

  564. 	   * data structure. */

  565. 		if (sc->peer_pkeys[i].privatekey != NULL)

  566. 			EVP_PKEY_free(sc->peer_pkeys[i].privatekey);

  567. #endif

  568. 		}

  569. 

  570. 	if (sc->peer_dh_tmp != NULL)

  571. 		DH_free(sc->peer_dh_tmp);

  572. 	if (sc->peer_ecdh_tmp != NULL)

  573. 		EC_KEY_free(sc->peer_ecdh_tmp);

  574. 

  575. 	OPENSSL_free(sc);

  576. 	}

  577. 

  578. int ssl_set_peer_cert_type(SESS_CERT *sc,int type)

  579. 	{

  580. 	sc->peer_cert_type = type;

  581. 	return(1);

  582. 	}

  583. 

  584. int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)

  585. 	{

  586. 	X509 *x;

  587. 	int i;

  588. 	X509_STORE *verify_store;

  589. 	X509_STORE_CTX ctx;

  590. 

  591. 	if (s->cert->verify_store)

  592. 		verify_store = s->cert->verify_store;

  593. 	else

  594. 		verify_store = s->ctx->cert_store;

  595. 

  596. 	if ((sk == NULL) || (sk_X509_num(sk) == 0))

  597. 		return(0);

  598. 

  599. 	x=sk_X509_value(sk,0);

  600. 	if(!X509_STORE_CTX_init(&ctx,verify_store,x,sk))

  601. 		{

  602. 		OPENSSL_PUT_ERROR(SSL, ssl_verify_cert_chain, ERR_R_X509_LIB);

  603. 		return(0);

  604. 		}

  605. #if 0

  606. 	if (SSL_get_verify_depth(s) >= 0)

  607. 		X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));

  608. #endif

  609. 	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);

  610. 

  611. 	/* We need to inherit the verify parameters. These can be determined by

  612. 	 * the context: if its a server it will verify SSL client certificates

  613. 	 * or vice versa.

  614. 	 */

  615. 

  616. 	X509_STORE_CTX_set_default(&ctx,

  617. 				s->server ? "ssl_client" : "ssl_server");

  618. 	/* Anything non-default in "param" should overwrite anything in the

  619. 	 * ctx.

  620. 	 */

  621. 	X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);

  622. 

  623. 	if (s->verify_callback)

  624. 		X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);

  625. 

  626. 	if (s->ctx->app_verify_callback != NULL)

  627. #if 1 /* new with OpenSSL 0.9.7 */

  628. 		i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); 

  629. #else

  630. 		i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */

  631. #endif

  632. 	else

  633. 		{

  634. #ifndef OPENSSL_NO_X509_VERIFY

  635. 		i=X509_verify_cert(&ctx);

  636. #else

  637. 		i=0;

  638. 		ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;

  639. 		OPENSSL_PUT_ERROR(SSL, ssl_verify_cert_chain, SSL_R_NO_VERIFY_CALLBACK);

  640. #endif

  641. 		}

  642. 

  643. 	s->verify_result=ctx.error;

  644. 	X509_STORE_CTX_cleanup(&ctx);

  645. 

  646. 	return(i);

  647. 	}

  648. 

  649. static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)

  650. 	{

  651. 	if (*ca_list != NULL)

  652. 		sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);

  653. 

  654. 	*ca_list=name_list;

  655. 	}

  656. 

  657. STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)

  658. 	{

  659. 	size_t i;

  660. 	STACK_OF(X509_NAME) *ret;

  661. 	X509_NAME *name;

  662. 

  663. 	ret=sk_X509_NAME_new_null();

  664. 	for (i=0; i<sk_X509_NAME_num(sk); i++)

  665. 		{

  666. 		name=X509_NAME_dup(sk_X509_NAME_value(sk,i));

  667. 		if ((name == NULL) || !sk_X509_NAME_push(ret,name))

  668. 			{

  669. 			sk_X509_NAME_pop_free(ret,X509_NAME_free);

  670. 			return(NULL);

  671. 			}

  672. 		}

  673. 	return(ret);

  674. 	}

  675. 

  676. void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)

  677. 	{

  678. 	set_client_CA_list(&(s->client_CA),name_list);

  679. 	}

  680. 

  681. void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)

  682. 	{

  683. 	set_client_CA_list(&(ctx->client_CA),name_list);

  684. 	}

  685. 

  686. STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)

  687. 	{

  688. 	return(ctx->client_CA);

  689. 	}

  690. 

  691. STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)

  692. 	{

  693. 	if (s->type == SSL_ST_CONNECT)

  694. 		{ /* we are in the client */

  695. 		if (((s->version>>8) == SSL3_VERSION_MAJOR) &&

  696. 			(s->s3 != NULL))

  697. 			return(s->s3->tmp.ca_names);

  698. 		else

  699. 			return(NULL);

  700. 		}

  701. 	else

  702. 		{

  703. 		if (s->client_CA != NULL)

  704. 			return(s->client_CA);

  705. 		else

  706. 			return(s->ctx->client_CA);

  707. 		}

  708. 	}

  709. 

  710. static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)

  711. 	{

  712. 	X509_NAME *name;

  713. 

  714. 	if (x == NULL) return(0);

  715. 	if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))

  716. 		return(0);

  717. 		

  718. 	if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)

  719. 		return(0);

  720. 

  721. 	if (!sk_X509_NAME_push(*sk,name))

  722. 		{

  723. 		X509_NAME_free(name);

  724. 		return(0);

  725. 		}

  726. 	return(1);

  727. 	}

  728. 

  729. int SSL_add_client_CA(SSL *ssl,X509 *x)

  730. 	{

  731. 	return(add_client_CA(&(ssl->client_CA),x));

  732. 	}

  733. 

  734. int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)

  735. 	{

  736. 	return(add_client_CA(&(ctx->client_CA),x));

  737. 	}

  738. 

  739. static int xname_cmp(const X509_NAME **a, const X509_NAME **b)

  740. 	{

  741. 	return(X509_NAME_cmp(*a,*b));

  742. 	}

  743. 

  744. #ifndef OPENSSL_NO_STDIO

  745. /*!

  746.  * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;

  747.  * it doesn't really have anything to do with clients (except that a common use

  748.  * for a stack of CAs is to send it to the client). Actually, it doesn't have

  749.  * much to do with CAs, either, since it will load any old cert.

  750.  * \param file the file containing one or more certs.

  751.  * \return a ::STACK containing the certs.

  752.  */

  753. STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)

  754. 	{

  755. 	BIO *in;

  756. 	X509 *x=NULL;

  757. 	X509_NAME *xn=NULL;

  758. 	STACK_OF(X509_NAME) *ret = NULL,*sk;

  759. 

  760. 	sk=sk_X509_NAME_new(xname_cmp);

  761. 

  762. 	in=BIO_new(BIO_s_file());

  763. 

  764. 	if ((sk == NULL) || (in == NULL))

  765. 		{

  766. 		OPENSSL_PUT_ERROR(SSL, SSL_load_client_CA_file, ERR_R_MALLOC_FAILURE);

  767. 		goto err;

  768. 		}

  769. 	

  770. 	if (!BIO_read_filename(in,file))

  771. 		goto err;

  772. 

  773. 	for (;;)

  774. 		{

  775. 		if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)

  776. 			break;

  777. 		if (ret == NULL)

  778. 			{

  779. 			ret = sk_X509_NAME_new_null();

  780. 			if (ret == NULL)

  781. 				{

  782. 				OPENSSL_PUT_ERROR(SSL, SSL_load_client_CA_file, ERR_R_MALLOC_FAILURE);

  783. 				goto err;

  784. 				}

  785. 			}

  786. 		if ((xn=X509_get_subject_name(x)) == NULL) goto err;

  787. 		/* check for duplicates */

  788. 		xn=X509_NAME_dup(xn);

  789. 		if (xn == NULL) goto err;

  790. 		if (sk_X509_NAME_find(sk, NULL, xn))

  791. 			X509_NAME_free(xn);

  792. 		else

  793. 			{

  794. 			sk_X509_NAME_push(sk,xn);

  795. 			sk_X509_NAME_push(ret,xn);

  796. 			}

  797. 		}

  798. 

  799. 	if (0)

  800. 		{

  801. err:

  802. 		if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);

  803. 		ret=NULL;

  804. 		}

  805. 	if (sk != NULL) sk_X509_NAME_free(sk);

  806. 	if (in != NULL) BIO_free(in);

  807. 	if (x != NULL) X509_free(x);

  808. 	if (ret != NULL)

  809. 		ERR_clear_error();

  810. 	return(ret);

  811. 	}

  812. #endif

  813. 

  814. /*!

  815.  * Add a file of certs to a stack.

  816.  * \param stack the stack to add to.

  817.  * \param file the file to add from. All certs in this file that are not

  818.  * already in the stack will be added.

  819.  * \return 1 for success, 0 for failure. Note that in the case of failure some

  820.  * certs may have been added to \c stack.

  821.  */

  822. 

  823. int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,

  824. 					const char *file)

  825. 	{

  826. 	BIO *in;

  827. 	X509 *x=NULL;

  828. 	X509_NAME *xn=NULL;

  829. 	int ret=1;

  830. 	int (*oldcmp)(const X509_NAME **a, const X509_NAME **b);

  831. 	

  832. 	oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);

  833. 	

  834. 	in=BIO_new(BIO_s_file());

  835. 	

  836. 	if (in == NULL)

  837. 		{

  838. 		OPENSSL_PUT_ERROR(SSL, SSL_add_file_cert_subjects_to_stack, ERR_R_MALLOC_FAILURE);

  839. 		goto err;

  840. 		}

  841. 	

  842. 	if (!BIO_read_filename(in,file))

  843. 		goto err;

  844. 	

  845. 	for (;;)

  846. 		{

  847. 		if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)

  848. 			break;

  849. 		if ((xn=X509_get_subject_name(x)) == NULL) goto err;

  850. 		xn=X509_NAME_dup(xn);

  851. 		if (xn == NULL) goto err;

  852. 		if (sk_X509_NAME_find(stack, NULL, xn))

  853. 			X509_NAME_free(xn);

  854. 		else

  855. 			sk_X509_NAME_push(stack,xn);

  856. 		}

  857. 

  858. 	ERR_clear_error();

  859. 

  860. 	if (0)

  861. 		{

  862. err:

  863. 		ret=0;

  864. 		}

  865. 	if(in != NULL)

  866. 		BIO_free(in);

  867. 	if(x != NULL)

  868. 		X509_free(x);

  869. 	

  870. 	(void)sk_X509_NAME_set_cmp_func(stack,oldcmp);

  871. 

  872. 	return ret;

  873. 	}

  874. 

  875. /*!

  876.  * Add a directory of certs to a stack.

  877.  * \param stack the stack to append to.

  878.  * \param dir the directory to append from. All files in this directory will be

  879.  * examined as potential certs. Any that are acceptable to

  880.  * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be

  881.  * included.

  882.  * \return 1 for success, 0 for failure. Note that in the case of failure some

  883.  * certs may have been added to \c stack.

  884.  */

  885. 

  886. int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,

  887. 				       const char *dir)

  888. 	{

  889. 	OPENSSL_DIR_CTX *d = NULL;

  890. 	const char *filename;

  891. 	int ret = 0;

  892. 

  893. 	CRYPTO_w_lock(CRYPTO_LOCK_READDIR);

  894. 

  895. 	/* Note that a side effect is that the CAs will be sorted by name */

  896. 

  897. 	while((filename = OPENSSL_DIR_read(&d, dir)))

  898. 		{

  899. 		char buf[1024];

  900. 		int r;

  901. 

  902. 		if(strlen(dir)+strlen(filename)+2 > sizeof buf)

  903. 			{

  904. 			OPENSSL_PUT_ERROR(SSL, SSL_add_dir_cert_subjects_to_stack, SSL_R_PATH_TOO_LONG);

  905. 			goto err;

  906. 			}

  907. 

  908. #ifdef OPENSSL_SYS_VMS

  909. 		r = BIO_snprintf(buf,sizeof buf,"%s%s",dir,filename);

  910. #else

  911. 		r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename);

  912. #endif

  913. 		if (r <= 0 || r >= (int)sizeof(buf))

  914. 			goto err;

  915. 		if(!SSL_add_file_cert_subjects_to_stack(stack,buf))

  916. 			goto err;

  917. 		}

  918. 

  919. 	if (errno)

  920. 		{

  921. 		OPENSSL_PUT_ERROR(SSL, SSL_add_file_cert_subjects_to_stack, ERR_R_SYS_LIB);

  922. 		ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");

  923. 		goto err;

  924. 		}

  925. 

  926. 	ret = 1;

  927. 

  928. err:

  929. 	if (d) OPENSSL_DIR_end(&d);

  930. 	CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);

  931. 	return ret;

  932. 	}

  933. 

  934. /* Add a certificate to a BUF_MEM structure */

  935. 

  936. static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)

  937. 	{

  938. 	int n;

  939. 	unsigned char *p;

  940. 

  941. 	n=i2d_X509(x,NULL);

  942. 	if (!BUF_MEM_grow_clean(buf,(int)(n+(*l)+3)))

  943. 		{

  944. 		OPENSSL_PUT_ERROR(SSL, ssl_add_cert_to_buf, ERR_R_BUF_LIB);

  945. 		return 0;

  946. 		}

  947. 	p=(unsigned char *)&(buf->data[*l]);

  948. 	l2n3(n,p);

  949. 	i2d_X509(x,&p);

  950. 	*l+=n+3;

  951. 

  952. 	return 1;

  953. 	}

  954. 

  955. /* Add certificate chain to internal SSL BUF_MEM strcuture */

  956. int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)

  957. 	{

  958. 	BUF_MEM *buf = s->init_buf;

  959. 	int no_chain;

  960. 	size_t i;

  961. 

  962. 	X509 *x;

  963. 	STACK_OF(X509) *extra_certs;

  964. 	X509_STORE *chain_store;

  965. 

  966. 	if (cpk)

  967. 		x = cpk->x509;

  968. 	else

  969. 		x = NULL;

  970. 

  971. 	if (s->cert->chain_store)

  972. 		chain_store = s->cert->chain_store;

  973. 	else

  974. 		chain_store = s->ctx->cert_store;

  975. 

  976. 	/* If we have a certificate specific chain use it, else use

  977. 	 * parent ctx.

  978. 	 */

  979. 	if (cpk && cpk->chain)

  980. 		extra_certs = cpk->chain;

  981. 	else

  982. 		extra_certs = s->ctx->extra_certs;

  983. 

  984. 	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)

  985. 		no_chain = 1;

  986. 	else

  987. 		no_chain = 0;

  988. 

  989. 	/* TLSv1 sends a chain with nothing in it, instead of an alert */

  990. 	if (!BUF_MEM_grow_clean(buf,10))

  991. 		{

  992. 		OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, ERR_R_BUF_LIB);

  993. 		return 0;

  994. 		}

  995. 	if (x != NULL)

  996. 		{

  997. 		if (no_chain)

  998. 			{

  999. 			if (!ssl_add_cert_to_buf(buf, l, x))

  1000. 				return 0;

  1001. 			}

  1002. 		else

  1003. 			{

  1004. 			X509_STORE_CTX xs_ctx;

  1005. 

  1006. 			if (!X509_STORE_CTX_init(&xs_ctx,chain_store,x,NULL))

  1007. 				{

  1008. 				OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, ERR_R_X509_LIB);

  1009. 				return(0);

  1010. 				}

  1011. 			X509_verify_cert(&xs_ctx);

  1012. 			/* Don't leave errors in the queue */

  1013. 			ERR_clear_error();

  1014. 			for (i=0; i < sk_X509_num(xs_ctx.chain); i++)

  1015. 				{

  1016. 				x = sk_X509_value(xs_ctx.chain, i);

  1017. 

  1018. 				if (!ssl_add_cert_to_buf(buf, l, x))

  1019. 					{

  1020. 					X509_STORE_CTX_cleanup(&xs_ctx);

  1021. 					return 0;

  1022. 					}

  1023. 				}

  1024. 			X509_STORE_CTX_cleanup(&xs_ctx);

  1025. 			}

  1026. 		}

  1027. 	for (i=0; i<sk_X509_num(extra_certs); i++)

  1028. 		{

  1029. 		x=sk_X509_value(extra_certs,i);

  1030. 		if (!ssl_add_cert_to_buf(buf, l, x))

  1031. 			return 0;

  1032. 		}

  1033. 

  1034. 	return 1;

  1035. 	}

  1036. 

  1037. /* Build a certificate chain for current certificate */

  1038. int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags)

  1039. 	{

  1040. 	CERT_PKEY *cpk = c->key;

  1041. 	X509_STORE_CTX xs_ctx;

  1042. 	STACK_OF(X509) *chain = NULL, *untrusted = NULL;

  1043. 	X509 *x;

  1044. 	int i, rv = 0;

  1045. 	unsigned long error;

  1046. 

  1047. 	if (!cpk->x509)

  1048. 		{

  1049. 		OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, SSL_R_NO_CERTIFICATE_SET);

  1050. 		goto err;

  1051. 		}

  1052. 	/* Rearranging and check the chain: add everything to a store */

  1053. 	if (flags & SSL_BUILD_CHAIN_FLAG_CHECK)

  1054. 		{

  1055. 		size_t j;

  1056. 		chain_store = X509_STORE_new();

  1057. 		if (!chain_store)

  1058. 			goto err;

  1059. 		for (j = 0; j < sk_X509_num(cpk->chain); j++)

  1060. 			{

  1061. 			x = sk_X509_value(cpk->chain, j);

  1062. 			if (!X509_STORE_add_cert(chain_store, x))

  1063. 				{

  1064. 				error = ERR_peek_last_error();

  1065. 				if (ERR_GET_LIB(error) != ERR_LIB_X509 ||

  1066. 				    ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)

  1067. 					goto err;

  1068. 				ERR_clear_error();

  1069. 				}

  1070. 			}

  1071. 		/* Add EE cert too: it might be self signed */

  1072. 		if (!X509_STORE_add_cert(chain_store, cpk->x509))

  1073. 			{

  1074. 			error = ERR_peek_last_error();

  1075. 			if (ERR_GET_LIB(error) != ERR_LIB_X509 ||

  1076. 			    ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)

  1077. 				goto err;

  1078. 			ERR_clear_error();

  1079. 			}

  1080. 		}

  1081. 	else

  1082. 		{

  1083. 		if (c->chain_store)

  1084. 			chain_store = c->chain_store;

  1085. 

  1086. 		if (flags & SSL_BUILD_CHAIN_FLAG_UNTRUSTED)

  1087. 			untrusted = cpk->chain;

  1088. 		}

  1089. 

  1090. 	if (!X509_STORE_CTX_init(&xs_ctx, chain_store, cpk->x509, untrusted))

  1091. 		{

  1092. 		OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, ERR_R_X509_LIB);

  1093. 		goto err;

  1094. 		}

  1095. 

  1096. 	i = X509_verify_cert(&xs_ctx);

  1097. 	if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)

  1098. 		{

  1099. 		if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR)

  1100. 			ERR_clear_error();

  1101. 		i = 1;

  1102. 		rv = 2;

  1103. 		}

  1104. 	if (i > 0)

  1105. 		chain = X509_STORE_CTX_get1_chain(&xs_ctx);

  1106. 	if (i <= 0)

  1107. 		{

  1108. 		OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, SSL_R_CERTIFICATE_VERIFY_FAILED);

  1109. 		i = X509_STORE_CTX_get_error(&xs_ctx);

  1110. 		ERR_add_error_data(2, "Verify error:",

  1111. 					X509_verify_cert_error_string(i));

  1112. 

  1113. 		X509_STORE_CTX_cleanup(&xs_ctx);

  1114. 		goto err;

  1115. 		}

  1116. 	X509_STORE_CTX_cleanup(&xs_ctx);

  1117. 	if (cpk->chain)

  1118. 		sk_X509_pop_free(cpk->chain, X509_free);

  1119. 	/* Remove EE certificate from chain */

  1120. 	x = sk_X509_shift(chain);

  1121. 	X509_free(x);

  1122. 	if (flags & SSL_BUILD_CHAIN_FLAG_NO_ROOT)

  1123. 		{

  1124. 		if (sk_X509_num(chain) > 0)

  1125. 			{

  1126. 			/* See if last cert is self signed */

  1127. 			x = sk_X509_value(chain, sk_X509_num(chain) - 1);

  1128. 			X509_check_purpose(x, -1, 0);

  1129. 			if (x->ex_flags & EXFLAG_SS)

  1130. 				{

  1131. 				x = sk_X509_pop(chain);

  1132. 				X509_free(x);

  1133. 				}

  1134. 			}

  1135. 		}

  1136. 	cpk->chain = chain;

  1137. 	if (rv == 0)

  1138. 		rv = 1;

  1139. 	err:

  1140. 	if (flags & SSL_BUILD_CHAIN_FLAG_CHECK)

  1141. 		X509_STORE_free(chain_store);

  1142. 

  1143. 	return rv;

  1144. 	}

  1145. 

  1146. int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)

  1147. 	{

  1148. 	X509_STORE **pstore;

  1149. 	if (chain)

  1150. 		pstore = &c->chain_store;

  1151. 	else

  1152. 		pstore = &c->verify_store;

  1153. 	if (*pstore)

  1154. 		X509_STORE_free(*pstore);

  1155. 	*pstore = store;

  1156. 	if (ref && store)

  1157. 		CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);

  1158. 	return 1;

  1159. 	}

  1160.