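--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/os/ossrv/ssl/libssl/src/ssl_cert.c	Fri Jun 15 03:10:57 2012 +0200
@@ -0,0 +1,844 @@
+/*! \file ssl/ssl_cert.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
+/*
+ © Portions copyright (c) 2006 Nokia Corporation. All rights reserved.
+ */
+
+#include <stdio.h>
+
+#include "e_os.h"
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#include "o_dir.h"
+#include <openssl/objects.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/bn.h>
+#include "ssl_locl.h"
+
+#ifdef EMULATOR
+
+ GET_STATIC_VAR_FROM_TLS(ssl_x509_store_ctx_idx,ssl_cert,volatile int)
+
+ #define ssl_x509_store_ctx_idx (*GET_WSD_VAR_NAME(ssl_x509_store_ctx_idx,ssl_cert,s)())
+
+#endif
+
+
+EXPORT_C int SSL_get_ex_data_X509_STORE_CTX_idx(void)
+ {
+#ifndef EMULATOR
+ static volatile int ssl_x509_store_ctx_idx= -1;
+#endif
+ int got_write_lock = 0;
+
+ CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
+
+
+ if (ssl_x509_store_ctx_idx < 0)
+ {
+ CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+ got_write_lock = 1;
+
+ if (ssl_x509_store_ctx_idx < 0)
+ {
+ ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
+ 0,"SSL for verify callback",NULL,NULL,NULL);
+ }
+ }
+
+ if (got_write_lock)
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+ else
+ CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+
+ return ssl_x509_store_ctx_idx;
+ }
+
+CERT *ssl_cert_new(void)
+ {
+ CERT *ret;
+
+ ret=(CERT *)OPENSSL_malloc(sizeof(CERT));
+ if (ret == NULL)
+ {
+ SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE);
+ return(NULL);
+ }
+ memset(ret,0,sizeof(CERT));
+
+ ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
+ ret->references=1;
+
+ return(ret);
+ }
+
+CERT *ssl_cert_dup(CERT *cert)
+ {
+ CERT *ret;
+ int i;
+
+ ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
+ if (ret == NULL)
+ {
+ SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
+ return(NULL);
+ }
+
+ memset(ret, 0, sizeof(CERT));
+
+ ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
+ /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
+ * if you find that more readable */
+
+ ret->valid = cert->valid;
+ ret->mask = cert->mask;
+ ret->export_mask = cert->export_mask;
+
+#ifndef OPENSSL_NO_RSA
+ if (cert->rsa_tmp != NULL)
+ {
+ RSA_up_ref(cert->rsa_tmp);
+ ret->rsa_tmp = cert->rsa_tmp;
+ }
+ ret->rsa_tmp_cb = cert->rsa_tmp_cb;
+#endif
+
+#ifndef OPENSSL_NO_DH
+ if (cert->dh_tmp != NULL)
+ {
+ ret->dh_tmp = DHparams_dup(cert->dh_tmp);
+ if (ret->dh_tmp == NULL)
+ {
+ SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
+ goto err;
+ }
+ if (cert->dh_tmp->priv_key)
+ {
+ BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
+ if (!b)
+ {
+ SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
+ goto err;
+ }
+ ret->dh_tmp->priv_key = b;
+ }
+ if (cert->dh_tmp->pub_key)
+ {
+ BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
+ if (!b)
+ {
+ SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
+ goto err;
+ }
+ ret->dh_tmp->pub_key = b;
+ }
+ }
+ ret->dh_tmp_cb = cert->dh_tmp_cb;
+#endif
+
+#ifndef OPENSSL_NO_ECDH
+ if (cert->ecdh_tmp)
+ {
+ ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
+ if (ret->ecdh_tmp == NULL)
+ {
+ SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
+ goto err;
+ }
+ }
+ ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
+#endif
+
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ {
+ if (cert->pkeys[i].x509 != NULL)
+ {
+ ret->pkeys[i].x509 = cert->pkeys[i].x509;
+ CRYPTO_add(&ret->pkeys[i].x509->references, 1,
+ CRYPTO_LOCK_X509);
+ }
+
+ if (cert->pkeys[i].privatekey != NULL)
+ {
+ ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
+ CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
+ CRYPTO_LOCK_EVP_PKEY);
+
+ switch(i)
+ {
+ /* If there was anything special to do for
+ * certain types of keys, we'd do it here.
+ * (Nothing at the moment, I think.) */
+
+ case SSL_PKEY_RSA_ENC:
+ case SSL_PKEY_RSA_SIGN:
+ /* We have an RSA key. */
+ break;
+
+ case SSL_PKEY_DSA_SIGN:
+ /* We have a DSA key. */
+ break;
+
+ case SSL_PKEY_DH_RSA:
+ case SSL_PKEY_DH_DSA:
+ /* We have a DH key. */
+ break;
+
+ case SSL_PKEY_ECC:
+ /* We have an ECC key */
+ break;
+
+ default:
+ /* Can't happen. */
+ SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
+ }
+ }
+ }
+
+ /* ret->extra_certs *should* exist, but currently the own certificate
+ * chain is held inside SSL_CTX */
+
+ ret->references=1;
+
+ return(ret);
+
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
+err:
+#endif
+#ifndef OPENSSL_NO_RSA
+ if (ret->rsa_tmp != NULL)
+ RSA_free(ret->rsa_tmp);
+#endif
+#ifndef OPENSSL_NO_DH
+ if (ret->dh_tmp != NULL)
+ DH_free(ret->dh_tmp);
+#endif
+#ifndef OPENSSL_NO_ECDH
+ if (ret->ecdh_tmp != NULL)
+ EC_KEY_free(ret->ecdh_tmp);
+#endif
+
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ {
+ if (ret->pkeys[i].x509 != NULL)
+ X509_free(ret->pkeys[i].x509);
+ if (ret->pkeys[i].privatekey != NULL)
+ EVP_PKEY_free(ret->pkeys[i].privatekey);
+ }
+
+ return NULL;
+ }
+
+
+void ssl_cert_free(CERT *c)
+ {
+ int i;
+
+ if(c == NULL)
+ return;
+
+ i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT);
+#ifdef REF_PRINT
+ REF_PRINT("CERT",c);
+#endif
+ if (i > 0) return;
+#ifdef REF_CHECK
+ if (i < 0)
+ {
+ fprintf(stderr,"ssl_cert_free, bad reference count\n");
+ abort(); /* ok */
+ }
+#endif
+
+#ifndef OPENSSL_NO_RSA
+ if (c->rsa_tmp) RSA_free(c->rsa_tmp);
+#endif
+#ifndef OPENSSL_NO_DH
+ if (c->dh_tmp) DH_free(c->dh_tmp);
+#endif
+#ifndef OPENSSL_NO_ECDH
+ if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);
+#endif
+
+ for (i=0; i<SSL_PKEY_NUM; i++)
+ {
+ if (c->pkeys[i].x509 != NULL)
+ X509_free(c->pkeys[i].x509);
+ if (c->pkeys[i].privatekey != NULL)
+ EVP_PKEY_free(c->pkeys[i].privatekey);
+#if 0
+ if (c->pkeys[i].publickey != NULL)
+ EVP_PKEY_free(c->pkeys[i].publickey);
+#endif
+ }
+ OPENSSL_free(c);
+ }
+
+int ssl_cert_inst(CERT **o)
+ {
+ /* Create a CERT if there isn't already one
+ * (which cannot really happen, as it is initially created in
+ * SSL_CTX_new; but the earlier code usually allows for that one
+ * being non-existant, so we follow that behaviour, as it might
+ * turn out that there actually is a reason for it -- but I'm
+ * not sure that *all* of the existing code could cope with
+ * s->cert being NULL, otherwise we could do without the
+ * initialization in SSL_CTX_new).
+ */
+
+ if (o == NULL)
+ {
+ SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
+ return(0);
+ }
+ if (*o == NULL)
+ {
+ if ((*o = ssl_cert_new()) == NULL)
+ {
+ SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
+ }
+ return(1);
+ }
+
+
+SESS_CERT *ssl_sess_cert_new(void)
+ {
+ SESS_CERT *ret;
+
+ ret = OPENSSL_malloc(sizeof *ret);
+ if (ret == NULL)
+ {
+ SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ memset(ret, 0 ,sizeof *ret);
+ ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
+ ret->references = 1;
+
+ return ret;
+ }
+
+void ssl_sess_cert_free(SESS_CERT *sc)
+ {
+ int i;
+
+ if (sc == NULL)
+ return;
+
+ i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
+#ifdef REF_PRINT
+ REF_PRINT("SESS_CERT", sc);
+#endif
+ if (i > 0)
+ return;
+#ifdef REF_CHECK
+ if (i < 0)
+ {
+ fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
+ abort(); /* ok */
+ }
+#endif
+
+ /* i == 0 */
+ if (sc->cert_chain != NULL)
+ sk_X509_pop_free(sc->cert_chain, X509_free);
+ for (i = 0; i < SSL_PKEY_NUM; i++)
+ {
+ if (sc->peer_pkeys[i].x509 != NULL)
+ X509_free(sc->peer_pkeys[i].x509);
+#if 0 /* We don't have the peer's private key. These lines are just
+ * here as a reminder that we're still using a not-quite-appropriate
+ * data structure. */
+ if (sc->peer_pkeys[i].privatekey != NULL)
+ EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
+#endif
+ }
+
+#ifndef OPENSSL_NO_RSA
+ if (sc->peer_rsa_tmp != NULL)
+ RSA_free(sc->peer_rsa_tmp);
+#endif
+#ifndef OPENSSL_NO_DH
+ if (sc->peer_dh_tmp != NULL)
+ DH_free(sc->peer_dh_tmp);
+#endif
+#ifndef OPENSSL_NO_ECDH
+ if (sc->peer_ecdh_tmp != NULL)
+ EC_KEY_free(sc->peer_ecdh_tmp);
+#endif
+
+ OPENSSL_free(sc);
+ }
+
+int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
+ {
+ sc->peer_cert_type = type;
+ return(1);
+ }
+
+int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
+ {
+ X509 *x;
+ int i;
+ X509_STORE_CTX ctx;
+
+ if ((sk == NULL) || (sk_X509_num(sk) == 0))
+ return(0);
+
+ x=sk_X509_value(sk,0);
+ if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk))
+ {
+ SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
+ return(0);
+ }
+ if (s->param)
+ X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
+ s->param);
+#if 0
+ if (SSL_get_verify_depth(s) >= 0)
+ X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
+#endif
+ X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
+
+ /* We need to inherit the verify parameters. These can be determined by
+ * the context: if its a server it will verify SSL client certificates
+ * or vice versa.
+ */
+
+ X509_STORE_CTX_set_default(&ctx,
+ s->server ? "ssl_client" : "ssl_server");
+
+ if (s->verify_callback)
+ X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
+
+ if (s->ctx->app_verify_callback != NULL)
+#if 1 /* new with OpenSSL 0.9.7 */
+ i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
+#else
+ i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
+#endif
+ else
+ {
+#ifndef OPENSSL_NO_X509_VERIFY
+ i=X509_verify_cert(&ctx);
+#else
+ i=0;
+ ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
+ SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK);
+#endif
+ }
+
+ s->verify_result=ctx.error;
+ X509_STORE_CTX_cleanup(&ctx);
+
+ return(i);
+ }
+
+static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
+ {
+ if (*ca_list != NULL)
+ sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
+
+ *ca_list=name_list;
+ }
+
+EXPORT_C STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
+ {
+ int i;
+ STACK_OF(X509_NAME) *ret;
+ X509_NAME *name;
+
+ ret=sk_X509_NAME_new_null();
+ for (i=0; i<sk_X509_NAME_num(sk); i++)
+ {
+ name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
+ if ((name == NULL) || !sk_X509_NAME_push(ret,name))
+ {
+ sk_X509_NAME_pop_free(ret,X509_NAME_free);
+ return(NULL);
+ }
+ }
+ return(ret);
+ }
+
+EXPORT_C void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)
+ {
+ set_client_CA_list(&(s->client_CA),name_list);
+ }
+
+EXPORT_C void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
+ {
+ set_client_CA_list(&(ctx->client_CA),name_list);
+ }
+
+EXPORT_C STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
+ {
+ return(ctx->client_CA);
+ }
+
+EXPORT_C STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
+ {
+ if (s->type == SSL_ST_CONNECT)
+ { /* we are in the client */
+ if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
+ (s->s3 != NULL))
+ return(s->s3->tmp.ca_names);
+ else
+ return(NULL);
+ }
+ else
+ {
+ if (s->client_CA != NULL)
+ return(s->client_CA);
+ else
+ return(s->ctx->client_CA);
+ }
+ }
+
+static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x)
+ {
+ X509_NAME *name;
+
+ if (x == NULL) return(0);
+ if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL))
+ return(0);
+
+ if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL)
+ return(0);
+
+ if (!sk_X509_NAME_push(*sk,name))
+ {
+ X509_NAME_free(name);
+ return(0);
+ }
+ return(1);
+ }
+
+EXPORT_C int SSL_add_client_CA(SSL *ssl,X509 *x)
+ {
+ return(add_client_CA(&(ssl->client_CA),x));
+ }
+
+EXPORT_C int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
+ {
+ return(add_client_CA(&(ctx->client_CA),x));
+ }
+
+static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
+ {
+ return(X509_NAME_cmp(*a,*b));
+ }
+
+#ifndef OPENSSL_NO_STDIO
+/*!
+ * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
+ * it doesn't really have anything to do with clients (except that a common use
+ * for a stack of CAs is to send it to the client). Actually, it doesn't have
+ * much to do with CAs, either, since it will load any old cert.
+ * \param file the file containing one or more certs.
+ * \return a ::STACK containing the certs.
+ */
+EXPORT_C STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
+ {
+ BIO *in;
+ X509 *x=NULL;
+ X509_NAME *xn=NULL;
+ STACK_OF(X509_NAME) *ret = NULL,*sk;
+
+ sk=sk_X509_NAME_new(xname_cmp);
+
+ in=BIO_new(BIO_s_file_internal());
+
+ if ((sk == NULL) || (in == NULL))
+ {
+ SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (!BIO_read_filename(in,file))
+ goto err;
+
+ for (;;)
+ {
+ if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
+ break;
+ if (ret == NULL)
+ {
+ ret = sk_X509_NAME_new_null();
+ if (ret == NULL)
+ {
+ SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
+ if ((xn=X509_get_subject_name(x)) == NULL) goto err;
+ /* check for duplicates */
+ xn=X509_NAME_dup(xn);
+ if (xn == NULL) goto err;
+ if (sk_X509_NAME_find(sk,xn) >= 0)
+ X509_NAME_free(xn);
+ else
+ {
+ sk_X509_NAME_push(sk,xn);
+ sk_X509_NAME_push(ret,xn);
+ }
+ }
+
+ if (0)
+ {
+err:
+ if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
+ ret=NULL;
+ }
+ if (sk != NULL) sk_X509_NAME_free(sk);
+ if (in != NULL) BIO_free(in);
+ if (x != NULL) X509_free(x);
+ if (ret != NULL)
+ ERR_clear_error();
+ return(ret);
+ }
+#endif
+
+/*!
+ * Add a file of certs to a stack.
+ * \param stack the stack to add to.
+ * \param file the file to add from. All certs in this file that are not
+ * already in the stack will be added.
+ * \return 1 for success, 0 for failure. Note that in the case of failure some
+ * certs may have been added to \c stack.
+ */
+
+EXPORT_C int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *file)
+ {
+ BIO *in;
+ X509 *x=NULL;
+ X509_NAME *xn=NULL;
+ int ret=1;
+ int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
+
+ oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
+
+ in=BIO_new(BIO_s_file_internal());
+
+ if (in == NULL)
+ {
+ SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (!BIO_read_filename(in,file))
+ goto err;
+
+ for (;;)
+ {
+ if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
+ break;
+ if ((xn=X509_get_subject_name(x)) == NULL) goto err;
+ xn=X509_NAME_dup(xn);
+ if (xn == NULL) goto err;
+ if (sk_X509_NAME_find(stack,xn) >= 0)
+ X509_NAME_free(xn);
+ else
+ sk_X509_NAME_push(stack,xn);
+ }
+
+ if (0)
+ {
+err:
+ ret=0;
+ }
+ if(in != NULL)
+ BIO_free(in);
+ if(x != NULL)
+ X509_free(x);
+
+ (void)sk_X509_NAME_set_cmp_func(stack,oldcmp);
+
+ return ret;
+ }
+
+/*!
+ * Add a directory of certs to a stack.
+ * \param stack the stack to append to.
+ * \param dir the directory to append from. All files in this directory will be
+ * examined as potential certs. Any that are acceptable to
+ * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be
+ * included.
+ * \return 1 for success, 0 for failure. Note that in the case of failure some
+ * certs may have been added to \c stack.
+ */
+
+EXPORT_C int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *dir)
+ {
+ OPENSSL_DIR_CTX *d = NULL;
+ const char *filename;
+ int ret = 0;
+
+ CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
+
+ /* Note that a side effect is that the CAs will be sorted by name */
+
+ while((filename = OPENSSL_DIR_read(&d, dir)))
+ {
+ char buf[1024];
+ int r;
+
+ if(strlen(dir)+strlen(filename)+2 > sizeof buf)
+ {
+ SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
+ goto err;
+ }
+
+#ifdef OPENSSL_SYS_VMS
+ r = BIO_snprintf(buf,sizeof buf,"%s%s",dir,filename);
+#else
+ r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,filename);
+#endif
+ if (r <= 0 || r >= (int)sizeof(buf))
+ goto err;
+ if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
+ goto err;
+ }
+
+ if (errno)
+ {
+ SYSerr(SYS_F_OPENDIR, get_last_sys_error());
+ ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
+ SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
+ goto err;
+ }
+
+ ret = 1;
+
+err:
+ if (d) OPENSSL_DIR_end(&d);
+ CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
+ return ret;
+ }
+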
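Review bot: In SSL_add_file_cert_subjects_to_stack the `sk_X509_NAME_push(stack,xn);` in the read loop is unchecked, so when the push fails the duplicated subject name leaks and the function still returns 1 — the caller's client-CA list is silently incomplete while the call reports success, which is exactly the kind of misconfiguration a trust-store audit will not notice. The same pattern appears in SSL_load_client_CA_file, where both `sk_X509_NAME_push(sk,xn);` and `sk_X509_NAME_push(ret,xn);` are unchecked; there a failed second push leaves xn owned only by `sk`, which the cleanup releases with sk_X509_NAME_free rather than pop_free, so the name is never freed. In the first function the fix is a single guard, `if (!sk_X509_NAME_push(stack,xn)) { X509_NAME_free(xn); goto err; }`. In the second, guard the push into `sk` the same way, and on a failed push into `ret` pop xn back off `sk`, free it and `goto err` so the existing pop_free on `ret` cleans up the rest. Unrelated nit in the same hunk: the Doxygen comment above SSL_add_dir_cert_subjects_to_stack says files are checked for acceptability to SSL_add_dir_cert_subjects_to_stack(), but the loop body calls SSL_add_file_cert_subjects_to_stack(), so the comment should name that function.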