Copy DH key (if available) in addition to the bare parameters

[openssl.git] / ssl / ssl_cert.c

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 9a752c3d2095c7dd85ae0dfe8b7c075564fb7bc2..a054e0aa44643221f123e106424722cb2f6ba8ab 100644 (file)
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -105,15 +105,26 @@
  */
 
 #include <stdio.h>
-#include <sys/types.h>
-#ifndef WIN32
-#ifndef VMS
+
+#include "openssl/e_os.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#if !defined(WIN32) && !defined(VSM) && !defined(NeXT) && !defined(MAC_OS_pre_X)
 #include <dirent.h>
 #endif
+
+#ifdef NeXT
+#include <sys/dir.h>
+#define dirent direct
 #endif
+
 #include <openssl/objects.h>
 #include <openssl/bio.h>
 #include <openssl/pem.h>
+#include <openssl/x509v3.h>
 #include "ssl_locl.h"
 
 int SSL_get_ex_data_X509_STORE_CTX_idx(void)
@@ -139,14 +150,6 @@ CERT *ssl_cert_new(void)
                return(NULL);
                }
        memset(ret,0,sizeof(CERT));
-/*
-       ret->valid=0;
-       ret->mask=0;
-       ret->export_mask=0;
-       ret->cert_type=0;
-       ret->key->x509=NULL;
-       ret->key->publickey=NULL;
-       ret->key->privatekey=NULL; */
 
        ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
        ret->references=1;
@@ -168,8 +171,6 @@ CERT *ssl_cert_dup(CERT *cert)
 
        memset(ret, 0, sizeof(CERT));
 
-       ret->cert_type = cert->cert_type;
-
        ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
        /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
         * if you find that more readable */
@@ -190,16 +191,33 @@ CERT *ssl_cert_dup(CERT *cert)
 #ifndef NO_DH
        if (cert->dh_tmp != NULL)
                {
-               /* DH parameters don't have a reference count (and cannot
-                * reasonably be shared anyway, as the secret exponent may
-                * be created just when it is needed -- earlier library
-                * versions did not pay attention to this) */
+               /* DH parameters don't have a reference count */
                ret->dh_tmp = DHparams_dup(cert->dh_tmp);
                if (ret->dh_tmp == NULL)
                        {
                        SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_DH_LIB);
                        goto err;
                        }
+               if (cert->dh_tmp->priv_key)
+                       {
+                       BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
+                       if (!b)
+                               {
+                               SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_BN_LIB);
+                               goto err;
+                               }
+                       ret->dh_tmp->priv_key = b;
+                       }
+               if (cert->dh_tmp->pub_key)
+                       {
+                       BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
+                       if (!b)
+                               {
+                               SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_BN_LIB);
+                               goto err;
+                               }
+                       ret->dh_tmp->pub_key = b;
+                       }
                }
        ret->dh_tmp_cb = cert->dh_tmp_cb;
 #endif
@@ -246,11 +264,6 @@ CERT *ssl_cert_dup(CERT *cert)
                        }
                }
        
-
-       /* ret->cert_chain should not exist: that's pure per-connection data.
-        * Anyway, we never use this function when it is non-NULL,
-        * so we just don't look at it. */
-
        /* ret->extra_certs *should* exist, but currently the own certificate
         * chain is held inside SSL_CTX */
 
@@ -435,11 +448,19 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
        X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
        if (SSL_get_verify_depth(s) >= 0)
                X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
-       X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),
-               (char *)s);
+       X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
+       /* We need to set the verify purpose. The purpose can be determined by
+        * the context: if its a server it will verify SSL client certificates
+        * or vice versa.
+         */
+
+       if(s->server) i = X509_PURPOSE_SSL_CLIENT;
+       else i = X509_PURPOSE_SSL_SERVER;
+
+       X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
 
        if (s->ctx->app_verify_callback != NULL)
-               i=s->ctx->app_verify_callback(&ctx);
+               i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
        else
                {
 #ifndef NO_X509_VERIFY
@@ -465,19 +486,19 @@ static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME)
        *ca_list=list;
        }
 
-STACK *SSL_dup_CA_list(STACK *sk)
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
        {
        int i;
-       STACK *ret;
+       STACK_OF(X509_NAME) *ret;
        X509_NAME *name;
 
-       ret=sk_new_null();
-       for (i=0; i<sk_num(sk); i++)
+       ret=sk_X509_NAME_new_null();
+       for (i=0; i<sk_X509_NAME_num(sk); i++)
                {
-               name=X509_NAME_dup((X509_NAME *)sk_value(sk,i));
-               if ((name == NULL) || !sk_push(ret,(char *)name))
+               name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
+               if ((name == NULL) || !sk_X509_NAME_push(ret,name))
                        {
-                       sk_pop_free(ret,X509_NAME_free);
+                       sk_X509_NAME_pop_free(ret,X509_NAME_free);
                        return(NULL);
                        }
                }
@@ -547,7 +568,7 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
        return(add_client_CA(&(ctx->client_CA),x));
        }
 
-static int name_cmp(X509_NAME **a,X509_NAME **b)
+static int xname_cmp(X509_NAME **a,X509_NAME **b)
        {
        return(X509_NAME_cmp(*a,*b));
        }
@@ -569,7 +590,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
        STACK_OF(X509_NAME) *ret,*sk;
 
        ret=sk_X509_NAME_new(NULL);
-       sk=sk_X509_NAME_new(name_cmp);
+       sk=sk_X509_NAME_new(xname_cmp);
 
        in=BIO_new(BIO_s_file_internal());
 
@@ -584,7 +605,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
 
        for (;;)
                {
-               if (PEM_read_bio_X509(in,&x,NULL) == NULL)
+               if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
                        break;
                if ((xn=X509_get_subject_name(x)) == NULL) goto err;
                /* check for duplicates */
@@ -630,7 +651,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
     int ret=1;
     int (*oldcmp)(X509_NAME **a, X509_NAME **b);
 
-    oldcmp=sk_X509_NAME_set_cmp_func(stack,name_cmp);
+    oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
 
     in=BIO_new(BIO_s_file_internal());
 
@@ -645,7 +666,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 
     for (;;)
        {
-       if (PEM_read_bio_X509(in,&x,NULL) == NULL)
+       if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
            break;
        if ((xn=X509_get_subject_name(x)) == NULL) goto err;
        xn=X509_NAME_dup(xn);
@@ -684,18 +705,25 @@ err:
 
 #ifndef WIN32
 #ifndef VMS                    /* XXXX This may be fixed in the future */
+#ifndef MAC_OS_pre_X
 
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                                       const char *dir)
     {
-    DIR *d=opendir(dir);
+    DIR *d;
     struct dirent *dstruct;
+    int ret = 0;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
+    d = opendir(dir);
 
     /* Note that a side effect is that the CAs will be sorted by name */
     if(!d)
        {
-       SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
-       return 0;
+       SYSerr(SYS_F_OPENDIR, get_last_sys_error());
+       ERR_add_error_data(3, "opendir('", dir, "')");
+       SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
+       goto err;
        }
 
     while((dstruct=readdir(d)))
@@ -705,16 +733,20 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
        if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
            {
            SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
-           return 0;
+           goto err;
            }
        
        sprintf(buf,"%s/%s",dir,dstruct->d_name);
        if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
-           return 0;
+           goto err;
        }
+    ret = 1;
 
-    return 1;
+err:   
+    CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
+    return ret;
     }
 
 #endif
 #endif
+#endif