*/
#include <stdio.h>
-#include <sys/types.h>
-#ifndef WIN32
+
+#include "openssl/e_os.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#if !defined(WIN32) && !defined(VSM) && !defined(NeXT) && !defined(MAC_OS_pre_X)
#include <dirent.h>
#endif
+
+#ifdef NeXT
+#include <sys/dir.h>
+#define dirent direct
+#endif
+
#include <openssl/objects.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
return(NULL);
}
memset(ret,0,sizeof(CERT));
-/*
- ret->valid=0;
- ret->mask=0;
- ret->export_mask=0;
- ret->cert_type=0;
- ret->key->x509=NULL;
- ret->key->publickey=NULL;
- ret->key->privatekey=NULL; */
ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
ret->references=1;
memset(ret, 0, sizeof(CERT));
- ret->cert_type = cert->cert_type;
-
ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
/* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
* if you find that more readable */
}
}
-
- /* ret->cert_chain should not exist: that's pure per-connection data.
- * Anyway, we never use this function when it is non-NULL,
- * so we just don't look at it. */
-
/* ret->extra_certs *should* exist, but currently the own certificate
* chain is held inside SSL_CTX */
EVP_PKEY_free(c->pkeys[i].publickey);
#endif
}
- if (c->cert_chain != NULL)
- sk_X509_pop_free(c->cert_chain,X509_free);
Free(c);
}
-#if 1
int ssl_cert_inst(CERT **o)
{
/* Create a CERT if there isn't already one
* (which cannot really happen, as it is initially created in
* SSL_CTX_new; but the earlier code usually allows for that one
* being non-existant, so we follow that behaviour, as it might
- * turn out that there actually is a reason for it.). */
-
+ * turn out that there actually is a reason for it -- but I'm
+ * not sure that *all* of the existing code could cope with
+ * s->cert being NULL, otherwise we could do without the
+ * initialization in SSL_CTX_new).
+ */
+
if (o == NULL)
{
SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
return(1);
}
-#else /* Not needed any longer: SSL's always have their own copy */
-int ssl_cert_instantiate(CERT **o, CERT *d)
+
+SESS_CERT *ssl_sess_cert_new(void)
{
- CERT *n;
- if (o == NULL)
+ SESS_CERT *ret;
+
+ ret = Malloc(sizeof *ret);
+ if (ret == NULL)
{
- SSLerr(SSL_F_SSL_CERT_INSTANTIATE, ERR_R_PASSED_NULL_PARAMETER);
- return(0);
+ SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ memset(ret, 0 ,sizeof *ret);
+ ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
+ ret->references = 1;
+
+ return ret;
+ }
+
+void ssl_sess_cert_free(SESS_CERT *sc)
+ {
+ int i;
+
+ if (sc == NULL)
+ return;
+
+ i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
+#ifdef REF_PRINT
+ REF_PRINT("SESS_CERT", sc);
+#endif
+ if (i > 0)
+ return;
+#ifdef REF_CHECK
+ if (i < 0)
+ {
+ fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
+ abort(); /* ok */
}
- if (*o != NULL && (d == NULL || *o != d))
- return(1);
- if ((n = ssl_cert_new()) == NULL)
+#endif
+
+ /* i == 0 */
+ if (sc->cert_chain != NULL)
+ sk_X509_pop_free(sc->cert_chain, X509_free);
+ for (i = 0; i < SSL_PKEY_NUM; i++)
{
- SSLerr(SSL_F_SSL_CERT_INSTANTIATE, ERR_R_MALLOC_FAILURE);
- return(0);
+ if (sc->peer_pkeys[i].x509 != NULL)
+ X509_free(sc->peer_pkeys[i].x509);
+#if 0 /* We don't have the peer's private key. These lines are just
+ * here as a reminder that we're still using a not-quite-appropriate
+ * data structure. */
+ if (sc->peer_pkeys[i].privatekey != NULL)
+ EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
+#endif
}
- if (*o != NULL)
- ssl_cert_free(*o);
- *o = n;
- return(1);
- }
+
+#ifndef NO_RSA
+ if (sc->peer_rsa_tmp != NULL)
+ RSA_free(sc->peer_rsa_tmp);
#endif
+#ifndef NO_DH
+ if (sc->peer_dh_tmp != NULL)
+ DH_free(sc->peer_dh_tmp);
+#endif
+
+ Free(sc);
+ }
-int ssl_set_cert_type(CERT *c,int type)
+int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
{
- c->cert_type=type;
+ sc->peer_cert_type = type;
return(1);
}
(char *)s);
if (s->ctx->app_verify_callback != NULL)
- i=s->ctx->app_verify_callback(&ctx);
+ i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
else
{
#ifndef NO_X509_VERIFY
*ca_list=list;
}
-STACK *SSL_dup_CA_list(STACK *sk)
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
{
int i;
- STACK *ret;
+ STACK_OF(X509_NAME) *ret;
X509_NAME *name;
- ret=sk_new_null();
- for (i=0; i<sk_num(sk); i++)
+ ret=sk_X509_NAME_new_null();
+ for (i=0; i<sk_X509_NAME_num(sk); i++)
{
- name=X509_NAME_dup((X509_NAME *)sk_value(sk,i));
- if ((name == NULL) || !sk_push(ret,(char *)name))
+ name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
+ if ((name == NULL) || !sk_X509_NAME_push(ret,name))
{
- sk_pop_free(ret,X509_NAME_free);
+ sk_X509_NAME_pop_free(ret,X509_NAME_free);
return(NULL);
}
}
for (;;)
{
- if (PEM_read_bio_X509(in,&x,NULL) == NULL)
+ if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
break;
if ((xn=X509_get_subject_name(x)) == NULL) goto err;
/* check for duplicates */
for (;;)
{
- if (PEM_read_bio_X509(in,&x,NULL) == NULL)
+ if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
break;
if ((xn=X509_get_subject_name(x)) == NULL) goto err;
xn=X509_NAME_dup(xn);
*/
#ifndef WIN32
+#ifndef VMS /* XXXX This may be fixed in the future */
+#ifndef MAC_OS_pre_X
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *dir)
{
- DIR *d=opendir(dir);
+ DIR *d;
struct dirent *dstruct;
+ int ret = 0;
+
+ CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
+ d = opendir(dir);
/* Note that a side effect is that the CAs will be sorted by name */
if(!d)
{
- SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
- return 0;
+ SYSerr(SYS_F_OPENDIR, get_last_sys_error());
+ ERR_add_error_data(3, "opendir('", dir, "')");
+ SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
+ goto err;
}
while((dstruct=readdir(d)))
if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
{
SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
- return 0;
+ goto err;
}
sprintf(buf,"%s/%s",dir,dstruct->d_name);
if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
- return 0;
+ goto err;
}
+ ret = 1;
- return 1;
+err:
+ CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
+ return ret;
}
#endif
+#endif
+#endif