projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Initial support for MacOS.
[openssl.git] / ssl / ssl_cert.c
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 0d1c57011311a7c45111b2fff59ff09073145443..a695d042cf2e9f8e15ced5b840a4901fe69e905e 100644 (file)
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -105,10 +105,22 @@
  */
 
 #include <stdio.h>
-#include <sys/types.h>
-#ifndef WIN32
+
+#include "openssl/e_os.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#if !defined(WIN32) && !defined(VSM) && !defined(NeXT) && !defined(MAC_OS_pre_X)
 #include <dirent.h>
 #endif
+
+#ifdef NeXT
+#include <sys/dir.h>
+#define dirent direct
+#endif
+
 #include <openssl/objects.h>
 #include <openssl/bio.h>
 #include <openssl/pem.h>
@@ -137,14 +149,6 @@ CERT *ssl_cert_new(void)
                return(NULL);
                }
        memset(ret,0,sizeof(CERT));
-/*
-       ret->valid=0;
-       ret->mask=0;
-       ret->export_mask=0;
-       ret->cert_type=0;
-       ret->key->x509=NULL;
-       ret->key->publickey=NULL;
-       ret->key->privatekey=NULL; */
 
        ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
        ret->references=1;
@@ -166,8 +170,6 @@ CERT *ssl_cert_dup(CERT *cert)
 
        memset(ret, 0, sizeof(CERT));
 
-       ret->cert_type = cert->cert_type;
-
        ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
        /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
         * if you find that more readable */
@@ -244,11 +246,6 @@ CERT *ssl_cert_dup(CERT *cert)
                        }
                }
        
-
-       /* ret->cert_chain should not exist: that's pure per-connection data.
-        * Anyway, we never use this function when it is non-NULL,
-        * so we just don't look at it. */
-
        /* ret->extra_certs *should* exist, but currently the own certificate
         * chain is held inside SSL_CTX */
 
@@ -316,20 +313,21 @@ void ssl_cert_free(CERT *c)
                        EVP_PKEY_free(c->pkeys[i].publickey);
 #endif
                }
-       if (c->cert_chain != NULL)
-               sk_X509_pop_free(c->cert_chain,X509_free);
        Free(c);
        }
 
-#if 1
 int ssl_cert_inst(CERT **o)
        {
        /* Create a CERT if there isn't already one
         * (which cannot really happen, as it is initially created in
         * SSL_CTX_new; but the earlier code usually allows for that one
         * being non-existant, so we follow that behaviour, as it might
-        * turn out that there actually is a reason for it.). */
-        
+        * turn out that there actually is a reason for it -- but I'm
+        * not sure that *all* of the existing code could cope with
+        * s->cert being NULL, otherwise we could do without the
+        * initialization in SSL_CTX_new).
+        */
+       
        if (o == NULL) 
                {
                SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
@@ -346,32 +344,76 @@ int ssl_cert_inst(CERT **o)
        return(1);
        }
 
-#else /* Not needed any longer: SSL's always have their own copy */
-int ssl_cert_instantiate(CERT **o, CERT *d)
+
+SESS_CERT *ssl_sess_cert_new(void)
        {
-       CERT *n;
-       if (o == NULL) 
+       SESS_CERT *ret;
+
+       ret = Malloc(sizeof *ret);
+       if (ret == NULL)
                {
-               SSLerr(SSL_F_SSL_CERT_INSTANTIATE, ERR_R_PASSED_NULL_PARAMETER);
-               return(0);
+               SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
+               return NULL;
+               }
+
+       memset(ret, 0 ,sizeof *ret);
+       ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
+       ret->references = 1;
+
+       return ret;
+       }
+
+void ssl_sess_cert_free(SESS_CERT *sc)
+       {
+       int i;
+
+       if (sc == NULL)
+               return;
+
+       i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
+#ifdef REF_PRINT
+       REF_PRINT("SESS_CERT", sc);
+#endif
+       if (i > 0)
+               return;
+#ifdef REF_CHECK
+       if (i < 0)
+               {
+               fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
+               abort(); /* ok */
                }
-       if (*o != NULL && (d == NULL || *o != d))
-           return(1);
-       if ((n = ssl_cert_new()) == NULL) 
+#endif
+
+       /* i == 0 */
+       if (sc->cert_chain != NULL)
+               sk_X509_pop_free(sc->cert_chain, X509_free);
+       for (i = 0; i < SSL_PKEY_NUM; i++)
                {
-               SSLerr(SSL_F_SSL_CERT_INSTANTIATE, ERR_R_MALLOC_FAILURE);
-               return(0);
+               if (sc->peer_pkeys[i].x509 != NULL)
+                       X509_free(sc->peer_pkeys[i].x509);
+#if 0 /* We don't have the peer's private key.  These lines are just
+          * here as a reminder that we're still using a not-quite-appropriate
+          * data structure. */
+               if (sc->peer_pkeys[i].privatekey != NULL)
+                       EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
+#endif
                }
-       if (*o != NULL) 
-               ssl_cert_free(*o);
-       *o = n;
-       return(1);
-       }
+
+#ifndef NO_RSA
+       if (sc->peer_rsa_tmp != NULL)
+               RSA_free(sc->peer_rsa_tmp);
 #endif
+#ifndef NO_DH
+       if (sc->peer_dh_tmp != NULL)
+               DH_free(sc->peer_dh_tmp);
+#endif
+
+       Free(sc);
+       }
 
-int ssl_set_cert_type(CERT *c,int type)
+int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
        {
-       c->cert_type=type;
+       sc->peer_cert_type = type;
        return(1);
        }
 
@@ -392,7 +434,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
                (char *)s);
 
        if (s->ctx->app_verify_callback != NULL)
-               i=s->ctx->app_verify_callback(&ctx);
+               i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
        else
                {
 #ifndef NO_X509_VERIFY
@@ -418,19 +460,19 @@ static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME)
        *ca_list=list;
        }
 
-STACK *SSL_dup_CA_list(STACK *sk)
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
        {
        int i;
-       STACK *ret;
+       STACK_OF(X509_NAME) *ret;
        X509_NAME *name;
 
-       ret=sk_new_null();
-       for (i=0; i<sk_num(sk); i++)
+       ret=sk_X509_NAME_new_null();
+       for (i=0; i<sk_X509_NAME_num(sk); i++)
                {
-               name=X509_NAME_dup((X509_NAME *)sk_value(sk,i));
-               if ((name == NULL) || !sk_push(ret,(char *)name))
+               name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
+               if ((name == NULL) || !sk_X509_NAME_push(ret,name))
                        {
-                       sk_pop_free(ret,X509_NAME_free);
+                       sk_X509_NAME_pop_free(ret,X509_NAME_free);
                        return(NULL);
                        }
                }
@@ -537,7 +579,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
 
        for (;;)
                {
-               if (PEM_read_bio_X509(in,&x,NULL) == NULL)
+               if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
                        break;
                if ((xn=X509_get_subject_name(x)) == NULL) goto err;
                /* check for duplicates */
@@ -598,7 +640,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 
     for (;;)
        {
-       if (PEM_read_bio_X509(in,&x,NULL) == NULL)
+       if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
            break;
        if ((xn=X509_get_subject_name(x)) == NULL) goto err;
        xn=X509_NAME_dup(xn);
@@ -636,18 +678,26 @@ err:
  */
 
 #ifndef WIN32
+#ifndef VMS                    /* XXXX This may be fixed in the future */
+#ifndef MAC_OS_pre_X
 
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                                       const char *dir)
     {
-    DIR *d=opendir(dir);
+    DIR *d;
     struct dirent *dstruct;
+    int ret = 0;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
+    d = opendir(dir);
 
     /* Note that a side effect is that the CAs will be sorted by name */
     if(!d)
        {
-       SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
-       return 0;
+       SYSerr(SYS_F_OPENDIR, get_last_sys_error());
+       ERR_add_error_data(3, "opendir('", dir, "')");
+       SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
+       goto err;
        }
 
     while((dstruct=readdir(d)))
@@ -657,15 +707,20 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
        if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
            {
            SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
-           return 0;
+           goto err;
            }
        
        sprintf(buf,"%s/%s",dir,dstruct->d_name);
        if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
-           return 0;
+           goto err;
        }
+    ret = 1;
 
-    return 1;
+err:   
+    CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
+    return ret;
     }
 
 #endif
+#endif
+#endif
Unnamed repository; edit this file 'description' to name the repository.