/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* https://www.openssl.org/source/license.html
*/
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * ECC cipher suite support in OpenSSL originally developed by
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-
#include <stdio.h>
+#include <sys/types.h>
-#include "e_os.h"
+#include "internal/nelem.h"
#ifndef NO_SYS_TYPES_H
# include <sys/types.h>
#endif
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/crypto.h>
+#include "internal/refcount.h"
#include "ssl_locl.h"
+#include "ssl_cert_table.h"
#include "internal/thread_once.h"
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
ret->sec_level = cert->sec_level;
ret->sec_ex = cert->sec_ex;
- if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext))
- goto err;
- if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext))
+ if (!custom_exts_copy(&ret->custext, &cert->custext))
goto err;
#ifndef OPENSSL_NO_PSK
if (cert->psk_identity_hint) {
OPENSSL_free(c->ctype);
X509_STORE_free(c->verify_store);
X509_STORE_free(c->chain_store);
- custom_exts_free(&c->cli_ext);
- custom_exts_free(&c->srv_ext);
+ custom_exts_free(&c->custext);
#ifndef OPENSSL_NO_PSK
OPENSSL_free(c->psk_identity_hint);
#endif
return i;
}
-static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,
- STACK_OF(X509_NAME) *name_list)
+static void set0_CA_list(STACK_OF(X509_NAME) **ca_list,
+ STACK_OF(X509_NAME) *name_list)
{
sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
*ca_list = name_list;
}
-STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
+STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk)
{
int i;
STACK_OF(X509_NAME) *ret;
return (ret);
}
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
+void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
+{
+ set0_CA_list(&s->ca_names, name_list);
+}
+
+void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
{
- set_client_CA_list(&(s->client_CA), name_list);
+ set0_CA_list(&ctx->ca_names, name_list);
+}
+
+const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx)
+{
+ return ctx->ca_names;
+}
+
+const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s)
+{
+ return s->ca_names != NULL ? s->ca_names : s->ctx->ca_names;
}
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
{
- set_client_CA_list(&(ctx->client_CA), name_list);
+ SSL_CTX_set0_CA_list(ctx, name_list);
}
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
{
- return (ctx->client_CA);
+ return ctx->ca_names;
+}
+
+void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
+{
+ SSL_set0_CA_list(s, name_list);
+}
+
+const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s)
+{
+ return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL;
}
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
{
- if (!s->server) { /* we are in the client */
- if (s->s3 != NULL)
- return s->s3->tmp.ca_names;
- else
- return NULL;
- } else {
- if (s->client_CA != NULL)
- return s->client_CA;
- else
- return s->ctx->client_CA;
- }
+ if (!s->server)
+ return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL;
+ return s->ca_names != NULL ? s->ca_names : s->ctx->ca_names;
}
-static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x)
+static int add_ca_name(STACK_OF(X509_NAME) **sk, const X509 *x)
{
X509_NAME *name;
if (x == NULL)
- return (0);
- if ((*sk == NULL) && ((*sk = sk_X509_NAME_new_null()) == NULL))
- return (0);
+ return 0;
+ if (*sk == NULL && ((*sk = sk_X509_NAME_new_null()) == NULL))
+ return 0;
if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL)
- return (0);
+ return 0;
if (!sk_X509_NAME_push(*sk, name)) {
X509_NAME_free(name);
- return (0);
+ return 0;
}
- return (1);
+ return 1;
+}
+
+int SSL_add1_CA_list(SSL *ssl, const X509 *x)
+{
+ return add_ca_name(&ssl->ca_names, x);
+}
+
+int SSL_CTX_add1_CA_list(SSL_CTX *ctx, const X509 *x)
+{
+ return add_ca_name(&ctx->ca_names, x);
}
int SSL_add_client_CA(SSL *ssl, X509 *x)
{
- return (add_client_CA(&(ssl->client_CA), x));
+ return add_ca_name(&ssl->ca_names, x);
}
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
{
- return (add_client_CA(&(ctx->client_CA), x));
+ return add_ca_name(&ctx->ca_names, x);
}
static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
STACK_OF(X509) *chain = NULL, *untrusted = NULL;
X509 *x;
int i, rv = 0;
- unsigned long error;
if (!cpk->x509) {
SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, SSL_R_NO_CERTIFICATE_SET);
goto err;
for (i = 0; i < sk_X509_num(cpk->chain); i++) {
x = sk_X509_value(cpk->chain, i);
- if (!X509_STORE_add_cert(chain_store, x)) {
- error = ERR_peek_last_error();
- if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
- ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
- goto err;
- ERR_clear_error();
- }
- }
- /* Add EE cert too: it might be self signed */
- if (!X509_STORE_add_cert(chain_store, cpk->x509)) {
- error = ERR_peek_last_error();
- if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
- ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
+ if (!X509_STORE_add_cert(chain_store, x))
goto err;
- ERR_clear_error();
}
+ /* Add EE cert too: it might be self signed */
+ if (!X509_STORE_add_cert(chain_store, cpk->x509))
+ goto err;
} else {
if (c->chain_store)
chain_store = c->chain_store;
return ctx->cert->sec_cb(NULL, ctx, op, bits, nid, other,
ctx->cert->sec_ex);
}
+
+const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx)
+{
+ int nid = EVP_PKEY_id(pk);
+ size_t i;
+
+ if (nid == NID_undef)
+ return NULL;
+
+ for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) {
+ if (ssl_cert_info[i].nid == nid) {
+ if (pidx != NULL)
+ *pidx = i;
+ return &ssl_cert_info[i];
+ }
+ }
+ return NULL;
+}
+
+const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx)
+{
+ if (idx >= OSSL_NELEM(ssl_cert_info))
+ return 0;
+ return &ssl_cert_info[idx];
+}
projects / openssl.git / blobdiff