#include <openssl/bn.h>
#include <openssl/crypto.h>
#include "ssl_locl.h"
+#include "internal/thread_once.h"
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid, void *other,
static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
static volatile int ssl_x509_store_ctx_idx = -1;
-static void ssl_x509_store_ctx_init(void)
+DEFINE_RUN_ONCE_STATIC(ssl_x509_store_ctx_init)
{
ssl_x509_store_ctx_idx = X509_STORE_CTX_get_ex_new_index(0,
"SSL for verify callback",
NULL, NULL, NULL);
+ return ssl_x509_store_ctx_idx >= 0;
}
int SSL_get_ex_data_X509_STORE_CTX_idx(void)
{
- CRYPTO_THREAD_run_once(&ssl_x509_store_ctx_once, ssl_x509_store_ctx_init);
+ if (!RUN_ONCE(&ssl_x509_store_ctx_once, ssl_x509_store_ctx_init))
+ return -1;
return ssl_x509_store_ctx_idx;
}
CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
if (!cpk)
return 0;
- sk_X509_pop_free(cpk->chain, X509_free);
for (i = 0; i < sk_X509_num(chain); i++) {
r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0);
if (r != 1) {
return 0;
}
}
+ sk_X509_pop_free(cpk->chain, X509_free);
cpk->chain = chain;
return 1;
}
/* Set suite B flags if needed */
X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
- X509_STORE_CTX_set_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
+ if (!X509_STORE_CTX_set_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
+ goto end;
+ }
/* Verify via DANE if enabled */
if (DANETLS_ENABLED(&s->dane))
X509_NAME *name;
ret = sk_X509_NAME_new_null();
+ if (ret == NULL) {
+ SSLerr(SSL_F_SSL_DUP_CA_LIST, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
for (i = 0; i < sk_X509_NAME_num(sk); i++) {
name = X509_NAME_dup(sk_X509_NAME_value(sk, i));
- if ((name == NULL) || !sk_X509_NAME_push(ret, name)) {
+ if (name == NULL || !sk_X509_NAME_push(ret, name)) {
sk_X509_NAME_pop_free(ret, X509_NAME_free);
- return (NULL);
+ X509_NAME_free(name);
+ return NULL;
}
}
return (ret);
if (lh_X509_NAME_retrieve(name_hash, xn) != NULL) {
/* Duplicate. */
X509_NAME_free(xn);
+ xn = NULL;
} else {
lh_X509_NAME_insert(name_hash, xn);
- sk_X509_NAME_push(ret, xn);
+ if (!sk_X509_NAME_push(ret, xn))
+ goto err;
}
}
goto done;
err:
+ X509_NAME_free(xn);
sk_X509_NAME_pop_free(ret, X509_NAME_free);
ret = NULL;
done:
xn = X509_NAME_dup(xn);
if (xn == NULL)
goto err;
- if (sk_X509_NAME_find(stack, xn) >= 0)
+ if (sk_X509_NAME_find(stack, xn) >= 0) {
+ /* Duplicate. */
X509_NAME_free(xn);
- else
- sk_X509_NAME_push(stack, xn);
+ } else if (!sk_X509_NAME_push(stack, xn)) {
+ X509_NAME_free(xn);
+ goto err;
+ }
}
ERR_clear_error();
goto done;
err:
- ret = 0;
+ ret = 0;
done:
BIO_free(in);
X509_free(x);