X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_cert.c;h=48f247ceaca6afdf944ae14b41323765b73247ba;hp=9a8a8cc81666ffdd75917f06fff7b03469d4d47a;hb=1e7396beeb13b8132c08dd1fb95645f0b3165335;hpb=1444ba8d786747a3c7d2966ade4cd836b9cf38a6
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 9a8a8cc816..48f247ceac 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -105,17 +105,26 @@
 */
 #include
-#include
-#if !defined(WIN32) && !defined(VSM) && !defined(NeXT)
+
+#include "openssl/e_os.h"
+
+#ifndef NO_SYS_TYPES_H
+# include
+#endif
+
+#if !defined(WIN32) && !defined(VSM) && !defined(NeXT) && !defined(MAC_OS_pre_X)
 #include
 #endif
+
 #ifdef NeXT
 #include
 #define dirent direct
 #endif
+
 #include
 #include
 #include
+#include
 #include "ssl_locl.h"
 int SSL_get_ex_data_X509_STORE_CTX_idx(void)
@@ -422,11 +431,19 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
 X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
 if (SSL_get_verify_depth(s) >= 0)
 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
- X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),
- (char *)s);
+ X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
+ /* We need to set the verify purpose. The purpose can be determined by
+ * the context: if its a server it will verify SSL client certificates
+ * or vice versa.
+ */
+
+ if(s->server) i = X509_PURPOSE_SSL_CLIENT;
+ else i = X509_PURPOSE_SSL_SERVER;
+
+ X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
 if (s->ctx->app_verify_callback != NULL)
- i=s->ctx->app_verify_callback(&ctx);
+ i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
 else
 {
 #ifndef NO_X509_VERIFY
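Review bot: The rewritten guard `+#if !defined(WIN32) && !defined(VSM) && !defined(NeXT) && !defined(MAC_OS_pre_X)` carries the spelling `VSM` over from the line it replaces, whereas the rest of this file tests `VMS` (see the `#ifndef VMS` context in the hunk at -671). Unless a `VSM` macro is defined somewhere outside this diff, that term is always true and the header included under it is also pulled in on VMS, which is presumably not the intent. Since the line is being rewritten anyway, I would correct it to `!defined(VMS)` and, if VMS really is meant to be excluded here, say so in a short comment.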
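Review bot: The result of the new `X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);` call is discarded, so an invalid purpose or trust id on the SSL object only leaves an entry on the error queue while verification proceeds with whatever purpose the context already had. I would guard it, `if (!X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust)) /* take the function's existing failure path */`, returning 0 through the same cleanup the function performs after a failed verify; the rest of ssl_verify_cert_chain, including how `&ctx` is released, is outside this hunk. Reusing `i` first for the purpose id and then for the verification result makes the hunk harder to follow; a dedicated local such as `int purpose;` would read better, though its declaration belongs at the top of the function, also outside the hunk. The trailing `/* should pass app_verify_arg */` on the callback line is a TODO landing in the code; either pass the argument in this change or mark it as a tracked follow-up so it is not forgotten.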
@@ -452,19 +469,19 @@ static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME)
 *ca_list=list;
 }
-STACK *SSL_dup_CA_list(STACK *sk)
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
 {
 int i;
- STACK *ret;
+ STACK_OF(X509_NAME) *ret;
 X509_NAME *name;
- ret=sk_new_null();
- for (i=0; iclient_CA),x));
 }
-static int name_cmp(X509_NAME **a,X509_NAME **b)
+static int xname_cmp(X509_NAME **a,X509_NAME **b)
 {
 return(X509_NAME_cmp(*a,*b));
 }
@@ -556,7 +573,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
 STACK_OF(X509_NAME) *ret,*sk;
 ret=sk_X509_NAME_new(NULL);
- sk=sk_X509_NAME_new(name_cmp);
+ sk=sk_X509_NAME_new(xname_cmp);
 in=BIO_new(BIO_s_file_internal());
@@ -571,7 +588,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
 for (;;)
 {
- if (PEM_read_bio_X509(in,&x,NULL) == NULL)
+ if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
 break;
 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
 /* check for duplicates */
@@ -617,7 +634,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 int ret=1;
 int (*oldcmp)(X509_NAME **a, X509_NAME **b);
- oldcmp=sk_X509_NAME_set_cmp_func(stack,name_cmp);
+ oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
 in=BIO_new(BIO_s_file_internal());
@@ -632,7 +649,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 for (;;)
 {
- if (PEM_read_bio_X509(in,&x,NULL) == NULL)
+ if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
 break;
 if ((xn=X509_get_subject_name(x)) == NULL) goto err;
 xn=X509_NAME_dup(xn);
@@ -671,6 +688,7 @@ err:
 #ifndef WIN32
 #ifndef VMS /* XXXX This may be fixed in the future */
+#ifndef MAC_OS_pre_X
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 const char *dir)
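Review bot: In the hunk at -571 the loop exit `if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL) break;` still treats every NULL as end of file, so a truncated or corrupt PEM entry in the middle of a CA file silently produces a shorter list that is then returned as success; the hunk at -632 in SSL_add_file_cert_subjects_to_stack has the same pattern. Only a PEM_R_NO_START_LINE reason on the error queue is a clean EOF; any other failure should take the function's existing `goto err` path (the `err:` label itself is outside the hunk). The new fourth argument is the password callback, and NULL means the library's default callback is used if a block turns out to be encrypted, which is fine for certificate files but deserves a one-line comment such as `/* no password callback: CA lists are expected to be unencrypted */`. A rewrite of the exit test that separates the two cases follows.
```c
		if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
			{
			/* PEM_R_NO_START_LINE is the normal end-of-file condition;
			 * anything else means the file is damaged, not exhausted. */
			if (ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE)
				{
				ERR_clear_error();
				break;
				}
			goto err;
			}
		/* … unchanged: subject-name extraction and duplicate check … */
```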
@@ -685,7 +703,9 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 /* Note that a side effect is that the CAs will be sorted by name */
 if(!d)
 {
- SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
+ SYSerr(SYS_F_OPENDIR, get_last_sys_error());
+ ERR_add_error_data(3, "opendir('", dir, "')");
+ SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
 goto err;
 }
@@ -712,3 +732,4 @@ err:
 #endif
 #endif
+#endif
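Review bot: The order of the three new error calls is load-bearing and nothing in the hunk says so: `SYSerr(SYS_F_OPENDIR, get_last_sys_error())` has to stay first because `ERR_add_error_data` and `SSLerr` can allocate and so may overwrite errno before it is read. A one-line comment above the `SYSerr` call would keep a later reorder from quietly reporting the wrong system error, e.g. `/* SYSerr first: it reads errno, which the ERR_* calls below may clobber */`. Capturing errno into a local right after the opendir call (which is above this hunk) would be more robust still, since any call placed between opendir and this block has the same effect.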
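Review bot: The added `+#endif` closes the `#ifndef MAC_OS_pre_X` opened in the hunk at -671, about forty lines earlier, and because it is appended after the two existing bare `#endif`s the pairing has shifted: the first `#endif` now textually ends `MAC_OS_pre_X`, the second `VMS`, and the new one `WIN32`, which nobody can tell by reading them. Labelling all three, `#endif /* MAC_OS_pre_X */`, `#endif /* VMS */` and `#endif /* WIN32 */`, makes the nesting checkable at a glance and costs nothing.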