+ CRYPTO_THREAD_lock_free(c->lock);
+ OPENSSL_free(c);
+}
+
+int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
+{
+ int i, r;
+ CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
+ if (!cpk)
+ return 0;
+ for (i = 0; i < sk_X509_num(chain); i++) {
+ r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0);
+ if (r != 1) {
+ SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r);
+ return 0;
+ }
+ }
+ sk_X509_pop_free(cpk->chain, X509_free);
+ cpk->chain = chain;
+ return 1;
+}
+
+int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
+{
+ STACK_OF(X509) *dchain;
+ if (!chain)
+ return ssl_cert_set0_chain(s, ctx, NULL);
+ dchain = X509_chain_up_ref(chain);
+ if (!dchain)
+ return 0;
+ if (!ssl_cert_set0_chain(s, ctx, dchain)) {
+ sk_X509_pop_free(dchain, X509_free);
+ return 0;
+ }
+ return 1;
+}
+
+int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x)
+{
+ int r;
+ CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
+ if (!cpk)
+ return 0;
+ r = ssl_security_cert(s, ctx, x, 0, 0);
+ if (r != 1) {
+ SSLerr(SSL_F_SSL_CERT_ADD0_CHAIN_CERT, r);
+ return 0;
+ }
+ if (!cpk->chain)
+ cpk->chain = sk_X509_new_null();
+ if (!cpk->chain || !sk_X509_push(cpk->chain, x))
+ return 0;
+ return 1;
+}
+
+int ssl_cert_add1_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x)
+{
+ if (!ssl_cert_add0_chain_cert(s, ctx, x))
+ return 0;
+ X509_up_ref(x);
+ return 1;
+}
+
+int ssl_cert_select_current(CERT *c, X509 *x)
+{
+ int i;
+ if (x == NULL)
+ return 0;
+ for (i = 0; i < SSL_PKEY_NUM; i++) {
+ CERT_PKEY *cpk = c->pkeys + i;
+ if (cpk->x509 == x && cpk->privatekey) {
+ c->key = cpk;
+ return 1;
+ }
+ }
+
+ for (i = 0; i < SSL_PKEY_NUM; i++) {
+ CERT_PKEY *cpk = c->pkeys + i;
+ if (cpk->privatekey && cpk->x509 && !X509_cmp(cpk->x509, x)) {
+ c->key = cpk;
+ return 1;
+ }
+ }
+ return 0;
+}
+
+int ssl_cert_set_current(CERT *c, long op)
+{
+ int i, idx;
+ if (!c)
+ return 0;
+ if (op == SSL_CERT_SET_FIRST)
+ idx = 0;
+ else if (op == SSL_CERT_SET_NEXT) {
+ idx = (int)(c->key - c->pkeys + 1);
+ if (idx >= SSL_PKEY_NUM)
+ return 0;
+ } else
+ return 0;
+ for (i = idx; i < SSL_PKEY_NUM; i++) {
+ CERT_PKEY *cpk = c->pkeys + i;
+ if (cpk->x509 && cpk->privatekey) {
+ c->key = cpk;
+ return 1;
+ }
+ }
+ return 0;
+}
+
+void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg)
+{
+ c->cert_cb = cb;
+ c->cert_cb_arg = arg;
+}
+
+int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
+{
+ X509 *x;
+ int i = 0;
+ X509_STORE *verify_store;
+ X509_STORE_CTX *ctx = NULL;
+ X509_VERIFY_PARAM *param;
+
+ if ((sk == NULL) || (sk_X509_num(sk) == 0))
+ return 0;
+
+ if (s->cert->verify_store)
+ verify_store = s->cert->verify_store;
+ else
+ verify_store = s->ctx->cert_store;
+
+ ctx = X509_STORE_CTX_new();
+ if (ctx == NULL) {
+ SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ x = sk_X509_value(sk, 0);
+ if (!X509_STORE_CTX_init(ctx, verify_store, x, sk)) {
+ SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_X509_LIB);
+ goto end;
+ }
+ param = X509_STORE_CTX_get0_param(ctx);
+ /*
+ * XXX: Separate @AUTHSECLEVEL and @TLSSECLEVEL would be useful at some
+ * point, for now a single @SECLEVEL sets the same policy for TLS crypto
+ * and PKI authentication.
+ */
+ X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
+
+ /* Set suite B flags if needed */
+ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
+ if (!X509_STORE_CTX_set_ex_data
+ (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
+ goto end;
+ }
+
+ /* Verify via DANE if enabled */
+ if (DANETLS_ENABLED(&s->dane))
+ X509_STORE_CTX_set0_dane(ctx, &s->dane);
+
+ /*
+ * We need to inherit the verify parameters. These can be determined by
+ * the context: if its a server it will verify SSL client certificates or
+ * vice versa.
+ */
+
+ X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server");
+ /*
+ * Anything non-default in "s->param" should overwrite anything in the ctx.
+ */
+ X509_VERIFY_PARAM_set1(param, s->param);
+
+ if (s->verify_callback)
+ X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback);
+
+ if (s->ctx->app_verify_callback != NULL)
+ i = s->ctx->app_verify_callback(ctx, s->ctx->app_verify_arg);
+ else
+ i = X509_verify_cert(ctx);
+
+ s->verify_result = X509_STORE_CTX_get_error(ctx);
+ sk_X509_pop_free(s->verified_chain, X509_free);
+ s->verified_chain = NULL;
+ if (X509_STORE_CTX_get0_chain(ctx) != NULL) {
+ s->verified_chain = X509_STORE_CTX_get1_chain(ctx);
+ if (s->verified_chain == NULL) {
+ SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
+ i = 0;
+ }
+ }
+
+ /* Move peername from the store context params to the SSL handle's */
+ X509_VERIFY_PARAM_move_peername(s->param, param);
+
+ end:
+ X509_STORE_CTX_free(ctx);
+ return i;
+}
+
+static void set0_CA_list(STACK_OF(X509_NAME) **ca_list,
+ STACK_OF(X509_NAME) *name_list)
+{
+ sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
+ *ca_list = name_list;
+}
+
+STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk)
+{
+ int i;
+ const int num = sk_X509_NAME_num(sk);
+ STACK_OF(X509_NAME) *ret;
+ X509_NAME *name;
+
+ ret = sk_X509_NAME_new_reserve(NULL, num);
+ if (ret == NULL) {
+ SSLerr(SSL_F_SSL_DUP_CA_LIST, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ for (i = 0; i < num; i++) {
+ name = X509_NAME_dup(sk_X509_NAME_value(sk, i));
+ if (name == NULL) {
+ SSLerr(SSL_F_SSL_DUP_CA_LIST, ERR_R_MALLOC_FAILURE);
+ sk_X509_NAME_pop_free(ret, X509_NAME_free);
+ return NULL;
+ }
+ sk_X509_NAME_push(ret, name); /* Cannot fail after reserve call */
+ }
+ return ret;
+}
+
+void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
+{
+ set0_CA_list(&s->ca_names, name_list);
+}
+
+void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
+{
+ set0_CA_list(&ctx->ca_names, name_list);
+}
+
+const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx)
+{
+ return ctx->ca_names;
+}
+
+const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s)
+{
+ return s->ca_names != NULL ? s->ca_names : s->ctx->ca_names;
+}
+
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
+{
+ set0_CA_list(&ctx->client_ca_names, name_list);
+}