projects
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
fix no-dh configure option; patch supplied by Peter Meerwald
[openssl.git]
/
ssl
/
ssl_cert.c
diff --git
a/ssl/ssl_cert.c
b/ssl/ssl_cert.c
index 4cab28a200fa803c225df55ff89e0df61d5df73e..452a0822d9a3e2a4f87ce4f2aae27f6e31a96e02 100644
(file)
--- a/
ssl/ssl_cert.c
+++ b/
ssl/ssl_cert.c
@@
-121,7
+121,9
@@
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#include <openssl/dh.h>
+#endif
#include <openssl/bn.h>
#include "ssl_locl.h"
#include <openssl/bn.h>
#include "ssl_locl.h"
@@
-198,7
+200,6
@@
CERT *ssl_cert_dup(CERT *cert)
#ifndef OPENSSL_NO_DH
if (cert->dh_tmp != NULL)
{
#ifndef OPENSSL_NO_DH
if (cert->dh_tmp != NULL)
{
- /* DH parameters don't have a reference count */
ret->dh_tmp = DHparams_dup(cert->dh_tmp);
if (ret->dh_tmp == NULL)
{
ret->dh_tmp = DHparams_dup(cert->dh_tmp);
if (ret->dh_tmp == NULL)
{
@@
-232,8
+233,12
@@
CERT *ssl_cert_dup(CERT *cert)
#ifndef OPENSSL_NO_ECDH
if (cert->ecdh_tmp)
{
#ifndef OPENSSL_NO_ECDH
if (cert->ecdh_tmp)
{
- EC_KEY_up_ref(cert->ecdh_tmp);
- ret->ecdh_tmp = cert->ecdh_tmp;
+ ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
+ if (ret->ecdh_tmp == NULL)
+ {
+ SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
+ goto err;
+ }
}
ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
#endif
}
ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
#endif
@@
-291,7
+296,7
@@
CERT *ssl_cert_dup(CERT *cert)
return(ret);
return(ret);
-#if
ndef OPENSSL_NO_DH /* avoid 'unreferenced label' warning if OPENSSL_NO_DH is defined */
+#if
!defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
err:
#endif
#ifndef OPENSSL_NO_RSA
err:
#endif
#ifndef OPENSSL_NO_RSA
@@
-483,20
+488,22
@@
int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
return(0);
}
SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
return(0);
}
+ if (s->param)
+ X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
+ s->param);
+#if 0
if (SSL_get_verify_depth(s) >= 0)
X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
if (SSL_get_verify_depth(s) >= 0)
X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
+#endif
X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
- /* We need to
set the verify purpose. The purpo
se can be determined by
+ /* We need to
inherit the verify parameters. The
se can be determined by
* the context: if its a server it will verify SSL client certificates
* or vice versa.
*/
* the context: if its a server it will verify SSL client certificates
* or vice versa.
*/
- if (s->server)
- i = X509_PURPOSE_SSL_CLIENT;
- else
- i = X509_PURPOSE_SSL_SERVER;
- X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
+ X509_STORE_CTX_set_default(&ctx,
+ s->server ? "ssl_client" : "ssl_server");
if (s->verify_callback)
X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
if (s->verify_callback)
X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
@@
-561,12
+568,12
@@
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
set_client_CA_list(&(ctx->client_CA),name_list);
}
set_client_CA_list(&(ctx->client_CA),name_list);
}
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx)
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(
const
SSL_CTX *ctx)
{
return(ctx->client_CA);
}
{
return(ctx->client_CA);
}
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s)
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(
const
SSL *s)
{
if (s->type == SSL_ST_CONNECT)
{ /* we are in the client */
{
if (s->type == SSL_ST_CONNECT)
{ /* we are in the client */
@@
-633,14
+640,13
@@
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
BIO *in;
X509 *x=NULL;
X509_NAME *xn=NULL;
BIO *in;
X509 *x=NULL;
X509_NAME *xn=NULL;
- STACK_OF(X509_NAME) *ret,*sk;
+ STACK_OF(X509_NAME) *ret
= NULL
,*sk;
- ret=sk_X509_NAME_new_null();
sk=sk_X509_NAME_new(xname_cmp);
in=BIO_new(BIO_s_file_internal());
sk=sk_X509_NAME_new(xname_cmp);
in=BIO_new(BIO_s_file_internal());
- if ((
ret == NULL) || (
sk == NULL) || (in == NULL))
+ if ((sk == NULL) || (in == NULL))
{
SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
goto err;
{
SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
goto err;
@@
-653,6
+659,15
@@
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
{
if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
break;
{
if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
break;
+ if (ret == NULL)
+ {
+ ret = sk_X509_NAME_new_null();
+ if (ret == NULL)
+ {
+ SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
if ((xn=X509_get_subject_name(x)) == NULL) goto err;
/* check for duplicates */
xn=X509_NAME_dup(xn);
if ((xn=X509_get_subject_name(x)) == NULL) goto err;
/* check for duplicates */
xn=X509_NAME_dup(xn);
@@
-675,6
+690,8
@@
err:
if (sk != NULL) sk_X509_NAME_free(sk);
if (in != NULL) BIO_free(in);
if (x != NULL) X509_free(x);
if (sk != NULL) sk_X509_NAME_free(sk);
if (in != NULL) BIO_free(in);
if (x != NULL) X509_free(x);
+ if (ret != NULL)
+ ERR_clear_error();
return(ret);
}
#endif
return(ret);
}
#endif