# include <sys/types.h>
#endif
-#include "o_dir.h"
+#include "internal/o_dir.h"
#include <openssl/objects.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
return ssl_x509_store_ctx_idx;
}
-void ssl_cert_set_default_md(CERT *cert)
-{
- /* Set digest values to defaults */
-#ifndef OPENSSL_NO_DSA
- cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
-#endif
-#ifndef OPENSSL_NO_RSA
- cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
- cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
-#endif
-#ifndef OPENSSL_NO_ECDSA
- cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
-#endif
-}
-
CERT *ssl_cert_new(void)
{
- CERT *ret;
+ CERT *ret = OPENSSL_malloc(sizeof(*ret));
- ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
if (ret == NULL) {
SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE);
return (NULL);
}
- memset(ret, 0, sizeof(CERT));
+ memset(ret, 0, sizeof(*ret));
ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
ret->references = 1;
- ssl_cert_set_default_md(ret);
ret->sec_cb = ssl_security_default_callback;
ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;
ret->sec_ex = NULL;
CERT *ssl_cert_dup(CERT *cert)
{
- CERT *ret;
+ CERT *ret = OPENSSL_malloc(sizeof(*ret));
int i;
- ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
if (ret == NULL) {
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
return (NULL);
}
- memset(ret, 0, sizeof(CERT));
+ memset(ret, 0, sizeof(*ret));
- ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
- /*
- * or ret->key = ret->pkeys + (cert->key - cert->pkeys), if you find that
- * more readable
- */
-
- ret->valid = cert->valid;
- ret->mask_k = cert->mask_k;
- ret->mask_a = cert->mask_a;
- ret->export_mask_k = cert->export_mask_k;
- ret->export_mask_a = cert->export_mask_a;
+ ret->key = &ret->pkeys[cert->key - cert->pkeys];
#ifndef OPENSSL_NO_RSA
if (cert->rsa_tmp != NULL) {
ret->dh_tmp_auto = cert->dh_tmp_auto;
#endif
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
if (cert->ecdh_tmp) {
ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
if (ret->ecdh_tmp == NULL) {
goto err;
}
}
- rpk->valid_flags = 0;
-#ifndef OPENSSL_NO_TLSEXT
if (cert->pkeys[i].serverinfo != NULL) {
/* Just copy everything. */
ret->pkeys[i].serverinfo =
cert->pkeys[i].serverinfo,
cert->pkeys[i].serverinfo_length);
}
-#endif
}
ret->references = 1;
- /*
- * Set digests to defaults. NB: we don't copy existing values as they
- * will be set during handshake.
- */
- ssl_cert_set_default_md(ret);
- /* Peer sigalgs set to NULL as we get these from handshake too */
- ret->peer_sigalgs = NULL;
- ret->peer_sigalgslen = 0;
- /* Configured sigalgs however we copy across */
-
+ /* Configured sigalgs copied across */
if (cert->conf_sigalgs) {
ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);
if (!ret->conf_sigalgs)
ret->chain_store = cert->chain_store;
}
- ret->ciphers_raw = NULL;
-
ret->sec_cb = cert->sec_cb;
ret->sec_level = cert->sec_level;
ret->sec_ex = cert->sec_ex;
-#ifndef OPENSSL_NO_TLSEXT
if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext))
goto err;
if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext))
goto err;
-#endif
return (ret);
return;
for (i = 0; i < SSL_PKEY_NUM; i++) {
CERT_PKEY *cpk = c->pkeys + i;
- if (cpk->x509) {
- X509_free(cpk->x509);
- cpk->x509 = NULL;
- }
- if (cpk->privatekey) {
- EVP_PKEY_free(cpk->privatekey);
- cpk->privatekey = NULL;
- }
- if (cpk->chain) {
- sk_X509_pop_free(cpk->chain, X509_free);
- cpk->chain = NULL;
- }
-#ifndef OPENSSL_NO_TLSEXT
- if (cpk->serverinfo) {
- OPENSSL_free(cpk->serverinfo);
- cpk->serverinfo = NULL;
- cpk->serverinfo_length = 0;
- }
-#endif
- /* Clear all flags apart from explicit sign */
- cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
+ X509_free(cpk->x509);
+ cpk->x509 = NULL;
+ EVP_PKEY_free(cpk->privatekey);
+ cpk->privatekey = NULL;
+ sk_X509_pop_free(cpk->chain, X509_free);
+ cpk->chain = NULL;
+ OPENSSL_free(cpk->serverinfo);
+ cpk->serverinfo = NULL;
+ cpk->serverinfo_length = 0;
}
}
#endif
#ifndef OPENSSL_NO_RSA
- if (c->rsa_tmp)
- RSA_free(c->rsa_tmp);
+ RSA_free(c->rsa_tmp);
#endif
#ifndef OPENSSL_NO_DH
- if (c->dh_tmp)
- DH_free(c->dh_tmp);
+ DH_free(c->dh_tmp);
#endif
-#ifndef OPENSSL_NO_ECDH
- if (c->ecdh_tmp)
- EC_KEY_free(c->ecdh_tmp);
+#ifndef OPENSSL_NO_EC
+ EC_KEY_free(c->ecdh_tmp);
#endif
ssl_cert_clear_certs(c);
- if (c->peer_sigalgs)
- OPENSSL_free(c->peer_sigalgs);
- if (c->conf_sigalgs)
- OPENSSL_free(c->conf_sigalgs);
- if (c->client_sigalgs)
- OPENSSL_free(c->client_sigalgs);
- if (c->shared_sigalgs)
- OPENSSL_free(c->shared_sigalgs);
- if (c->ctypes)
- OPENSSL_free(c->ctypes);
- if (c->verify_store)
- X509_STORE_free(c->verify_store);
- if (c->chain_store)
- X509_STORE_free(c->chain_store);
- if (c->ciphers_raw)
- OPENSSL_free(c->ciphers_raw);
-#ifndef OPENSSL_NO_TLSEXT
+ OPENSSL_free(c->conf_sigalgs);
+ OPENSSL_free(c->client_sigalgs);
+ OPENSSL_free(c->shared_sigalgs);
+ OPENSSL_free(c->ctypes);
+ X509_STORE_free(c->verify_store);
+ X509_STORE_free(c->chain_store);
custom_exts_free(&c->cli_ext);
custom_exts_free(&c->srv_ext);
-#endif
OPENSSL_free(c);
}
-int ssl_cert_inst(CERT **o)
-{
- /*
- * Create a CERT if there isn't already one (which cannot really happen,
- * as it is initially created in SSL_CTX_new; but the earlier code
- * usually allows for that one being non-existant, so we follow that
- * behaviour, as it might turn out that there actually is a reason for it
- * -- but I'm not sure that *all* of the existing code could cope with
- * s->cert being NULL, otherwise we could do without the initialization
- * in SSL_CTX_new).
- */
-
- if (o == NULL) {
- SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
- return (0);
- }
- if (*o == NULL) {
- if ((*o = ssl_cert_new()) == NULL) {
- SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
- return (0);
- }
- }
- return (1);
-}
-
int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
{
int i, r;
CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
if (!cpk)
return 0;
- if (cpk->chain)
- sk_X509_pop_free(cpk->chain, X509_free);
+ sk_X509_pop_free(cpk->chain, X509_free);
for (i = 0; i < sk_X509_num(chain); i++) {
r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0);
if (r != 1) {
{
SESS_CERT *ret;
- ret = OPENSSL_malloc(sizeof *ret);
+ ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
- memset(ret, 0, sizeof *ret);
+ memset(ret, 0, sizeof(*ret));
ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
ret->references = 1;
#endif
/* i == 0 */
- if (sc->cert_chain != NULL)
- sk_X509_pop_free(sc->cert_chain, X509_free);
+ sk_X509_pop_free(sc->cert_chain, X509_free);
for (i = 0; i < SSL_PKEY_NUM; i++) {
- if (sc->peer_pkeys[i].x509 != NULL)
- X509_free(sc->peer_pkeys[i].x509);
-#if 0 /* We don't have the peer's private key.
- * These lines are just * here as a reminder
- * that we're still using a
- * not-quite-appropriate * data structure. */
- if (sc->peer_pkeys[i].privatekey != NULL)
- EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
+ X509_free(sc->peer_pkeys[i].x509);
+#if 0
+ /*
+ * We don't have the peer's private key. This line is just
+ * here as a reminder that we're still using a not-quite-appropriate
+ * data structure.
+ */
+ EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
#endif
}
#ifndef OPENSSL_NO_RSA
- if (sc->peer_rsa_tmp != NULL)
- RSA_free(sc->peer_rsa_tmp);
+ RSA_free(sc->peer_rsa_tmp);
#endif
#ifndef OPENSSL_NO_DH
- if (sc->peer_dh_tmp != NULL)
- DH_free(sc->peer_dh_tmp);
+ DH_free(sc->peer_dh_tmp);
#endif
-#ifndef OPENSSL_NO_ECDH
- if (sc->peer_ecdh_tmp != NULL)
- EC_KEY_free(sc->peer_ecdh_tmp);
+#ifndef OPENSSL_NO_EC
+ EC_KEY_free(sc->peer_ecdh_tmp);
#endif
OPENSSL_free(sc);
}
/* Set suite B flags if needed */
X509_STORE_CTX_set_flags(&ctx, tls1_suiteb(s));
-#if 0
- if (SSL_get_verify_depth(s) >= 0)
- X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
-#endif
X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
/*
X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
if (s->ctx->app_verify_callback != NULL)
-#if 1 /* new with OpenSSL 0.9.7 */
i = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
-#else
- i = s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
-#endif
else {
i = X509_verify_cert(&ctx);
# if 0
static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,
STACK_OF(X509_NAME) *name_list)
{
- if (*ca_list != NULL)
- sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
-
+ sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
*ca_list = name_list;
}
sk_X509_NAME_push(ret, xn);
}
}
+ goto done;
- if (0) {
err:
- if (ret != NULL)
- sk_X509_NAME_pop_free(ret, X509_NAME_free);
- ret = NULL;
- }
- if (sk != NULL)
- sk_X509_NAME_free(sk);
- if (in != NULL)
- BIO_free(in);
- if (x != NULL)
- X509_free(x);
+ sk_X509_NAME_pop_free(ret, X509_NAME_free);
+ ret = NULL;
+ done:
+ sk_X509_NAME_free(sk);
+ BIO_free(in);
+ X509_free(x);
if (ret != NULL)
ERR_clear_error();
return (ret);
}
ERR_clear_error();
+ goto done;
- if (0) {
err:
ret = 0;
- }
- if (in != NULL)
- BIO_free(in);
- if (x != NULL)
- X509_free(x);
-
+ done:
+ BIO_free(in);
+ X509_free(x);
(void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
-
return ret;
}
goto err;
}
}
- if (cpk->chain)
- sk_X509_pop_free(cpk->chain, X509_free);
+ sk_X509_pop_free(cpk->chain, X509_free);
cpk->chain = chain;
if (rv == 0)
rv = 1;
pstore = &c->chain_store;
else
pstore = &c->verify_store;
- if (*pstore)
- X509_STORE_free(*pstore);
+ X509_STORE_free(*pstore);
*pstore = store;
if (ref && store)
CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);
projects / openssl.git / blobdiff