CERT *ssl_cert_new(void)
{
- CERT *ret = OPENSSL_malloc(sizeof(*ret));
+ CERT *ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE);
return (NULL);
}
- memset(ret, 0, sizeof(*ret));
ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
ret->references = 1;
CERT *ssl_cert_dup(CERT *cert)
{
- CERT *ret = OPENSSL_malloc(sizeof(*ret));
+ CERT *ret = OPENSSL_zalloc(sizeof(*ret));
int i;
if (ret == NULL) {
return (NULL);
}
- memset(ret, 0, sizeof(*ret));
-
+ ret->references = 1;
ret->key = &ret->pkeys[cert->key - cert->pkeys];
#ifndef OPENSSL_NO_RSA
CERT_PKEY *rpk = ret->pkeys + i;
if (cpk->x509 != NULL) {
rpk->x509 = cpk->x509;
- CRYPTO_add(&rpk->x509->references, 1, CRYPTO_LOCK_X509);
+ X509_up_ref(rpk->x509);
}
if (cpk->privatekey != NULL) {
}
}
- ret->references = 1;
/* Configured sigalgs copied across */
if (cert->conf_sigalgs) {
ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);
- if (!ret->conf_sigalgs)
+ if (ret->conf_sigalgs == NULL)
goto err;
memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen);
ret->conf_sigalgslen = cert->conf_sigalgslen;
if (cert->client_sigalgs) {
ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen);
- if (!ret->client_sigalgs)
+ if (ret->client_sigalgs == NULL)
goto err;
memcpy(ret->client_sigalgs, cert->client_sigalgs,
cert->client_sigalgslen);
/* Copy any custom client certificate types */
if (cert->ctypes) {
ret->ctypes = OPENSSL_malloc(cert->ctype_num);
- if (!ret->ctypes)
+ if (ret->ctypes == NULL)
goto err;
memcpy(ret->ctypes, cert->ctypes, cert->ctype_num);
ret->ctype_num = cert->ctype_num;
goto err;
if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext))
goto err;
-
+#ifndef OPENSSL_NO_PSK
+ if (cert->psk_identity_hint) {
+ ret->psk_identity_hint = BUF_strdup(cert->psk_identity_hint);
+ if (ret->psk_identity_hint == NULL)
+ goto err;
+ }
+#endif
return (ret);
err:
X509_STORE_free(c->chain_store);
custom_exts_free(&c->cli_ext);
custom_exts_free(&c->srv_ext);
+#ifndef OPENSSL_NO_PSK
+ OPENSSL_free(c->psk_identity_hint);
+#endif
OPENSSL_free(c);
}
{
if (!ssl_cert_add0_chain_cert(s, ctx, x))
return 0;
- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+ X509_up_ref(x);
return 1;
}
c->cert_cb_arg = arg;
}
-SESS_CERT *ssl_sess_cert_new(void)
-{
- SESS_CERT *ret;
-
- ret = OPENSSL_malloc(sizeof(*ret));
- if (ret == NULL) {
- SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- memset(ret, 0, sizeof(*ret));
- ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
- ret->references = 1;
-
- return ret;
-}
-
-void ssl_sess_cert_free(SESS_CERT *sc)
-{
- int i;
-
- if (sc == NULL)
- return;
-
- i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
-#ifdef REF_PRINT
- REF_PRINT("SESS_CERT", sc);
-#endif
- if (i > 0)
- return;
-#ifdef REF_CHECK
- if (i < 0) {
- fprintf(stderr, "ssl_sess_cert_free, bad reference count\n");
- abort(); /* ok */
- }
-#endif
-
- /* i == 0 */
- sk_X509_pop_free(sc->cert_chain, X509_free);
- for (i = 0; i < SSL_PKEY_NUM; i++) {
- X509_free(sc->peer_pkeys[i].x509);
-#if 0
- /*
- * We don't have the peer's private key. This line is just
- * here as a reminder that we're still using a not-quite-appropriate
- * data structure.
- */
- EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
-#endif
- }
-
- OPENSSL_free(sc);
-}
-
-int ssl_set_peer_cert_type(SESS_CERT *sc, int type)
-{
- sc->peer_cert_type = type;
- return (1);
-}
-
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
{
X509 *x;
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
{
- if (s->type == SSL_ST_CONNECT) { /* we are in the client */
+ if (!s->server) { /* we are in the client */
if (((s->version >> 8) == SSL3_VERSION_MAJOR) && (s->s3 != NULL))
return (s->s3->tmp.ca_names);
else
return (X509_NAME_cmp(*a, *b));
}
-#ifndef OPENSSL_NO_STDIO
/**
* Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
* it doesn't really have anything to do with clients (except that a common use
sk = sk_X509_NAME_new(xname_cmp);
- in = BIO_new(BIO_s_file_internal());
+ in = BIO_new(BIO_s_file());
if ((sk == NULL) || (in == NULL)) {
SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
ERR_clear_error();
return (ret);
}
-#endif
/**
* Add a file of certs to a stack.
oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_cmp);
- in = BIO_new(BIO_s_file_internal());
+ in = BIO_new(BIO_s_file());
if (in == NULL) {
SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,
SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB);
return (0);
}
+ /*
+ * It is valid for the chain not to be complete (because normally we
+ * don't include the root cert in the chain). Therefore we deliberately
+ * ignore the error return from this call. We're not actually verifying
+ * the cert - we're just building as much of the chain as we can
+ */
X509_verify_cert(&xs_ctx);
/* Don't leave errors in the queue */
ERR_clear_error();
/* Rearranging and check the chain: add everything to a store */
if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) {
chain_store = X509_STORE_new();
- if (!chain_store)
+ if (chain_store == NULL)
goto err;
for (i = 0; i < sk_X509_num(cpk->chain); i++) {
x = sk_X509_value(cpk->chain, i);
if (sk_X509_num(chain) > 0) {
/* See if last cert is self signed */
x = sk_X509_value(chain, sk_X509_num(chain) - 1);
- X509_check_purpose(x, -1, 0);
- if (x->ex_flags & EXFLAG_SS) {
+ if (X509_get_extension_flags(x) & EXFLAG_SS) {
x = sk_X509_pop(chain);
X509_free(x);
}
projects / openssl.git / blobdiff