return NULL;
}
- ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
+ ret->key = &(ret->pkeys[SSL_PKEY_RSA]);
ret->references = 1;
ret->sec_cb = ssl_security_default_callback;
ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;
/* Configured sigalgs copied across */
if (cert->conf_sigalgs) {
- ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);
+ ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen
+ * sizeof(*cert->conf_sigalgs));
if (ret->conf_sigalgs == NULL)
goto err;
- memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen);
+ memcpy(ret->conf_sigalgs, cert->conf_sigalgs,
+ cert->conf_sigalgslen * sizeof(*cert->conf_sigalgs));
ret->conf_sigalgslen = cert->conf_sigalgslen;
} else
ret->conf_sigalgs = NULL;
if (cert->client_sigalgs) {
- ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen);
+ ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen
+ * sizeof(*cert->client_sigalgs));
if (ret->client_sigalgs == NULL)
goto err;
memcpy(ret->client_sigalgs, cert->client_sigalgs,
- cert->client_sigalgslen);
+ cert->client_sigalgslen * sizeof(*cert->client_sigalgs));
ret->client_sigalgslen = cert->client_sigalgslen;
} else
ret->client_sigalgs = NULL;
/* Shared sigalgs also NULL */
ret->shared_sigalgs = NULL;
/* Copy any custom client certificate types */
- if (cert->ctypes) {
- ret->ctypes = OPENSSL_malloc(cert->ctype_num);
- if (ret->ctypes == NULL)
+ if (cert->ctype) {
+ ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len);
+ if (ret->ctype == NULL)
goto err;
- memcpy(ret->ctypes, cert->ctypes, cert->ctype_num);
- ret->ctype_num = cert->ctype_num;
+ ret->ctype_len = cert->ctype_len;
}
ret->cert_flags = cert->cert_flags;
if (c == NULL)
return;
- CRYPTO_atomic_add(&c->references, -1, &i, c->lock);
+ CRYPTO_DOWN_REF(&c->references, &i, c->lock);
REF_PRINT_COUNT("CERT", c);
if (i > 0)
return;
OPENSSL_free(c->conf_sigalgs);
OPENSSL_free(c->client_sigalgs);
OPENSSL_free(c->shared_sigalgs);
- OPENSSL_free(c->ctypes);
+ OPENSSL_free(c->ctype);
X509_STORE_free(c->verify_store);
X509_STORE_free(c->chain_store);
custom_exts_free(&c->cli_ext);
return ret;
}
-/* Add a certificate to a BUF_MEM structure */
-
-static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
-{
- int n;
- unsigned char *p;
-
- n = i2d_X509(x, NULL);
- if (n < 0 || !BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) {
- SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
- return 0;
- }
- p = (unsigned char *)&(buf->data[*l]);
- l2n3(n, p);
- n = i2d_X509(x, &p);
- if (n < 0) {
- /* Shouldn't happen */
- SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
- return 0;
- }
- *l += n + 3;
-
- return 1;
-}
-
-/* Add certificate chain to internal SSL BUF_MEM structure */
-int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
-{
- BUF_MEM *buf = s->init_buf;
- int i, chain_count;
- X509 *x;
- STACK_OF(X509) *extra_certs;
- STACK_OF(X509) *chain = NULL;
- X509_STORE *chain_store;
-
- /* TLSv1 sends a chain with nothing in it, instead of an alert */
- if (!BUF_MEM_grow_clean(buf, 10)) {
- SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_BUF_LIB);
- return 0;
- }
-
- if (!cpk || !cpk->x509)
- return 1;
-
- x = cpk->x509;
-
- /*
- * If we have a certificate specific chain use it, else use parent ctx.
- */
- if (cpk->chain)
- extra_certs = cpk->chain;
- else
- extra_certs = s->ctx->extra_certs;
-
- if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
- chain_store = NULL;
- else if (s->cert->chain_store)
- chain_store = s->cert->chain_store;
- else
- chain_store = s->ctx->cert_store;
-
- if (chain_store) {
- X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
-
- if (xs_ctx == NULL) {
- SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
- return (0);
- }
- if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
- X509_STORE_CTX_free(xs_ctx);
- SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB);
- return (0);
- }
- /*
- * It is valid for the chain not to be complete (because normally we
- * don't include the root cert in the chain). Therefore we deliberately
- * ignore the error return from this call. We're not actually verifying
- * the cert - we're just building as much of the chain as we can
- */
- (void)X509_verify_cert(xs_ctx);
- /* Don't leave errors in the queue */
- ERR_clear_error();
- chain = X509_STORE_CTX_get0_chain(xs_ctx);
- i = ssl_security_cert_chain(s, chain, NULL, 0);
- if (i != 1) {
-#if 0
- /* Dummy error calls so mkerr generates them */
- SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
- SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
- SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
-#endif
- X509_STORE_CTX_free(xs_ctx);
- SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i);
- return 0;
- }
- chain_count = sk_X509_num(chain);
- for (i = 0; i < chain_count; i++) {
- x = sk_X509_value(chain, i);
-
- if (!ssl_add_cert_to_buf(buf, l, x)) {
- X509_STORE_CTX_free(xs_ctx);
- return 0;
- }
- }
- X509_STORE_CTX_free(xs_ctx);
- } else {
- i = ssl_security_cert_chain(s, extra_certs, x, 0);
- if (i != 1) {
- SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i);
- return 0;
- }
- if (!ssl_add_cert_to_buf(buf, l, x))
- return 0;
- for (i = 0; i < sk_X509_num(extra_certs); i++) {
- x = sk_X509_value(extra_certs, i);
- if (!ssl_add_cert_to_buf(buf, l, x))
- return 0;
- }
- }
- return 1;
-}
-
/* Build a certificate chain for current certificate */
int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
{
projects / openssl.git / blobdiff