X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_cert.c;h=597de0ad6c08592a7e9f2d4c68d6e9f719275770;hp=1caa3c85e34d4ac46d621441d3ee41c6b03ec156;hb=4fa52141b08fca89250805afcf2f112a2e0d3500;hpb=9076bd25bfad9c661cad928331295bd5ec9b5af3 diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 1caa3c85e3..597de0ad6c 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -195,54 +195,15 @@ CERT *ssl_cert_dup(CERT *cert) ret->references = 1; ret->key = &ret->pkeys[cert->key - cert->pkeys]; -#ifndef OPENSSL_NO_RSA - if (cert->rsa_tmp != NULL) { - RSA_up_ref(cert->rsa_tmp); - ret->rsa_tmp = cert->rsa_tmp; - } - ret->rsa_tmp_cb = cert->rsa_tmp_cb; -#endif - #ifndef OPENSSL_NO_DH if (cert->dh_tmp != NULL) { - ret->dh_tmp = DHparams_dup(cert->dh_tmp); - if (ret->dh_tmp == NULL) { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB); - goto err; - } - if (cert->dh_tmp->priv_key) { - BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); - if (!b) { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); - goto err; - } - ret->dh_tmp->priv_key = b; - } - if (cert->dh_tmp->pub_key) { - BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); - if (!b) { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); - goto err; - } - ret->dh_tmp->pub_key = b; - } + ret->dh_tmp = cert->dh_tmp; + EVP_PKEY_up_ref(ret->dh_tmp); } ret->dh_tmp_cb = cert->dh_tmp_cb; ret->dh_tmp_auto = cert->dh_tmp_auto; #endif -#ifndef OPENSSL_NO_EC - if (cert->ecdh_tmp) { - ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); - if (ret->ecdh_tmp == NULL) { - SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB); - goto err; - } - } - ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; - ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; -#endif - for (i = 0; i < SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = cert->pkeys + i; CERT_PKEY *rpk = ret->pkeys + i; @@ -282,7 +243,7 @@ CERT *ssl_cert_dup(CERT *cert) /* Configured sigalgs copied across */ if (cert->conf_sigalgs) { ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen); - if (!ret->conf_sigalgs) + if (ret->conf_sigalgs == NULL) goto err; memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen); ret->conf_sigalgslen = cert->conf_sigalgslen; @@ -291,7 +252,7 @@ CERT *ssl_cert_dup(CERT *cert) if (cert->client_sigalgs) { ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen); - if (!ret->client_sigalgs) + if (ret->client_sigalgs == NULL) goto err; memcpy(ret->client_sigalgs, cert->client_sigalgs, cert->client_sigalgslen); @@ -303,7 +264,7 @@ CERT *ssl_cert_dup(CERT *cert) /* Copy any custom client certificate types */ if (cert->ctypes) { ret->ctypes = OPENSSL_malloc(cert->ctype_num); - if (!ret->ctypes) + if (ret->ctypes == NULL) goto err; memcpy(ret->ctypes, cert->ctypes, cert->ctype_num); ret->ctype_num = cert->ctype_num; @@ -335,7 +296,7 @@ CERT *ssl_cert_dup(CERT *cert) goto err; #ifndef OPENSSL_NO_PSK if (cert->psk_identity_hint) { - ret->psk_identity_hint = BUF_strdup(cert->psk_identity_hint); + ret->psk_identity_hint = OPENSSL_strdup(cert->psk_identity_hint); if (ret->psk_identity_hint == NULL) goto err; } @@ -389,14 +350,8 @@ void ssl_cert_free(CERT *c) } #endif -#ifndef OPENSSL_NO_RSA - RSA_free(c->rsa_tmp); -#endif #ifndef OPENSSL_NO_DH - DH_free(c->dh_tmp); -#endif -#ifndef OPENSSL_NO_EC - EC_KEY_free(c->ecdh_tmp); + EVP_PKEY_free(c->dh_tmp); #endif ssl_cert_clear_certs(c); @@ -625,7 +580,7 @@ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) { - if (s->type == SSL_ST_CONNECT) { /* we are in the client */ + if (!s->server) { /* we are in the client */ if (((s->version >> 8) == SSL3_VERSION_MAJOR) && (s->s3 != NULL)) return (s->s3->tmp.ca_names); else @@ -914,6 +869,12 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB); return (0); } + /* + * It is valid for the chain not to be complete (because normally we + * don't include the root cert in the chain). Therefore we deliberately + * ignore the error return from this call. We're not actually verifying + * the cert - we're just building as much of the chain as we can + */ X509_verify_cert(&xs_ctx); /* Don't leave errors in the queue */ ERR_clear_error(); @@ -968,7 +929,7 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags) /* Rearranging and check the chain: add everything to a store */ if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) { chain_store = X509_STORE_new(); - if (!chain_store) + if (chain_store == NULL) goto err; for (i = 0; i < sk_X509_num(cpk->chain); i++) { x = sk_X509_value(cpk->chain, i); @@ -1123,15 +1084,21 @@ static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op, break; } case SSL_SECOP_VERSION: - /* SSLv3 not allowed on level 2 */ - if (nid <= SSL3_VERSION && level >= 2) - return 0; - /* TLS v1.1 and above only for level 3 */ - if (nid <= TLS1_VERSION && level >= 3) - return 0; - /* TLS v1.2 only for level 4 and above */ - if (nid <= TLS1_1_VERSION && level >= 4) - return 0; + if (!SSL_IS_DTLS(s)) { + /* SSLv3 not allowed at level 2 */ + if (nid <= SSL3_VERSION && level >= 2) + return 0; + /* TLS v1.1 and above only for level 3 */ + if (nid <= TLS1_VERSION && level >= 3) + return 0; + /* TLS v1.2 only for level 4 and above */ + if (nid <= TLS1_1_VERSION && level >= 4) + return 0; + } else { + /* DTLS v1.2 only for level 4 and above */ + if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level >= 4) + return 0; + } break; case SSL_SECOP_COMPRESSION: