/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return NULL;
}
- ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
+ ret->key = &(ret->pkeys[SSL_PKEY_RSA]);
ret->references = 1;
ret->sec_cb = ssl_security_default_callback;
ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;
/* Configured sigalgs copied across */
if (cert->conf_sigalgs) {
- ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);
+ ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen
+ * sizeof(*cert->conf_sigalgs));
if (ret->conf_sigalgs == NULL)
goto err;
- memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen);
+ memcpy(ret->conf_sigalgs, cert->conf_sigalgs,
+ cert->conf_sigalgslen * sizeof(*cert->conf_sigalgs));
ret->conf_sigalgslen = cert->conf_sigalgslen;
} else
ret->conf_sigalgs = NULL;
if (cert->client_sigalgs) {
- ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen);
+ ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen
+ * sizeof(*cert->client_sigalgs));
if (ret->client_sigalgs == NULL)
goto err;
memcpy(ret->client_sigalgs, cert->client_sigalgs,
- cert->client_sigalgslen);
+ cert->client_sigalgslen * sizeof(*cert->client_sigalgs));
ret->client_sigalgslen = cert->client_sigalgslen;
} else
ret->client_sigalgs = NULL;
/* Shared sigalgs also NULL */
ret->shared_sigalgs = NULL;
/* Copy any custom client certificate types */
- if (cert->ctypes) {
- ret->ctypes = OPENSSL_malloc(cert->ctype_num);
- if (ret->ctypes == NULL)
+ if (cert->ctype) {
+ ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len);
+ if (ret->ctype == NULL)
goto err;
- memcpy(ret->ctypes, cert->ctypes, cert->ctype_num);
- ret->ctype_num = cert->ctype_num;
+ ret->ctype_len = cert->ctype_len;
}
ret->cert_flags = cert->cert_flags;
ret->sec_level = cert->sec_level;
ret->sec_ex = cert->sec_ex;
- if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext))
- goto err;
- if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext))
+ if (!custom_exts_copy(&ret->custext, &cert->custext))
goto err;
#ifndef OPENSSL_NO_PSK
if (cert->psk_identity_hint) {
OPENSSL_free(c->conf_sigalgs);
OPENSSL_free(c->client_sigalgs);
OPENSSL_free(c->shared_sigalgs);
- OPENSSL_free(c->ctypes);
+ OPENSSL_free(c->ctype);
X509_STORE_free(c->verify_store);
X509_STORE_free(c->chain_store);
- custom_exts_free(&c->cli_ext);
- custom_exts_free(&c->srv_ext);
+ custom_exts_free(&c->custext);
#ifndef OPENSSL_NO_PSK
OPENSSL_free(c->psk_identity_hint);
#endif
return i;
}
-static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,
- STACK_OF(X509_NAME) *name_list)
+static void set0_CA_list(STACK_OF(X509_NAME) **ca_list,
+ STACK_OF(X509_NAME) *name_list)
{
sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
*ca_list = name_list;
}
-STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
+STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk)
{
int i;
STACK_OF(X509_NAME) *ret;
return (ret);
}
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
+void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
+{
+ set0_CA_list(&s->ca_names, name_list);
+}
+
+void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
+{
+ set0_CA_list(&ctx->ca_names, name_list);
+}
+
+const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx)
+{
+ return ctx->ca_names;
+}
+
+const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s)
{
- set_client_CA_list(&(s->client_CA), name_list);
+ return s->ca_names != NULL ? s->ca_names : s->ctx->ca_names;
}
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
{
- set_client_CA_list(&(ctx->client_CA), name_list);
+ SSL_CTX_set0_CA_list(ctx, name_list);
}
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
{
- return (ctx->client_CA);
+ return ctx->ca_names;
+}
+
+void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
+{
+ SSL_set0_CA_list(s, name_list);
+}
+
+const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s)
+{
+ return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL;
}
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
{
- if (!s->server) { /* we are in the client */
- if (((s->version >> 8) == SSL3_VERSION_MAJOR) && (s->s3 != NULL))
- return (s->s3->tmp.ca_names);
- else
- return (NULL);
- } else {
- if (s->client_CA != NULL)
- return (s->client_CA);
- else
- return (s->ctx->client_CA);
- }
+ if (!s->server)
+ return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL;
+ return s->ca_names != NULL ? s->ca_names : s->ctx->ca_names;
}
-static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x)
+static int add_ca_name(STACK_OF(X509_NAME) **sk, const X509 *x)
{
X509_NAME *name;
if (x == NULL)
- return (0);
- if ((*sk == NULL) && ((*sk = sk_X509_NAME_new_null()) == NULL))
- return (0);
+ return 0;
+ if (*sk == NULL && ((*sk = sk_X509_NAME_new_null()) == NULL))
+ return 0;
if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL)
- return (0);
+ return 0;
if (!sk_X509_NAME_push(*sk, name)) {
X509_NAME_free(name);
- return (0);
+ return 0;
}
- return (1);
+ return 1;
+}
+
+int SSL_add1_CA_list(SSL *ssl, const X509 *x)
+{
+ return add_ca_name(&ssl->ca_names, x);
+}
+
+int SSL_CTX_add1_CA_list(SSL_CTX *ctx, const X509 *x)
+{
+ return add_ca_name(&ctx->ca_names, x);
}
int SSL_add_client_CA(SSL *ssl, X509 *x)
{
- return (add_client_CA(&(ssl->client_CA), x));
+ return add_ca_name(&ssl->ca_names, x);
}
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
{
- return (add_client_CA(&(ctx->client_CA), x));
+ return add_ca_name(&ctx->ca_names, x);
}
static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
STACK_OF(X509) *chain = NULL, *untrusted = NULL;
X509 *x;
int i, rv = 0;
- unsigned long error;
if (!cpk->x509) {
SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, SSL_R_NO_CERTIFICATE_SET);
goto err;
for (i = 0; i < sk_X509_num(cpk->chain); i++) {
x = sk_X509_value(cpk->chain, i);
- if (!X509_STORE_add_cert(chain_store, x)) {
- error = ERR_peek_last_error();
- if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
- ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
- goto err;
- ERR_clear_error();
- }
- }
- /* Add EE cert too: it might be self signed */
- if (!X509_STORE_add_cert(chain_store, cpk->x509)) {
- error = ERR_peek_last_error();
- if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
- ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
+ if (!X509_STORE_add_cert(chain_store, x))
goto err;
- ERR_clear_error();
}
+ /* Add EE cert too: it might be self signed */
+ if (!X509_STORE_add_cert(chain_store, cpk->x509))
+ goto err;
} else {
if (c->chain_store)
chain_store = c->chain_store;