X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fssl_cert.c;h=7579a3432d92a13f60de98ddecb46db817216927;hb=2ad3c4c89ea0e7b7063a0360936e8fe771b09c66;hp=3e5eba76056ee3db69c9d3fd806f536fd7f8e660;hpb=7d7d2cbcb02206f3393681f2bce198e11e2e185b;p=oweals%2Fopenssl.git

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 3e5eba7605..7579a3432d 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -105,15 +105,26 @@
  */
 
 #include <stdio.h>
-#include <sys/types.h>
-#ifndef WIN32
-#ifndef VMS
+
+#include "openssl/e_os.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#if !defined(WIN32) && !defined(VSM) && !defined(NeXT) && !defined(MAC_OS_pre_X)
 #include <dirent.h>
 #endif
+
+#ifdef NeXT
+#include <sys/dir.h>
+#define dirent direct
 #endif
+
 #include <openssl/objects.h>
 #include <openssl/bio.h>
 #include <openssl/pem.h>
+#include <openssl/x509v3.h>
 #include "ssl_locl.h"
 
 int SSL_get_ex_data_X509_STORE_CTX_idx(void)
@@ -132,21 +143,13 @@ CERT *ssl_cert_new(void)
 	{
 	CERT *ret;
 
-	ret=(CERT *)Malloc(sizeof(CERT));
+	ret=(CERT *)OPENSSL_malloc(sizeof(CERT));
 	if (ret == NULL)
 		{
 		SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE);
 		return(NULL);
 		}
 	memset(ret,0,sizeof(CERT));
-/*
-	ret->valid=0;
-	ret->mask=0;
-	ret->export_mask=0;
-	ret->cert_type=0;
-	ret->key->x509=NULL;
-	ret->key->publickey=NULL;
-	ret->key->privatekey=NULL; */
 
 	ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
 	ret->references=1;
@@ -159,7 +162,7 @@ CERT *ssl_cert_dup(CERT *cert)
 	CERT *ret;
 	int i;
 
-	ret = (CERT *)Malloc(sizeof(CERT));
+	ret = (CERT *)OPENSSL_malloc(sizeof(CERT));
 	if (ret == NULL)
 		{
 		SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
@@ -168,8 +171,6 @@ CERT *ssl_cert_dup(CERT *cert)
 
 	memset(ret, 0, sizeof(CERT));
 
-	ret->cert_type = cert->cert_type;
-
 	ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
 	/* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
 	 * if you find that more readable */
@@ -190,16 +191,33 @@ CERT *ssl_cert_dup(CERT *cert)
 #ifndef NO_DH
 	if (cert->dh_tmp != NULL)
 		{
-		/* DH parameters don't have a reference count (and cannot
-		 * reasonably be shared anyway, as the secret exponent may
-		 * be created just when it is needed -- earlier library
-		 * versions did not pay attention to this) */
+		/* DH parameters don't have a reference count */
 		ret->dh_tmp = DHparams_dup(cert->dh_tmp);
 		if (ret->dh_tmp == NULL)
 			{
-			SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_DH_LIB);
+			SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
 			goto err;
 			}
+		if (cert->dh_tmp->priv_key)
+			{
+			BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
+			if (!b)
+				{
+				SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
+				goto err;
+				}
+			ret->dh_tmp->priv_key = b;
+			}
+		if (cert->dh_tmp->pub_key)
+			{
+			BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
+			if (!b)
+				{
+				SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
+				goto err;
+				}
+			ret->dh_tmp->pub_key = b;
+			}
 		}
 	ret->dh_tmp_cb = cert->dh_tmp_cb;
 #endif
@@ -246,11 +264,6 @@ CERT *ssl_cert_dup(CERT *cert)
 			}
 		}
 	
-
-	/* ret->cert_chain should not exist: that's pure per-connection data.
-	 * Anyway, we never use this function when it is non-NULL,
-	 * so we just don't look at it. */
-
 	/* ret->extra_certs *should* exist, but currently the own certificate
 	 * chain is held inside SSL_CTX */
 
@@ -318,12 +331,9 @@ void ssl_cert_free(CERT *c)
 			EVP_PKEY_free(c->pkeys[i].publickey);
 #endif
 		}
-	if (c->cert_chain != NULL)
-		sk_X509_pop_free(c->cert_chain,X509_free);
-	Free(c);
+	OPENSSL_free(c);
 	}
 
-#if 1
 int ssl_cert_inst(CERT **o)
 	{
 	/* Create a CERT if there isn't already one
@@ -352,32 +362,76 @@ int ssl_cert_inst(CERT **o)
 	return(1);
 	}
 
-#else /* Not needed any longer: SSL's always have their own copy */
-int ssl_cert_instantiate(CERT **o, CERT *d)
+
+SESS_CERT *ssl_sess_cert_new(void)
 	{
-	CERT *n;
-	if (o == NULL) 
+	SESS_CERT *ret;
+
+	ret = OPENSSL_malloc(sizeof *ret);
+	if (ret == NULL)
 		{
-		SSLerr(SSL_F_SSL_CERT_INSTANTIATE, ERR_R_PASSED_NULL_PARAMETER);
-		return(0);
+		SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
+		return NULL;
 		}
-	if (*o != NULL && (d == NULL || *o != d))
-	    return(1);
-	if ((n = ssl_cert_new()) == NULL) 
+
+	memset(ret, 0 ,sizeof *ret);
+	ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
+	ret->references = 1;
+
+	return ret;
+	}
+
+void ssl_sess_cert_free(SESS_CERT *sc)
+	{
+	int i;
+
+	if (sc == NULL)
+		return;
+
+	i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
+#ifdef REF_PRINT
+	REF_PRINT("SESS_CERT", sc);
+#endif
+	if (i > 0)
+		return;
+#ifdef REF_CHECK
+	if (i < 0)
 		{
-		SSLerr(SSL_F_SSL_CERT_INSTANTIATE, ERR_R_MALLOC_FAILURE);
-		return(0);
+		fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
+		abort(); /* ok */
 		}
-	if (*o != NULL) 
-		ssl_cert_free(*o);
-	*o = n;
-	return(1);
-	}
 #endif
 
-int ssl_set_cert_type(CERT *c,int type)
+	/* i == 0 */
+	if (sc->cert_chain != NULL)
+		sk_X509_pop_free(sc->cert_chain, X509_free);
+	for (i = 0; i < SSL_PKEY_NUM; i++)
+		{
+		if (sc->peer_pkeys[i].x509 != NULL)
+			X509_free(sc->peer_pkeys[i].x509);
+#if 0 /* We don't have the peer's private key.  These lines are just
+	   * here as a reminder that we're still using a not-quite-appropriate
+	   * data structure. */
+		if (sc->peer_pkeys[i].privatekey != NULL)
+			EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
+#endif
+		}
+
+#ifndef NO_RSA
+	if (sc->peer_rsa_tmp != NULL)
+		RSA_free(sc->peer_rsa_tmp);
+#endif
+#ifndef NO_DH
+	if (sc->peer_dh_tmp != NULL)
+		DH_free(sc->peer_dh_tmp);
+#endif
+
+	OPENSSL_free(sc);
+	}
+
+int ssl_set_peer_cert_type(SESS_CERT *sc,int type)
 	{
-	c->cert_type=type;
+	sc->peer_cert_type = type;
 	return(1);
 	}
 
@@ -394,11 +448,19 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
 	X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
 	if (SSL_get_verify_depth(s) >= 0)
 		X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
-	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),
-		(char *)s);
+	X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
+	/* We need to set the verify purpose. The purpose can be determined by
+	 * the context: if its a server it will verify SSL client certificates
+	 * or vice versa.
+         */
+
+	if(s->server) i = X509_PURPOSE_SSL_CLIENT;
+	else i = X509_PURPOSE_SSL_SERVER;
+
+	X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
 
 	if (s->ctx->app_verify_callback != NULL)
-		i=s->ctx->app_verify_callback(&ctx);
+		i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
 	else
 		{
 #ifndef NO_X509_VERIFY
@@ -424,19 +486,19 @@ static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME)
 	*ca_list=list;
 	}
 
-STACK *SSL_dup_CA_list(STACK *sk)
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
 	{
 	int i;
-	STACK *ret;
+	STACK_OF(X509_NAME) *ret;
 	X509_NAME *name;
 
-	ret=sk_new_null();
-	for (i=0; i<sk_num(sk); i++)
+	ret=sk_X509_NAME_new_null();
+	for (i=0; i<sk_X509_NAME_num(sk); i++)
 		{
-		name=X509_NAME_dup((X509_NAME *)sk_value(sk,i));
-		if ((name == NULL) || !sk_push(ret,(char *)name))
+		name=X509_NAME_dup(sk_X509_NAME_value(sk,i));
+		if ((name == NULL) || !sk_X509_NAME_push(ret,name))
 			{
-			sk_pop_free(ret,X509_NAME_free);
+			sk_X509_NAME_pop_free(ret,X509_NAME_free);
 			return(NULL);
 			}
 		}
@@ -506,7 +568,7 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
 	return(add_client_CA(&(ctx->client_CA),x));
 	}
 
-static int name_cmp(X509_NAME **a,X509_NAME **b)
+static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
 	{
 	return(X509_NAME_cmp(*a,*b));
 	}
@@ -528,7 +590,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
 	STACK_OF(X509_NAME) *ret,*sk;
 
 	ret=sk_X509_NAME_new(NULL);
-	sk=sk_X509_NAME_new(name_cmp);
+	sk=sk_X509_NAME_new(xname_cmp);
 
 	in=BIO_new(BIO_s_file_internal());
 
@@ -543,7 +605,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
 
 	for (;;)
 		{
-		if (PEM_read_bio_X509(in,&x,NULL) == NULL)
+		if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
 			break;
 		if ((xn=X509_get_subject_name(x)) == NULL) goto err;
 		/* check for duplicates */
@@ -582,53 +644,53 @@ err:
 
 int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 					const char *file)
-    {
-    BIO *in;
-    X509 *x=NULL;
-    X509_NAME *xn=NULL;
-    int ret=1;
-    int (*oldcmp)(X509_NAME **a, X509_NAME **b);
-
-    oldcmp=sk_X509_NAME_set_cmp_func(stack,name_cmp);
-
-    in=BIO_new(BIO_s_file_internal());
-
-    if (in == NULL)
 	{
-	SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
-	goto err;
-	}
+	BIO *in;
+	X509 *x=NULL;
+	X509_NAME *xn=NULL;
+	int ret=1;
+	int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
 	
-    if (!BIO_read_filename(in,file))
-	goto err;
-
-    for (;;)
-	{
-	if (PEM_read_bio_X509(in,&x,NULL) == NULL)
-	    break;
-	if ((xn=X509_get_subject_name(x)) == NULL) goto err;
-	xn=X509_NAME_dup(xn);
-	if (xn == NULL) goto err;
-	if (sk_X509_NAME_find(stack,xn) >= 0)
-	    X509_NAME_free(xn);
-	else
-	    sk_X509_NAME_push(stack,xn);
-	}
+	oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
+	
+	in=BIO_new(BIO_s_file_internal());
+	
+	if (in == NULL)
+		{
+		SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	
+	if (!BIO_read_filename(in,file))
+		goto err;
+	
+	for (;;)
+		{
+		if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
+			break;
+		if ((xn=X509_get_subject_name(x)) == NULL) goto err;
+		xn=X509_NAME_dup(xn);
+		if (xn == NULL) goto err;
+		if (sk_X509_NAME_find(stack,xn) >= 0)
+			X509_NAME_free(xn);
+		else
+			sk_X509_NAME_push(stack,xn);
+		}
 
-    if (0)
-	{
+	if (0)
+		{
 err:
-	ret=0;
-	}
-    if(in != NULL)
-	BIO_free(in);
-    if(x != NULL)
-	X509_free(x);
-
-    sk_X509_NAME_set_cmp_func(stack,oldcmp);
+		ret=0;
+		}
+	if(in != NULL)
+		BIO_free(in);
+	if(x != NULL)
+		X509_free(x);
+	
+	sk_X509_NAME_set_cmp_func(stack,oldcmp);
 
-    return ret;
-    }
+	return ret;
+	}
 
 /*!
  * Add a directory of certs to a stack.
@@ -643,37 +705,51 @@ err:
 
 #ifndef WIN32
 #ifndef VMS			/* XXXX This may be fixed in the future */
+#ifndef MAC_OS_pre_X
 
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
 				       const char *dir)
-    {
-    DIR *d=opendir(dir);
-    struct dirent *dstruct;
-
-    /* Note that a side effect is that the CAs will be sorted by name */
-    if(!d)
 	{
-	SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE);
-	return 0;
-	}
+	DIR *d;
+	struct dirent *dstruct;
+	int ret = 0;
 
-    while((dstruct=readdir(d)))
-	{
-	char buf[1024];
+	CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
+	d = opendir(dir);
 
-	if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
-	    {
-	    SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
-	    return 0;
-	    }
+	/* Note that a side effect is that the CAs will be sorted by name */
+	if(!d)
+		{
+		SYSerr(SYS_F_OPENDIR, get_last_sys_error());
+		ERR_add_error_data(3, "opendir('", dir, "')");
+		SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
+		goto err;
+		}
 	
-	sprintf(buf,"%s/%s",dir,dstruct->d_name);
-	if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
-	    return 0;
-	}
+	while((dstruct=readdir(d)))
+		{
+		char buf[1024];
+		int r;
+		
+		if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf)
+			{
+			SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
+			goto err;
+			}
+		
+		r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,dstruct->d_name);
+		if (r <= 0 || r >= sizeof buf)
+			goto err;
+		if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
+			goto err;
+		}
+	ret = 1;
 
-    return 1;
-    }
+err:	
+	CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
+	return ret;
+	}
 
 #endif
 #endif
+#endif